How to Bypass Windows AppLocker
AppLocker
AppLocker is a technology first introduced with Microsoft's Windows 7 operating system. Through AppLocker we can restrict the programs that users can execute, based on the file hash, the program's path or its publisher. AppLocker configuration can be done via GPO.
Group Policy Object (GPO) — Through the use of GPO, it is possible to configure and manage various applications, operating systems and user settings in a centralized way in Active Directory.
AppLocker's default rules allow all files inside the Windows folder and the Program Files folder to be executed; without these rules the system would not work normally.
AppLocker Rule types
- Publisher
To use a publisher condition, files must be digitally signed by the software publisher. This does not allow users to use programs that are not digitally signed.
- Path
The path condition identifies an application from its location in the computer's file system. This condition prevents or allows the execution of applications based on their folder path.
- File Hash
File hash rules are the most recommended because they allow us to create a rule for different combinations of publisher, product name, file name and version.
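As an added example (not part of the original post), the following PowerShell uses the built-in AppLocker module to turn the three rule types above into working rules for one application folder, reports files that cannot get a publisher rule because they are unsigned, and checks a sample file against the policy currently in effect. The folder path and file name are placeholders you must replace.

```powershell
# Added example, not from the original post: build and check AppLocker rules
# for one application folder using the Publisher, Path and Hash rule types.
# Assumes the AppLocker module (Windows 10/11 or Server) and an elevated shell.
Import-Module AppLocker

$AppDir = 'C:\Program Files\ExampleApp'   # placeholder, replace with a real folder

# Collect publisher, path and hash information for every executable in the folder.
$files = Get-AppLockerFileInformation -Directory $AppDir -Recurse -FileType Exe

# Unsigned files cannot be covered by a publisher rule; report them so they
# are knowingly covered by a hash rule instead (hash rules break on every update).
$unsigned = $files | Where-Object { -not $_.Publisher }
$unsigned | ForEach-Object { Write-Warning "Unsigned, will get a hash rule: $($_.Path)" }

# Prefer publisher rules; the order of -RuleType is the fallback order,
# so files without a usable signature receive a hash rule.
$policy = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -RuleNamePrefix 'ExampleApp' -User Everyone -Optimize

# Show the generated rules and which rule type each file ended up with.
foreach ($collection in $policy.RuleCollections) {
    foreach ($rule in $collection) {
        '{0,-18} {1}' -f $rule.GetType().Name, $rule.Name
    }
}

# Check a sample file against the effective policy (local policy merged with
# GPO) for the current user; PolicyDecision shows Allowed or Denied and
# MatchingRule shows which rule made that decision.
$sample = Join-Path $AppDir 'example.exe'        # placeholder file name
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $sample -User $env:USERNAME |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

Review the generated policy before applying it with Set-AppLockerPolicy; a broad path rule generated for a folder that standard users can write to weakens the protection the rule types above are meant to provide.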
Based on what you have read above, you might conclude that using AppLocker will greatly increase security.
However, there are still many ways to bypass AppLocker, and I have explained one of them step by step in a video.
Proof of concept can be found below