Home
Microsoft AppLocker is an application control feature built into Windows that helps administrators control which applications and files users can run. This includes executable files, scripts, Windows Installer files, DLLs, and packaged app installers. By using AppLocker, organizations can:
- Prevent unlicensed software from running
- Restrict users to approved software only
- Help mitigate malware and other unwanted software
This project contains a host of prebuilt scripts to start an AppLocker deployment that can be immediately used to import a default policy or to start a policy for further customization.
For the past several years, Living Off the Land techniques have seen increasing use by threat actors. These techniques rely on binaries, scripts, and libraries that ship with Windows or are commonly installed on Windows systems, which lets threat actors operate very stealthily in those environments. LOLBAS threats can be partially mitigated using AppLocker or other application control solutions. To that end, the security community has created and maintains a repository of well-known LOLBAS, called the LOLBAS Project, to help defenders and admins stay aware of them and develop application control policies that address them. Microsoft has additionally published a list of binaries that it recommends blocking because they are frequently abused. The default policies within this repository have been updated with explicit deny rules for the respective LOLBAS and Microsoft recommendations, but administrators should still evaluate their own networks for legitimate usage of LOLBAS and adjust the AppLocker policies accordingly.
Importing the starter policy file will automatically enable the DLL rule collection and configure it for auditing. Refer to Enabling the DLL Rule Collection.
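As an added example (not one of this project's own scripts), the PowerShell below walks through the import-and-verify workflow described above: it reads a starter policy file, reports each rule collection's enforcement mode and how many explicit deny rules it carries, confirms the DLL collection is set to audit only before importing, and then pulls recent AppLocker audit events. The path `.\StarterPolicy.xml` is a placeholder assumption, and the session is assumed to be elevated.

```powershell
# Added example, not part of this repository. Assumes the starter policy was
# saved as .\StarterPolicy.xml (placeholder path) and that this runs in an
# elevated PowerShell session on the machine being configured.
$PolicyPath = '.\StarterPolicy.xml'

# AppLocker policies are XML: one <RuleCollection Type="Exe|Dll|Script|Msi|Appx"
# EnforcementMode="NotConfigured|AuditOnly|Enabled"> element per collection.
[xml]$policy = Get-Content -Path $PolicyPath -Raw

foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    # Explicit deny rules (e.g. the LOLBAS blocks) carry Action="Deny".
    $denyRules = @($collection.ChildNodes | Where-Object { $_.Action -eq 'Deny' })
    '{0,-7} mode={1,-14} deny rules={2}' -f $collection.Type,
        $collection.EnforcementMode, $denyRules.Count
}

# The starter policy is expected to ship the DLL collection in audit mode;
# refuse to import if the file says otherwise, so a DLL collection is never
# silently pushed to Enabled before its audit events have been reviewed.
$dll = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Dll' }
if (-not $dll -or $dll.EnforcementMode -ne 'AuditOnly') {
    throw 'Expected the Dll collection to be AuditOnly; refusing to import.'
}

# Enforcement and audit logging both require the Application Identity service.
if ((Get-Service -Name AppIDSvc).Status -ne 'Running') {
    Start-Service -Name AppIDSvc
}

# Import into the local AppLocker configuration. This replaces the existing
# local policy; add -Merge to combine with it instead.
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# Audit-mode hits for EXEs and DLLs are logged as event 8003 ("would have
# been prevented"); 8004 is a hard block once the collection is enforced.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003, 8004
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Review the 8003 events over a representative period before switching the DLL collection to Enabled, since any DLL a legitimate application loads that is not covered by an allow rule will be blocked at that point.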
- Starter Rules - This section details the rules that are present within the starter policy.
- Enabling the DLL Rule Collection - Instructions for manually enabling the DLL rule collection.
- Guidelines for creating and modifying AppLocker rules to suit your organization's needs.