microsoft / aaronlocker
Robust and practical application control for Windows
License: MIT License
I downloaded the latest master branch, but the scripts in there aren't signed, so I can't use the RemoteSigned execution policy. Is this intended, or is there a right way to get the signed scripts?
I know I can work around this via execution mode unrestricted but obviously that won't work in production. Thanks!
PS C:\aaronlocker\AaronLocker-master\AaronLocker\Support> Get-AuthenticodeSignature .\DownloadAccesschk.ps1

    Directory: C:\aaronlocker\AaronLocker-master\AaronLocker\Support

SignerCertificate    Status       Path
-----------------    ------       ----
                     NotSigned    DownloadAccesschk.ps1
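One way to get signed copies when the upstream archive ships unsigned scripts is to review them and sign them yourself with an internal code-signing certificate, so they run under RemoteSigned or AllSigned. The script below is an added example and not part of AaronLocker; it assumes a code-signing certificate is already present in Cert:\CurrentUser\My, that $RepoRoot points at the extracted source tree from the post, and uses an assumed timestamp server URL (any RFC 3161 server works).

```powershell
# Added example (not AaronLocker code): sign every .ps1/.psm1/.psd1 under the
# extracted repository that is unsigned or whose signature no longer matches.
# Assumptions: a code-signing cert exists in Cert:\CurrentUser\My; $RepoRoot is
# the extracted archive from the post; the timestamp server is an assumed value.
param(
    [string]$RepoRoot = 'C:\aaronlocker\AaronLocker-master',
    [string]$TimestampServer = 'http://timestamp.digicert.com'   # assumed; any RFC 3161 TSA
)

# Pick the first unexpired certificate that is valid for code signing.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Select-Object -First 1
if (-not $cert) { throw 'No valid code-signing certificate found in Cert:\CurrentUser\My' }

# Collect scripts whose signature status is anything other than Valid
# (NotSigned, HashMismatch after a local edit, UnknownError, ...).
$scripts = Get-ChildItem -Path $RepoRoot -Recurse -Include *.ps1, *.psm1, *.psd1 -File
$needsSigning = foreach ($s in $scripts) {
    $sig = Get-AuthenticodeSignature -FilePath $s.FullName
    if ($sig.Status -ne 'Valid') { $s }
}

# Sign with SHA-256 and a timestamp so the signature outlives the certificate.
foreach ($s in $needsSigning) {
    $result = Set-AuthenticodeSignature -FilePath $s.FullName -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $TimestampServer
    '{0,-14} {1}' -f $result.Status, $s.FullName
}

# Re-check: every script in the tree should now report Valid.
$stillBad = foreach ($s in $scripts) {
    $sig = Get-AuthenticodeSignature -FilePath $s.FullName
    if ($sig.Status -ne 'Valid') { $sig }
}
if ($stillBad) { $stillBad | Format-Table Status, Path -AutoSize }
else { 'All scripts carry a valid signature.' }
```

Two caveats for production use: signing attests that you reviewed the code, so diff the archive against the upstream tag before running this, and the signing certificate's chain must be trusted (and, for AllSigned, the certificate placed in Trusted Publishers) on every machine that will execute the scripts. RemoteSigned only rejects files carrying the Mark-of-the-Web from the download, so `Unblock-File` on the extracted tree is the lighter-weight alternative when you do not need a signature.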
Would be nice if AaronLocker could already make the split XML files for Intune (Appx, MSI, EXE, Scripts and DLL).
Anyway, thanks for the tool! Really like it.
Regards,
Menno
Hi,
Would it be possible for someone to look at creating a version of the AaronLocker Excel Spreadsheet in Microsoft Sentinel as a Workbook? Use the Sentinel workspace Defender 365 connector raw data feed as the data source.
Need to update the docx with additional configuration steps needed for Windows Event Collector. The default wsman permissions on the server often don't work:
https://support.microsoft.com/kb/4494462
Hi,
I have a question about the allow and deny WDAC rules.
The documentation states that:
The WDAC Allow and Deny policies can be deployed together or separately based on your specific enforcement requirements.
In my opinion, both types of policies should be deployed to get the maximum protection. Actually, MS has its own block rules. Those should definitely be honored.
That means that both policies get deployed to the devices as base policies.
According to the MS documentation, if there are multiple base policies:
If two base policies exist on a device, an application has to be allowed by both to run
The deny policy contains an "allow everything" rule (also see #28)
The allow-policy contains specific allow rules.
The combination of both will allow all applications to run that are allowed by the allow-policy (because the deny-policy allows all of them, too). And block all other applications because they are either not whitelisted by the allow-policy or denied by the deny policy.
Is that right?
Best regards
I've found an Excel macro which can pull VirusTotal malicious data into the Aaron workbook results, but it doesn't accept the hash from the workbook. I believe it's a Microsoft Authenticode hash and not a true SHA256 hash. However, if possible I'd like to check the unsigned files etc. for VirusTotal suspicious type etc.
I guess my major issue is, how do you check these AppLocker hash values against VirusTotal? Otherwise I have to pull the DLL or EXE and upload it manually, which I could do, but that runs the risk of spreading a suspicious file.
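The hash AppLocker records for a PE file is the SHA-256 Authenticode (PE image) hash, which skips the PE checksum field, the security directory entry and the attribute certificate table, so it never matches the flat SHA-256 that VirusTotal indexes; for non-PE files such as scripts, AppLocker hashes the file flat and the two values agree. The script below is an added example, not part of AaronLocker or the workbook macro, and assumes a local file path plus the built-in AppLocker PowerShell module; it computes both values so the flat hash can be looked up on VirusTotal without uploading the file.

```powershell
# Added example (not AaronLocker code): compare AppLocker's hash for a file
# with the flat SHA-256 that VirusTotal keys on, and emit a lookup URL that
# needs no upload. Assumption: $Path is a local file; AppLocker module present.
param([string]$Path = "$env:windir\System32\msiexec.exe")

# Flat SHA-256 of every byte in the file: this is what VirusTotal indexes.
$flat = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

# AppLocker's view of the same file. For PE files the Hash column is the
# Authenticode image hash ("SHA256 0x..."), which excludes the checksum field,
# the security directory entry and the embedded signature blob.
$info = Get-AppLockerFileInformation -Path $Path
$appLockerHash = ([string]$info.Hash) -replace '^.*0x', ''

# Cheap PE check: "MZ" magic at offset 0. Non-PE files hash flat in AppLocker,
# so for those the two values should be identical.
$magic = [System.IO.File]::ReadAllBytes($Path)[0..1]
$isPe  = ($magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)

[pscustomobject]@{
    Path             = $Path
    IsPE             = $isPe
    Publisher        = [string]$info.Publisher
    AppLockerHash    = $appLockerHash
    FlatSha256       = $flat
    HashesMatch      = ($appLockerHash -eq $flat)   # expected: $false for PE, $true otherwise
    VirusTotalLookup = "https://www.virustotal.com/gui/file/$flat"
}
```

For the workbook, the practical route is to add a flat-SHA-256 column computed this way for the files you want to check and feed that, not the AppLocker hash, to the macro; a hash lookup discloses only the hash, whereas an upload discloses the file itself.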
When adding paths to CustomizationInputs/GetSafePathsToAllow.ps1 such as:
### Windows Defender put their binaries in ProgramData for a while. Comment this back out when they move it back.
"%OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\*";
"C:\Test1\*";
"D:\Test2\*";
The output AppLocker policy creates 3 FilePathRules for D:\Test2\*
<FilePathRule Id="f57ec424-b91a-4304-8593-9cc076cb1432" Name="Additional allowed path: D:\Test2\*" Description="Allows Everyone to execute from D:\Test2\*" UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions>
    <FilePathCondition Path="D:\Test2\*" />
  </Conditions>
</FilePathRule>
<FilePathRule Id="7a3a4a26-b067-4adb-8cb0-fa5dbacdec09" Name="Additional allowed path: D:\Test2\*" Description="Allows Everyone to execute from D:\Test2\*" UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions>
    <FilePathCondition Path="D:\Test2\*" />
  </Conditions>
</FilePathRule>
<FilePathRule Id="7d5afda0-1373-4358-8505-f9946c350d95" Name="Additional allowed path: D:\Test2\*" Description="Allows Everyone to execute from D:\Test2\*" UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions>
    <FilePathCondition Path="D:\Test2\*" />
  </Conditions>
</FilePathRule>
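Duplicate rules like the three above are harmless to enforcement (AppLocker evaluates them identically) but they bloat the policy and hide real drift between builds. The script below is an added example, not part of AaronLocker, that reports rules which are identical apart from their Id, Name and Description, and optionally writes a de-duplicated copy. It assumes the input is an AppLocker policy XML of the shape shown in the post (as produced by Create-Policies.ps1 or `Get-AppLockerPolicy -Xml`).

```powershell
# Added example (not AaronLocker code): detect duplicate AppLocker rules and
# optionally write a policy with the duplicates removed. Two rules count as
# duplicates when they are in the same RuleCollection and share rule type,
# Action, UserOrGroupSid, conditions and exceptions (Id/Name/Description ignored).
# Assumption: $PolicyPath is an AppLocker policy XML like the one in the post.
param(
    [Parameter(Mandatory)][string]$PolicyPath,
    [string]$OutPath   # optional: where to write the de-duplicated policy
)

[xml]$policy = Get-Content -LiteralPath $PolicyPath -Raw

# Serialise one condition/exception element (attributes sorted, plus the
# BinaryVersionRange child that publisher conditions carry) into a stable string.
function ConvertTo-ConditionKey([System.Xml.XmlElement]$c) {
    $attrs = ($c.Attributes | Sort-Object Name | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ';'
    $range = $c.BinaryVersionRange
    if ($range) { $attrs += ";Low=$($range.LowSection);High=$($range.HighSection)" }
    "$($c.LocalName)[${attrs}]"
}

# Everything that determines a rule's effect, excluding its identity fields.
function Get-RuleKey([System.Xml.XmlElement]$rule, [string]$collection) {
    $conds = foreach ($c in $rule.Conditions.ChildNodes) { ConvertTo-ConditionKey $c }
    $excs  = foreach ($c in $rule.Exceptions.ChildNodes) { ConvertTo-ConditionKey $c }
    '{0}|{1}|{2}|{3}|{4}|{5}' -f $collection, $rule.LocalName, $rule.Action,
        $rule.UserOrGroupSid, ($conds -join ','), ($excs -join ',')
}

$seen  = @{}
$dupes = New-Object System.Collections.Generic.List[object]
foreach ($coll in $policy.AppLockerPolicy.RuleCollection) {
    # Snapshot the child list so removing nodes during iteration is safe.
    $rules = @($coll.ChildNodes | Where-Object { $_ -is [System.Xml.XmlElement] })
    foreach ($rule in $rules) {
        $key = Get-RuleKey $rule $coll.Type
        if ($seen.ContainsKey($key)) {
            $dupes.Add([pscustomobject]@{
                Collection  = $coll.Type
                Id          = $rule.Id
                Name        = $rule.Name
                DuplicateOf = $seen[$key]
            })
            if ($OutPath) { [void]$coll.RemoveChild($rule) }
        } else {
            $seen[$key] = $rule.Id
        }
    }
}

if ($dupes.Count -eq 0) { 'No duplicate rules found.' } else { $dupes | Format-Table -AutoSize }
if ($OutPath) {
    # XmlDocument.Save uses the .NET working directory, so resolve the path first.
    $full = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutPath)
    $policy.Save($full)
    "Wrote de-duplicated policy to $full"
}
```

Run it against the policy from the post with `.\Find-DuplicateRules.ps1 -PolicyPath .\AppLockerRules-Enforce.xml` (file names assumed) and the two later D:\Test2\* rules are reported as duplicates of the first; rules that differ only in SID or Action are deliberately kept, since those are not duplicates.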
Hello.
I use Windows 10 (LTSB) and if I generate reports I see "??" instead of groups
<dir name="C:\Windows\Tasks">
<Grantee>NT AUTHORITY\????????? ????????</Grantee>
</dir>
<dir name="C:\Windows\Temp">
<Grantee>BUILTIN\????????????</Grantee>
</dir>
There are important files that Microsoft projects should all have that are not present in this repository. A pull request has been opened to add the missing file(s). When the PR is merged this issue will be closed automatically.
Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.
First off: Great Tool. Thank you.
EDIT: I know RTFM.
WDAC is supported on Windows Server 2016 and later.
However the Create-Policies script does not generate WDAC policies and reports the following:
AaronLocker supports WDAC on Windows 10 version 1903 (build 18362) and greater. Current build is 17763. Processing AppLocker only.
After I disabled the check in Create-Policies.ps1, the script reports errors on the Set-CIPolicyIdInfo command because on Windows Server 2019 this cmdlet does not have a -ResetPolicyID parameter.
Just reviewing the documentation and the section unusual EXE/DLL combinations talks about using code integrity rules but has this comment "[[[ Working on this; not ready to release yet. ]]]".
Do you have support for this yet?
Hi,
I may be missing something important, but can't we directly use Scan-Directories.ps1 to factorise parent folders which are not user-writable into all sub-folders?
In this particular case it's better to add C:\Apps* in GetSafePathsToAllow.ps1 instead of adding all sub-folders that contain binaries, even if C:\Apps\ doesn't have any binaries.
Because for the moment, we need to use Support\Enum-WritableDirs.ps1 to verify if the NonDefaultDir is totally safe.
Many thanks.
Will there be an update to the suite of tools to include PS scripts for Get-WDACEvents.ps1 and Save-WEFEvents.ps1, the same as there are for AppLocker, as most people will be looking to go the WDAC route with MS recommendations moving forward?
I'm playing around with AppLocker for a while now.
AaronLocker makes my life easy.
Normally, EXEs and DLLs in UnSafePath are restricted to a specific AD group. As the number of generated rules can be massive (for example Oracle installed in C:\Oracle), and manually reviewing all related rules is very boring... if there were an option to specify a custom AD group SID for them it would be great.
Something like:
@{
    label = "Oracle";
    paths = "C:\Oracle";
    customUserorGroupSid = "S-1-5-21-4163178468-2177354522-4168272174-26602"
}
The other option is using static rules, but it is painful to keep them updated...
Thanks,
David
I'm trying to prevent regular users from launching msiexec.exe, but when I edit "C:\AaronLocker\CustomizationInputs\GetExeFilesToDenyList.ps1"
as shown below
# Files used by ransomware
"$env:windir\System32\cipher.exe"
"$env:windir\System32\msiexec.exe"
And then re-ran PS C:\AaronLocker> .\Create-Policies.ps1
The resulting .xml rules don't include the new exception.
[----- Publisher exceptions -----]
CIPHER.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® WINDOWS® OPERATING SYSTEM
INSTALLUTIL.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® .NET FRAMEWORK
MICROSOFT.WORKFLOW.COMPILER.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® .NET FRAMEWORK
MSBUILD.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® .NET FRAMEWORK
MSHTA.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; INTERNET EXPLORER
PRESENTATIONHOST.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® WINDOWS® OPERATING SYSTEM
REGASM.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® .NET FRAMEWORK
REGSVCS.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® .NET FRAMEWORK
RUNAS.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® WINDOWS® OPERATING SYSTEM
WMIC.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® WINDOWS® OPERATING SYSTEM
Please advise.
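Whatever the cause of the missing entry, the check that settles it is to evaluate the generated XML against the binaries you expect to be blocked, for a standard user and for an administrator, with the built-in `Test-AppLockerPolicy` cmdlet. The script below is an added example, not part of AaronLocker; it assumes the policy XML written by Create-Policies.ps1 as input, and the target list mirrors the two entries from the post's GetExeFilesToDenyList.ps1 snippet.

```powershell
# Added example (not AaronLocker code): evaluate an AppLocker policy XML for the
# deny-listed executables and flag any that a standard user could still run.
# Assumptions: $PolicyPath is the Create-Policies.ps1 output; the target list
# matches the post's GetExeFilesToDenyList.ps1 entries.
param([Parameter(Mandatory)][string]$PolicyPath)

$targets = @(
    "$env:windir\System32\cipher.exe",
    "$env:windir\System32\msiexec.exe"
) | Where-Object { Test-Path -LiteralPath $_ }

# Evaluate as Everyone (what a standard user gets) and as local Administrators.
$principals = [ordered]@{ 'Everyone' = 'S-1-1-0'; 'Administrators' = 'S-1-5-32-544' }

$results = foreach ($who in $principals.Keys) {
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $targets -User $principals[$who] |
        ForEach-Object {
            [pscustomobject]@{
                Principal    = $who
                File         = Split-Path $_.FilePath -Leaf
                Decision     = $_.PolicyDecision      # Allowed, AllowedByDefault, Denied, DeniedByDefault
                MatchingRule = $_.MatchingRule
            }
        }
}
$results | Format-Table -AutoSize

# AaronLocker expresses the deny list as publisher exceptions on the Windows
# allow rule, so a correctly excluded file shows DeniedByDefault, not Denied.
# Anything Everyone can still run is a gap in the generated policy.
$gaps = $results | Where-Object { $_.Principal -eq 'Everyone' -and $_.Decision -notlike 'Denied*' }
if ($gaps) {
    Write-Warning ('Still runnable by Everyone: ' + (($gaps.File | Sort-Object -Unique) -join ', '))
} else {
    'All deny-listed targets are blocked for standard users.'
}
```

Note that `Test-AppLockerPolicy -XmlPolicy` evaluates only the XML you hand it; on a domain-joined machine the effective policy is the merge of all applied GPOs, so repeat the check with `Get-AppLockerPolicy -Effective -Xml` once the policy is deployed.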
Just getting started with using this - thanks for providing a very interesting project.
I see that it has produced a warning for our AD logon scripts as expected for \\DOMAIN\netlogon\*, but I'm seeing an audit warning for trying to exec a login script from a particular AD server. Something like \\SERVER\NETLOGON\USER.BAT with SERVER being a short (non-FQDN) name. Is that a configuration setting somewhere? The scriptPath setting in LDAP is simply USER.bat.