Hot Take Applocker on Windows Home.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@Andy Ful

Blocking hh.exe to start other sponsors should minimize the options to misuse hh.exe as lolbin (or is that a wrong assumption?). Could this also be achieved by adding MD Exploit protection for hh.exe (e.g; only allow signed Microsoft DLL's and Block starting other programs).
The LOLBin hh.exe is a default utility to open CHM files that can include scripts. The cons are that some applications use CHM for a help file - that is why it is not active in my script. The classic SRP has the advantage over Applocker (and WDAC) of selectively blocking CHM files in UserSpace.
MD Exploit Protection can block hh.exe, too. But, this block will not work after copying hh.exe to another location and renaming it.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
In my previous posts, I proposed the Applocker settings similar to Smart App Control (but more usable).
Anyway, there exists even more usable setup for Microsoft Defender and Avast. Both AVs can be tweaked for very strong EXE protection. In Microsoft Defender, one can enable the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria". Avast can be tweaked to use Hardened Mode. Also, the recently improved SmartScreen for Explorer can prevent most attacks via EXE files (including EXE embedded in archives and disk images).

The idea is simple. Allow in Applocker all EXE files everywhere, except some blocked LOLBins. The protection for MSI, DLL, and packaged apps can still rely on signed files. Scripts are mostly blocked in UserSpace. This protection for MSI, DLL, and Script file types can nicely cover some holes in the protection of Avast and Microsoft Defender.

Now, most applications can be installed and used without turning off the Applocker protection. One can expect some blocks from the AV, especially for unsigned niche programs. This setup can be applied on the computers of casual users, but the occasional help from the advanced user will be still required.

Code:
<#
.SYNOPSIS

    This function creates new AppLocker settings using MDM WMI Bridge.
    All previous rules will be deleted.

    **  EXE - all EXE allowed everywhere except LOLBins (blocked as Administrator too)
    **  DLL and MSI - blocked in some user folders (Documents, Favorites, Music, Pictures, Videos).
    The settings include the below block rules:
        <FilePathCondition Path="%OSDRIVE%\Users\*\Documents\*"/>
        <FilePathCondition Path="%OSDRIVE%\Users\*\Favorites\*"/>
        <FilePathCondition Path="%OSDRIVE%\Users\*\Music\*"/>
        <FilePathCondition Path="%OSDRIVE%\Users\*\Pictures\*"/>
        <FilePathCondition Path="%OSDRIVE%\Users\*\Videos\*"/>
    The paths must be corrected if one or more user folders are redirected to OneDrive
    or another location.
    **  DLL rules block also Administrators. Allow and Deny rules for DLL:
    Allow all files located in the Program Files folder
    Allow all files located in the Windows folder (with some exceptions for blocked writable folders)
    Allow all signed files located in UserSpace (with some exceptions for blocked folders; can be
          edited by the user)
    Allow some paths for unsigned files located in UserSpace (can be edited by the user)
    ** MSI rules do not block Administrators. Allow rules:
    Allow all files in the folder %systemdrive%\Windows\Installer
    Allow all signed files everywhere (with some exceptions in Windows folder and UserSpace)
    ** Script rules do not block Administrators. Allow rules:
    Allow all files located in the Program Files folder
    Allow all files located in the Windows folder (with some exceptions for blocked writable folders)
    ** StoreApps rule blocks also Administrators. Allow rule:
    Allow all signed files everywhere (with some exceptions in Windows folder and UserSpace)

--------------------------------------------------------------------------------------------------
 
    The script uses some fake rules that are inactive. The fake path rules are:

    A:\DLL_FakeWhitelistedPath\*
    A:\DLL_FakeBlockedPath\*
    A:\MSI_FakeBlockedPath\*

    These rules have got the unused drive letter (A:), so they are always inactive, except when
    the fake path is replaced by the real folder/file path.
    Fake whitelisting rules require unique GUIDs.
 
        The fake publisher block rule for LOLBins will be active after replacing the fake ProductName
    with the asterisk, for example:
    ProductName="HomeApplocker:POWERSHELL.EXE" ----> ProductName="*"
    Similar fake rules are for powershell_ise.exe, and  HH.exe .
    The fake publisher block rule requires a unique GUID and the correct publisher info.

---------------------------------------------------------------------------------------------------
How to install applications.

Most of the EXE installers (signed or not) can be installed and used with enabled protection.
The signed MSI installers can be installed and used with enabled protection.
Some applications can still refuse to work properly after the installation if they try
to run some unsigned DLL libraries in UserSpace. This should be checked via Windows Event Log
(Applocker IDs: 8007, 8004).
---------------------------------------------------------------------------------------------------

.CREDITS
    These scripts are based on the script for EXE files made by Sandy Zeng (Sandy Tsang).
    https://github.com/sandytsang/MSIntune/tree/master/Intune-PowerShell/AppLocker
#>

# Deleting all previous policies
$namespaceName = "root\cimv2\mdm\dmmap" #Do not change this
$GroupName = "AppLocker001" #Your own groupName
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"

$classNameDLL = "MDM_AppLocker_DLL03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Filter "ParentID=`'$parentID`' and InstanceID='DLL'"  | Remove-CimInstance

$classNameEXE = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Filter "ParentID=`'$parentID`' and InstanceID='EXE'"  | Remove-CimInstance

$classNameMSI = "MDM_AppLocker_MSI03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Filter "ParentID=`'$parentID`' and InstanceID='MSI'"  | Remove-CimInstance

$classNameScript = "MDM_AppLocker_Script03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameScript -Filter "ParentID=`'$parentID`' and InstanceID='Script'"  | Remove-CimInstance

$classNameStoreApps = "MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03"
Get-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Filter "ParentID=`'$parentID`' and InstanceID='Storeapps'"  | Remove-CimInstance

Add-Type -AssemblyName System.Web


#This is example Rule Collection for EXE (*.exe, *.com)
$obj = [System.Net.WebUtility]::HtmlEncode(@"
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="9cff703a-6dbd-48f5-8ce3-94f8228b6ac4" Name="Allow all files everywhere" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
     <Conditions>
       <FilePathCondition Path="*"/>
     </Conditions>
   </FilePathRule>
#   Publisher block rules for LOLBins
#   ***********************
    <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96000" Name="POWERSHELL.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="HomeApplocker:POWERSHELL.EXE" BinaryName="POWERSHELL.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96001" Name="POWERSHELL_ISE.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="HomeApplocker:POWERSHELL_ISE.EXE" BinaryName="POWERSHELL_ISE.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
     <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96003" Name="RUNAS.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="RUNAS.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96004" Name="CIPHER.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="CIPHER.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96005" Name="MSBUILD.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MSBUILD.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96006" Name="InstallUtil.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="InstallUtil.exe">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96007" Name="REGSVCS.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="REGSVCS.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96008" Name="WMIC.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="WMIC.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96009" Name="PRESENTATIONHOST.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="PRESENTATIONHOST.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600a" Name="JSC.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="JSC.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600b" Name="MSHTA.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MSHTA.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600c" Name="MICROSOFT.WORKFLOW.COMPILER.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MICROSOFT.WORKFLOW.COMPILER.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600d" Name="HH.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="HomeApplocker:HH.EXE" BinaryName="HH.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Property @{ParentID=$parentID;InstanceID="EXE";Policy=$obj}


#This is example Rule Collection for MSI (*.msi, *.msp, *.mst)
$obj = [System.Net.WebUtility]::HtmlEncode(@"
  <RuleCollection Type="Msi" EnforcementMode="Enabled">
    <FilePublisherRule Id="b7af7102-efde-4369-8a89-7a6a392d1473" Name="Allow all signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
      <Exceptions>
#       Writable folders
        <FilePathCondition Path="%WINDIR%\debug\wia\*" />
        <FilePathCondition Path="%WINDIR%\registration\crmlog\*" />
        <FilePathCondition Path="%SYSTEM32%\com\dmp\*" />
        <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" />
        <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" />
        <FilePathCondition Path="%SYSTEM32%\fxstmp\*" />
        <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" />
        <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" />
        <FilePathCondition Path="%SYSTEM32%\spool\printers\*" />
        <FilePathCondition Path="%SYSTEM32%\spool\servers\*" />
        <FilePathCondition Path="%SYSTEM32%\tasks\*" />
        <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" />
        <FilePathCondition Path="%WINDIR%\tasks\*" />
        <FilePathCondition Path="%WINDIR%\temp\*" />
        <FilePathCondition Path="%WINDIR%\tracing\*" />
#      Custom Block path rules in UserSpace for MSI (signed and unsigned)
#      *****************************************************************
        <FilePathCondition Path="%OSDRIVE%\Users\*\Documents\*"/>
        <FilePathCondition Path="%OSDRIVE%\Users\*\Favorites\*"/>
        <FilePathCondition Path="%OSDRIVE%\Users\*\Music\*"/>
        <FilePathCondition Path="%OSDRIVE%\Users\*\Pictures\*"/>
        <FilePathCondition Path="%OSDRIVE%\Users\*\Videos\*"/>
#       Fake paths that can be edited by the user (replace A:\MSI_FakeBlockedPath with a real path)::
        <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
        <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
        <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
        <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
        <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
        <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
        <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
        <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
        <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
        <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
#    End of Block path rules in UserSpace for MSI.
      </Exceptions>
    </FilePublisherRule>
    <FilePathRule Id="5b290184-345a-4453-b184-45305f6d9a54" Name="Allow files in the folder %systemdrive%\Windows\Installer." Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\Installer\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="64ad46ff-0d71-4fa0-a30b-3f3d30c5433d" Name="Allow for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Property @{ParentID=$parentID;InstanceID="MSI";Policy=$obj}


#This is example Rule Collection for scripts (*.bat, *.cmd, *.vbe, *.vbs, *.jse, *js, *.wsf, *.wsh)
$obj = [System.Net.WebUtility]::HtmlEncode(@"
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="Allow scripts in Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="Allow scripts in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
     <Exceptions>
#       Writable folders
        <FilePathCondition Path="%WINDIR%\debug\wia\*" />
        <FilePathCondition Path="%WINDIR%\registration\crmlog\*" />
        <FilePathCondition Path="%SYSTEM32%\com\dmp\*" />
        <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" />
        <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" />
        <FilePathCondition Path="%SYSTEM32%\fxstmp\*" />
        <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" />
        <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" />
        <FilePathCondition Path="%SYSTEM32%\spool\printers\*" />
        <FilePathCondition Path="%SYSTEM32%\spool\servers\*" />
        <FilePathCondition Path="%SYSTEM32%\tasks\*" />
        <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" />
        <FilePathCondition Path="%WINDIR%\tasks\*" />
        <FilePathCondition Path="%WINDIR%\temp\*" />
        <FilePathCondition Path="%WINDIR%\tracing\*" />
     </Exceptions>
    </FilePathRule>
    <FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="Allow for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameScript -Property @{ParentID=$parentID;InstanceID="Script";Policy=$obj}


#This is example Rule Collection for DLL (*.cpl, *.dll, *.ocx, *.rll)
$obj = [System.Net.WebUtility]::HtmlEncode(@"
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
    <FilePathRule Id="bac4b0bf-6f1b-40e8-8627-8545fa89c8b6" Name="Allow DLLs in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
     <Exceptions>
#       Writable folders
        <FilePathCondition Path="%WINDIR%\debug\wia\*" />
        <FilePathCondition Path="%WINDIR%\registration\crmlog\*" />
        <FilePathCondition Path="%SYSTEM32%\com\dmp\*" />
        <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" />
        <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" />
        <FilePathCondition Path="%SYSTEM32%\fxstmp\*" />
        <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" />
        <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" />
        <FilePathCondition Path="%SYSTEM32%\spool\printers\*" />
        <FilePathCondition Path="%SYSTEM32%\spool\servers\*" />
        <FilePathCondition Path="%SYSTEM32%\tasks\*" />
        <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" />
        <FilePathCondition Path="%WINDIR%\tasks\*" />
        <FilePathCondition Path="%WINDIR%\temp\*" />
        <FilePathCondition Path="%WINDIR%\tracing\*" />
     </Exceptions>
    </FilePathRule>
    <FilePathRule Id="3737732c-99b7-41d4-9037-9cddfb0de0d0" Name="Allow DLLs in Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
#   Global Allow rule in UserSpace for signed DLL
    <FilePublisherRule Id="1f0d0ec5-8523-4aa0-976a-ad2d2c21eed7" Name="Allow all Signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
     <Exceptions>
#       Writable folders
        <FilePathCondition Path="%WINDIR%\debug\wia\*" />
        <FilePathCondition Path="%WINDIR%\registration\crmlog\*" />
        <FilePathCondition Path="%SYSTEM32%\com\dmp\*" />
        <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" />
        <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" />
        <FilePathCondition Path="%SYSTEM32%\fxstmp\*" />
        <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" />
        <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" />
        <FilePathCondition Path="%SYSTEM32%\spool\printers\*" />
        <FilePathCondition Path="%SYSTEM32%\spool\servers\*" />
        <FilePathCondition Path="%SYSTEM32%\tasks\*" />
        <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" />
        <FilePathCondition Path="%WINDIR%\tasks\*" />
        <FilePathCondition Path="%WINDIR%\temp\*" />
        <FilePathCondition Path="%WINDIR%\tracing\*" />
#      Custom Block path rules in UserSpace for DLL (signed and unsigned)
#      *****************************************************************
        <FilePathCondition Path="%OSDRIVE%\Users\*\Documents\*"/>
        <FilePathCondition Path="%OSDRIVE%\Users\*\Favorites\*"/>
        <FilePathCondition Path="%OSDRIVE%\Users\*\Music\*"/>
        <FilePathCondition Path="%OSDRIVE%\Users\*\Pictures\*"/>
        <FilePathCondition Path="%OSDRIVE%\Users\*\Videos\*"/>
#       Fake paths that can be edited by the user (replace A:\DLL_FakeBlockedPath with a real path)::
        <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
        <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
        <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
        <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
        <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
        <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
        <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
        <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
        <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
        <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
#    End of Block path rules in UserSpace for DLL.
      </Exceptions>
    </FilePublisherRule>
#   Custom Allow path rules in UserSpace for DLL (replace A:\DLL_FakeWhitelistedPath , by the real path)
#   ***************************************************************************************************
   <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6001" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
     <Conditions>
       <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
     </Conditions>
   </FilePathRule>
   <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6002" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
     <Conditions>
       <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
     </Conditions>
   </FilePathRule>
   <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6003" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
     <Conditions>
       <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
     </Conditions>
   </FilePathRule>
   <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6004" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
     <Conditions>
       <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
     </Conditions>
   </FilePathRule>
   <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6005" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
     <Conditions>
       <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
     </Conditions>
   </FilePathRule>
   <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6006" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
     <Conditions>
       <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
     </Conditions>
   </FilePathRule>
   <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6007" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
     <Conditions>
       <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
     </Conditions>
   </FilePathRule>
   <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6008" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
     <Conditions>
       <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
     </Conditions>
   </FilePathRule>
   <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6009" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
     <Conditions>
       <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
     </Conditions>
   </FilePathRule>
   <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b600a" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
     <Conditions>
       <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
     </Conditions>
   </FilePathRule>
#   End of whitelisting path rules for DLL
  </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Property @{ParentID=$parentID;InstanceID="DLL";Policy=$obj}

# Rule required to prevent blocking packaged apps when rules for EXE are enforced.
$obj = [System.Net.WebUtility]::HtmlEncode(@"
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="All signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Property @{ParentID=$parentID;InstanceID="Storeapps";Policy=$obj}

Write-Host "The script has finished the work. The console can be closed or it will be closed automatically after 5 minutes."
start-sleep 300

Warning!!!
I strongly recommend making a System Restore Point before applying the Applocker rules.

Post updated.
 
Last edited:
F

ForgottenSeer 97327

@Andy Ful Thanks

Do you use the New-Guid powershell cmdlet to generate GUIDs?

1669506814475.png
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@Andy Ful Thanks

Do you use the New-Guid powershell cmdlet to generate GUIDs?
No, it is not necessary - GUIDs should be unique (different rules should have different GUIDs). From the practical viewpoint, one has to decide whether to consequently apply random GUIDs or custom GUIDs. In HomeApplocker and my other applications (H_C, SWH, FH), I use custom GUIDs.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I added additional fake rules in the configuration script:
A:\DLL_FakeWhitelistedPath\*
A:\DLL_FakeBlockedPath\*
A:\MSI_FakeBlockedPath\*

These rules had got the unused drive letter A: , so they are always inactive, except when the fake path is replaced by the real folder/file path. Fake whitelisting rules require unique GUIDs. Fake blocked rules are added via exceptions (new GUID is not required).
I think that for casual users, one can add block DLL rules for users' folders like Downloads, Desktop, Documents, and maybe also for USB drives. This will not block the application installers.

In my real system, I use also a block rule to block the command prompt, but I had to remove it in my post because Malware Tips rejects posts that include cmd[.]exe . :)

Post updated.
 
Last edited:
F

ForgottenSeer 97327

@Andy Ful

What kind to add exception folders, I can use this for the unsigned DLL's of the photo book application. I will take away write access to that folder for users (keep the full access rights for admins). When that photo book program updates it requires admin elevation although it installs in user space. The program itself is signed,

I will add deny execute for Downloads folder and shared user, I probably won't block Poweshell with your Applocker scripts. I use ConfigureDeefender on MAX. I trust the ASR for malicious scripts plus signed scripts requirement, will keep my wife's laptop safe, I might add Powershell block after a few months, for now it feels like jumping without a second safety parachute.

Thanks for all your efforts
 
F

ForgottenSeer 97327

@tsunami

The block all is enforced on folders where NO application should ever place DLL's in (only malicious appstore would store something there), so NO

The ge.ne.ric requirement to allow only signed DLL's could block portable apps.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Will this block signed/unsigned dlls from portable apps breaking the app?
If you would like to keep portable apps in the blocked user folders (Favorites, Music, Pictures, Videos, etc.), then the apps will be blocked. If you will keep the portable apps in other UserSpace folders then some of them will work well and some not, depending on what DLLs are used. So, simply whitelist one folder for portable apps or keep them in the Program Files folder (whitelisted by default).
The same can be done for the folder with games. Most games use some unsigned DLLs.
 

eonline

Level 21
Verified
Well-known
Nov 15, 2017
1,064
In my real system, I use also a block rule to block the command prompt, but I had to remove it in my post because Malware Tips rejects posts that include cmd[.]exe
How would the rule be? because I am trying and I don't get cmd block.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
How would the rule be? because I am trying and I don't get cmd block.
There is no rule for cmd[.]exe - I had to remove it from my post due to Malware Tips restrictions. The posts that use the name of the CMD executable (as a part of the code ) are rejected for security reasons.
You can use the fake rule for HH.EXE:

Code:
    <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600d" Name="HH.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="HomeApplocker:HH.EXE" BinaryName="HH.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>


After editing the above rule, the rule for cmd[.]exe should look as follows (skip the brackets [ ] in the Name and BinaryName of CMD executable):
Code:
    <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600d" Name="CMD[.]EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="CMD[.]EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>

Warning!!!
I strongly recommend making a System Restore Point before applying the Applocker rules.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I get this error when I run the script.
View attachment 270999
You have made a mistake (probably in EXE section) and Windows rejected the policies for EXE. Look carefully at the last rule in the EXE section (line 198). You can also post the content of the script here or make a PM. I may look into it.
 

eonline

Level 21
Verified
Well-known
Nov 15, 2017
1,064
Thank you very much as always.
<# .SYNOPSIS This function creates new AppLocker settings using MDM WMI Bridge. All previous rules will be deleted. ** EXE - all EXE allowed everywhere except LOLBins (blocked as Administrator too) ** DLL and MSI - blocked in some user folders (Documents, Favorites, Music, Pictures, Videos). The settings include the below block rules: <FilePathCondition Path="%OSDRIVE%\Users\*\Documents\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Favorites\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Music\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Pictures\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Videos\*"/> The paths must be corrected if one or more user folders are redirected to OneDrive or another location. ** DLL rules block also Administrators. Allow and Deny rules for DLL: Allow all files located in the Program Files folder Allow all files located in the Windows folder (with some exceptions for blocked writable folders) Allow all signed files located in UserSpace (with some exceptions for blocked folders; can be edited by the user) Allow some paths for unsigned files located in UserSpace (can be edited by the user) ** MSI rules do not block Administrators. Allow rules: Allow all files in the folder %systemdrive%\Windows\Installer Allow all signed files everywhere (with some exceptions in Windows folder and UserSpace) ** Script rules do not block Administrators. Allow rules: Allow all files located in the Program Files folder Allow all files located in the Windows folder (with some exceptions for blocked writable folders) ** StoreApps rule blocks also Administrators. Allow rule: Allow all signed files everywhere (with some exceptions in Windows folder and UserSpace) -------------------------------------------------------------------------------------------------- The script uses some fake rules that are inactive. The fake path rules are: A:\DLL_FakeWhitelistedPath\* A:\DLL_FakeBlockedPath\* A:\MSI_FakeBlockedPath\* These rules have got the unused drive letter (A:), so they are always inactive, except when the fake path is replaced by the real folder/file path. Fake whitelisting rules require unique GUIDs. The fake publisher block rule for LOLBins will be active after replacing the fake ProductName with the asterisk, for example: ProductName="HomeApplocker:POWERSHELL.EXE" ----> ProductName="*" Similar fake rules are for powershell_ise.exe, and HH.exe . The fake publisher block rule requires a unique GUID and the correct publisher info. --------------------------------------------------------------------------------------------------- How to install applications. Most of the EXE installers (signed or not) can be installed and used with enabled protection. The signed MSI installers can be installed and used with enabled protection. Some applications can still refuse to work properly after the installation if they try to run some unsigned DLL libraries in UserSpace. This should be checked via Windows Event Log (Applocker IDs: 8007, 8004). --------------------------------------------------------------------------------------------------- .CREDITS These scripts are based on the script for EXE files made by Sandy Zeng (Sandy Tsang). https://github.com/sandytsang/MSIntune/tree/master/Intune-PowerShell/AppLocker #> # Deleting all previous policies $namespaceName = "root\cimv2\mdm\dmmap" #Do not change this $GroupName = "AppLocker001" #Your own groupName $parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName" $classNameDLL = "MDM_AppLocker_DLL03" #Do not change this Get-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Filter "ParentID=`'$parentID`' and InstanceID='DLL'" | Remove-CimInstance $classNameEXE = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03" #Do not change this Get-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Filter "ParentID=`'$parentID`' and InstanceID='EXE'" | Remove-CimInstance $classNameMSI = "MDM_AppLocker_MSI03" #Do not change this Get-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Filter "ParentID=`'$parentID`' and InstanceID='MSI'" | Remove-CimInstance $classNameScript = "MDM_AppLocker_Script03" #Do not change this Get-CimInstance -Namespace $namespaceName -ClassName $classNameScript -Filter "ParentID=`'$parentID`' and InstanceID='Script'" | Remove-CimInstance $classNameStoreApps = "MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03" Get-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Filter "ParentID=`'$parentID`' and InstanceID='Storeapps'" | Remove-CimInstance Add-Type -AssemblyName System.Web #This is example Rule Collection for EXE (*.exe, *.com) $obj = [System.Net.WebUtility]::HtmlEncode(@" <RuleCollection Type="Exe" EnforcementMode="Enabled"> <FilePathRule Id="9cff703a-6dbd-48f5-8ce3-94f8228b6ac4" Name="Allow all files everywhere" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="*"/> </Conditions> </FilePathRule> # Publisher block rules for LOLBins # *********************** <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600d" Name="CMD[.]EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="CMD[.]EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96000" Name="POWERSHELL.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="HomeApplocker:POWERSHELL.EXE" BinaryName="POWERSHELL.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96001" Name="POWERSHELL_ISE.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="HomeApplocker:POWERSHELL_ISE.EXE" BinaryName="POWERSHELL_ISE.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96003" Name="RUNAS.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="RUNAS.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96004" Name="CIPHER.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="CIPHER.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96005" Name="MSBUILD.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MSBUILD.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96006" Name="InstallUtil.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="InstallUtil.exe"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96007" Name="REGSVCS.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="REGSVCS.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96008" Name="WMIC.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="WMIC.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96009" Name="PRESENTATIONHOST.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="PRESENTATIONHOST.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600a" Name="JSC.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="JSC.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600b" Name="MSHTA.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MSHTA.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600c" Name="MICROSOFT.WORKFLOW.COMPILER.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MICROSOFT.WORKFLOW.COMPILER.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600d" Name="HH.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="HomeApplocker:HH.EXE" BinaryName="HH.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> </RuleCollection> "@) New-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Property @{ParentID=$parentID;InstanceID="EXE";Policy=$obj} #This is example Rule Collection for MSI (*.msi, *.msp, *.mst) $obj = [System.Net.WebUtility]::HtmlEncode(@" <RuleCollection Type="Msi" EnforcementMode="Enabled"> <FilePublisherRule Id="b7af7102-efde-4369-8a89-7a6a392d1473" Name="Allow all signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> </FilePublisherCondition> </Conditions> <Exceptions> # Writable folders <FilePathCondition Path="%WINDIR%\debug\wia\*" /> <FilePathCondition Path="%WINDIR%\registration\crmlog\*" /> <FilePathCondition Path="%SYSTEM32%\com\dmp\*" /> <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" /> <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" /> <FilePathCondition Path="%SYSTEM32%\fxstmp\*" /> <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" /> <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" /> <FilePathCondition Path="%SYSTEM32%\spool\printers\*" /> <FilePathCondition Path="%SYSTEM32%\spool\servers\*" /> <FilePathCondition Path="%SYSTEM32%\tasks\*" /> <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" /> <FilePathCondition Path="%WINDIR%\tasks\*" /> <FilePathCondition Path="%WINDIR%\temp\*" /> <FilePathCondition Path="%WINDIR%\tracing\*" /> # Custom Block path rules in UserSpace for MSI (signed and unsigned) # ***************************************************************** <FilePathCondition Path="%OSDRIVE%\Users\*\Documents\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Favorites\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Music\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Pictures\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Videos\*"/> # Fake paths that can be edited by the user (replace A:\MSI_FakeBlockedPath with a real path):: <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> # End of Block path rules in UserSpace for MSI. </Exceptions> </FilePublisherRule> <FilePathRule Id="5b290184-345a-4453-b184-45305f6d9a54" Name="Allow files in the folder %systemdrive%\Windows\Installer." Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%WINDIR%\Installer\*" /> </Conditions> </FilePathRule> <FilePathRule Id="64ad46ff-0d71-4fa0-a30b-3f3d30c5433d" Name="Allow for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow"> <Conditions> <FilePathCondition Path="*" /> </Conditions> </FilePathRule> </RuleCollection> "@) New-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Property @{ParentID=$parentID;InstanceID="MSI";Policy=$obj} #This is example Rule Collection for scripts (*.bat, *.cmd, *.vbe, *.vbs, *.jse, *js, *.wsf, *.wsh) $obj = [System.Net.WebUtility]::HtmlEncode(@" <RuleCollection Type="Script" EnforcementMode="Enabled"> <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="Allow scripts in Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%PROGRAMFILES%\*" /> </Conditions> </FilePathRule> <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="Allow scripts in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%WINDIR%\*" /> </Conditions> <Exceptions> # Writable folders <FilePathCondition Path="%WINDIR%\debug\wia\*" /> <FilePathCondition Path="%WINDIR%\registration\crmlog\*" /> <FilePathCondition Path="%SYSTEM32%\com\dmp\*" /> <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" /> <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" /> <FilePathCondition Path="%SYSTEM32%\fxstmp\*" /> <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" /> <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" /> <FilePathCondition Path="%SYSTEM32%\spool\printers\*" /> <FilePathCondition Path="%SYSTEM32%\spool\servers\*" /> <FilePathCondition Path="%SYSTEM32%\tasks\*" /> <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" /> <FilePathCondition Path="%WINDIR%\tasks\*" /> <FilePathCondition Path="%WINDIR%\temp\*" /> <FilePathCondition Path="%WINDIR%\tracing\*" /> </Exceptions> </FilePathRule> <FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="Allow for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow"> <Conditions> <FilePathCondition Path="*" /> </Conditions> </FilePathRule> </RuleCollection> "@) New-CimInstance -Namespace $namespaceName -ClassName $classNameScript -Property @{ParentID=$parentID;InstanceID="Script";Policy=$obj} #This is example Rule Collection for DLL (*.cpl, *.dll, *.ocx, *.rll) $obj = [System.Net.WebUtility]::HtmlEncode(@" <RuleCollection Type="Dll" EnforcementMode="Enabled"> <FilePathRule Id="bac4b0bf-6f1b-40e8-8627-8545fa89c8b6" Name="Allow DLLs in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%WINDIR%\*" /> </Conditions> <Exceptions> # Writable folders <FilePathCondition Path="%WINDIR%\debug\wia\*" /> <FilePathCondition Path="%WINDIR%\registration\crmlog\*" /> <FilePathCondition Path="%SYSTEM32%\com\dmp\*" /> <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" /> <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" /> <FilePathCondition Path="%SYSTEM32%\fxstmp\*" /> <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" /> <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" /> <FilePathCondition Path="%SYSTEM32%\spool\printers\*" /> <FilePathCondition Path="%SYSTEM32%\spool\servers\*" /> <FilePathCondition Path="%SYSTEM32%\tasks\*" /> <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" /> <FilePathCondition Path="%WINDIR%\tasks\*" /> <FilePathCondition Path="%WINDIR%\temp\*" /> <FilePathCondition Path="%WINDIR%\tracing\*" /> </Exceptions> </FilePathRule> <FilePathRule Id="3737732c-99b7-41d4-9037-9cddfb0de0d0" Name="Allow DLLs in Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%PROGRAMFILES%\*" /> </Conditions> </FilePathRule> # Global Allow rule in UserSpace for signed DLL <FilePublisherRule Id="1f0d0ec5-8523-4aa0-976a-ad2d2c21eed7" Name="Allow all Signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> <Exceptions> # Writable folders <FilePathCondition Path="%WINDIR%\debug\wia\*" /> <FilePathCondition Path="%WINDIR%\registration\crmlog\*" /> <FilePathCondition Path="%SYSTEM32%\com\dmp\*" /> <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" /> <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" /> <FilePathCondition Path="%SYSTEM32%\fxstmp\*" /> <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" /> <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" /> <FilePathCondition Path="%SYSTEM32%\spool\printers\*" /> <FilePathCondition Path="%SYSTEM32%\spool\servers\*" /> <FilePathCondition Path="%SYSTEM32%\tasks\*" /> <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" /> <FilePathCondition Path="%WINDIR%\tasks\*" /> <FilePathCondition Path="%WINDIR%\temp\*" /> <FilePathCondition Path="%WINDIR%\tracing\*" /> # Custom Block path rules in UserSpace for DLL (signed and unsigned) # ***************************************************************** <FilePathCondition Path="%OSDRIVE%\Users\*\Documents\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Favorites\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Music\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Pictures\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Videos\*"/> # Fake paths that can be edited by the user (replace A:\DLL_FakeBlockedPath with a real path):: <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> # End of Block path rules in UserSpace for DLL. </Exceptions> </FilePublisherRule> # Custom Allow path rules in UserSpace for DLL (replace A:\DLL_FakeWhitelistedPath , by the real path) # *************************************************************************************************** <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6001" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="E:\"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6002" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6003" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6004" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6005" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6006" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6007" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6008" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6009" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b600a" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> # End of whitelisting path rules for DLL </RuleCollection> "@) New-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Property @{ParentID=$parentID;InstanceID="DLL";Policy=$obj} # Rule required to prevent blocking packaged apps when rules for EXE are enforced. $obj = [System.Net.WebUtility]::HtmlEncode(@" <RuleCollection Type="Appx" EnforcementMode="Enabled"> <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="All signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> </RuleCollection> "@) New-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Property @{ParentID=$parentID;InstanceID="Storeapps";Policy=$obj} Write-Host "The script has finished the work. The console can be closed or it will be closed automatically after 5 minutes." start-sleep 300
 

eonline

Level 21
Verified
Well-known
Nov 15, 2017
1,064
Thank you very much as always.
<# .SYNOPSIS This function creates new AppLocker settings using MDM WMI Bridge. All previous rules will be deleted. ** EXE - all EXE allowed everywhere except LOLBins (blocked as Administrator too) ** DLL and MSI - blocked in some user folders (Documents, Favorites, Music, Pictures, Videos). The settings include the below block rules: <FilePathCondition Path="%OSDRIVE%\Users\*\Documents\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Favorites\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Music\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Pictures\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Videos\*"/> The paths must be corrected if one or more user folders are redirected to OneDrive or another location. ** DLL rules block also Administrators. Allow and Deny rules for DLL: Allow all files located in the Program Files folder Allow all files located in the Windows folder (with some exceptions for blocked writable folders) Allow all signed files located in UserSpace (with some exceptions for blocked folders; can be edited by the user) Allow some paths for unsigned files located in UserSpace (can be edited by the user) ** MSI rules do not block Administrators. Allow rules: Allow all files in the folder %systemdrive%\Windows\Installer Allow all signed files everywhere (with some exceptions in Windows folder and UserSpace) ** Script rules do not block Administrators. Allow rules: Allow all files located in the Program Files folder Allow all files located in the Windows folder (with some exceptions for blocked writable folders) ** StoreApps rule blocks also Administrators. Allow rule: Allow all signed files everywhere (with some exceptions in Windows folder and UserSpace) -------------------------------------------------------------------------------------------------- The script uses some fake rules that are inactive. The fake path rules are: A:\DLL_FakeWhitelistedPath\* A:\DLL_FakeBlockedPath\* A:\MSI_FakeBlockedPath\* These rules have got the unused drive letter (A:), so they are always inactive, except when the fake path is replaced by the real folder/file path. Fake whitelisting rules require unique GUIDs. The fake publisher block rule for LOLBins will be active after replacing the fake ProductName with the asterisk, for example: ProductName="HomeApplocker:POWERSHELL.EXE" ----> ProductName="*" Similar fake rules are for powershell_ise.exe, and HH.exe . The fake publisher block rule requires a unique GUID and the correct publisher info. --------------------------------------------------------------------------------------------------- How to install applications. Most of the EXE installers (signed or not) can be installed and used with enabled protection. The signed MSI installers can be installed and used with enabled protection. Some applications can still refuse to work properly after the installation if they try to run some unsigned DLL libraries in UserSpace. This should be checked via Windows Event Log (Applocker IDs: 8007, 8004). --------------------------------------------------------------------------------------------------- .CREDITS These scripts are based on the script for EXE files made by Sandy Zeng (Sandy Tsang). https://github.com/sandytsang/MSIntune/tree/master/Intune-PowerShell/AppLocker #> # Deleting all previous policies $namespaceName = "root\cimv2\mdm\dmmap" #Do not change this $GroupName = "AppLocker001" #Your own groupName $parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName" $classNameDLL = "MDM_AppLocker_DLL03" #Do not change this Get-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Filter "ParentID=`'$parentID`' and InstanceID='DLL'" | Remove-CimInstance $classNameEXE = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03" #Do not change this Get-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Filter "ParentID=`'$parentID`' and InstanceID='EXE'" | Remove-CimInstance $classNameMSI = "MDM_AppLocker_MSI03" #Do not change this Get-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Filter "ParentID=`'$parentID`' and InstanceID='MSI'" | Remove-CimInstance $classNameScript = "MDM_AppLocker_Script03" #Do not change this Get-CimInstance -Namespace $namespaceName -ClassName $classNameScript -Filter "ParentID=`'$parentID`' and InstanceID='Script'" | Remove-CimInstance $classNameStoreApps = "MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03" Get-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Filter "ParentID=`'$parentID`' and InstanceID='Storeapps'" | Remove-CimInstance Add-Type -AssemblyName System.Web #This is example Rule Collection for EXE (*.exe, *.com) $obj = [System.Net.WebUtility]::HtmlEncode(@" <RuleCollection Type="Exe" EnforcementMode="Enabled"> <FilePathRule Id="9cff703a-6dbd-48f5-8ce3-94f8228b6ac4" Name="Allow all files everywhere" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="*"/> </Conditions> </FilePathRule> # Publisher block rules for LOLBins # *********************** <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600d" Name="CMD[.]EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="CMD[.]EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96000" Name="POWERSHELL.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="HomeApplocker:POWERSHELL.EXE" BinaryName="POWERSHELL.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96001" Name="POWERSHELL_ISE.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="HomeApplocker:POWERSHELL_ISE.EXE" BinaryName="POWERSHELL_ISE.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96003" Name="RUNAS.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="RUNAS.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96004" Name="CIPHER.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="CIPHER.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96005" Name="MSBUILD.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MSBUILD.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96006" Name="InstallUtil.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="InstallUtil.exe"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96007" Name="REGSVCS.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="REGSVCS.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96008" Name="WMIC.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="WMIC.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96009" Name="PRESENTATIONHOST.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="PRESENTATIONHOST.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600a" Name="JSC.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="JSC.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600b" Name="MSHTA.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MSHTA.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600c" Name="MICROSOFT.WORKFLOW.COMPILER.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MICROSOFT.WORKFLOW.COMPILER.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600d" Name="HH.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="HomeApplocker:HH.EXE" BinaryName="HH.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> </RuleCollection> "@) New-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Property @{ParentID=$parentID;InstanceID="EXE";Policy=$obj} #This is example Rule Collection for MSI (*.msi, *.msp, *.mst) $obj = [System.Net.WebUtility]::HtmlEncode(@" <RuleCollection Type="Msi" EnforcementMode="Enabled"> <FilePublisherRule Id="b7af7102-efde-4369-8a89-7a6a392d1473" Name="Allow all signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> </FilePublisherCondition> </Conditions> <Exceptions> # Writable folders <FilePathCondition Path="%WINDIR%\debug\wia\*" /> <FilePathCondition Path="%WINDIR%\registration\crmlog\*" /> <FilePathCondition Path="%SYSTEM32%\com\dmp\*" /> <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" /> <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" /> <FilePathCondition Path="%SYSTEM32%\fxstmp\*" /> <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" /> <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" /> <FilePathCondition Path="%SYSTEM32%\spool\printers\*" /> <FilePathCondition Path="%SYSTEM32%\spool\servers\*" /> <FilePathCondition Path="%SYSTEM32%\tasks\*" /> <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" /> <FilePathCondition Path="%WINDIR%\tasks\*" /> <FilePathCondition Path="%WINDIR%\temp\*" /> <FilePathCondition Path="%WINDIR%\tracing\*" /> # Custom Block path rules in UserSpace for MSI (signed and unsigned) # ***************************************************************** <FilePathCondition Path="%OSDRIVE%\Users\*\Documents\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Favorites\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Music\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Pictures\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Videos\*"/> # Fake paths that can be edited by the user (replace A:\MSI_FakeBlockedPath with a real path):: <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> # End of Block path rules in UserSpace for MSI. </Exceptions> </FilePublisherRule> <FilePathRule Id="5b290184-345a-4453-b184-45305f6d9a54" Name="Allow files in the folder %systemdrive%\Windows\Installer." Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%WINDIR%\Installer\*" /> </Conditions> </FilePathRule> <FilePathRule Id="64ad46ff-0d71-4fa0-a30b-3f3d30c5433d" Name="Allow for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow"> <Conditions> <FilePathCondition Path="*" /> </Conditions> </FilePathRule> </RuleCollection> "@) New-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Property @{ParentID=$parentID;InstanceID="MSI";Policy=$obj} #This is example Rule Collection for scripts (*.bat, *.cmd, *.vbe, *.vbs, *.jse, *js, *.wsf, *.wsh) $obj = [System.Net.WebUtility]::HtmlEncode(@" <RuleCollection Type="Script" EnforcementMode="Enabled"> <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="Allow scripts in Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%PROGRAMFILES%\*" /> </Conditions> </FilePathRule> <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="Allow scripts in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%WINDIR%\*" /> </Conditions> <Exceptions> # Writable folders <FilePathCondition Path="%WINDIR%\debug\wia\*" /> <FilePathCondition Path="%WINDIR%\registration\crmlog\*" /> <FilePathCondition Path="%SYSTEM32%\com\dmp\*" /> <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" /> <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" /> <FilePathCondition Path="%SYSTEM32%\fxstmp\*" /> <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" /> <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" /> <FilePathCondition Path="%SYSTEM32%\spool\printers\*" /> <FilePathCondition Path="%SYSTEM32%\spool\servers\*" /> <FilePathCondition Path="%SYSTEM32%\tasks\*" /> <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" /> <FilePathCondition Path="%WINDIR%\tasks\*" /> <FilePathCondition Path="%WINDIR%\temp\*" /> <FilePathCondition Path="%WINDIR%\tracing\*" /> </Exceptions> </FilePathRule> <FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="Allow for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow"> <Conditions> <FilePathCondition Path="*" /> </Conditions> </FilePathRule> </RuleCollection> "@) New-CimInstance -Namespace $namespaceName -ClassName $classNameScript -Property @{ParentID=$parentID;InstanceID="Script";Policy=$obj} #This is example Rule Collection for DLL (*.cpl, *.dll, *.ocx, *.rll) $obj = [System.Net.WebUtility]::HtmlEncode(@" <RuleCollection Type="Dll" EnforcementMode="Enabled"> <FilePathRule Id="bac4b0bf-6f1b-40e8-8627-8545fa89c8b6" Name="Allow DLLs in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%WINDIR%\*" /> </Conditions> <Exceptions> # Writable folders <FilePathCondition Path="%WINDIR%\debug\wia\*" /> <FilePathCondition Path="%WINDIR%\registration\crmlog\*" /> <FilePathCondition Path="%SYSTEM32%\com\dmp\*" /> <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" /> <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" /> <FilePathCondition Path="%SYSTEM32%\fxstmp\*" /> <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" /> <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" /> <FilePathCondition Path="%SYSTEM32%\spool\printers\*" /> <FilePathCondition Path="%SYSTEM32%\spool\servers\*" /> <FilePathCondition Path="%SYSTEM32%\tasks\*" /> <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" /> <FilePathCondition Path="%WINDIR%\tasks\*" /> <FilePathCondition Path="%WINDIR%\temp\*" /> <FilePathCondition Path="%WINDIR%\tracing\*" /> </Exceptions> </FilePathRule> <FilePathRule Id="3737732c-99b7-41d4-9037-9cddfb0de0d0" Name="Allow DLLs in Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%PROGRAMFILES%\*" /> </Conditions> </FilePathRule> # Global Allow rule in UserSpace for signed DLL <FilePublisherRule Id="1f0d0ec5-8523-4aa0-976a-ad2d2c21eed7" Name="Allow all Signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> <Exceptions> # Writable folders <FilePathCondition Path="%WINDIR%\debug\wia\*" /> <FilePathCondition Path="%WINDIR%\registration\crmlog\*" /> <FilePathCondition Path="%SYSTEM32%\com\dmp\*" /> <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" /> <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" /> <FilePathCondition Path="%SYSTEM32%\fxstmp\*" /> <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" /> <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" /> <FilePathCondition Path="%SYSTEM32%\spool\printers\*" /> <FilePathCondition Path="%SYSTEM32%\spool\servers\*" /> <FilePathCondition Path="%SYSTEM32%\tasks\*" /> <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" /> <FilePathCondition Path="%WINDIR%\tasks\*" /> <FilePathCondition Path="%WINDIR%\temp\*" /> <FilePathCondition Path="%WINDIR%\tracing\*" /> # Custom Block path rules in UserSpace for DLL (signed and unsigned) # ***************************************************************** <FilePathCondition Path="%OSDRIVE%\Users\*\Documents\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Favorites\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Music\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Pictures\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Videos\*"/> # Fake paths that can be edited by the user (replace A:\DLL_FakeBlockedPath with a real path):: <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> # End of Block path rules in UserSpace for DLL. </Exceptions> </FilePublisherRule> # Custom Allow path rules in UserSpace for DLL (replace A:\DLL_FakeWhitelistedPath , by the real path) # *************************************************************************************************** <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6001" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="E:\"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6002" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6003" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6004" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6005" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6006" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6007" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6008" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6009" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b600a" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> # End of whitelisting path rules for DLL </RuleCollection> "@) New-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Property @{ParentID=$parentID;InstanceID="DLL";Policy=$obj} # Rule required to prevent blocking packaged apps when rules for EXE are enforced. $obj = [System.Net.WebUtility]::HtmlEncode(@" <RuleCollection Type="Appx" EnforcementMode="Enabled"> <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="All signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> </RuleCollection> "@) New-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Property @{ParentID=$parentID;InstanceID="Storeapps";Policy=$obj} Write-Host "The script has finished the work. The console can be closed or it will be closed automatically after 5 minutes." start-sleep 300
what is wrong with the script? @Andy Ful
applockertest.jpg
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
what is wrong with the script? @Andy Ful
View attachment 271031

The rules you have added are incorrect.
  1. In the EXE section, the Command prompt executable has got brackets. I assume that you did it due to Malware Tips restrictions and you remember that in CMD[.]EXE the [ ] brackets must be omitted.
  2. In the rules for CMD[.]EXE and HH.EXE you use the same GUIDs. So you have to change one of these GUIDs. For example in the rule for CMD[.]EXE :
    f493e22c-63a9-4811-ab94-c5d8a8a9600d -----> f493e22c-63a9-4811-ab94-c5d8a8a96002
    I checked and the changed GUID will be unique in your script.
  3. In the DLL section you have forgotten to add the asterisk in the path:
    <FilePathCondition Path="E:\"/> should be <FilePathCondition Path="E:\*"/>
Be safe. :)
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top