One of the Default Rules in AppLocker allows everyone to execute everything in the folder C:\Windows:
The reasoning behind this must have been that a non-admin Windows user should not have write permission anywhere in that folder. As it turns out, that is not the case.
I wrote a PowerShell script that tries to copy an executable into every folder under C:\Windows and, if the copy succeeds, tries to execute it. At the end it lists the folders that are at risk for AppLocker bypass and must be managed accordingly, preferably by adding exceptions to the default Allow rule or by adding a Deny rule that covers these folders. I would not recommend messing with the NTFS permissions on folders in C:\Windows (or wherever your %systemroot% is located).
I chose mstsc.exe as the executable (it is short for Microsoft Terminal Services Client) since it is small, built in and can run multiple instances. During the test you will see instances of it showing up:
Do not close them manually, as they are enumerated by the script at the end. They will be closed automatically by the script.
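The following is an added example of the approach described above, not the script from the original post. It walks every folder under %SystemRoot%, copies mstsc.exe into each one, starts the copy where the write succeeded, and reports the folders where both steps worked. The function name Test-WindowsFolderBypass, the probe file name applocker-probe.exe and the output fields are my own choices. Run it as a standard (non-admin) user on a machine where AppLocker is enforcing.

```powershell
# Added example, not the original post's script. Assumed names: Test-WindowsFolderBypass,
# $ProbeSource, $ProbeName and the Folder/Writable/Executed output fields.
# Run as a non-admin user with AppLocker in enforce mode.

$ProbeSource = Join-Path $env:SystemRoot 'System32\mstsc.exe'   # small, built-in, multi-instance
$ProbeName   = 'applocker-probe.exe'                            # assumed name for the copied probe

function Test-WindowsFolderBypass {
    param(
        [string]$Root   = $env:SystemRoot,
        [string]$Source = $ProbeSource,
        [string]$Name   = $ProbeName
    )

    # Include the root itself and hidden/system subfolders (-Force). Folders we cannot
    # even list are skipped; we could not copy into them anyway.
    $folders = @(Get-Item -LiteralPath $Root -Force) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    $results = New-Object System.Collections.Generic.List[object]
    $started = New-Object System.Collections.Generic.List[System.Diagnostics.Process]

    foreach ($dir in $folders) {
        $target = Join-Path $dir.FullName $Name

        # Step 1: can this user write here? Copy-Item throws (UnauthorizedAccess) if not.
        try {
            Copy-Item -LiteralPath $Source -Destination $target -ErrorAction Stop
        } catch {
            continue
        }

        # Step 2: does AppLocker let the copy run? A blocked file makes Start-Process
        # report "This program is blocked by group policy"; -ErrorAction Stop turns that
        # into a catchable exception.
        $executed = $false
        try {
            $proc = Start-Process -FilePath $target -PassThru -ErrorAction Stop
            $started.Add($proc)
            $executed = $true
        } catch {
            # Writable but blocked: nothing holds the file open, so remove it right away.
            Remove-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
        }

        $results.Add([pscustomobject]@{
            Folder   = $dir.FullName
            Writable = $true
            Executed = $executed
        })
    }

    # Tear-down: Windows will not delete a running image, so stop every probe
    # process first and only then remove the copies that executed.
    foreach ($proc in $started) {
        Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
    }
    Start-Sleep -Seconds 2
    foreach ($r in ($results | Where-Object Executed)) {
        Remove-Item -LiteralPath (Join-Path $r.Folder $Name) -Force -ErrorAction SilentlyContinue
    }

    return $results
}

$report = @(Test-WindowsFolderBypass)
$atRisk = @($report | Where-Object Executed)
Write-Host ("{0} folders under {1} are writable by this user, {2} of them also let the copy execute:" -f $report.Count, $env:SystemRoot, $atRisk.Count)
$atRisk | Select-Object -ExpandProperty Folder
```

Save it as, for instance, Test-WindowsFolderBypass.ps1 (an assumed file name) and start it with `powershell.exe -ExecutionPolicy Bypass -File .\Test-WindowsFolderBypass.ps1` if your Execution Policy gets in the way. Two caveats: the copied mstsc.exe still carries Microsoft's signature, so if your policy also contains a publisher rule that allows Microsoft-signed binaries, every writable folder will show as executable regardless of the path rule; use an unsigned test binary if you want to isolate the effect of the %WINDIR% path rule. And if you would rather not start processes at all, `Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path <copied file> -User Everyone` evaluates the policy decision for a file without running it, although it does not exercise the enforcement path the way an actual launch does.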
Remember to run the script as a standard (non-admin) user. Admins have another Default Rule that lets them run anything anywhere. And if you wanted to bypass AppLocker as an admin (in case the default Admin Rule was removed) you could simply stop the "Application Identity" service (AppIDSvc) that AppLocker relies on to function.
You might have an Execution Policy that prevents you from running the script. In that case you have (at least) two simple options:
- Open the script in Windows PowerShell ISE (by right-clicking the script and choosing Edit), select the entire script with Ctrl+A and then press F8 to run the selected code.
- Run Powershell with the option “-ExecutionPolicy Bypass”:
This is also a good reminder that Execution Policy is NOT a security feature; it is meant to prevent the accidental execution of scripts, nothing more. Here are 13 additional ways to bypass it: https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
I did notice that I got these warnings when bypassing Execution Policy (but not when changing the Execution Policy to RemoteSigned). Just ignore them as well:
At the end you should see something like this (in this case it was run on a Windows 10 build 10565):
Download the script here:
Don't forget that you might need to validate all the Program Files subfolders in the same way if you keep the Default Rule that allows everyone to run everything under %PROGRAMFILES%.
Standard Disclaimer: I am NOT a coder. I am not responsible for what this script does. Do a code audit of the script if you run it in a sensitive environment.
Please leave any feedback you have as a comment to this post.