Policy Enumeration

Get current applied policy

Get-AppLockerPolicy -Effective -Xml

AppLocker's purpose is to restrict which applications and scripts are allowed to run on a machine. The restrictions are defined through a set of policies, which are pushed via GPO.

AppLocker will also change the PowerShell Language Mode from FullLanguage to ConstrainedLanguage, which prevents Add-Type with arbitrary C# as well as New-Object on types that are not specifically permitted.

The policy can be read from two places: directly from the GPO, or from the local registry of a machine the policy is applied to.

Default policy location (Registry.pol files):

\\DC.company.local\SYSVOL\company.local\Policies

From GPO

Find and download GPO

powershell Get-DomainGPO -Domain dev-studio.com | ? { $_.DisplayName -like "*AppLocker*" } | select displayname, gpcfilesyspath

AppLocker   \\dev-studio.com\SysVol\dev-studio.com\Policies\{7E1E1636-1A59-4C35-895B-3AEB1CA8CFC2}
download \\dev-studio.com\SysVol\dev-studio.com\Policies\{7E1E1636-1A59-4C35-895B-3AEB1CA8CFC2}\Machine\Registry.pol

Parse .pol file

Parse-PolFile Registry.pol

KeyName     : Software\Policies\Microsoft\Windows\SrpV2\Exe\a61c8b2c-a319-4cd0-9690-d2177cad7b51
ValueName   : Value
ValueType   : REG_SZ
ValueLength : 700
ValueData   : <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the
              Windows folder" Description="Allows members of the Everyone group to run applications that are located
              in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition
              Path="%WINDIR%\*"/></Conditions></FilePathRule>

This rule allows everybody (the Everyone group, SID S-1-1-0) to run executables located anywhere within the Windows directory.
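The rule above is one of many in a policy. The following added example (not code from the original notes) walks every RuleCollection in AppLocker policy XML, in the shape returned by Get-AppLockerPolicy -Effective -Xml, and lists each rule alongside a flag for wildcard Allow rules scoped to Everyone, which are the ones a defender should review for user-writable subdirectories. Get-AppLockerRuleSummary is a hypothetical helper name and the sample policy is constructed.

```powershell
# Added example (not part of the original notes). Get-AppLockerRuleSummary is a hypothetical name.
function Get-AppLockerRuleSummary {
    param([Parameter(Mandatory)][string]$PolicyXml)

    [xml]$policy = $PolicyXml
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        # Only rule elements; skip text nodes and RuleCollectionExtensions
        foreach ($rule in @($collection.ChildNodes | Where-Object { $_.LocalName -like '*Rule' })) {
            $condition = switch ($rule.LocalName) {
                'FilePathRule'      { $rule.Conditions.FilePathCondition.Path }
                'FilePublisherRule' { $rule.Conditions.FilePublisherCondition.PublisherName }
                'FileHashRule'      { @($rule.Conditions.FileHashCondition.FileHash).Count.ToString() + ' hash(es)' }
            }
            # Allow + Everyone (S-1-1-0) + path ending in "\*": review every writable folder under it
            $wildcardAllow = $rule.LocalName -eq 'FilePathRule' -and
                             $rule.Action -eq 'Allow' -and
                             $rule.UserOrGroupSid -eq 'S-1-1-0' -and
                             [string]$condition -match '\\\*$'
            [pscustomobject]@{
                Collection          = $collection.Type
                Enforcement         = $collection.EnforcementMode
                RuleType            = $rule.LocalName
                Name                = $rule.Name
                Action              = $rule.Action
                Sid                 = $rule.UserOrGroupSid
                Condition           = $condition
                ReviewWildcardAllow = $wildcardAllow
            }
        }
    }
}

# Constructed sample in the same shape as Get-AppLockerPolicy -Effective -Xml output
$sample = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="Signed by example publisher" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePublisherCondition PublisherName="O=EXAMPLE CORP, L=ANYTOWN, S=STATE, C=US" ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*"/></FilePublisherCondition></Conditions>
    </FilePublisherRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly"/>
</AppLockerPolicy>
'@

Get-AppLockerRuleSummary -PolicyXml $sample | Format-Table -AutoSize
# On a live host: Get-AppLockerRuleSummary -PolicyXml (Get-AppLockerPolicy -Effective -Xml)
```

The same function accepts the XML fragments that Parse-PolFile returns in ValueData once they are wrapped in the AppLockerPolicy/RuleCollection elements shown in the sample.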

From registry

Net tools

Do you have a domain-joined system? Net tools are the easiest way to enumerate:
