Share via


"AaronLocker" update (v0.91) -- and see "AaronLocker" in action on Channel 9!

"AaronLocker" is a robust, practical, PowerShell-based application whitelisting solution for Windows. See it in action in this new Defrag Tools episode on Channel 9!

[Update 28 January 2019: content moved to GitHub ]

This update to the original 0.9 release includes these improvements:

  • Documentation updates, particularly in the area of Group Policy control;
  • Blocks execution from writable alternate data streams on user-writable directories under the Windows and Program Files directories;
  • Blocks older versions of Sysinternals BgInfo.exe that were not AppLocker-aware and allowed execution of unapproved VBScript files (N.B., release of an AppLocker-aware BgInfo.exe is imminent -- subscribe to the Sysinternals blog for notifications);
  • Improvements to the information retrieved from event logs, including an additional date/time column that Excel can filter on, a file extension column that can help track files with non-standard extensions, and a label for when an event is associated with the built-in local administrator account;
  • Additional info in the event workbook's Summary tab, and a new "Users and event counts" tab;
  • Performance improvements in Generate-EventWorkbook.ps1;
  • PowerShell v2 DLLs blocked with explicit deny rules instead of exceptions;
  • Minor bug fixes.

I still intend to put it on GitHub but haven't gotten to it yet. In the meantime, I want to get the update out, so you can download the updated AaronLocker here from GitHub . (I also need to create new sample event content, but don't want to hold this up any longer.)

Brief description of "AaronLocker" repeated from original post:

AaronLocker is designed to make the creation and maintenance of robust, strict, AppLocker-based whitelisting rules as easy and practical as possible. The entire solution involves a small number of PowerShell scripts. You can easily customize rules for your specific requirements with simple text-file edits. AaronLocker includes scripts that document AppLocker policies and capture event data into Excel workbooks that facilitate analysis and policy maintenance.

AaronLocker is designed to restrict program and script execution by non-administrative users. Note that AaronLocker does not try to stop administrative users from running anything they want – and AppLocker cannot meaningfully restrict administrative actions anyway. A determined user with administrative rights can easily bypass AppLocker rules.

AaronLocker’s strategy can be summed up as: if a non-admin could have put a program or script onto the computer – i.e., it is in a user-writable directory – don’t allow it to execute unless it has already been specifically allowed by an administrator. This will stop execution if a user is tricked into downloading malware, if an exploitable vulnerability in a program the user is running tries to put malware on the computer, or if a user intentionally tries to download and run unauthorized programs.

AaronLocker works on all supported versions of Windows that can provide AppLocker.

A personal note: the name “AaronLocker” was Chris (@appcompatguy) Jackson’s idea – not mine – and I resisted it for a long time. I finally gave in because I couldn’t come up with a better name.

The zip file contains full documentation, all the scripts, and sample outputs.

By the way, I'd also like to point out that AaronLocker addresses many of the AppLocker bypasses that various sites have published.

Comments

  • Anonymous
    November 18, 2018
    The comment has been removed
  • Anonymous
    January 04, 2019
    "AppLocker cannot meaningfully restrict administrative actions anyway. A determined user with administrative rights can easily bypass AppLocker rules."is this still true in latest windows 10? I heard other wise. (service can't be disabled and regkey doesn't work anymore)[Aaron Margosis] Yes, still true in Windows 10.