What is this changing
Notes
NotesSome other stuff
test
Notes
NotesSome other stuff
  • Mixing...
  • General
    • Transferring Files
      • Serving Your Files
      • Transferring Files To Linux
      • Transferring Files To Windows
    • File Types
      • .vhd
    • Password Cracking
      • Hashcat
        • Wordlists
        • Wordlist + Rules
        • Masks
        • Mask Files
        • Combinator
        • Hybrid
        • Keyboard Walks
    • Trash to sift through
      • Cookie 3.1.24.ctd
  • OSINT
  • Enumeration
  • Web Applications
    • Web Vulnerabilities
      • Web App Red Team Checklist
      • SSRF (Server Side Request Forgery)
      • Blind Data Exfiltration via DNS
      • XSS
      • XXE
      • XPath Injection
    • APIs
      • Web API Indicators
      • Passive Reconnaissance
      • Active API Reconnaissance
  • Active Directory
    • Reconnaissance
      • PowerView
      • SharpView
      • ADSearch
    • User Impersonation
      • Pass the Hash
      • Pass the Ticket
      • Overpass the Hash
      • Token Impersonation
      • Token Store
      • Make Token
      • Process Injection
    • Lateral Movement
      • Windows Remote Management
      • PsExec
      • Windows Management Instrumentation (WMI)
      • CoInitializeSecurity
      • DCOM
    • Kerberos
      • Kerberoasting
      • ASREP Roasting
      • Unconstrained Delegation
      • Constrained Delegation
      • Alternate Service Name
      • S4U2Self Abuse
      • Resource-Based Constrained Delegation
      • Shadow Credentials
      • Kerberos Relay Attacks
    • Pivoting
      • SOCKS Proxies
      • Linux Tools For Proxies
      • Windows Tools For Proxies
      • Pivoting with Kerberos
      • Pivoting A Browser
      • Reverse Port Forwards
      • NTLM Relaying
      • Relaying WebDAV
    • AD Certificate Services
      • Find Certificate Authorities
      • Misconfigured Certificate Templates
      • NTLM Relaying to ADCS HTTP Endpoints
      • User & Computer Persistence
    • Group Policy
      • Modify Existing GPO
      • Create & Link a GPO
    • MS SQL Servers
      • MS SQL Impersonation
      • MS SQL Command Execution
      • MS SQL Lateral Movement
      • MS SQL Privilege Escalation
    • Configuration Manager
      • Enumeration
      • Network Access Account Credentials
      • Lateral Movement
    • Domain Dominance
      • Silver Tickets
      • Golden Ticket
      • Diamond Tickets
      • Forged Certificates
    • Forest & Domain Trusts
      • Parent/Child
      • One-Way Inbound
      • One-Way Outbound
    • LAPS (Local Administrator Password Solution)
      • Reading ms-Mcs-AdmPwd
      • Password Expiration Protection
      • LAPS Backdoors
  • Report Writing
    • Wireless Pentesting
  • Cobalt Strike
    • Starting
      • Start CS as a Service
      • Listener Management
      • Generating Payloads
      • Pivot Listeners
    • Take Screenshot
    • Mimikatz
      • NTLM Hashes
      • Kerberos Encryption Keys
      • Security Account Manager
      • Domain Cached Credentials
    • Extracting Kerberos Tickets
    • DCSync
    • Session Passing
      • Beacon Passing
      • Foreign Listener
      • Spawn & Inject
    • Credentials
      • Credential Manager
      • Scheduled Task Credentials
    • Evading Windows Defender
      • Artifact Kit
      • Malleable C2
      • Resource Kit
      • AMSI vs Post-Exploitation
      • Manual AMSI Bypasses
      • Behavioural Detections
      • Parent/Child Relationships
      • Command Line Detections
    • Application Whitelisting
      • Policy Enumeration
      • Writeable Paths
      • Binaries, Scripts, and Libraries
      • PowerShell CLM
      • Beacon DLL
Powered by GitBook
On this page
Edit on GitHub

Last updated 8 hours ago

The policy can be read from two places - directly from the GPO or from the local registry of a machine they're applied to. Reading from the GPO is the same process as with LAPS - find the GPO, download the Registry.pol file from the gpcfilesyspath and parse with Parse-PolFile.

There's an example of one of the executable rules, contained in the ValueData field.

They're fairly self-explanatory - this rule will allow everybody to run executables that are located within the Windows directory. If on a local machine, you can query the registry at HKLM:Software\Policies\Microsoft\Windows\SrpV2 to obtain the same.

Note that DLL rules are not enforced. This is commonly the case because Microsoft say it can impact system performance.

The Get-ChildItem cmdlet is permitted under CLM.

beacon> powershell Get-DomainGPO -Domain dev-studio.com | ? { $_.DisplayName -like "*AppLocker*" } | select displayname, gpcfilesyspath

displayname gpcfilesyspath                                                                        
----------- --------------                                                                        
AppLocker   \\dev-studio.com\SysVol\dev-studio.com\Policies\{7E1E1636-1A59-4C35-895B-3AEB1CA8CFC2}

beacon> download \\dev-studio.com\SysVol\dev-studio.com\Policies\{7E1E1636-1A59-4C35-895B-3AEB1CA8CFC2}\Machine\Registry.pol
[*] started download of \\dev-studio.com\SysVol\dev-studio.com\Policies\{7E1E1636-1A59-4C35-895B-3AEB1CA8CFC2}\Machine\Registry.pol (7616 bytes)
[*] download of Registry.pol is complete
KeyName     : Software\Policies\Microsoft\Windows\SrpV2\Exe\a61c8b2c-a319-4cd0-9690-d2177cad7b51
ValueName   : Value
ValueType   : REG_SZ
ValueLength : 700
ValueData   : <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the
              Windows folder" Description="Allows members of the Everyone group to run applications that are located
              in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition
              Path="%WINDIR%\*"/></Conditions></FilePathRule>
PS C:\Users\Administrator> Get-ChildItem "HKLM:Software\Policies\Microsoft\Windows\SrpV2"

    Hive: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2

Name                           Property
----                           --------
Appx                           EnforcementMode : 1
                               AllowWindows    : 0
Dll                            AllowWindows : 0
Exe                            EnforcementMode : 1
                               AllowWindows    : 0
Msi                            EnforcementMode : 1
                               AllowWindows    : 0
Script                         EnforcementMode : 1
                               AllowWindows    : 0
PS C:\Users\Administrator> Get-ChildItem "HKLM:Software\Policies\Microsoft\Windows\SrpV2\Exe"

    Hive: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe

Name                           Property
----                           --------
921cc481-6e17-4653-8f75-050b80 Value : <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows
acca20                         members of the Everyone group to
                                       run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition
                                       Path="%PROGRAMFILES%\*"/></Conditions></FilePathRule>
a61c8b2c-a319-4cd0-9690-d2177c Value : <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members
ad7b51                         of the Everyone group to run
                                       applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition
                               Path="%WINDIR%\*"/></Conditions></FilePathRule>
PS C:\Users\Administrator> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
PreviousApplication WhitelistingNextWriteable Paths
  1. Cobalt Strike
  2. Application Whitelisting

Policy Enumeration