AppLocker’s blind spot

Application whitelisting remains one of the most effective protections against malicious applications. You do not have to identify every potentially harmful app: if you do not explicitly allow a specific application, it will not run, even if it uses the most unusual obfuscation technique and no antivirus has ever seen it before.

Within Windows, administrators can pick one of two built-in features responsible for whitelisting: AppLocker and WDAC (Windows Defender Application Control). Which one works better in a specific scenario is a never-ending discussion.

One of the big advantages of AppLocker is its user context awareness. AppLocker evaluates the user context of each process, and this can be very useful in your whitelisting rules. For example, one of the default EXE rules allows everything to run if it is run by a member of the Administrators group. It may be useful or not so much, but it is technically possible.

But there is more! Regardless of the user context specified in AppLocker rules, the mechanism itself looks at the process token and literally ignores processes having "NT AUTHORITY\SERVICE" (S-1-5-6) in their token. Ignoring means such processes are never denied and (what may be even worse) never logged in the "Microsoft-Windows-AppLocker/EXE and DLL" event log. This raises an obvious question: how do we get such a SID into the token? There are a couple of ways: run your process as a Windows Service or as its child, duplicate an existing token having such a SID, or simply create a new token with such a SID from scratch.
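To see how much of a running system falls into this blind spot, the following added example (my code, not from the original post or the linked repository) lists every process whose token carries S-1-5-6, i.e. the processes AppLocker neither evaluates nor writes to the "EXE and DLL" log. It assumes an elevated Windows PowerShell session; processes whose handle cannot be opened (protected processes) are skipped.

```powershell
# Added example: inventory processes that AppLocker ignores because their token
# contains NT AUTHORITY\SERVICE (S-1-5-6). Read-only: it opens tokens for query.
$src = @'
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
Add-Type -TypeDefinition $src

$TOKEN_QUERY_DUPLICATE = 0x000A   # TOKEN_DUPLICATE (0x2) | TOKEN_QUERY (0x8)

function Get-ServiceSidProcess {
    foreach ($p in Get-Process) {
        # Process.Handle throws for protected processes or processes that already exited
        try { $hProc = $p.Handle } catch { continue }
        $hTok = [IntPtr]::Zero
        if (-not [TokenNative]::OpenProcessToken($hProc, $TOKEN_QUERY_DUPLICATE, [ref]$hTok)) { continue }
        try {
            # WindowsIdentity exposes the token's group SIDs, including logon SIDs such as S-1-5-6
            $ident = New-Object System.Security.Principal.WindowsIdentity $hTok
            $hasServiceSid = [bool]($ident.Groups | Where-Object { $_.Value -eq 'S-1-5-6' })
            if ($hasServiceSid) {
                [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; User = $ident.Name }
            }
        } finally {
            [void][TokenNative]::CloseHandle($hTok)
        }
    }
}

# Everything listed here is invisible to AppLocker's EXE/DLL enforcement and log;
# cover it with WDAC or process-creation auditing rather than relying on AppLocker events.
Get-ServiceSidProcess | Sort-Object Name | Format-Table -AutoSize
```

Expect service hosts (svchost, the SCM-started services themselves) and their children; anything unexpected in the list, such as an interactive user's application, is worth a closer look.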

Advanced techniques may require a custom app, which effectively leads to a chicken-and-egg deadlock: you can bypass AppLocker using the SID, but you must run a non-whitelisted app first to get such a SID. You can also compile your code as a DLL and load it from well-known and whitelisted applications such as rundll32 or regsvr32. If you do not whitelist DLLs, this works nicely, and you can find a working PoC at https://github.com/gtworek/PSBits/tree/master/AppLockerBypass

Should you really be afraid of such a "feature"? Not too much, actually. Every way of getting S-1-5-6 into your app's token requires administrative privileges, and once you have those, you can reconfigure or disable AppLocker anyway. On the other hand, knowing one more technique never hurts.