├── AppLocker Event Forwarding
│   ├── AppLocker Event Forwarding Subscription Query Filter.xml
│   ├── AppLocker Events grouped by File.ps1
│   └── AppLocker Events to CSV.ps1
├── AppLocker Starter Policy
│   ├── Windows10_AppLocker Starter Policy.xml
│   └── Windows11_AppLocker Starter Policy.xml
├── Create AppLocker Meta Events
│   ├── AppLocker Event Forwarding Subscription Meta Event Query Filter xml
│   ├── AppLocker Meta Events Custom View.xml
│   ├── AppLocker Meta Events grouped by File.ps1
│   ├── AppLocker Meta Events to CSV.ps1
│   ├── Create AppLocker Meta Event Task.bat
│   ├── Create AppLocker Meta Event Task.xml
│   └── Create AppLocker Meta Event.ps1
├── Create AppLocker Popup Task
│   ├── AppLocker Popup Alert Task.xml
│   └── Create AppLocker Popup Task.bat
├── DISCLAIMER.md
├── Event Viewer AppLocker Custom View
│   └── AppLocker Event Viewer Custom View.xml
├── LICENSE.md
└── README.md

/AppLocker Event Forwarding/AppLocker Event Forwarding Subscription Query Filter.xml:
--------------------------------------------------------------------------------
When setting up an event forwarding subscription, it is necessary to tell the subscription
which events are desired for forwarding. The following event query can be used within an
event subscription to select only the AppLocker warning and error events for forwarding:
(The XML query itself did not survive extraction.)
--------------------------------------------------------------------------------

/AppLocker Event Forwarding/AppLocker Events grouped by File.ps1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nsacyber/AppLocker-Guidance/f04b3c3d2c3b2dad6048bb898f11bffcb567d8cc/AppLocker Event Forwarding/AppLocker Events grouped by File.ps1
--------------------------------------------------------------------------------

/AppLocker Event Forwarding/AppLocker Events to CSV.ps1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nsacyber/AppLocker-Guidance/f04b3c3d2c3b2dad6048bb898f11bffcb567d8cc/AppLocker Event Forwarding/AppLocker Events to CSV.ps1
--------------------------------------------------------------------------------

/AppLocker Starter Policy/Windows10_AppLocker Starter Policy.xml:
--------------------------------------------------------------------------------
(The policy XML, 1069 lines in the repository, did not survive extraction.)
--------------------------------------------------------------------------------

/AppLocker Starter Policy/Windows11_AppLocker Starter Policy.xml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nsacyber/AppLocker-Guidance/f04b3c3d2c3b2dad6048bb898f11bffcb567d8cc/AppLocker Starter Policy/Windows11_AppLocker Starter Policy.xml
--------------------------------------------------------------------------------

/Create AppLocker Meta Events/AppLocker Event Forwarding Subscription Meta Event Query Filter xml:
--------------------------------------------------------------------------------
When setting up an event forwarding subscription, it is necessary to tell the subscription
which events are desired for forwarding. The following event query can be used within an
event subscription to select the AppLocker Meta Events for forwarding:
(The XML query itself did not survive extraction.)
--------------------------------------------------------------------------------

/Create AppLocker Meta Events/AppLocker Meta Events Custom View.xml:
--------------------------------------------------------------------------------
(Only the text values of this custom view XML survived extraction: 1,2,3 / AppLocker / 0 / False / AppLocker Meta Events)
--------------------------------------------------------------------------------

/Create AppLocker Meta Events/AppLocker Meta Events grouped by File.ps1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nsacyber/AppLocker-Guidance/f04b3c3d2c3b2dad6048bb898f11bffcb567d8cc/Create AppLocker Meta Events/AppLocker Meta Events grouped by File.ps1
--------------------------------------------------------------------------------

/Create AppLocker Meta Events/AppLocker Meta Events to CSV.ps1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nsacyber/AppLocker-Guidance/f04b3c3d2c3b2dad6048bb898f11bffcb567d8cc/Create AppLocker Meta Events/AppLocker Meta Events to CSV.ps1
--------------------------------------------------------------------------------

/Create AppLocker Meta Events/Create AppLocker Meta Event Task.bat:
--------------------------------------------------------------------------------
REM *******************
REM This script looks up the computer's domain and then registers the "Create AppLocker Meta Event" task
REM to trigger when an AppLocker event is created and run a script to create the new AppLocker meta event
REM with additional calling process and user information.
REM
REM This script can be pushed out as a computer startup script to create the "Create AppLocker Meta Event"
REM task on each computer to trigger when an AppLocker event is created and run a script to create a new
REM AppLocker meta event with additional calling process and user information. This file should be placed
REM in the \\\SYSVOL\\Scripts file share along with the "Create AppLocker Meta
REM Event.ps1.txt" powershell script file and the "Create AppLocker Meta Event Task.xml" file in order to
REM create the task successfully.
REM *******************

REM Get domain name from the TCP/IP parameters key; the last matching line of REG QUERY output wins
FOR /F "tokens=1* delims=REG_SZ " %%A IN ('REG QUERY HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain') DO (
    SET COMPUTERDOMAIN=%%B
)

REM Only create the task if it is not already registered (schtasks /query sets ERRORLEVEL 1 when the task is missing)
schtasks.exe /query /tn "Create AppLocker Meta Event"
IF ERRORLEVEL 1 (
    mkdir C:\Windows\Scripts
    copy /y "\\%COMPUTERDOMAIN%\sysvol\%COMPUTERDOMAIN%\scripts\Create AppLocker Meta Event.ps1" C:\Windows\Scripts
    schtasks.exe /create /tn "Create AppLocker Meta Event" /xml "\\%COMPUTERDOMAIN%\sysvol\%COMPUTERDOMAIN%\scripts\Create AppLocker Meta Event Task.xml"
)
--------------------------------------------------------------------------------

/Create AppLocker Meta Events/Create AppLocker Meta Event Task.xml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nsacyber/AppLocker-Guidance/f04b3c3d2c3b2dad6048bb898f11bffcb567d8cc/Create AppLocker Meta Events/Create AppLocker Meta Event Task.xml
--------------------------------------------------------------------------------

/Create AppLocker Meta Events/Create AppLocker Meta Event.ps1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nsacyber/AppLocker-Guidance/f04b3c3d2c3b2dad6048bb898f11bffcb567d8cc/Create AppLocker Meta Events/Create AppLocker Meta Event.ps1
--------------------------------------------------------------------------------
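The event query that the two subscription filter files describe, and the enrichment that the "Create AppLocker Meta Event" task performs, as one added example that is not part of the repository: it reads AppLocker warning and error events with the same query a forwarding subscription would use, groups them by file as the grouped-by-file scripts do, and writes a meta event carrying the account and calling process. The source name 'AppLocker Meta Events', the event ID 9001 and the Get-AppLockerEventData helper are assumptions.

```powershell
# Added example, not code from the nsacyber/AppLocker-Guidance repository.
# Runs under Windows PowerShell 5.1 (New-EventLog/Write-EventLog are not in PowerShell 7).
# The meta event source name and event ID are assumptions, not values from the repository.

# Query for the event forwarding subscription and for Get-WinEvent below: Level 2 (Error)
# and 3 (Warning) events, e.g. 8004 (blocked EXE/DLL), from both AppLocker channels.
$AppLockerQuery = @"
<QueryList>
  <Query Id="0">
    <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*[System[(Level=2 or Level=3)]]</Select>
    <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*[System[(Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
"@

$MetaSource  = 'AppLocker Meta Events'   # assumed source name in the Application log
$MetaEventId = 9001                      # assumed event ID for the meta event

# Register the source once (requires administrative rights).
if (-not [System.Diagnostics.EventLog]::SourceExists($MetaSource)) {
    New-EventLog -LogName Application -Source $MetaSource
}

function Get-AppLockerEventData {
    # Pull the file path, target user SID and process ID out of the event's UserData.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = ([xml]$Event.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        TimeCreated = $Event.TimeCreated
        Id          = $Event.Id
        FilePath    = $data.FilePath
        UserSid     = $data.TargetUser
        ProcessId   = [int]$data.TargetProcessId
    }
}

$recent = Get-WinEvent -FilterXml $AppLockerQuery -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object { Get-AppLockerEventData $_ }

# Same view as "AppLocker Events grouped by File.ps1": how often each file triggered an event.
$recent | Group-Object FilePath | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Enrich the newest event with the account and calling process, then write the meta event.
$latest = $recent | Select-Object -First 1
if ($latest) {
    try { $account = ([System.Security.Principal.SecurityIdentifier]$latest.UserSid).Translate(
              [System.Security.Principal.NTAccount]).Value }
    catch { $account = $latest.UserSid }   # unresolvable SID (deleted or foreign account)
    # The recorded process is usually gone by the time a task fires; report that instead of failing.
    $proc   = Get-CimInstance Win32_Process -Filter "ProcessId = $($latest.ProcessId)"
    $parent = if ($proc) { Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)" }
    $msg = "AppLocker event $($latest.Id) for $($latest.FilePath)`n" +
           "User: $account`n" +
           "Process: $(if ($proc) { $proc.CommandLine } else { "exited (PID $($latest.ProcessId))" })`n" +
           "Calling process: $(if ($parent) { $parent.CommandLine } else { 'not available' })"
    Write-EventLog -LogName Application -Source $MetaSource -EventId $MetaEventId -EntryType Warning -Message $msg
}
```

Run the enrichment from a scheduled task triggered by the AppLocker event, as the repository's task does, so the recorded process is still alive more often when it is looked up.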
/Create AppLocker Popup Task/AppLocker Popup Alert Task.xml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nsacyber/AppLocker-Guidance/f04b3c3d2c3b2dad6048bb898f11bffcb567d8cc/Create AppLocker Popup Task/AppLocker Popup Alert Task.xml
--------------------------------------------------------------------------------

/Create AppLocker Popup Task/Create AppLocker Popup Task.bat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nsacyber/AppLocker-Guidance/f04b3c3d2c3b2dad6048bb898f11bffcb567d8cc/Create AppLocker Popup Task/Create AppLocker Popup Task.bat
--------------------------------------------------------------------------------

/DISCLAIMER.md:
--------------------------------------------------------------------------------
## Disclaimer of Warranty
This Work is provided "as is". Any express or implied warranties, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the United States Government be liable for any direct, indirect, incidental, special, exemplary or consequential damages (including, but not limited to, procurement of substitute goods or services, loss of use, data or profits, or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this Work, even if advised of the possibility of such damage.

The User of this Work agrees to hold harmless and indemnify the United States Government, its agents and employees from every claim or liability (whether in tort or in contract), including attorneys' fees, court costs, and expenses, arising in direct consequence of Recipient's use of the item, including but not limited to, claims or liabilities made for injury to or death of personnel of User or third parties, damage to or destruction of property of User or third parties, infringement or other violations of intellectual property or technical data rights.

Nothing in this Work is intended to constitute an endorsement, explicit or implied, by the United States Government of any particular manufacturer's product or service.

## Disclaimer of Endorsement
Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, in this Work does not constitute an endorsement, recommendation, or favoring by the United States Government and shall not be used for advertising or product endorsement purposes.
--------------------------------------------------------------------------------

/Event Viewer AppLocker Custom View/AppLocker Event Viewer Custom View.xml:
--------------------------------------------------------------------------------
(Only the text values of this custom view XML survived extraction: True / Microsoft-Windows-AppLocker/EXE and DLL,Microsoft-Windows-AppLocker/MSI and Script / Microsoft-Windows-AppLocker / 0 / 1,2,3 / AppLocker Warnings and Errors / AppLocker Warnings and Errors Custom View)
--------------------------------------------------------------------------------

/LICENSE.md:
--------------------------------------------------------------------------------
This Work was prepared by a United States Government employee and, therefore, is excluded from copyright by Section 105 of the Copyright Act of 1976.

Copyright and Related Rights in the Work worldwide are waived through the [CC0 1.0 Universal license](https://creativecommons.org/publicdomain/zero/1.0/).
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# AppLocker Guidance

Microsoft AppLocker is an application control feature built into Windows. Application control is one of the [Information Assurance top 10 mitigation strategies](https://media.defense.gov/2019/Jul/16/2002158046/-1/-1/0/DDD-190716-666-071.PDF).

This project contains scripts and configuration files for aiding administrators in implementing Microsoft AppLocker as outlined in the Application Control using Microsoft AppLocker paper.

**The starter policy provided in this repository is for Windows 11**.

## Guidance
NSA Information Assurance has a security guide for AppLocker called Application Control Using Microsoft AppLocker. For more detailed instructions and additional information, please see the [wiki](https://github.com/nsacyber/AppLocker-Guidance/wiki).

## Addressing Living Off the Land Binaries and Scripts (LOLBAS)
For the past several years, Living Off the Land techniques have seen increasing use by threat actors. These techniques often use binaries, scripts, and libraries that come pre-installed on Windows or are present on most Windows systems, which lets threat actors operate very stealthily in those environments. LOLBAS threats can be partially mitigated using AppLocker or other application control solutions. To that end, the security community has created and maintains a repository of well-known LOLBAS, called the LOLBAS Project, to help defenders and administrators stay aware of them and develop application control policies that address LOLBAS.
Microsoft has additionally published a list of binaries that it recommends be blocked due to frequent abuse. The default policies within this repository have been updated with explicit deny rules for the respective LOLBAS and Microsoft recommendations, but administrators should still evaluate their own networks for usage of LOLBAS and adjust the AppLocker policies accordingly.

## Resources

* [AppLocker Technical Reference](https://learn.microsoft.com/en-us/windows/device-security/applocker/applocker-technical-reference)
* [Requirements to use AppLocker](https://learn.microsoft.com/en-us/windows/device-security/applocker/requirements-to-use-applocker)
* [AppLocker Policies Deployment Guide](https://learn.microsoft.com/en-us/windows/device-security/applocker/applocker-policies-deployment-guide)
* [Microsoft Recommended Block Rules for WDAC](https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)
* [Living Off the Land Binaries, Scripts, and Libraries](https://lolbas-project.github.io/)

## License
See [LICENSE](LICENSE.md).

## Disclaimer
See [DISCLAIMER](DISCLAIMER.md).
--------------------------------------------------------------------------------