Windows 10: AppLocker Allowed Executable Runs Denied DLL

Discussion in 'AntiVirus, Firewalls and System Security' started by benavidb, Apr 9, 2020.

  1. benavidb Win User

    AppLocker Allowed Executable Runs Denied DLL


    I am testing AppLocker's functionality to assess suitability for protecting a Windows application from tampering. My goal is to test the robustness of its rules in the face of DLL hijacking. As a test I have a simple executable compiled from C# that displays a window and button. When the button is clicked it uses a single DLL dependency to pull the system time and IP and return it as a string. The window then updates with a message stating the returned string. An AppLocker executable rule was added to allow the executable based on its hash. Additionally, I have generic DLL rules that allow execution of all DLLs in the Windows folder and the Program Files folder. My test executable and its dependency are both in a folder on the desktop, not a valid DLL execution folder.

    After ensuring the AppIdSvc is running and doing a gpupdate on the client PC, I was able to run the executable as expected, but the executable was also able to run its DLL dependency even though the dependency was outside of the Windows/Program Files directories. This was also the case after I replaced that DLL with a tampered one to ensure it wasn't somehow related to the rule created for the executable and to prove that my executable is actually running that dependency, which it is. Even after I added an explicit rule to deny both the legitimate and tampered DLLs based on their hash, it's still able to run. Reviewing the AppLocker logs, I don't see any message saying the DLL was or was not allowed to run; it's as if AppLocker never saw it, even though I am able to see that the DLL was accessed by the executable in Process Monitor. Other AppLocker logs show that the executable was allowed to run, letting me know my rules are working - I also ran many other AppLocker tests to ensure it is actually running and it was.



    Is AppLocker not able to protect the integrity of dependency DLLs based on their hash? Can an allowed executable run ANY DLL? I've read some articles that rundll32 circumvents the DLL rules by being allowed to run from its safe location while loading and executing DLLs from unsafe locations and may perhaps be the culprit here. Any information is greatly appreciated.

    :)
     
    benavidb, Apr 9, 2020
    #1
  2. Brink Win User
  3. chisle Win User
    Applocker not blocking -- Win10Pro, Applocker configured, AppIDsvc run

    • OS: Win10Pro
    • Applocker: configured blocking of apps and executables
    • Applocker rules: set to enforcing
    • Service: AppIDSvc is running

    I've been trying to get Edge and a couple other utilities blocked on the laptop to keep distractions to a minimum for my child who uses the computer to study.
    However, even after rules are defined, and they are set to enforcing as blocked, the apps and executables are still available to them -- even after a reboot.

    I have followed the instructions here: https://social.technet.microsoft.com...10itprogeneral
    However, there is still no blocking of the apps or the executables.
    Thank you for your consideration.
     
    chisle, Apr 9, 2020
    #3
  4. AppLocker Allowed Executable Runs Denied DLL

    Block a DLL with Applocker

    Hi all,

    In my organization we want to implement Applocker to block unauthorized DLLs. So far, I've created a very simple test: I've created an exe file that loads a function stored in a DLL. I created the program using Visual Studio and C#.


    [ATTACH]


    I followed the instructions posted here to block the DLL that my EXE file uses to work using Applocker.
    These are my settings:


    [ATTACH]

    [ATTACH]

    [ATTACH]


    To my surprise this doesn't stop my program from loading the function in the DLL. Is there a way to achieve this using Applocker?

    OS: Windows Server 2012 R2
     
    OliverCaceres, Apr 9, 2020
    #4
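
One thing to rule out for the reports in posts #1 and #4, shown as an added example that is not code from any poster: the DLL rule collection is not enabled by default, and a rule collection that holds no rules is not evaluated, in which case no DLL allow or deny events are written either. The policy XML below is a constructed sample and `Get-AppLockerCollectionState` is a hypothetical helper name.

```powershell
# Constructed sample policy (not taken from the thread): an Exe hash rule is
# enforced, while the Dll collection exists but holds no rules.
$samplePolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FileHashRule Id="00000000-0000-0000-0000-000000000001" Name="TestApp.exe"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FileHashCondition>
        <FileHash Type="SHA256" Data="0xPLACEHOLDER" SourceFileName="TestApp.exe" SourceFileLength="0" />
      </FileHashCondition></Conditions>
    </FileHashRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@

# Hypothetical helper: summarise each rule collection of an AppLocker policy XML.
function Get-AppLockerCollectionState {
    param([Parameter(Mandatory)][string]$PolicyXml)
    $doc = [xml]$PolicyXml
    foreach ($type in 'Exe', 'Dll', 'Script', 'Msi', 'Appx') {
        $col   = $doc.SelectSingleNode("/AppLockerPolicy/RuleCollection[@Type='$type']")
        $mode  = if ($col) { $col.GetAttribute('EnforcementMode') } else { 'Absent' }
        $allow = if ($col) { $col.SelectNodes("*[@Action='Allow']").Count } else { 0 }
        $deny  = if ($col) { $col.SelectNodes("*[@Action='Deny']").Count } else { 0 }
        # A collection with no rules is not evaluated at all. With rules present,
        # AuditOnly only logs; any other mode (including NotConfigured) enforces.
        $state = if (($allow + $deny) -eq 0) { 'NotEvaluated' } elseif ($mode -eq 'AuditOnly') { 'AuditOnly' } else { 'Enforced' }
        [pscustomobject]@{
            Collection = $type
            Mode       = $mode
            Allow      = $allow
            Deny       = $deny
            State      = $state
        }
    }
}

Get-AppLockerCollectionState -PolicyXml $samplePolicy | Format-Table -AutoSize

# On a live client, feed the merged local + GPO policy instead of the sample:
#   Get-AppLockerCollectionState -PolicyXml (Get-AppLockerPolicy -Effective -Xml)
# If Dll shows 'Enforced', look for the load decision in the AppLocker log:
#   Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50
```

For the sample, the Exe collection reports `Enforced` and the Dll collection reports `NotEvaluated`; a Dll collection that reports `Enforced` on the real client means the missing DLL events need a different explanation.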