AppLocker

AppLocker is an application control feature of Windows, available since Windows 7 and Windows Server 2008 R2.

<aside> ❗ By default, AppLocker is turned off: nothing is restricted until a policy is configured and the Application Identity service (AppIDSvc) is running.

</aside>

In short, it restricts which executable content a machine, or a given set of domain users, is allowed to launch.

It can be configured either through Group Policy (GPO) or in the local security policy of a single machine; the effective policy is the merge of both.

AppLocker applies these restrictions through rules, which are grouped into rule collections; the collections together form the AppLocker policy. Each collection covers one kind of file that AppLocker can identify: Executables (e.g. .exe, .com), Windows Installer files (e.g. .msi, .msp, .mst), Scripts (e.g. .ps1, .bat, .cmd, .vbs, .js), Packaged apps and app installers (e.g. .appx), and DLL files (e.g. .dll, .ocx). Each collection is independently set to Enforce rules, Audit only, or Not configured; a collection that is not configured allows everything.

Rule conditions are the criteria AppLocker uses to decide which files a rule applies to. The three primary rule conditions are Publisher (the signer, product name, binary name and version taken from the file's digital signature), Path (a file or folder location, optionally using variables such as %WINDIR% or %PROGRAMFILES%), and File hash (a cryptographic hash of the file contents, which must be updated whenever the file changes). Publisher rules are the most robust where files are signed; path rules are the weakest, because any user-writable location they allow lets a user run arbitrary content from it.
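The following PowerShell session shows the rule collections and rule conditions described above in practice: it checks that enforcement is actually possible, dumps the effective policy per collection, generates Publisher and Hash rules from real files, and dry-runs the result against two paths. This is an added example written for this page, not code from the original note or from Microsoft; it requires an elevated Windows PowerShell session with the AppLocker module, and `C:\Program Files\ExampleApp` and the two test files are placeholders.

```powershell
# Added example: build, inspect and test an AppLocker policy with the
# AppLocker module. Run elevated; paths below are placeholders.
Import-Module AppLocker

# Enforcement depends on the Application Identity service. It is not
# started by default, so a configured policy can still be silently inert.
$appid = Get-Service -Name AppIDSvc
if ($appid.Status -ne 'Running') {
    Write-Warning "AppIDSvc is $($appid.Status): AppLocker rules are not being enforced"
}

# Effective policy = local policy merged with GPO policy. Each rule
# collection (Exe, Msi, Script, Dll, Appx) has its own enforcement mode.
$effective = Get-AppLockerPolicy -Effective
foreach ($collection in $effective.RuleCollections) {
    '{0,-7} mode={1,-14} rules={2}' -f $collection.RuleCollectionType,
        $collection.EnforcementMode, ($collection | Measure-Object).Count
}

# Build rules from file information. -RuleType lists the conditions in
# order of preference: Publisher for signed files, Hash as the fallback
# for unsigned ones. -Optimize merges rules that share a publisher.
$appDir = 'C:\Program Files\ExampleApp'      # placeholder directory
$files  = Get-AppLockerFileInformation -Directory $appDir -Recurse -FileType Exe, Dll
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
              -User Everyone -Optimize

# Inspect what was generated. The rule's type tells you which condition
# it uses: FilePublisherRule, FileHashRule or FilePathRule. Publisher and
# hash rules survive a file being moved; path rules do not care what the file is.
foreach ($collection in $policy.RuleCollections) {
    foreach ($rule in $collection) {
        [pscustomobject]@{
            Collection = $collection.RuleCollectionType
            Condition  = ($rule.PSObject.TypeNames[0] -split '\.')[-1]
            Action     = $rule.Action
            Name       = $rule.Name
        }
    }
}

# Dry-run the policy against concrete files before applying it. The file in
# %TEMP% is a constructed placeholder; it should come back Denied because
# no rule in $policy allows it.
$unknown = Join-Path $env:TEMP 'unknown.exe'
Set-Content -Path $unknown -Value 'placeholder, not a real PE'
Test-AppLockerPolicy -PolicyObject $policy -User Everyone `
    -Path "$appDir\app.exe", $unknown |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Export for review or GPO import. Apply locally with -Merge only once the
# policy also contains default rules (or equivalent), otherwise Windows
# itself stops being allowed to run.
$policy.ToXml() | Set-Content -Path (Join-Path $env:TEMP 'applocker-policy.xml')
# Set-AppLockerPolicy -PolicyObject $policy -Merge
```

The `Test-AppLockerPolicy` step is the check worth keeping in any deployment procedure: run it against the binaries users actually need before switching a collection from Audit only to Enforce, and read the AppLocker event log (Microsoft-Windows-AppLocker/EXE and DLL, /MSI and Script) during the audit phase for anything that would have been blocked.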

PS Constrained language mode (CLM)

Constrained language mode limits PowerShell to its base functionality: access to arbitrary .NET types and COM objects, and Win32 API calls from PowerShell (for example via Add-Type or P/Invoke), are not possible when constrained language mode is enforced. Only a small set of core types (strings, numbers, arrays, hashtables and the like) remains usable.

If an environment runs PowerShell version 5 or later with AppLocker in Allow mode (the Script rule collection set to Enforce rules), PowerShell locks down to constrained language mode automatically: scripts that the policy allows run in full language mode, while the interactive console and any script the policy does not allow run constrained.

The same happens when Device Guard (now Windows Defender Application Control) with user-mode code integrity (UMCI) is deployed.
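To see constrained language mode in action, the script below reports the language mode of the current session, probes the three capabilities the text says CLM removes (.NET, COM, Win32 via Add-Type), and then runs a probe script from two locations to show that AppLocker decides the mode per script. This is an added example, not code from the original note; it targets Windows PowerShell 5.x, and the two directories are placeholders for a location your policy allows and one it does not.

```powershell
# Added example: observe constrained language mode and how AppLocker
# assigns it per script. Windows PowerShell 5.x; directories are placeholders.
function Get-LanguageModeReport {
    # String interpolation rather than .ToString(): method calls on
    # non-core types are exactly what CLM blocks.
    $report = [ordered]@{
        PSVersion    = "$($PSVersionTable.PSVersion)"
        LanguageMode = $ExecutionContext.SessionState.LanguageMode
    }
    # Arbitrary .NET type: blocked in CLM ("only core types are supported").
    try   { $null = [System.Net.WebClient]::new(); $report.DotNet = 'allowed' }
    catch { $report.DotNet = 'blocked' }
    # COM object creation: blocked in CLM.
    try   { $null = New-Object -ComObject WScript.Shell -ErrorAction Stop; $report.COM = 'allowed' }
    catch { $report.COM = 'blocked' }
    # Win32 API access via Add-Type / P/Invoke: Add-Type is not permitted in CLM.
    try   { Add-Type -TypeDefinition 'public class ClmProbe {}' -ErrorAction Stop; $report.AddType = 'allowed' }
    catch { $report.AddType = 'blocked' }
    [pscustomobject]$report
}

Get-LanguageModeReport

# With the Script collection enforced, PowerShell consults AppLocker for each
# .ps1: an allowed script runs in FullLanguage, a non-allowed one in
# ConstrainedLanguage. $allowedDir / $blockedDir are placeholders: use a
# directory your policy allows and one it does not.
$allowedDir = 'C:\Scripts\Allowed'
$blockedDir = $env:TEMP
$probe = '$ExecutionContext.SessionState.LanguageMode'
foreach ($dir in $allowedDir, $blockedDir) {
    $script = Join-Path $dir 'clm-probe.ps1'
    Set-Content -Path $script -Value $probe
    $mode = & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script
    '{0,-45} {1}' -f $script, $mode
    Remove-Item $script -ErrorAction SilentlyContinue
}

# To try CLM on a machine without AppLocker or WDAC, set the machine-wide
# environment variable __PSLockdownPolicy to 4 and open a new session.
# This is a testing aid only: it is trivially removed by a user and is not
# an enforcement control.
# [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
```

In a full-language session the report shows `FullLanguage` with all three probes `allowed`; under an enforced AppLocker script policy the interactive run shows `ConstrainedLanguage` with all three `blocked`, while the probe script placed in the allowed directory prints `FullLanguage` and the one in the blocked directory prints `ConstrainedLanguage`. Note that the second part relies on path rules, so the allowed directory must not be writable by the users you intend to constrain.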

PS Enhanced Logging