How to clear a local Applocker policy

There are 3 main actions in this menu when you edit the local Applocker policy. You can Import, Export and Clear a policy.

Let’s see how one can clear a local Applocker policy.

If you use Windows PowerShell, you can directly access the built-in Applocker module.
In this case, you can use the following shortcut:

$null | New-AppLockerPolicy -User EveryOne -EA 0 | 
Set-AppLockerPolicy -Verbose

NB: EA is the alias of ErrorAction and 0 means SilentlyContinue.
It's required to avoid displaying a message saying:

New-AppLockerPolicy : Cannot validate argument on parameter ‘FileInformation’. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.

Even though an error is thrown, a Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLockerPolicy object is still created and sent to the output stream.

Unfortunately, the same shortcut cannot be used within PowerShell 7.0.1 (current latest version).
You need the following 2 steps:

# step 1: write an empty policy to a file
$null | New-AppLockerPolicy -User EveryOne -EA 0 -Xml | 
Out-File ~/Documents/empty.xml

# step 2: import that file
Set-AppLockerPolicy ~/Documents/empty.xml

NB: Notice the addition of the -Xml switch in the first step.

Here's another approach for Windows PowerShell. It resembles the example Microsoft provides under the name delete-an-applocker-rule, which actually shows how to clear *all* the rules.

The following example doesn't write a file to disk and directly clears the local Applocker policy.

#Requires -Module Applocker
#Requires -PSEdition Desktop
#Requires -RunAsAdministrator
Function Clear-ApplockerLocalPolicy {
    [CmdletBinding()]
    Param()
    Begin {}
    Process {
        Try {
            # First call to a built-in Applocker cmdlet so that the AppLockerPolicy type below resolves (see the note after the code)
            $null = Get-AppLockerPolicy -Local -ErrorAction SilentlyContinue
            # Build an empty policy: every rule collection NotConfigured, no rules
            [Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLockerPolicy]::FromXml(
@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@
            ) |
            Set-AppLockerPolicy -ErrorAction Stop
            Write-Verbose -Message 'Successfully cleared local Applocker policy'
        } catch {
            Write-Error $_
        }
    }
    End {}
}

NB: Notice the first call in the Process block, $null = Get-AppLockerPolicy -Local, which invokes a built-in command from the Applocker module. It's used to avoid this error message: Unable to find type [Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLockerPolicy].
If that first call is missing, when you do the following, you get:

Weird, isn't it? If you've an explanation, please add a comment 🙂

Check CVE-2020-1048 with AutoRuns

If you’ve seen what’s going on with CVE-2020-1048, it looks quite scary.

I've created an issue (#71) for this and added a detection in the Print Monitors category (see this commit).

I’ve published a digitally signed version of the AutoRuns module on the PowerShell Gallery as well.
(If you get started with AutoRuns, have a look at this README page.)

Now, if you do this,

Add-PrinterPort -Name "C:\windows\tracing\myport.txt"

You get it detected with the AutoRuns module like this:

Get-PSAutorun -PrintMonitorDLLs -VerifyDigitalSignature | 
Where { -not($_.Signed) }

Notice that there’s still an issue with the ImagePath property that needs to be fixed.
Anyway, it’s quick & dirty and detected 🙂
Happy hunting 😎
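As a complementary check to the AutoRuns detection above, here is an added example (not part of the original post or of the AutoRuns module) that flags printer ports whose name is a file system path, the shape of port that the Add-PrinterPort call above creates. It works on Get-PrinterPort output (PrintManagement module) or on any object with Name, Description and PortMonitor properties; the regular expressions are a heuristic, not an official indicator.

```powershell
# Added example (not part of the original post or of the AutoRuns module): flag
# printer ports whose Name is a file system path. Input is Get-PrinterPort output
# or any object with Name, Description and PortMonitor properties.
Function Get-FilePathPrinterPort {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject[]]$Port
    )
    Process {
        foreach ($p in $Port) {
            # Expected names look like LPT1:, COM1:, FILE:, USB001, IP_10.0.0.5 or \\server\share.
            # A drive-letter path or a trailing file extension is what CVE-2020-1048 relies on.
            $reason = switch -Regex ($p.Name) {
                '^[A-Za-z]:\\'                { 'Name is an absolute file path'; break }
                '\.[A-Za-z][A-Za-z0-9]{0,3}$' { 'Name ends with a file extension'; break }
            }
            if ($reason) {
                [PSCustomObject]@{
                    Name        = $p.Name
                    PortMonitor = $p.PortMonitor
                    Description = $p.Description
                    Reason      = $reason
                }
            }
        }
    }
}

# Constructed sample input (not real output): one benign port and one shaped like the post's example
$sample = @(
    [PSCustomObject]@{ Name = 'LPT1:'; PortMonitor = 'Local Port'; Description = 'Printer Port' },
    [PSCustomObject]@{ Name = 'C:\windows\tracing\myport.txt'; PortMonitor = 'Local Port'; Description = 'Local Port' }
)
$sample | Get-FilePathPrinterPort | Format-Table -AutoSize   # reports only the second port

# Live check on this machine:
# Get-PrinterPort | Get-FilePathPrinterPort
```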

How to view an Applocker policy enforcement

When you edit an Applocker Group Policy, either a local one or one stored in Active Directory, you can view and configure which collections are active and what these should do.

Rule collections can be “not configured” or when they are “configured”, they can be set to “enforced” or “audit only”.

I’ve created a function to view the above settings.
Let’s see it in action first:

It can be used without parameters and will display the Effective policy:

Get-AppLockerPolicyInfo | ft -AutoSize

You can also use the Local switch to view the local policy configuration:

Get-AppLockerPolicyInfo -Local | Format-Table -AutoSize

It also accepts a policy object sent into the pipeline.
In other words, it can be combined with the built-in Applocker cmdlets:

Get-AppLockerPolicy -Local | 
Get-AppLockerPolicyInfo -Verbose | 
ft -AutoSize

It can also be used to view the configuration of an Active Directory based Applocker policy.
In this case, I’ll use the cmdlets from the GroupPolicy module.

$gpo = Get-GPO -All | Out-GridView -OutputMode Single
Get-AppLockerPolicy -Ldap "LDAP://$(($gpo).path)" -Domain | 
Get-AppLockerPolicyInfo | ft -AutoSize

There’s another use for this function.
Using both the Effective and Local switches, it can help you diagnose how enforcement is configured if you have more than just a local policy.
Here’s an example when there’s an overlap on Applocker policies:

In the above specific example, we can see that the local policy is Enforced with a few rules (probably the default rules) and is stricter than the AD policy, which is set to Audit Only. If we want the local policy to keep applying, an explicit deny can be set so that the computer stops applying the Audit Only GPO.
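To make such an overlap visible in one table, here is an added example (not the post's own Get-AppLockerPolicyInfo) that puts each rule collection's local enforcement mode and rule count next to the effective one and flags the collections where a GPO changes the outcome. It relies only on the built-in Applocker module (Get-AppLockerPolicy -Xml) and the policy XML shape shown in the first post; run after the clearing procedure of that post, every LocalMode row should read NotConfigured with 0 LocalRules.

```powershell
# Added example (not part of the original post): compare local vs effective
# AppLocker enforcement per rule collection. Assumes the built-in Applocker module.
#Requires -Module Applocker
Function Get-AppLockerCollectionState {
    # Parses policy XML (same shape as the empty policy of the first post) into Type -> mode/rule count
    Param([xml]$Policy)
    $state = @{}
    foreach ($rc in $Policy.AppLockerPolicy.RuleCollection) {
        $state[$rc.Type] = [PSCustomObject]@{
            Mode  = $rc.EnforcementMode
            # Count only *Rule elements (FilePublisherRule, FilePathRule, FileHashRule), not extensions
            Rules = @($rc.ChildNodes | Where-Object { $_.NodeType -eq 'Element' -and $_.LocalName -like '*Rule' }).Count
        }
    }
    $state
}

Function Compare-AppLockerEnforcement {
    [CmdletBinding()]
    Param(
        # Both default to the machine's policies; pass XML strings to analyse exported policies offline
        [xml]$LocalXml     = (Get-AppLockerPolicy -Local     -Xml -ErrorAction Stop),
        [xml]$EffectiveXml = (Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop)
    )
    $lstate = Get-AppLockerCollectionState -Policy $LocalXml
    $estate = Get-AppLockerCollectionState -Policy $EffectiveXml
    foreach ($type in 'Exe', 'Msi', 'Script', 'Dll', 'Appx') {
        # A collection absent from the XML behaves as NotConfigured with no rules
        $l = $lstate[$type]
        $e = $estate[$type]
        $localMode = if ($l) { $l.Mode } else { 'NotConfigured' }
        $effMode   = if ($e) { $e.Mode } else { 'NotConfigured' }
        [PSCustomObject]@{
            Type            = $type
            LocalMode       = $localMode
            LocalRules      = if ($l) { $l.Rules } else { 0 }
            EffectiveMode   = $effMode
            EffectiveRules  = if ($e) { $e.Rules } else { 0 }
            # True when a domain policy changes what the local policy asked for
            OverriddenByGPO = ($localMode -ne $effMode)
        }
    }
}

# Live comparison on this machine:
# Compare-AppLockerEnforcement | Format-Table -AutoSize
```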

Here’s the code of this function:

#Requires -Module Applocker
#Requires -PSEdition Desktop
Function Get-AppLockerPolicyInfo {
<#
.SYNOPSIS
    Display the rule collections info: type, enforcement mode, rules count...
.DESCRIPTION
    Get the extended info that applies to rule collections
.PARAMETER Effective
    Switch to get the effective Applocker policy
.PARAMETER Local
    Switch to get the local Applocker policy
.PARAMETER InputObject
    To be used with the pipeline, see examples
.EXAMPLE
    Get-AppLockerPolicyInfo | ft -AutoSize
    Without parameter, it displays rule collections info from the effective policy
.EXAMPLE
    Get-AppLockerPolicyInfo -Local | Format-Table -AutoSize
    Use the 'Local' switch to display rule collections info from the local policy
.EXAMPLE
    Get-AppLockerPolicy -Local | Get-AppLockerPolicyInfo -Verbose | ft -AutoSize
    Use the built-in Get-AppLockerPolicy with its Local switch and pipe it to
    Get-AppLockerPolicyInfo to display rule collections info
.EXAMPLE
    Get-AppLockerPolicy -Ldap "LDAP://$((Get-GPO -Name 'myGPOName').path)" -Domain |
    Get-AppLockerPolicyInfo | ft -AutoSize
    Use the built-in Get-AppLockerPolicy and Get-GPO cmdlets to read an Applocker policy stored
    in Active Directory and pipe it to Get-AppLockerPolicyInfo to display rule collections info
#>
    [CmdletBinding(DefaultParameterSetName='Effective')]
    Param(
        [Parameter(ParameterSetName='Effective')]
        [Switch]$Effective,
        [Parameter(ParameterSetName='Local')]
        [switch]$Local,
        [Parameter(ParameterSetName='Piped',ValueFromPipeline)]
        [Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLockerPolicy]$InputObject
    )
    Begin {}
    Process {
        try {
            $HT = @{ ErrorAction = 'Stop' }
            # Pick the policy source from the parameter set that was bound
            Switch ($PSCmdlet.ParameterSetName) {
                Effective {
                    $data = Get-AppLockerPolicy -Effective @HT
                    Write-Verbose 'Successfully read effective Applocker policy'
                }
                Local {
                    $data = Get-AppLockerPolicy -Local @HT
                    Write-Verbose 'Successfully read local Applocker policy'
                }
                Piped {
                    $data = $InputObject
                    Write-Verbose 'Successfully read piped Applocker policy'
                }
                default {}
            }
            if ($data) {
                # One object per rule collection: type, enforcement mode, rules count...
                $data.RuleCollections | Select-Object -Property *
            }
        } catch {
            Write-Warning -Message "Failed to get Applocker extended info because $($_.Exception.Message)"
        }
    }
    End {}
}