ANNOUNCING: Application whitelisting with "AaronLocker"
[Update 11 Oct 2018: "AaronLocker" v0.91 released]
Announcing the pre-release (v0.9) of "AaronLocker": robust and practical application whitelisting for Windows.
AaronLocker is designed to make the creation and maintenance of robust, strict, AppLocker-based whitelisting rules as easy and practical as possible. The entire solution involves a small number of PowerShell scripts. You can easily customize rules for your specific requirements with simple text-file edits. AaronLocker includes scripts that document AppLocker policies and capture event data into Excel workbooks that facilitate analysis and policy maintenance.
AaronLocker is designed to restrict program and script execution by non-administrative users. Note that AaronLocker does not try to stop administrative users from running anything they want – and AppLocker cannot meaningfully restrict administrative actions anyway. A determined user with administrative rights can easily bypass AppLocker rules.
AaronLocker’s strategy can be summed up as: if a non-admin could have put a program or script onto the computer – i.e., it is in a user-writable directory – don’t allow it to execute unless it has already been specifically allowed by an administrator. This will stop execution if a user is tricked into downloading malware, if an exploitable vulnerability in a program the user is running tries to put malware on the computer, or if a user intentionally tries to download and run unauthorized programs.
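To make "user-writable directory" concrete, the following added example (not code from AaronLocker or its author) lists the access-control entries that let a non-administrative principal create files in a directory. The function name `Get-NonAdminWritableAce`, the list of SIDs treated as administrative, and the choice of `$env:windir` as the root to scan are assumptions of this sketch.

```powershell
# Added example, not AaronLocker code: list Allow ACEs that let a non-admin
# principal create files in a directory. Simplifications (assumptions of this
# sketch): Deny ACEs, ownership and per-file ACLs are ignored.

# Principals treated as administrative: SYSTEM, Administrators, TrustedInstaller.
$AdminSids = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Rights that let a principal place or swap content in a directory.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, ChangePermissions, TakeOwnership')
$GenericMask = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Get-NonAdminWritableAce {
    param([Parameter(Mandatory)][string]$Path)

    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to this directory itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }

        $rights = [int]$ace.FileSystemRights
        if (-not ($rights -band ($WriteMask -bor $GenericMask))) { continue }

        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { $sid = $ace.IdentityReference.Value }  # unresolvable account
        if ($AdminSids -contains $sid) { continue }

        [pscustomobject]@{
            Directory = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
}

# Walk a root that is normally admin-controlled and report the exceptions.
$root = $env:windir
Get-NonAdminWritableAce -Path $root
Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-NonAdminWritableAce -Path $_.FullName }
```

Any directory this reports under an otherwise trusted root is one where a path-based allow rule would let user-supplied files execute, so it needs an exception in the whitelisting policy.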
AaronLocker works on all supported versions of Windows that can provide AppLocker.
A personal note: the name “AaronLocker” was Chris (@appcompatguy) Jackson’s idea – not mine – and I resisted it for a long time. I finally gave in because I couldn’t come up with a better name.
For now, download AaronLocker here from the updated page (I will move it to GitHub sometime soon). The zip file contains full documentation, all the scripts, and sample outputs.
Comments
- Anonymous
June 26, 2018
Awesome work and nice to see that it is being shared in public. This will help a lot of customers! Thank you very much, Aaron, David
- Anonymous
June 26, 2018
This is great! This totally eases the implementation of an immensely useful security feature. Thanks for the hard work Aaron!
- Anonymous
June 29, 2018
The comment has been removed
- Anonymous
July 20, 2018
Aaron, I believe our PFE, Yong, was IM'ing you throughout the week with our suggestions.
- Anonymous
July 20, 2018
Suggestion: Have you considered re-engineering these scripts for a Sysmon engagement?