{"id":6309,"date":"2022-12-02T03:36:20","date_gmt":"2022-12-02T03:36:20","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=6309"},"modified":"2023-01-30T05:09:47","modified_gmt":"2023-01-30T05:09:47","slug":"applocker","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/applocker","title":{"rendered":"AppLocker"},"content":{"rendered":"\n<p>For servers, see <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/defender-for-cloud\/adaptive-application-controls\">https:\/\/learn.microsoft.com\/en-us\/azure\/defender-for-cloud\/adaptive-application-controls<\/a> and <a href=\"https:\/\/dailysysadmin.com\/KB\/Article\/6773\/configuring-windows-applocker-to-protect-against-ransomware-attacks\/\">https:\/\/dailysysadmin.com\/KB\/Article\/6773\/configuring-windows-applocker-to-protect-against-ransomware-attacks\/<\/a>.<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/microsoft\/AaronLocker\">GitHub \u2013 microsoft\/AaronLocker: Robust and practical application control for Windows<\/a><\/p>\n\n\n\n<p>The policy below is an exported AppLocker XML with all five rule collections (Appx, Dll, Exe, Msi and Script) in enforce mode. It keeps the default rules (Windows and Program Files for Everyone, everything for local Administrators) and adds per-product publisher and path rules, most of them scoped to the domain's Domain Users group (RID 513).<\/p>\n\n\n\n<p>&lt;AppLockerPolicy Version=\"1\"&gt;<br>&lt;RuleCollection Type=\"Appx\" EnforcementMode=\"Enabled\"&gt;<br>&lt;FilePublisherRule Id=\"041c480f-6af0-44b6-b712-ebc33913a055\" Name=\"All signed packaged apps\" Description=\"Allows members of the Everyone group to run packaged apps that are signed.\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePublisherCondition PublisherName=\"*\" ProductName=\"*\" BinaryName=\"*\"&gt;<br>&lt;BinaryVersionRange LowSection=\"0.0.0.0\" HighSection=\"*\" \/&gt;<br>&lt;\/FilePublisherCondition&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePublisherRule&gt;<br>&lt;\/RuleCollection&gt;<br>&lt;RuleCollection Type=\"Dll\" EnforcementMode=\"Enabled\"&gt;<br>&lt;FilePublisherRule Id=\"077ff552-89db-4a1b-b96f-69a2029a87c5\" Name=\"Allow TeamViewer Signed DLLs\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePublisherCondition PublisherName=\"O=TEAMVIEWER GMBH, L=G\u00d6PPINGEN, S=BADEN-W\u00dcRTTEMBERG, C=DE\" ProductName=\"*\" BinaryName=\"*\"&gt;<br>&lt;BinaryVersionRange LowSection=\"*\" HighSection=\"*\" \/&gt;<br>&lt;\/FilePublisherCondition&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePublisherRule&gt;<br>&lt;FilePublisherRule Id=\"0b988045-bfc3-4743-af15-15befe6481ac\" Name=\"Allow Google Chrome SWReport\" Description=\"Allow Google Chrome SWReport\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePublisherCondition PublisherName=\"O=ESET, SPOL. S R.O., L=BRATISLAVA, C=SK\" ProductName=\"*\" BinaryName=\"*\"&gt;<br>&lt;BinaryVersionRange LowSection=\"*\" HighSection=\"*\" \/&gt;<br>&lt;\/FilePublisherCondition&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePublisherRule&gt;<br>&lt;FilePublisherRule Id=\"162b11dc-5354-45b5-bffb-c5cf90e80ed6\" Name=\"Signed by O=LOGMEIN, INC., L=BOSTON, S=MASSACHUSETTS, C=US\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePublisherCondition PublisherName=\"O=LOGMEIN, INC., L=BOSTON, S=MASSACHUSETTS, C=US\" ProductName=\"*\" BinaryName=\"*\"&gt;<br>&lt;BinaryVersionRange LowSection=\"*\" HighSection=\"*\" \/&gt;<br>&lt;\/FilePublisherCondition&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePublisherRule&gt;<br>&lt;FilePublisherRule Id=\"fefe4e2f-ffdd-41af-a6db-3c76cfd1258d\" Name=\"Allow Microsoft Teams DLL\" Description=\"\" UserOrGroupSid=\"S-1-1-0\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePublisherCondition PublisherName=\"O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\" ProductName=\"MICROSOFT TEAMS\" BinaryName=\"*\"&gt;<br>&lt;BinaryVersionRange LowSection=\"*\" HighSection=\"*\" \/&gt;<br>&lt;\/FilePublisherCondition&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePublisherRule&gt;<br>
&lt;FilePathRule Id=\"005965d8-fab3-4cfb-9abe-d5275b4590dc\" Name=\"Allow Webroot DLLs located in Programdata\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"C:\\PROGRAMDATA\\WRDATA\\PKG\\*\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"09beea3d-5937-4385-b20d-b3c986099728\" Name=\"All DLLs located in the Program Files folder\" Description=\"Allows members of the Everyone group to load DLLs that are located in the Program Files folder.\" UserOrGroupSid=\"S-1-1-0\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"%PROGRAMFILES%\\*\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"23087465-767b-4c19-8ec4-b9a2906a2dd6\" Name=\"Allow TeamViewer DLLs\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"C:\\USERS\\*\\APPDATA\\LOCAL\\TEMP\\*\\TVGETVERSION.DLL\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"53d22ff2-8117-41de-8997-e352abab4ea4\" Name=\"All DLLs in Windows Defender folder\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"%OSDRIVE%\\ProgramData\\Microsoft\\Windows Defender\\platform\\*\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"56e2719d-6f11-4380-a728-d9602272a3d7\" Name=\"Allow Custom GOTOMEETING G2M.DLL\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"C:\\USERS\\*\\APPDATA\\LOCAL\\GOTOMEETING\\*\\G2M.DLL\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"5b88a1bc-ac98-4fb1-b91b-a61a254f27f4\" Name=\"Allow GoToMeeting G2MOUTLOOKADDIN\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"C:\\USERS\\*\\APPDATA\\LOCAL\\GOTOMEETING\\*\\G2MOUTLOOKADDIN*.DLL\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>
&lt;FilePathRule Id=\"d4ccb108-e99c-401a-ab56-3dbe9689ef2b\" Name=\"Microsoft Windows DLLs\" Description=\"Allows members of the Everyone group to load DLLs located in the Windows folder.\" UserOrGroupSid=\"S-1-1-0\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\*\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;Exceptions&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\catroot2\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\com\\dmp\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\Debug\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\FxsTmp\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\spool\\drivers\\color\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\spool\\PRINTERS\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\spool\\SERVERS\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\tasks\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\PCHEALTH\\ERRORREP\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\Registration\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\SysWOW64\\com\\dmp\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\SysWOW64\\FxsTmp\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\SysWOW64\\Tasks\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\Tasks\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\TEMP\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\Tracing\\*\" \/&gt;<br>&lt;\/Exceptions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"d8cf414d-4874-45e1-95b6-dd5fcfab14bb\" Name=\"Allow Custom DEVEXPRESS LIBJPEGTURBO.DLL\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"C:\\USERS\\*\\APPDATA\\ROAMING\\DEVEXPRESS\\*\\LIBJPEGTURBO.DLL\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"fe64f59f-6fca-45e5-a731-0f6715327c38\" Name=\"(Default Rule) All DLLs\" Description=\"Allows members of the local Administrators group to load all DLLs.\" UserOrGroupSid=\"S-1-5-32-544\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"*\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;\/RuleCollection&gt;<br>
&lt;RuleCollection Type=\"Exe\" EnforcementMode=\"Enabled\"&gt;<br>&lt;FilePublisherRule Id=\"1dff3373-4c7b-4859-a5e8-389ce7df7e70\" Name=\"Allow Microsoft Teams\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePublisherCondition PublisherName=\"O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\" ProductName=\"*\" BinaryName=\"*\"&gt;<br>&lt;BinaryVersionRange LowSection=\"*\" HighSection=\"*\" \/&gt;<br>&lt;\/FilePublisherCondition&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePublisherRule&gt;<br>&lt;FilePublisherRule Id=\"3d98c373-77c0-478a-97cc-671834ba3891\" Name=\"Allow Google Signed executables\" Description=\"Allow Google Signed executables\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePublisherCondition PublisherName=\"O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\" ProductName=\"*\" BinaryName=\"*\"&gt;<br>&lt;BinaryVersionRange LowSection=\"*\" HighSection=\"*\" \/&gt;<br>&lt;\/FilePublisherCondition&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePublisherRule&gt;<br>&lt;FilePublisherRule Id=\"702f2b86-afca-46d4-a4ab-c5d994ddd995\" Name=\"Allow LogMeIn Signed certificate\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePublisherCondition PublisherName=\"O=LOGMEIN, INC., L=BOSTON, S=MASSACHUSETTS, C=US\" ProductName=\"*\" BinaryName=\"*\"&gt;<br>&lt;BinaryVersionRange LowSection=\"*\" HighSection=\"*\" \/&gt;<br>&lt;\/FilePublisherCondition&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePublisherRule&gt;<br>&lt;FilePublisherRule Id=\"e69c0dde-bfd0-4361-93b3-b45355bed6d4\" Name=\"Allow TeamViewer Signed executables\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePublisherCondition PublisherName=\"O=TEAMVIEWER GMBH, L=G\u00d6PPINGEN, S=BADEN-W\u00dcRTTEMBERG, C=DE\" ProductName=\"*\" BinaryName=\"*\"&gt;<br>&lt;BinaryVersionRange LowSection=\"*\" HighSection=\"*\" \/&gt;<br>&lt;\/FilePublisherCondition&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePublisherRule&gt;<br>
&lt;FilePathRule Id=\"193aeb68-2beb-40a2-a422-dba103a2bb0b\" Name=\"Allow GoToMeeting G2MINSTALLER\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"C:\\USERS\\*\\APPDATA\\LOCAL\\GOTOMEETING\\*\\*G2MINSTALLER*.EXE\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"1be4f25f-9183-4f05-a5de-519ced4dd49a\" Name=\"Allow GoToMeeting Opener\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"C:\\USERS\\*\\APPDATA\\LOCAL\\MICROSOFT\\WINDOWS\\*\\GOTOMEETING*OPENER*.exe\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"37e7b76f-ad3c-4725-a9cf-b1a2ed1d5a94\" Name=\"All files in Peak Case Manager folder\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"%OSDRIVE%\\CASEMANAGER\\PEAK\\*\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"39c2cc79-1283-420d-977a-c81e4748995e\" Name=\"Allow GoToMeeting G2MCOREINSTEXTRACTOR\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"C:\\USERS\\*\\APPDATA\\LOCAL\\TEMP\\*\\*G2MCOREINSTEXTRACTOR*.EXE\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"46ecf224-d5c3-40e0-8411-4be995e25d5c\" Name=\"All files in Pinnacle Case Manager folder\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"%OSDRIVE%\\CASEMANAGER\\PINNACLE\\*\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"5180cd73-9ea8-4928-9d5f-66e81c557d29\" Name=\"All files located in the Program Files folder\" Description=\"Allows members of the Everyone group to run applications that are located in the Program Files folder.\" UserOrGroupSid=\"S-1-1-0\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"%PROGRAMFILES%\\*\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"5d592aaa-b3c0-4b4b-9759-84d0050dc6bc\" Name=\"Allow Case manager Test in User profile directory\" Description=\"Requested by Roman 4\/12\/2020\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"C:\\Users\\*\\Desktop\\*\\casemanager\\casemanager.exe\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>
&lt;FilePathRule Id=\"6e7eb7c8-b6b7-4c40-8fb1-a51bec0c4474\" Name=\"All files located in the Windows folder\" Description=\"Allows members of the Everyone group to run applications that are located in the Windows folder.\" UserOrGroupSid=\"S-1-1-0\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\*\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;Exceptions&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\catroot2\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\com\\dmp\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\FxsTmp\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\spool\\drivers\\color\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\spool\\PRINTERS\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\spool\\SERVERS\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\tasks\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\Debug\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\PCHEALTH\\ERRORREP\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\Registration\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\SysWOW64\\com\\dmp\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\SysWOW64\\FxsTmp\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\SysWOW64\\Tasks\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\Tasks\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\TEMP\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\tracing\\*\" \/&gt;<br>&lt;\/Exceptions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"73ef62fd-9cb5-4887-8e04-7a4c08aa4d56\" Name=\"Allow GRAMMARLY executable\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"C:\\USERS\\*\\APPDATA\\ROAMING\\GRAMMARLY\\UPDATES\\GRAMMARLY*.EXE\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"93b3da8c-5e5f-4074-804e-57a4ca4af866\" Name=\"Allow GoToMeeting G2MUPLOAD\" Description=\"Allows Users to Run GoToMeeting\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"C:\\USERS\\*\\APPDATA\\LOCAL\\GOTOMEETING\\15939\\G2MUPLOAD.EXE\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"9d49c931-5766-4510-b8de-47a81d38988d\" Name=\"Allow GoToMeeting G2MCOMM\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"C:\\USERS\\*\\APPDATA\\LOCAL\\GOTOMEETING\\*\\G2MCOMM*.EXE\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"c893e557-3ee2-42a8-a512-86105f35f27a\" Name=\"Allow GoToMeeting G2MSTART\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"C:\\USERS\\*\\APPDATA\\LOCAL\\GOTOMEETING\\*\\G2MSTART*.EXE\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"fd686d83-a829-4351-8ff4-27c7de5755d2\" Name=\"(Default Rule) All files\" Description=\"Allows members of the local Administrators group to run all applications.\" UserOrGroupSid=\"S-1-5-32-544\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"*\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;\/RuleCollection&gt;<br>
&lt;RuleCollection Type=\"Msi\" EnforcementMode=\"Enabled\"&gt;<br>&lt;FilePublisherRule Id=\"2db49047-d2d2-4468-bd68-02abfedee6d2\" Name=\"All digitally signed Windows Installer files\" Description=\"Allows members of the Everyone group to run digitally signed Windows Installer files.\" UserOrGroupSid=\"S-1-1-0\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePublisherCondition PublisherName=\"*\" ProductName=\"*\" BinaryName=\"*\"&gt;<br>&lt;BinaryVersionRange LowSection=\"0.0.0.0\" HighSection=\"*\" \/&gt;<br>&lt;\/FilePublisherCondition&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePublisherRule&gt;<br>&lt;FilePathRule Id=\"09866951-f7e1-4208-8a7e-2819cc95a1b7\" Name=\"All Windows Installer files in %systemdrive%\\Windows\\Installer\" Description=\"Allows members of the Everyone group to run all Windows Installer files located in %systemdrive%\\Windows\\Installer.\" UserOrGroupSid=\"S-1-1-0\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\Installer\\*\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"64ad46ff-0d71-4fa0-a30b-3f3d30c5433d\" Name=\"(Default Rule) All Windows Installer files\" Description=\"Allows members of the local Administrators group to run all Windows Installer files.\" UserOrGroupSid=\"S-1-5-32-544\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"*.*\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;\/RuleCollection&gt;<br>
&lt;RuleCollection Type=\"Script\" EnforcementMode=\"Enabled\"&gt;<br>&lt;FilePathRule Id=\"0095abbc-984c-45fb-91e6-d417362e55e6\" Name=\"Allow scripts from NETLOGON-Teams\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"\\\\aha.local\\NETLOGON\\Teams\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"2f4f4c88-d1af-4b39-8122-c0e16e12b370\" Name=\"Allow Batch file in GPO\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"\\\\AHA.LOCAL\\SYSVOL\\AHA.LOCAL\\POLICIES\\{F88EDDB1-7AB8-4100-9A48-5DF9593332D8}\\USER\\SCRIPTS\\LOGON\\WINDOWSSHELL-CORTANAPACKAGE.BAT\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"2f76f808-26ba-4e27-971f-009f676e47e8\" Name=\"All scripts located in the Program Files folder\" Description=\"Allows members of the Everyone group to run scripts that are located in the Program Files folder.\" UserOrGroupSid=\"S-1-1-0\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"%PROGRAMFILES%\\*\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"3d0ac270-2034-4d78-9162-fff433181327\" Name=\"Allow getpaths.cmd\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"%OSDRIVE%\\users\\*\\temp\\*\\getpaths.cmd\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>
&lt;FilePathRule Id=\"488e53c2-bfbd-4f7c-8589-fc468f614860\" Name=\"All scripts located in the Windows folder\" Description=\"Allows members of the Everyone group to run scripts that are located in the Windows folder.\" UserOrGroupSid=\"S-1-1-0\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\*\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;Exceptions&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\catroot2\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\com\\dmp\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\FxsTmp\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\spool\\drivers\\color\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\spool\\PRINTERS\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\spool\\SERVERS\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%SYSTEM32%\\Tasks\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\Debug\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\PCHEALTH\\ERRORREP\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\Registration\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\SysWOW64\\com\\dmp\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\SysWOW64\\FxsTmp\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\SysWOW64\\Tasks\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\Tasks\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\TEMP\\*\" \/&gt;<br>&lt;FilePathCondition Path=\"%WINDIR%\\Tracing\\*\" \/&gt;<br>&lt;\/Exceptions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"4dc7e394-c5e3-49e8-a407-073fb2b666a4\" Name=\"Allow WNDOWSSHELL.PS1\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"\\\\AHA-FILE-01\\STARTMENUFIX$\\WNDOWSSHELL.PS1\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"7575089f-a7ac-442d-89a9-90a327d5e954\" Name=\"Allow CORTANAPACKAGE.PS1\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"\\\\AHA-FILE-01\\STARTMENUFIX$\\CORTANAPACKAGE.PS1\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"8261561e-7e4a-4b91-b5c0-2e0b8ccf4d86\" Name=\"Allow NETWORKDIAGNOSTICSTROUBLESHOOT Script\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"C:\\USERS\\*\\APPDATA\\LOCAL\\TEMP\\*\\NETWORKDIAGNOSTICSTROUBLESHOOT.PS1\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"defca77e-cc0e-4cd7-a439-46fc0d1946ee\" Name=\"Allow Powershell Script to run in non-constrained mode\" Description=\"\" UserOrGroupSid=\"S-1-5-21-1552540602-1968448591-1667663741-513\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"%OSDRIVE%\\USERS\\*\\TEMP\\*PSSCRIPTPOLICYTEST*.ps1\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;FilePathRule Id=\"ed97d0cb-15ff-430f-b82c-8d7832957725\" Name=\"(Default Rule) All scripts\" Description=\"Allows members of the local Administrators group to run all scripts.\" UserOrGroupSid=\"S-1-5-32-544\" Action=\"Allow\"&gt;<br>&lt;Conditions&gt;<br>&lt;FilePathCondition Path=\"*\" \/&gt;<br>&lt;\/Conditions&gt;<br>&lt;\/FilePathRule&gt;<br>&lt;\/RuleCollection&gt;<br>&lt;\/AppLockerPolicy&gt;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For servers, see https:\/\/learn.microsoft.com\/en-us\/azure\/defender-for-cloud\/adaptive-application-controls and https:\/\/dailysysadmin.com\/KB\/Article\/6773\/configuring-windows-applocker-to-protect-against-ransomware-attacks\/ GitHub \u2013 microsoft\/AaronLocker: Robust and practical application control for Windows &lt;AppLockerPolicy Version=\"1\"&gt;&lt;RuleCollection Type=\"Appx\" EnforcementMode=\"Enabled\"&gt;&lt;FilePublisherRule Id=\"041c480f-6af0-44b6-b712-ebc33913a055\" Name=\"All signed packaged apps\" Description=\"Allows members of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6309","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6309","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=6309"}],"version-history":[{"count":5,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6309\/revisions"}],"predecessor-version":[{"id":6601,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6309\/revisions\/6601"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/me
dia?parent=6309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=6309"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=6309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
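Most of the non-default rules in the policy above are path rules that match files under C:\Users\*\AppData\..., C:\Users\*\Desktop or %OSDRIVE%\users\*\temp, which any standard user can write to, so a renamed file satisfies them; the Script rule for *PSSCRIPTPOLICYTEST*.ps1 deliberately allows the probe file PowerShell writes to %TEMP% to decide its language mode, which gives those users FullLanguage instead of ConstrainedLanguage. The following PowerShell is an added example, not code from the original post: it parses an exported policy and lists the allow rules a reviewer would want to look at for those reasons, skipping the administrator-only default rules. The file name .\AppLockerPolicy.xml and the two prefix lists are assumptions, and the policy must be saved as plain XML with straight quotes.

```powershell
# Added example, not code from the original post. Audits an exported AppLocker
# policy for allow rules an unprivileged user could satisfy by writing a file
# into a directory they control, plus a few other broad rules. The policy
# above, saved as plain XML, is assumed to be at .\AppLockerPolicy.xml
# (hypothetical file name).
param([string] $PolicyPath = '.\AppLockerPolicy.xml')

[xml] $policy = Get-Content -Path $PolicyPath -Raw

# Rule paths are compared as written in the XML (AppLocker variables such as
# %OSDRIVE% left unexpanded) and case-insensitively. These prefixes are
# writable by any standard user (assumed list).
$userWritablePrefixes = @(
    'C:\USERS\'
    '%OSDRIVE%\USERS\'
    '%WINDIR%\TEMP\'
)

# Admin-writable on a default install, given the usual Tasks/Temp/spool
# exceptions (assumed list). Anything else, e.g. %OSDRIVE%\CASEMANAGER\* or a
# UNC share, is reported so its ACL can be checked by hand.
$adminOnlyPrefixes = @(
    '%WINDIR%\'
    '%SYSTEM32%\'
    '%PROGRAMFILES%\'
)

function Test-PathPrefix {
    param([string] $Path, [string[]] $Prefixes)
    foreach ($prefix in $Prefixes) {
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-AppLockerPolicyFinding {
    param([xml] $Policy)
    foreach ($collection in $Policy.AppLockerPolicy.RuleCollection) {
        $type = $collection.Type
        foreach ($rule in $collection.FilePathRule) {
            # "(Default Rule)" entries for BUILTIN\Administrators (S-1-5-32-544) are meant to allow everything.
            if ($rule.Action -ne 'Allow' -or $rule.UserOrGroupSid -eq 'S-1-5-32-544') { continue }
            foreach ($condition in $rule.Conditions.FilePathCondition) {
                $path = $condition.Path
                $issue = $null
                if ($path -eq '*' -or $path -eq '*.*') {
                    $issue = 'Allows every file for a non-admin SID'
                }
                elseif ($type -eq 'Script' -and $path -like '*PSSCRIPTPOLICYTEST*') {
                    # PowerShell writes a __PSScriptPolicyTest_*.ps1 probe to the temp folder and asks AppLocker
                    # about it; if the probe is allowed, sessions run in FullLanguage rather than ConstrainedLanguage.
                    $issue = 'Allows the PowerShell language-mode probe; users get FullLanguage mode'
                }
                elseif (Test-PathPrefix -Path $path -Prefixes $userWritablePrefixes) {
                    $issue = 'Path rule under a user-writable directory'
                }
                elseif (-not (Test-PathPrefix -Path $path -Prefixes $adminOnlyPrefixes)) {
                    $issue = 'Path outside Windows/Program Files; verify standard users cannot write there'
                }
                if ($issue) {
                    # XmlElement already has a .Name (the tag name), so the Name attribute is read explicitly.
                    [pscustomobject]@{
                        Collection = $type
                        Rule       = $rule.GetAttribute('Name')
                        Sid        = $rule.UserOrGroupSid
                        Target     = $path
                        Issue      = $issue
                    }
                }
            }
        }
        foreach ($rule in $collection.FilePublisherRule) {
            if ($rule.Action -ne 'Allow' -or $rule.UserOrGroupSid -eq 'S-1-5-32-544') { continue }
            $condition = $rule.Conditions.FilePublisherCondition
            $issue = $null
            if ($condition.PublisherName -eq '*') {
                $issue = 'Any signed file is allowed, whoever signed it'
            }
            elseif ($condition.ProductName -eq '*' -and $condition.BinaryName -eq '*') {
                $issue = 'Whole publisher allowed: every product and binary that signer has ever shipped'
            }
            if ($issue) {
                [pscustomobject]@{
                    Collection = $type
                    Rule       = $rule.GetAttribute('Name')
                    Sid        = $rule.UserOrGroupSid
                    Target     = $condition.PublisherName
                    Issue      = $issue
                }
            }
        }
    }
}

Get-AppLockerPolicyFinding -Policy $policy | Sort-Object Collection, Rule | Format-Table -AutoSize -Wrap
```

On a machine that has the GPO applied, export the effective policy with `Get-AppLockerPolicy -Effective -Xml > AppLockerPolicy.xml` and run the script against it. With the policy above, every GoToMeeting, Grammarly, DevExpress and TeamViewer path rule, the casemanager.exe Desktop rule, the getpaths.cmd and NETWORKDIAGNOSTICSTROUBLESHOOT script rules and the PSSCRIPTPOLICYTEST rule are reported as user-writable; the ProgramData, CASEMANAGER and UNC rules come out as "verify"; and the Appx and Msi any-publisher rules plus the publisher-wide Exe and Dll rules are listed separately. For one specific file that exists on disk, `Test-AppLockerPolicy -XmlPolicy .\AppLockerPolicy.xml -User Everyone -Path <file>` shows which rule lets it run.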