ANNOUNCING: Application whitelisting with “AaronLocker”


Announcing the pre-release (v0.9) of "AaronLocker": robust and practical application whitelisting for Windows.

AaronLocker is designed to make the creation and maintenance of robust, strict, AppLocker-based whitelisting rules as easy and practical as possible. The entire solution involves a small number of PowerShell scripts. You can easily customize rules for your specific requirements with simple text-file edits. AaronLocker includes scripts that document AppLocker policies and capture event data into Excel workbooks that facilitate analysis and policy maintenance.

AaronLocker is designed to restrict program and script execution by non-administrative users. Note that AaronLocker does not try to stop administrative users from running anything they want – and AppLocker cannot meaningfully restrict administrative actions anyway. A determined user with administrative rights can easily bypass AppLocker rules.

AaronLocker’s strategy can be summed up as: if a non-admin could have put a program or script onto the computer – i.e., it is in a user-writable directory – don’t allow it to execute unless it has already been specifically allowed by an administrator. This will stop execution if a user is tricked into downloading malware, if an exploitable vulnerability in a program the user is running tries to put malware on the computer, or if a user intentionally tries to download and run unauthorized programs.
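
As an added illustration of that strategy (example code written for this post, not one of AaronLocker's own scripts), the PowerShell below walks a tree that an AppLocker path rule would allow broadly, finds the subdirectories a non-admin can write to, and emits them as rule exceptions so that anything a user drops there is not covered by the allow rule. It assumes the allow rule is `%WINDIR%\*` and that paths under `$env:windir` map onto that variable; the principal list and rights mask are this example's own choices.

```powershell
# Added illustration (not AaronLocker's own code): list subdirectories of a
# broadly-allowed tree that non-admin principals can write to, and emit them
# as <Exceptions> for an AppLocker Allow FilePathRule. Assumed: the rule
# allows %WINDIR%\*; adapt $Root/$Variable for %PROGRAMFILES%.

$nonAdminPrincipals = @(
    'Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)
# Rights that let a user place a file or folder here: CreateFiles (0x2),
# CreateDirectories (0x4), plus the GENERIC_WRITE (0x40000000) and
# GENERIC_ALL (0x10000000) bits that Get-Acl reports on some ACEs.
$writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Test-NonAdminWritable {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # PropagationFlags InheritOnly (2): ACE applies to children only,
        # not to this directory itself
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }
        if ($nonAdminPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if ((([int]$ace.FileSystemRights) -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

function Get-WritableExceptionXml {
    param([string]$Root = $env:windir, [string]$Variable = '%WINDIR%')
    $dirs = Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { try { Test-NonAdminWritable $_.FullName } catch { $false } }
    $lines = @(foreach ($d in $dirs) {
        $rel = $d.FullName.Substring($Root.Length).TrimStart('\')
        "    <FilePathCondition Path=`"$Variable\$rel\*`" />"
    })
    (@('<Exceptions>') + $lines + '</Exceptions>') -join "`n"
}

# Print the exception block to paste inside the Allow rule for %WINDIR%\*
Get-WritableExceptionXml
```

The scan only looks at directory ACEs for four well-known principals, so review the output by hand before putting it in a policy; a full deployment also needs publisher or hash rules for anything that legitimately lives in those writable locations.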

AaronLocker works on all supported versions of Windows that can provide AppLocker.

A personal note: the name “AaronLocker” was Chris (@appcompatguy) Jackson’s idea – not mine – and I resisted it for a long time. I finally gave in because I couldn’t come up with a better name.

For now, download AaronLocker here (I will move it to GitHub sometime soon). The zip file contains full documentation, all the scripts, and sample outputs.


Comments (5)

  1. Awesome work and nice to see that it is being shared in public. This will help a lot of customers!

    Thank you very much, Aaron,
    David

  2. Steve_Cody says:

    This is great! This totally eases the implementation of an immensely useful security feature. Thanks for the hard work Aaron!

  3. Bjarni2007 says:

    We implemented it this week in an Applocker engagement. Very cool stuff.
    Now we have to figure out how to get $$$’s for our SIEM’s EPS License increase. 😉

    [Aaron Margosis] Implemented already! That was fast! Please post here any tips/tricks or opportunities for improvement that you see. Thanks!
    1. Bjarni2007 says:

      Aaron, I believe our PFE, Yong, was IM’ing you throughout the week with our suggestions.

      1. Bjarni2007 says:

        Suggestion: Have you considered re-engineering these scripts for a Sysmon engagement?
