“AaronLocker” updates (12 May 2019)


Just committed some changes to the "AaronLocker" repo on GitHub and its documentation. Changes include:

Rule-generation for files in unsafe paths: always used to create one publisher or hash rule for each file in the directory hierarchy. New granularity options enable rules tied only to publisher name or publisher+product name instead of one-rule-per-file. Can dramatically reduce the number of rules generated, and increases flexibility/resilience when product updates might introduce new files and reduce the likelihood that the AppLocker rules also need to be updated. See the documentation for details, as well as the special handling for Microsoft-signed files.

UnsafePaths... - called out in rule name and description when hash rule is created for a signed file that doesn't have version information needed for a publisher rule;
Used new lower-granularity rules for provided OneDrive XML rules; dramatically reduces number of rules required.
Small difference in inert timestamp rule so that Compare-Policies shows it as a rule change instead of an added rule + a deleted rule
Scan-Directories.ps1 - fixed bug in -SearchAllUsersProfiles
Scan-Directories.ps1 also outputs BinaryName and BinaryVersion
Exe files to blacklist: added Microsoft.Workflow.Compiler.exe

Skip to main content