Get-AppLockerConfig - Empire Module
This page contains detailed information about how to use the powershell/situational_awareness/host/applockerstatus Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Get-AppLockerConfig
Module: powershell/situational_awareness/host/applockerstatus
Source code:
empire/server/modules/powershell/situational_awareness/host/applockerstatus.yaml
MITRE ATT&CK:
T1012
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: No
The applockerstatus module is used to query the current AppLocker policy on the target and check the status of a user-defined executable or all executables in a path.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the applockerstatus module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the applockerstatus module:
Agent
Agent to run module on.
Executable
Full filepath of executable or folder to check.
Default value: c:\windows\system32\*.exe
.
Additional Module Options
This is a list of additional options that are supported by the applockerstatus module:
OutputFunction
PowerShell's output function to use ("Out-String", "ConvertTo-Json", "ConvertTo-Csv", "ConvertTo-Html", "ConvertTo-Xml").
Default value: Out-String
.
Suggested values: Out-String
, ConvertTo-Json
, ConvertTo-Csv
, ConvertTo-Html
, ConvertTo-Xml
.
User
Username to test the execution policy for.
Default value: Everyone
.
Applockerstatus Example Usage
Here's an example of how to use the applockerstatus module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/situational_awareness/host/applockerstatus
Author @matterpreter
Matt Hand
Background False
Comments comment
https://github.com/matterpreter/misc/blob/master/Get-
AppLockerConfig.ps1
Description This script is used to query the current AppLocker policy on the
target and check the status of a user-defined executable or all
executables in a path.
Language powershell
Name powershell/situational_awareness/host/applockerstatus
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1012
,Record Options--,---------------------------,----------,-------------------------------------,
| Name | Value | Required | Description |
|----------------|---------------------------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|----------------|---------------------------|----------|-------------------------------------|
| Executable | c:\windows\system32\*.exe | True | Full filepath of executable or |
| | | | folder to check. |
|----------------|---------------------------|----------|-------------------------------------|
| OutputFunction | Out-String | False | PowerShell's output function to use |
| | | | ("Out-String", "ConvertTo-Json", |
| | | | "ConvertTo-Csv", "ConvertTo-Html", |
| | | | "ConvertTo-Xml"). |
|----------------|---------------------------|----------|-------------------------------------|
| User | Everyone | False | Username to test the execution |
| | | | policy for. |
'----------------'---------------------------'----------'-------------------------------------'
(Empire: usemodule/powershell/situational_awareness/host/applockerstatus) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/situational_awareness/host/applockerstatus) > set Executable c:\windows\system32\*.exe
[*] Set Executable to c:\windows\system32\*.exe
(Empire: usemodule/powershell/situational_awareness/host/applockerstatus) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Authors
- @matterpreter
- Matt Hand
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/situational_awareness/host/applockerstatus.yaml
- https://github.com/matterpreter/misc/blob/master/Get-AppLockerConfig.ps1
- http://attack.mitre.org/techniques/T1012
See Also
Check also the following modules related to this module:
- powershell/situational_awareness/host/hostrecon
- powershell/situational_awareness/host/winenum
- powershell/situational_awareness/host/get_uaclevel
- powershell/situational_awareness/host/dnsserver
- powershell/situational_awareness/host/antivirusproduct
- powershell/situational_awareness/host/get_pathacl
- powershell/situational_awareness/host/get_proxy
- powershell/situational_awareness/host/findtrusteddocuments
- powershell/situational_awareness/host/monitortcpconnections
- powershell/situational_awareness/host/seatbelt
- powershell/situational_awareness/host/paranoia
- powershell/situational_awareness/host/computerdetails
- python/situational_awareness/host/multi/WorldWriteableFileSearch
- python/situational_awareness/host/multi/SuidGuidSearch
- python/situational_awareness/host/osx/situational_awareness
- python/situational_awareness/host/osx/HijackScanner
- csharp/GhostPack/Rubeus
- csharp/GhostPack/SharpDPAPI
- csharp/GhostPack/SharpUp
- csharp/GhostPack/SharpDump
- csharp/GhostPack/Seatbelt
- csharp/GhostPack/SharpWMI
- python/situational_awareness/network/gethostbyname
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.