
For 2 days I have been trying to create a Visual Studio application, which should be trusted inside an AppLocker rule. Unfortunately, if I sign my exe with my own created signature, it cannot be used within the AppLocker wizard; there is an error message that the publisher information cannot be extracted from my exe file.

Creating a rule based on Microsoft files under C:\Windows\ works for all exe and ps1 files, independent of whether the files are signed or not.

I figured out there is a PowerShell command, Get-AppLockerFileInformation, to get the publisher information more easily.

e.g. If I copy C:\Windows\WinSxS\wow64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_9478227a478f23d5\Add-Numbers.ps1 to the C:\Temp\ folder and run the

Get-AppLockerFileInformation -Directory C:\Temp -Recurse -FileType exe, script

command, then the result is:

Path                                                                  Publisher                                                                                                                    Hash
----                                                                  ---------                                                                                                                    ----
%OSDRIVE%\TEMP\ADD-NUMBERS.PS1                                        O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\,0.0.0.0                                                             S...

For all exe and ps1 files created by myself, the publisher is empty. Please note that ADD-NUMBERS.PS1 is only 55 bytes and is not signed at all. So the publisher information has to be hidden somehow...

borecki
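The following diagnostic is an added example, not code from the question or the answer. It puts what Get-AuthenticodeSignature reports about a file next to what AppLocker extracts as the publisher, which is the quickest way to see why a tiny Windows script with no signature block of its own still yields a publisher (its SignatureType is reported as Catalog: the file's hash is listed in a Microsoft-signed catalog rather than embedded in the file), while a self-signed binary whose certificate chain is not trusted does not. The directory is the C:\Temp from the question; any folder works.

```powershell
# Added diagnostic example (not part of the original question or answer).
# For every exe/ps1 under a directory, show how the file is signed according
# to Get-AuthenticodeSignature beside the publisher AppLocker extracts.
# SignatureType values: None (unsigned), Authenticode (signature embedded in
# the file), Catalog (hash listed in a signed Windows .cat file).
# Status values of interest: Valid, NotSigned, and UnknownError, which is what
# a self-signed certificate reports when its chain is not trusted locally.
function Get-SigningSummary {
    param([Parameter(Mandatory)][string]$Directory)   # assumed: any folder with exe/ps1 files

    Get-ChildItem -Path $Directory -Recurse -File -Include *.exe, *.ps1 |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $info = Get-AppLockerFileInformation -Path $_.FullName
            [pscustomobject]@{
                File               = $_.FullName
                SizeBytes          = $_.Length
                SignatureStatus    = $sig.Status
                SignatureType      = $sig.SignatureType
                Signer             = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                # Publisher is $null for files AppLocker cannot attribute to a publisher.
                AppLockerPublisher = if ($info.Publisher) { $info.Publisher.PublisherName } else { '<none>' }
                ProductName        = if ($info.Publisher) { $info.Publisher.ProductName } else { '' }
                BinaryVersion      = if ($info.Publisher) { $info.Publisher.BinaryVersion } else { '' }
            }
        }
}

# Usage: compare the copied Add-Numbers.ps1 with your own signed exe.
Get-SigningSummary -Directory 'C:\Temp' | Format-Table -AutoSize
```

A row with SignatureType Catalog and a Microsoft publisher is the case from the question; a row with SignatureType Authenticode but Status UnknownError and no AppLocker publisher is the self-signed case, and the fix is trusting the signing certificate on the machine (see the answer below for the signing side).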
  • Just curious. Did you read the PowerShell help files and the examples before trying this, to set your expectations? Signing scripts and AppLocker settings are separate use cases. PS scripts use certs, of course, self-signed or CA-issued, for signing. You are not showing how you are signing your code. If you are saying you don't want to see records where the publisher property is $null, or vice versa, then you need to filter for that with a Where statement and comparison operator. – postanote Aug 12 '20 at 04:50

1 Answer

Continuation from my comment about guided knowledge from the help files...

'signing PowerShell script'

Hits

About Signing Explains how to sign scripts so that they comply with the PowerShell execution policies.

makecert -n "CN=PowerShell Local Certificate Root" -a sha1 `
-eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer `
-ss Root -sr localMachine

makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 `
-eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer

Get-ChildItem cert:\CurrentUser\my -codesigning

Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
----------                                -------
4D4917CB140714BA5B81B96E0B18AAF2C4564FDF  CN=PowerShell User


# To use this script, copy the following text into a text file, and name it Add-Signature.ps1.
## Signs a file
param([string] $file=$(throw "Please specify a filename."))
$cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
Set-AuthenticodeSignature $file $cert


# To sign the Add-Signature.ps1 script file, type the following commands at the PowerShell command prompt:
$cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
Set-AuthenticodeSignature add-signature.ps1 $cert

Signing PowerShell Scripts

Get-Help -Name Get-AppLockerFileInformation -Examples

<#
 Get-Help -Name Get-AppLockerFileInformation -Examples

NAME
    Get-AppLockerFileInformation
    
SYNOPSIS
    Gets the file information necessary to create AppLocker rules from a list of files or an event log.
    
    
    EXAMPLE 1
#>
    
    Get-AppLockerFileInformation -Directory C:\Windows\system32\ -Recurse -FileType exe, script
    

<#
    This example gets the file information for all the .exe files and scripts under %windir%\system32.
    
    
    EXAMPLE 2
#>
    
    Get-AppLockerFileInformation -Path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" | Format-List

<#
    Path      : %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE 
    Publisher : CN=WINDOWS MAIN BUILD LAB ACCOUNT\WINDOWS® INTERNET EXPLORER\IEXPLORE.EXE,10.0.8421.0 
    Hash      : SHA256 0x5F374C2DD91A6F9E9E96F149EE221EC0454649F50E1AF6D3DAEFB849FB7C551C 
    AppX      : False
#> 
    
    
    Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe" | Format-List

<#
    Path      : %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE 
    Publisher : CN=WINDOWS MAIN BUILD LAB ACCOUNT\WINDOWS® INTERNET EXPLORER\IEXPLORE.EXE,10.0.8421.0 
    Hash      : SHA256 0x5F374C2DD91A6F9E9E96F149EE221EC0454649F50E1AF6D3DAEFB849FB7C551C 
    AppX      : False
    
    This example gets the file information for the file specified by the path.
    
    
    EXAMPLE 3
#>
    
    Get-AppXPackage -AllUsers | Get-AppLockerFileInformation

<#
    Path      : windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy.appx 
    Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
                C=US\windows.immersivecontrolpanel\APPX,6.2.0.0 
    Hash      : 
    AppX      : True 
    
    Path      : windows.RemoteDesktop_1.0.0.0_neutral_neutral_cw5n1h2txyewy.appx 
    Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
                C=US\windows.RemoteDesktop\APPX,1.0.0.0 
    Hash      : 
    AppX      : True 
    
    Path      : WinStore_1.0.0.0_neutral_neutral_cw5n1h2txyewy.appx 
    Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US\WinStore\APPX,1.0.0.0 
    Hash      : 
    AppX      : True
    
    This example outputs the file information for all the packaged applications installed on this machine for all users.
    
    
    EXAMPLE 4
#>
    
    Get-AppLockerFileInformation -EventLog -EventType Audited
    

<#
    This example outputs the file information for all the Audited events in the local event log. Audited events correspond to the Warning event in the 
    AppLocker audit log.
    
    
    EXAMPLE 5
#>
    
    Get-AppLockerFileInformation -EventLog -EventType Allow -Statistics
    

<#
    This example displays statistics for all the Allowed events in the local event log. For each file in the event log, the cmdlet will sum the number of 
    times the event type occurred.
    
    
    EXAMPLE 6
#>
    
    Get-AppLockerFileInformation -EventLog -EventType Audited | 
    New-AppLockerPolicy -RuleType Publisher, Hash, Path -User Everyone -Optimize | 
    Set-AppLockerPolicy -LDAP LDAP://TestGPO
<#    
    This example creates a new AppLocker policy from the warning events in the local event log and sets the policy of a test Group Policy Object (GPO).
#>

Clear-Host
Get-AppLockerFileInformation -Directory 'D:\Scripts' -FileType exe, script | 
Select Path, Publisher, Hash | 
Where Publisher -NE $null | 
Format-List

# Results
<#
Path      : D:\SCRIPTS\SCRIPTS_POWERSHELL_WINDOWSXP-KB926139-X86-ENU.EXE
Publisher : O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS XP FAMILY\SFXCAB.EXE,1.0.0.0
Hash      : SHA256 0xCC11045CB14501C530FF6D3A65154517B8A8E0791E99049BD6CFA349EFA003F6

...

Path      : D:\SCRIPTS\AREMYSERVERSONLINE.PS1
Publisher : O=EXCHANGEMASTER GMBH, L=KLOTEN, S=ZH, C=CH\\,0.0.0.0
Hash      : SHA256 0x093C4586412C9B5FD942E298FA02A6809ABD886C67B8831EB0293FB15476AA0B

...
#>

Get-Content -Path 'D:\SCRIPTS\AREMYSERVERSONLINE.PS1'
# Results
<#
 Get-Content -Path 'D:\SCRIPTS\AREMYSERVERSONLINE.PS1'
<#
.NAME
   AreMyServersOnline v1.0
...

# SIG # Begin signature block
# MIIc2gYJKoZIhvcNAQcCoIIcyzCCHMcCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB
...
# SIG # End signature block
#>
postanote
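As an added end-to-end example (not from the answer above), this script carries the answer's procedure through with the current cmdlet set: it creates a self-signed code-signing certificate with New-SelfSignedCertificate (the modern replacement for the makecert calls in the answer), trusts it, signs a script, reads the publisher with Get-AppLockerFileInformation, and builds and tests a publisher rule from it. The certificate subject, folder, and sample script are assumptions for illustration; run it in an elevated PowerShell on the machine that will evaluate the rule.

```powershell
# Added end-to-end example (not code from the original answer). Assumed values:
# the certificate subject, the folder, and the sample script are illustrative.
$subject   = 'CN=Contoso Internal Code Signing'      # assumed subject name
$scriptDir = 'C:\Temp\Signed'                        # assumed folder
$script    = Join-Path $scriptDir 'Add-Numbers.ps1'  # constructed sample script
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null
Set-Content -Path $script -Value 'param([int]$a, [int]$b) $a + $b'

# 1. Create a self-signed code-signing certificate in the user's personal store
#    (same role as the answer's "makecert -eku 1.3.6.1.5.5.7.3.3 ... -ss MY").
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
            -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(3)

# 2. Trust it. AppLocker and the rule wizard read publisher data from the
#    Authenticode signature, and that signature has to verify, so the public
#    certificate must be in Trusted Root and Trusted Publishers on every machine
#    that evaluates the rule (the answer's "-ss Root -sr localMachine" step).
$cerPath = Join-Path $scriptDir 'codesign.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# 3. Sign the script with SHA-256. In production add -TimestampServer so the
#    signature stays valid after the certificate expires.
$result = Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256
if ($result.Status -ne 'Valid') { throw "Signing failed: $($result.StatusMessage)" }

# 4. AppLocker now sees a publisher: these are the fields the wizard would show.
$info = Get-AppLockerFileInformation -Path $script
$info | Format-List Path, Publisher, Hash

# 5. Build a publisher rule from that file information and save it as XML
#    for import into the AppLocker GUI or Set-AppLockerPolicy.
$policy = $info | New-AppLockerPolicy -RuleType Publisher -User Everyone `
                      -RuleNamePrefix 'Contoso' -Optimize
$policy.ToXml() | Out-File -FilePath (Join-Path $scriptDir 'contoso-publisher-rule.xml') -Encoding utf8

# 6. Check the decision for the signed file and for a copy under another path:
#    a publisher rule, unlike a path rule, still matches the moved copy because
#    it keys on the signature, not the location.
$copy = Join-Path $env:TEMP 'Add-Numbers-copy.ps1'
Copy-Item -Path $script -Destination $copy -Force
Test-AppLockerPolicy -PolicyObject $policy -Path $script, $copy -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

If step 4 shows an empty Publisher for your own exe even after signing, rerun Get-AuthenticodeSignature on it and check that Status is Valid: an untrusted chain is the usual reason the wizard reports that the publisher information cannot be extracted.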