The applocker module allows you to easily parse and create Windows AppLocker Policy XML files and/or strings in Python.
To install the applocker module via pip, run the command:
$ pip install applockerStart by importing the applocker module.
>>> import applockerThe function applocker.load, loads an AppLocker Policy XML file.
>>> with open('example.xml', 'r') as file:
... applocker.load(file)The function applocker.loads, loads an AppLocker Policy XML string.
>>> applocker.loads('<AppLockerPolicy Version="1" />')In addition to loading an existing AppLocker Policy, policies created using the relevant Conditions, Rules and Rule Collections can be dumped to an XML file using the applocker.dump function.
>>> with open('example.xml', 'w') as file:
... applocker.dump(policy, file)Or, an XML string using the applocker.dumps function.
>>> applocker.dumps(policy)To create a file publisher AppLocker rule to allow or deny digitally signed files, a applocker.conditions.FilePublisherCondition must be created optionally specifying a applocker.conditions.BinaryVersionRange.
This condition can then be used to create a applocker.rules.FilePublisherRule.
>>> from applocker.conditions import BinaryVersionRange, FilePublisherCondition
>>> from applocker.rules import FilePublisherRule
>>> binary_version_range = BinaryVersionRange(low_section='10.0.19041.1', high_section='10.0.19041.1')
>>> condition = FilePublisherCondition(
... publisher_name='O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US',
... product_name='MICROSOFT® WINDOWS® OPERATING SYSTEM',
... binary_name='CMD.EXE',
... binary_version_range=binary_version_range
... )
>>> rule = FilePublisherRule(
... id='00000000-0000-0000-0000-000000000000',
... name='Deny everyone execution of cmd.exe',
... description='',
... user_or_group_sid='S-1-1-0',
... action='Deny',
... conditions=[
... condition
... ]
... )To create a file path AppLocker rule to allow or deny files based upon their path, a applocker.conditions.FilePathCondition condition must be created.
This condition can then be used to create a applocker.rules.FilePathRule.
>>> from applocker.conditions import FilePathCondition
>>> from applocker.rules import FilePathRule
>>> condition = FilePathCondition(path='C:\Windows\System32\cmd.exe')
>>> rule = FilePathRule(
... id='00000000-0000-0000-0000-000000000000',
... name='Deny everyone execution of cmd.exe',
... description='',
... user_or_group_sid='S-1-1-0',
... action='Deny',
... conditions=[
... condition
... ]
... )To create a file hash AppLocker rule to allow or deny files based upon their hash, one or more applocker.conditions.FileHash objects and a applocker.conditions.FileHashCondition condition must be created.
This condition can then be used to create a applocker.rules.FileHashRule.
>>> from applocker.conditions import FileHash, FileHashCondition
>>> from applocker.rules import FileHashRule
>>> hash = FileHash(
... type='SHA256',
... data='0x9BB897814C6E1A2A2701D2ADB59AAC2BCACB9CF265DDF3F61B9056EA6FFE04C7',
... source_file_name='cmd.exe',
... source_file_length='289792'
... )
>>> condition = FileHashCondition(file_hashes=[hash])
>>> rule = FileHashRule(
... id='00000000-0000-0000-0000-000000000000',
... name='Deny everyone execution of cmd.exe',
... description='',
... user_or_group_sid='S-1-1-0',
... action='Deny',
... conditions=[
... condition
... ]
... )To create a rule collection one or more rules must be created as described above.
These rules can then be used to create a applocker.rules.RuleCollection.
>>> from applocker.rules import RuleCollection
>>> rule_collection = RuleCollection(
... type='Exe',
... enforcement_mode='Enforcing',
... rules=[
... rule
... ]
... )To create an AppLocker Policy one or more rule collections must be created as described above.
These rule collections can then be used to create an applocker.policy.AppLockerPolicy.
>>> from applocker.policy import AppLockerPolicy
>>> policy = AppLockerPolicy(
... version='1',
... rule_collections=[
... rule_collection
... ]
... )