Microsoft AppLocker Question

When Microsoft AppLocker checks a signed executable, it appears to check whether the certificate is valid (e.g. not expired, signed by a trusted CA, etc.) and particular attributes within the certificate.

Does that mean you could create an executable, get it signed by a public and trusted CA, and ensure the relevant attributes match those outlined in the particular whitelist entry, and that would be enough to get around the restriction?

If so, that seems to be a less secure feature when comparing directly with Software Restriction Policies (now no longer developed by Microsoft), where it was possible to whitelist an actual certificate and only files/scripts signed using that certificate were permitted to run.

I’m fully aware there are many other ways (and much simpler ways) to get around AppLocker/SRP, but I’m specifically trying to understand the way AppLocker works in regards to its Publisher conditions.

This is arguably a question for a Microsoft forum, but I figured I’d try my luck with a more security-focused audience, who may have previously dissected AppLocker’s functionality in more depth than most.

Thanks

Isn’t that the point of a trusted CA though? That you trust anything signed by them is legitimate. You don’t have to trust individual website SSL certificates when you visit them, do you, because your machine trusts that certificate automatically because it was signed by a trusted root CA.

Having said that, it is insanely easy to get a code signing certificate issued by a public trusted CA. I remember the first time I got one from Thawte I was expecting them to ask me all sorts of questions and they literally just ring you and say “can you confirm your name and address” and that was it lol

Also from reading the documentation here: Understanding the publisher rule condition in AppLocker (Windows) | Microsoft Learn

I would say the idea is that you’re meant to trust a specific software company’s certificate. Not just an entire root CA.

So like you might create a certificate rule that says any software signed with the Autodesk publisher certificate is allowed to run. Yes, the certificate has to have been issued by a trusted root CA, but that’s not saying all certificates issued by that root CA are now allowed to run. It’s just saying any executable signed with the Autodesk certificate is allowed to run.
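To see concretely what a Publisher condition keys on, here is an added PowerShell walkthrough (not from either poster, and not Microsoft's own sample) using the standard AppLocker cmdlets. It assumes you run it on a Windows machine with the AppLocker module available and uses notepad.exe as a stand-in for any signed executable; the temp path for the generated policy is an arbitrary choice. The point it shows is that the rule pins the certificate Subject (PublisherName) plus product, binary name and version from the file's version resource, not the issuing CA and not a certificate thumbprint.

```powershell
# Added example (not from the thread). Inspect what AppLocker extracts from a
# signed binary and build a Publisher rule from it.
# Assumption: $exe points at any Authenticode-signed executable; notepad.exe is
# only a convenient stand-in.
$exe = "$env:SystemRoot\System32\notepad.exe"

# The tuple AppLocker derives for Publisher rules. Note what is NOT here:
# no certificate thumbprint and no issuing CA, only the Subject string and
# the file's version-resource fields.
$info = Get-AppLockerFileInformation -Path $exe
$info.Publisher | Format-List PublisherName, ProductName, BinaryName, BinaryVersion

# Generate an Allow rule of type Publisher for Everyone. By default it pins all
# four fields exactly, so only this binary (and versions at or above it) match.
$policyXml = New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User Everyone -Xml
$policyXml

# Loosen the condition to "anything this publisher signs", the Autodesk-style
# rule discussed above, by wildcarding product, binary name and version while
# leaving PublisherName pinned to the certificate Subject.
$policy = [xml]$policyXml
$cond   = $policy.SelectSingleNode("//FilePublisherCondition")
$cond.SetAttribute("ProductName", "*")
$cond.SetAttribute("BinaryName",  "*")
$range  = $cond.SelectSingleNode("BinaryVersionRange")
$range.SetAttribute("LowSection",  "*")
$range.SetAttribute("HighSection", "*")
$rulePath = Join-Path $env:TEMP "publisher-rule.xml"   # arbitrary location
$policy.Save($rulePath)

# Dry run: every executable in System32 signed under the same Subject is now
# Allowed, regardless of which binary or which (valid) certificate signed it.
Get-ChildItem "$env:SystemRoot\System32\*.exe" |
    Test-AppLockerPolicy -XmlPolicy $rulePath -User Everyone -Filter Allowed |
    Select-Object FilePath, MatchingRule
```

The generated XML makes the matching fields explicit: the FilePublisherCondition element carries PublisherName (the full Subject, e.g. O=..., L=..., S=..., C=...), ProductName and BinaryName, with a BinaryVersionRange child. Because PublisherName is a string compare on the Subject and the chain only has to validate to any trusted root, two certificates from different CAs with an identical Subject satisfy the same rule; that is the property the original question is asking about, and it is why a Publisher rule should be scoped as tightly (product, binary, version) as the deployment allows.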