When Microsoft AppLocker checks a signed executable, it appears to check whether the certificate is valid (e.g. not expired, signed by a trusted CA, etc.) and particular attributes within the certificate.
Does that mean you could create an executable, get it signed by a public and trusted CA, and ensure the relevant attributes match those outlined in the particular whitelist entry, and that would be enough to get around the restriction?
If so, that seems to be a less secure feature when comparing directly with Software Restriction Policies (now no longer developed by Microsoft), where it was possible to whitelist an actual certificate and only files/scripts signed using that certificate were permitted to run.
I’m fully aware there are many other ways (and much simpler ways) to get around AppLocker/SRP, but I’m specifically trying to understand the way AppLocker works with regard to its Publisher conditions.
This is arguably a question for a Microsoft forum, but I figured I’d try my luck with a more security-focused audience, who may have previously dissected AppLocker’s functionality in more depth than most.
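To make the Publisher condition concrete, here is an added PowerShell example (not from the original post, and not Microsoft's own code) that prints the signer fields AppLocker reads from a signed file and then emits two Allow rules from them: one that matches on the publisher name alone, and one pinned to product name, binary name and a minimum version. The path in `$exe` is an assumed sample; any Authenticode-signed executable on a machine with the AppLocker module will do.

```powershell
# Added example, not from the original post. Shows the fields an AppLocker
# Publisher condition is built from and contrasts a rule that matches on the
# signer's name alone with one pinned to product, binary name and version.
# $exe is an assumed sample path; any Authenticode-signed .exe will do.
$exe = 'C:\Windows\System32\notepad.exe'

# Signer details. AppLocker's PublisherName is the certificate subject DN;
# the thumbprint is printed only to make that distinction visible.
$sig = Get-AuthenticodeSignature -FilePath $exe
'Status     : {0}' -f $sig.Status
'Subject    : {0}' -f $sig.SignerCertificate.Subject
'Thumbprint : {0}' -f $sig.SignerCertificate.Thumbprint

# The four attributes a FilePublisherCondition can constrain.
$pub = (Get-AppLockerFileInformation -Path $exe).Publisher
$pub | Format-List PublisherName, ProductName, BinaryName, BinaryVersion

# Build an Allow rule (Everyone, SID S-1-1-0) from those attributes.
# -Pinned keeps product, binary name and a minimum version; without it,
# everything except the publisher name is wildcarded with '*'.
function New-PublisherRuleXml {
    param($Publisher, [switch]$Pinned, [string]$Name = 'Example rule')
    $product = if ($Pinned) { $Publisher.ProductName }   else { '*' }
    $binary  = if ($Pinned) { $Publisher.BinaryName }    else { '*' }
    $low     = if ($Pinned) { $Publisher.BinaryVersion } else { '*' }
    @"
<FilePublisherRule Id="$([guid]::NewGuid())" Name="$Name" Description=""
    UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions>
    <FilePublisherCondition PublisherName="$($Publisher.PublisherName)"
        ProductName="$product" BinaryName="$binary">
      <BinaryVersionRange LowSection="$low" HighSection="*" />
    </FilePublisherCondition>
  </Conditions>
</FilePublisherRule>
"@
}

New-PublisherRuleXml -Publisher $pub -Name 'Broad: any file this publisher signs'
New-PublisherRuleXml -Publisher $pub -Pinned -Name 'Pinned: one product and binary'
```

Each emitted `<FilePublisherRule>` is a fragment meant to sit inside the `<RuleCollection Type="Exe">` element of an AppLocker policy; compare the two to see how much a rule admits when only `PublisherName` is constrained.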