AppLocker Policy parser and emitter for Python
Project description
AppLocker
The applocker module allows you to easily parse and create AppLocker Policy XML files and/or strings in Python.
Installation
To install the applocker module via pip, run the command:
$ pip install applocker
Usage
Start by importing the applocker module.
>>> import applocker
The function applocker.load, loads an AppLocker Policy XML file.
>>> with open('example.xml', 'r') as file:
... applocker.load(file)
The function applocker.loads, loads an AppLocker Policy XML string.
>>> applocker.loads('<AppLockerPolicy Version="1" />')
In addition to loading an existing AppLocker Policy, policies created using the relevant Conditions, Rules and Rule Collections can be dumped to an XML file using the applocker.dump function.
>>> with open('example.xml', 'w') as file:
... applocker.dump(policy, file)
Or, an XML string using the applocker.dumps function.
>>> applocker.dumps(policy)
FilePublisherRule
To create a file publisher AppLocker rule to allow or deny digitally signed files, a applocker.conditions.FilePublisherCondition must be created optionally specifying a applocker.conditions.BinaryVersionRange.
This condition can then be used to create a applocker.rules.FilePublisherRule.
>>> from applocker.conditions import BinaryVersionRange, FilePublisherCondition
>>> from applocker.rules import FilePublisherRule
>>> binary_version_range = BinaryVersionRange(low_section='10.0.19041.1', high_section='10.0.19041.1')
>>> condition = FilePublisherCondition(
... publisher_name='O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US',
... product_name='MICROSOFT® WINDOWS® OPERATING SYSTEM',
... binary_name='CMD.EXE',
... binary_version_range=binary_version_range
... )
>>> rule = FilePublisherRule(
... id='00000000-0000-0000-0000-000000000000',
... name='Deny everyone execution of cmd.exe',
... description='',
... user_or_group_sid='S-1-1-0',
... action='Deny',
... conditions=[
... condition
... ]
... )
FilePathRule
To create a file path AppLocker rule to allow or deny files based upon their path, a applocker.conditions.FilePathCondition condition must be created.
This condition can then be used to create a applocker.rules.FilePathRule.
>>> from applocker.conditions import FilePathCondition
>>> from applocker.rules import FilePathRule
>>> condition = FilePathCondition(path='C:\Windows\System32\cmd.exe')
>>> rule = FilePathRule(
... id='00000000-0000-0000-0000-000000000000',
... name='Deny everyone execution of cmd.exe',
... description='',
... user_or_group_sid='S-1-1-0',
... action='Deny',
... conditions=[
... condition
... ]
... )
FileHashRule
To create a file hash AppLocker rule to allow or deny files based upon their hash, one or more applocker.conditions.FileHash objects and a applocker.conditions.FileHashCondition condition must be created.
This condition can then be used to create a applocker.rules.FileHashRule.
>>> from applocker.conditions import FileHash, FileHashCondition
>>> from applocker.rules import FileHashRule
>>> hash = FileHash(
... type='SHA256',
... data='0x9BB897814C6E1A2A2701D2ADB59AAC2BCACB9CF265DDF3F61B9056EA6FFE04C7',
... source_file_name='cmd.exe',
... source_file_length='289792'
... )
>>> condition = FileHashCondition(file_hashes=[hash])
>>> rule = FileHashRule(
... id='00000000-0000-0000-0000-000000000000',
... name='Deny everyone execution of cmd.exe',
... description='',
... user_or_group_sid='S-1-1-0',
... action='Deny',
... conditions=[
... condition
... ]
... )
RuleCollection
To create a rule collection one or more rules must be created as described above.
These rules can then be used to create a applocker.rules.RuleCollection.
>>> from applocker.rules import RuleCollection
>>> rule_collection = RuleCollection(
... type='Exe',
... enforcement_mode='Enforcing',
... rules=[
... rule
... ]
... )
AppLockerPolicy
To create an AppLocker Policy one or more rule collections must be created as described above.
These rule collections can then be used to create an applocker.policy.AppLockerPolicy.
>>> from applocker.policy import AppLockerPolicy
>>> policy = AppLockerPolicy(
... version='1',
... rule_collections=[
... rule_collection
... ]
... )
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for applocker-1.1.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 8b8b84877a964e2d94ae5ef40eb433c020103331a77ce596614d94f2342654d6 |
|
| MD5 | c94fbcc6c0cd0f0c2f22f2e04c16ec97 |
|
| BLAKE2b-256 | 582ca6ceced4f6c508c1ee97d8ba856e3c3b5b97dba62f747e5953e943e806cb |
