AppLocker Application Whitelisting Template

Policy Information

| Field | Value |
|---|---|
| Policy Name | |
| Target OS | Windows 10/11 Enterprise |
| Profile | Workstation / Server / Kiosk |
| Enforcement Mode | Audit Only / Enforce |
| GPO Name | |
| Target OU | |
| Last Updated | |

Approved Application Inventory

| Application | Publisher | Version | Rule Type | Justification |
|---|---|---|---|---|
| Microsoft Office | Microsoft Corporation | 365 | Publisher | Business productivity |
| Google Chrome | Google LLC | * | Publisher | Approved browser |
| Adobe Acrobat | Adobe Inc. | * | Publisher | PDF processing |

Rule Collection Configuration

Executable Rules (EXE, COM)

| Rule Name | Type | Action | Scope | Conditions |
|---|---|---|---|---|
| Default - Windows | Path | Allow | Everyone | `%WINDIR%\*` |
| Default - Program Files | Path | Allow | Everyone | `%PROGRAMFILES%\*` |
| Deny - LOLBins | Path | Deny | Standard Users | mshta.exe, wscript.exe, etc. |

Script Rules (PS1, BAT, CMD, VBS, JS)

| Rule Name | Type | Action | Scope | Conditions |
|---|---|---|---|---|
| Default - Windows scripts | Path | Allow | Everyone | `%WINDIR%\*` |
| Default - Program Files scripts | Path | Allow | Everyone | `%PROGRAMFILES%\*` |
| Deny - User profile scripts | Path | Deny | Standard Users | `%USERPROFILE%\*` |

Windows Installer Rules (MSI, MSP, MST)

| Rule Name | Type | Action | Scope | Conditions |
|---|---|---|---|---|
| Default - Signed MSI | Publisher | Allow | Everyone | All signed installers |

LOLBin Deny List

| Binary | Path | ATT&CK Technique | Risk |
|---|---|---|---|
| mshta.exe | %SYSTEM32% | T1218.005 | HTA execution for code delivery |
| wscript.exe | %SYSTEM32% | T1059.005 | VBScript execution |
| cscript.exe | %SYSTEM32% | T1059.005 | Command-line scripting |
| regsvr32.exe | %SYSTEM32% | T1218.010 | COM scriptlet execution |
| certutil.exe | %SYSTEM32% | T1140 | File download and decode |
| msbuild.exe | .NET Framework | T1127.001 | Inline task execution |
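
The Executable Rules and LOLBin Deny List rows above, rendered as an AppLocker Exe rule collection in policy XML. This is an added example, not part of the original template. It assumes "Standard Users" maps to BUILTIN\Users (S-1-5-32-545), uses randomly generated rule GUIDs, and leaves out msbuild.exe because the template gives no full path for it.

```python
import uuid
import xml.etree.ElementTree as ET

EVERYONE = "S-1-1-0"    # well-known SID: Everyone
USERS = "S-1-5-32-545"  # well-known SID: BUILTIN\Users (assumed "Standard Users")

# (rule name, action, SID, path condition) from the Executable Rules table
ALLOW_RULES = [
    ("Default - Windows", "Allow", EVERYONE, "%WINDIR%\\*"),
    ("Default - Program Files", "Allow", EVERYONE, "%PROGRAMFILES%\\*"),
]
# LOLBin Deny List entries that the template places under %SYSTEM32%
SYSTEM32_LOLBINS = ["mshta.exe", "wscript.exe", "cscript.exe",
                    "regsvr32.exe", "certutil.exe"]
# EnforcementMode values accepted in AppLocker policy XML;
# the template's "Enforce" corresponds to "Enabled".
MODES = ("NotConfigured", "AuditOnly", "Enabled")


def build_exe_policy(enforcement_mode="AuditOnly"):
    """Return an <AppLockerPolicy> element holding one Exe rule collection."""
    if enforcement_mode not in MODES:
        raise ValueError(f"EnforcementMode must be one of {MODES}")
    policy = ET.Element("AppLockerPolicy", Version="1")
    coll = ET.SubElement(policy, "RuleCollection", Type="Exe",
                         EnforcementMode=enforcement_mode)
    # One explicit deny rule per binary; deny rules take precedence over
    # the broad %WINDIR%\* allow rule that would otherwise cover them.
    deny_rules = [(f"Deny - LOLBins - {name}", "Deny", USERS,
                   "%SYSTEM32%\\" + name) for name in SYSTEM32_LOLBINS]
    for name, action, sid, path in ALLOW_RULES + deny_rules:
        rule = ET.SubElement(coll, "FilePathRule", Id=str(uuid.uuid4()),
                             Name=name, Description="",
                             UserOrGroupSid=sid, Action=action)
        conditions = ET.SubElement(rule, "Conditions")
        ET.SubElement(conditions, "FilePathCondition", Path=path)
    return policy


def render(policy):
    """Serialize the policy element to an indented XML string."""
    ET.indent(policy)  # Python 3.9+
    return ET.tostring(policy, encoding="unicode")


if __name__ == "__main__":
    # Start in audit mode, matching the template's "Audit Only" option.
    print(render(build_exe_policy("AuditOnly")))
```
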

Audit Results Tracking

| Audit Period | Blocked Events | Legitimate Blocks | Rules Added | Remaining Issues |
|---|---|---|---|---|
| | | | | |

Exception Register

| Application | Reason for Exception | Compensating Control | Approved By | Review Date |
|---|---|---|---|---|
| | | | | |

Sign-Off

| Role | Name | Date |
|---|---|---|
| Security Engineer | | |
| IT Operations Lead | | |
| Change Manager | | |