Modern malware like CryptoLocker frequently leverages standard Windows directories for execution because:
- These locations have write permissions by default (no admin rights required)
- Path randomization makes detection harder (%appdata% resolves differently per user)
- Temporary folders naturally avoid scrutiny from users and some security tools
// Example malware persistence technique using %appdata%
string payloadPath = Environment.ExpandEnvironmentVariables(
"%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\malware.exe");
File.Copy(currentProcessPath, payloadPath);
Common technical approaches to enforce these restrictions:
Via Group Policy (GPO):
Computer Configuration → Policies → Windows Settings
→ Security Settings → Software Restriction Policies
→ Additional Rules → New Path RuleUsing PowerShell automation:
# Block execution from Temp directories
$ruleAction = "Deny"
$tempPaths = @(
"$env:appdata\*",
"$env:localappdata\*",
"$env:temp\*"
)
foreach ($path in $tempPaths) {
New-SmbClientBlockRule -Name "Block_$($path.Replace('\','_'))"
-Action $ruleAction -RemotePath $path
}
While effective against malware, these restrictions may break:
| Legitimate Use Case | Impact Example |
|---|---|
| Browser updates | Chrome/Firefox self-updaters run from %localappdata% |
| Java applications | JNLP files often execute from temp directories |
| Development tools | VS Code extensions may run helper processes from %appdata% |
More surgical approaches that reduce collateral damage:
// Example: Allowlisting known good publisher certificates
$allowedCerts = @(
"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond",
"CN=Google LLC, O=Google LLC, L=Mountain View"
)
Get-ChildItem -Path "$env:appdata\*.exe" -Recurse | ForEach-Object {
$cert = (Get-AuthenticodeSignature $_).SignerCertificate
if ($cert -and ($allowedCerts -notcontains $cert.Subject)) {
Write-Warning "Untrusted execution: $_"
# Take mitigation action
}
}
Additional layers to consider:
- Controlled Folder Access (Windows Defender feature)
- SRP (Software Restriction Policies) with hash rules
- Memory-based detection for suspicious process injections
For organizations implementing these restrictions:
- Phase the rollout with test groups
- Maintain detailed audit logs of blocked executions
- Create exception processes for validated business needs
- Combine with application control solutions like AppLocker
Modern ransomware like CryptoLocker frequently exploits writable user directories as execution points. These locations provide:
- Write permissions for non-admin users
- Low visibility for casual monitoring
- Path variability that bypasses simple path rules
Using Group Policy Objects (GPO):
Computer Configuration → Policies → Windows Settings →
Security Settings → Software Restriction Policies → Additional Rules
Example GPO path rule for AppData:
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Block EXE execution from AppData
Common applications affected by such restrictions:
| Application | Behavior | Workaround |
|---|---|---|
| Chrome Updater | Runs from %localappdata% | Enterprise MSI install |
| Python pip | Creates temp executables | Use --no-clean flag |
Most enterprise AV solutions provide similar controls:
- Symantec: Application and Device Control policies
- McAfee: Access Protection Rules
- CrowdStrike: Execution Prevention policies
PowerShell script to audit potential conflicts:
# Find executables in protected paths
$paths = @("%AppData%","%LocalAppData%","%Temp%")
foreach ($path in $paths) {
Get-ChildItem -Path $path -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
Select-Object FullName,LastWriteTime,Length |
Export-Csv -Path "$env:USERPROFILE\Desktop\AppExecutionAudit.csv" -Append
}
For legitimate applications requiring execution from these paths:
- Certificate-based allowlisting (preferred)
- Hash-based rules (for static executables)
- Path exceptions with strict ACLs