├── README.md
└── TheList.txt

/README.md:
--------------------------------------------------------------------------------
Application Whitelist Bypass Techniques
====================================

A Catalog of Application Whitelisting Bypass Techniques

Feel free to send me all your ideas and techniques

Casey Smith @subTee

--------------------------------------------------------------------------------

/TheList.txt:
--------------------------------------------------------------------------------
# The List
#
# As many organizations adopt a Whitelisting Strategy, this list seeks to compile known bypass techniques that can be used
# by the security community.
#
# There are many various ways to WhiteList Applications
# Future release will attempt to catalog what works against specific techniques.

# Version .0.0.2

1. IEExec

This technique may work in certain environments. It relies on the fact that many organizations trust executables signed
by Microsoft. We can misuse this trust by launching a specially crafted .NET application.
Example Here: http://www.room362.com/blog/2014/01/16/application-whitelist-bypass-using-ieexec-dot-exe/

2. Rundll32.exe

3. ClickOnce Applications dfsvc.exe dfshim.dll

4. XBAP - XML Browser Applications WPF PresentationHost.exe

5. MD5 Hash Collision
http://www.mathstat.dal.ca/~selinger/md5collision/

6. PowerShell
Specifically Reflective Execution
http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/
https://www.defcon.org/images/defcon-21/dc-21-presentations/Bialek/DEFCON-21-Bialek-PowerPwning-Post-Exploiting-by-Overpowering-Powershell.pdf

7. .HTA Application Invoke PowerShell Scripts
Launched by mshta.exe, bypasses IE security settings as well.

8. bat, vbs, ps1
1. cmd.exe /k < script.txt
2. cscript.exe //E:vbscript script.txt
3. Get-Content script.txt | iex


I'd love to hear other techniques
--------------------------------------------------------------------------------