Check AppLocker Policy
Check if Enforced
| Mode | Meaning |
|---|---|
NotConfigured | Not active |
AuditOnly | Logs but doesn’t block |
Enabled | Actively blocking |
Default Writable Paths
AppLocker default rules allow execution from these paths:Find Writable + Executable Paths
LOLBAS (Living Off the Land)
Signed Microsoft binaries that can execute code.MSBuild
InstallUtil
Regsvr32
MSHTA
Rundll32
WMIC
CertUtil
Alternate Execution Methods
PowerShell Constrained Language Mode Bypass
Check mode:ConstrainedLanguage:
DLL Execution
AppLocker may not block DLLs (not enabled by default):Script Rules Bypass
If only.ps1 blocked, use .bat or .vbs:
Quick Reference
| Technique | Binary |
|---|---|
| MSBuild | Microsoft.NET\...\MSBuild.exe |
| InstallUtil | Microsoft.NET\...\InstallUtil.exe |
| Regsvr32 | regsvr32.exe |
| MSHTA | mshta.exe |
| Rundll32 | rundll32.exe |
| WMIC | wmic.exe |
| CertUtil | certutil.exe |
| Writable paths | C:\Windows\Tasks\, C:\Windows\Temp\ |