api0cradle / ultimateapplockerbypasslist Goto Github PK

https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Wmic.exe.md#wmicexe

https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html

Blog has been removed
Sorry, the blog at subt0x11.blogspot.com has been removed. This address is not available for new blogs.
Did you expect to see your blog here? See: 'I can't find my blog on the web, where is it?'

some case from https://pentestlab.blog did not list

https://pentestlab.blog/2017/06/12/applocker-bypass-file-extensions/
https://pentestlab.blog/2017/06/06/applocker-bypass-assembly-load/
https://pentestlab.blog/2017/05/22/applocker-bypass-weak-path-rules/
https://pentestlab.blog/2017/07/07/applocker-bypass-createrestrictedtoken/

does it mean they work against the non-default rules ?

AppLocker policies here seem to be a bit outdated. Consider updating it according to
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

Currently https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb (Workflows compiler) bypasses that ruleset.

Just an Update for the documentation.

This technique is no vallid applocker bypass ;-)

https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md#urldll---fileprotocolhandler

• dnx.exe --> sadly it should go for the path blocking rules

• fsianycpu.exe: it's a component for Visual Studio Professional
  Publisher: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
  Product: FSIANYCPU
  BinaryName: FSIANYCPU.EXE
  LowVersion: *
  HighVersion: *

• lxssmanager.dll
  Publisher: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
  Product: MICROSOFT® WINDOWS® OPERATING SYSTEM
  BinaryName: LXSSMANAGER.DLL
  LowVersion: *
  HighVersion: *

• rcsi.exe --> sadly it should go for the path blocking rules

You might want to add this:

powershell -v 2 -ep bypass
cd C:\windows\diagnostics\system\AERO
import-module .\CL_LoadAssembly.ps1
LoadAssemblyFromPath ........\temp\funrun.exe
[funrun.hashtag]::winning()

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: Yes
Bypasses Constrained Language mode by invoking PowerShell version 2
Notes: Requires PowerShell version 2

Links:
https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/

These links,

https://gist.github.com/subTee/6b236083da2fd6ddff216e434f257614
http://subt0x10.blogspot.no/2017/04/bypassing-application-whitelisting.html
https://www.youtube.com/watch?v=aSDEAPXaz28
https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md

under msbuild.exe are broken

heads up for me blocking %SYSTEM32%\RUNDLL32.EXE by publisher caused pinned items to stop working on win10 1809.

thanks for all your work on these rules.