AppLocker
AppLocker is Microsoft's application whitelisting solution, built into Windows and widely deployed across enterprise environments. When it is misconfigured, or relies entirely on the default rules, it becomes an attack surface rather than a control.
This series covers AppLocker bypass techniques from a red team perspective alongside the detection and hardening guidance a blue teamer needs to close each gap. Each post documents a specific bypass, explains why it works at a technical level, and covers the telemetry it generates and how to detect or prevent it.
Abusing trusted .NET COM registration utilities to execute arbitrary code.
Loading COM scriptlets via a signed Microsoft binary to execute arbitrary JScript or VBScript.
Executing .NET payloads in-memory via Assembly.Load(), InstallUtil, and MSBuild inline tasks.
Embedding VBScript payloads in OLE .bgi files executed by a Microsoft-signed binary.
Six extension-based vectors AppLocker never evaluates — HTA, WSF, XSL, INF, CPL, and ADS.
Dropping payloads into writable AppLocker-trusted directories such as C:\Windows\Tasks.
Planting malicious DLLs inside trusted application directories to hijack the search order.
DLL injection, PE injection, APC injection, and process hollowing into AppLocker-trusted processes.
Escalating from medium to high integrity via auto-elevating binaries and COM object hijacking.