For anyone who may not be familiar, Windows AppLocker is an application whitelisting technology that lets administrators control which executable files users can run. With AppLocker, administrators create rules that allow or deny the execution of files based on file names, publishers, file locations or hashes.
Today, we are going to discuss ways to bypass AppLocker allow and deny rules and present a new tool, developed by the CyberArk Labs team, called Evasor, which automatically implements those techniques, making penetration testing both more effective and more efficient.
We can use executables that AppLocker allows to load our DLLs. Each DLL implements an application that AppLocker is supposed to block, so running it inside an allowed executable bypasses AppLocker.
We can inject our DLLs (using mavinject.exe) into a process that is already running on the machine. Again, the DLL implements an application that AppLocker is supposed to block, and running it inside an existing process bypasses AppLocker.
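As an added defender-side check (not part of the original post or of the Evasor tool), the following Python audits an AppLocker policy exported with `Get-AppLockerPolicy -Effective -Xml` for the two conditions the DLL-based techniques above depend on: a DLL rule collection that is not enforced, and a broad path-based allow rule covering the Windows folder (where mavinject.exe and other signed system binaries live). The sample policy is constructed and follows the documented AppLocker XML schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy in the shape of `Get-AppLockerPolicy -Effective -Xml`
# (assumption: default Exe path rules present, Dll collection never configured).
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="r1" Name="All files located in the Program Files folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="r2" Name="All files located in the Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\\*"/></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured"/>
</AppLockerPolicy>"""


def audit_policy(xml_text):
    """Return findings that make the DLL-based bypasses possible on this policy."""
    root = ET.fromstring(xml_text)
    # Map each rule collection (Exe, Dll, Script, ...) to its enforcement mode.
    modes = {rc.get("Type"): rc.get("EnforcementMode", "NotConfigured")
             for rc in root.findall("RuleCollection")}
    findings = []

    # Without enforced DLL rules, any allowed process may load an arbitrary DLL,
    # which is exactly what the allowed-executable and injection techniques rely on.
    if modes.get("Dll") != "Enabled":
        findings.append("DLL rule collection is %s: allowed processes can load "
                        "arbitrary DLLs" % modes.get("Dll", "missing"))

    # The default "Windows folder" allow rule covers every signed system binary,
    # including mavinject.exe; flag it so explicit Deny rules can be added.
    exe = root.find("RuleCollection[@Type='Exe']")
    if exe is not None:
        for rule in exe.findall("FilePathRule"):
            if rule.get("Action") != "Allow":
                continue
            for cond in rule.iter("FilePathCondition"):
                path = cond.get("Path", "")
                if path.upper().startswith("%WINDIR%") and path.endswith("*"):
                    findings.append("Broad allow rule '%s' covers %s; add Deny "
                                    "rules for mavinject.exe and similar binaries"
                                    % (rule.get("Name"), path))
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
```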