    Bypassing AppLocker with PowerShell Scripts

    Several years ago, Microsoft announced a new tool, AppLocker, which, according to the developers, was designed to increase the level of security when working in Windows. Unfortunately, a way was found to run any application on the system, bypassing AppLocker and without administrator rights.

    This article discusses how you can execute commands and bypass AppLocker using PowerShell diagnostic scripts. Casey Smith found an AppLocker bypass that loads assemblies in PowerShell by URL, file location, and byte code. The verification of this method is described in this article.

    For more information about the AppLocker workarounds, I highly recommend checking the Ultimate AppLocker workaround, created and maintained by Oddvar Moe (@Oddvarmoe).

     




    DISCLAIMER: THIS POST IS FOR INFORMATIONAL PURPOSES ONLY AND IS NOT TO BE CONSIDERED LEGAL ADVICE ON ANY SUBJECT MATTER. DIGITAL FORENSICS CORP. IS NOT A LAWFIRM AND DOES NOT PROVIDE LEGAL ADVICE OR SERVICES. By viewing posts, the reader understands there is no attorney-client relationship, the post should not be used as a substitute for legal advice from a licensed professional attorney, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation.