In this short teaser, we want to demonstate a simple AppLocker bypass. AppLocker, which will be the main focus of the ‘Windows Breakout’ (Day 1) section of the BruCON spring training, is the de-facto standard for locking down Windows machines in an enterprise environment.
It is the successor to SRP (Software Restriction Policies) and allows definition of fine-grained rules to allow or deny execution based on the path, file hash or publisher of the executable or script.
For this post, let us consider a scenario where the system administrator of a company has deployed the following AppLocker rules on all company machines through Group Policy:
The executable rules permit Administrators to run anything, while users which are part of the ‘Employees‘ group are only allowed to run Microsoft signed binaries, with a few exceptions.
The explicitly-blocked binaries are the usual suspects; each of them would allow users to run arbitrary commands on their corporate machine if not blocked by AppLocker. The training course will go into detail on how to attaining code execution through regsvr32, rundll32 and InstallUtil.
The aim of this exercise is to run PowerShell and subsequently launch any binary on this box, such as a Meterpreter reverse shell.
Trying to run PowerShell directly is a no go: