• Stars
    star
    352
  • Rank 120,622 (Top 3 %)
  • Language
  • Created about 4 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A centralized resource for previously documented WDAC bypass techniques

Ultimate WDAC Bypass List

A centralized resource for previously documented WDAC/Device Guard/UMCI bypass techniques as well for building/managing/testing WDAC policies

*Many of the LOLBINs are included on the Microsoft Recommended Block Rules List

*This repository was inspired by Oddvar Moe's Ultimate AppLocker Bypass List

*This is a work in progress...


Microsoft Recommended Block Rules - "LOLBIN" Write-Ups

addinprocess.exe

addinprocess32.exe

aspnet_compiler.exe

bginfo.exe

cdb.exe

csi.exe

dbghost.exe

dnx.exe

dotnet.exe

fsi.exe

fsiAnyCpu.exe

infdefaultinstall.exe

InstallUtil.exe

kill.exe

microsoft.Workflow.Compiler.exe

msbuild.exe

mshta.exe

powershellcustomhost.exe

rcsi.exe

runscripthelper.exe

visualuiaverifynative.exe

wfc.exe

windbg.exe

wmic.exe

WSL Family - bash.exe, lxrun.exe, wsl.exe, wslconfig.exe, wslhost.exe

On Block List - Not Documented Yet...

  • addinutil.exe
  • dbgsvc.exe
  • IntuneWindowsAgent.exe
  • kd.exe
  • ntkd.exe
  • ntsd.exe
  • texttransform.exe

Libraries On List (Independent usage may/may not be interesting)

  • Microsoft.Build.dll
  • Microsoft.Build.Framework.dll
  • msbuild.dll
  • lxssmanager.dll
  • system.management.automation.dll

Other "Unsigned Code Execution" LOLBINs (not on list)

dbgsrv.exe


PowerShell

UMCI BYPASS USING PSWORKFLOWUTILITY: CVE-2017-0215

DEFEATING DEVICE GUARD: A LOOK INTO CVE-2017-0007

Exploiting PowerShell Code Injection Vulnerabilities to Bypass Constrained Language Mode

A LOOK AT CVE-2017-8715: BYPASSING CVE-2017-0218 USING POWERSHELL MODULE MANIFESTS

CVE-2018-8212: DEVICE GUARD/CLM BYPASS USING MSFT_SCRIPTRESOURCE

Invoke-History Constrained Language Mode Bypass


Novel Living-Of-The-Land/COM/Microsoft Office/Active Scripting Languages (jscript.dll, msxml3.dll, msxml6.dll)

Bypassing Device Guard with .NET Assembly Compilation Methods

Sneaking Past Device Guard (+ CVE-2018-8417)

WLDP CLSID policy .NET COM Instantiation UMCI Bypass

WSH INJECTION: A CASE STUDY

Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs

COM XSL Transformation: Bypassing Microsoft Application Control Solutions (CVE-2018-8492)

Abusing Catalog Hygiene to Bypass Application Whitelisting

BYPASSING DEVICE GUARD UMCI USING CHM – CVE-2017-8625

UMCI VS INTERNET EXPLORER: EXPLORING CVE-2017-8625

Bypassing WDAC with Previous Versions of Signed Script Hosts & Signature Catalog Files


Defense, Policy Creation, Testing, & Research

WDAC Twitch Stream

WDAC Policy Wizard

WDACTools

WDACPolicies

Building a Windows Defender Application Control Lab

Documenting and Attacking a Windows Defender Application Control Feature the Hard Way — A Case Study in Security Research Methodology

WinAWL

Exploit Monday Blog

Quick Steps for Deploying a Policy & Setting Up a WDAC Test Machine