Evasion Techniques

Windows Applocker

AppLocker is an application whitelisting technology introduced with Windows 7. It allows restricting which programs users can execute based on the programs path, publisher and hash.

Bypassing by Placing Executeable in Whitelisted Directory

If AppLocker is configured with default AppLocker rules, we can bypass it by placing our executable in the following directory: C:\Windows\System32\spool\drivers\color - This is whitelisted by default.

Use Powershell to download an executable of your choice locally, place it the whitelisted directory and execute it.