applocker bypass checker
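@echo off
REM AppLocker bypass checker (non-PowerShell edition).
REM
REM Influenced by the PowerShell-based AppLocker Bypass Checker (created by Tom Aafloen), which attempts to find folders that are
REM both writable and executable under C:\Windows (whitelisted by AppLocker default rules).
REM
REM However, environments implementing application whitelisting may also block powershell.exe, so this version relies only on
REM cmd.exe built-ins and tools present on every Windows host (dir, copy, icacls, start, tasklist, find, taskkill).
REM
REM How it works: every directory under C:\ is enumerated; a probe executable (puttygen.exe by default, see PROBE below) is
REM copied into each one; every copy that landed is launched. If the process shows up in the task list, that folder is both
REM writable and executable under the active AppLocker policy and its path is appended to bypasses.txt.
REM
REM Usage: place the probe executable in the working directory (C:\Temp by default, see WORKDIR below) and run this script as a
REM standard (non-admin) user ;D. Bypasses are listed in bypasses.txt.
REM
REM Caveats a practitioner should know before running this:
REM   - It writes a copy of the probe into every user-writable directory on the volume and briefly executes it there. Run it on
REM     a lab image or with the system owner's explicit consent; a copy may be left behind where a folder is writable but the
REM     file cannot be deleted afterwards (the cleanup phase reports those).
REM   - "Process appeared in tasklist" is the only signal used. If AppLocker is in audit-only mode (or EXE rules are not
REM     enforced) every writable folder is reported as a bypass, so confirm enforcement mode before trusting the list.
REM   - start returns before the new process exists, so each launch is followed by a short wait; raise the timeout in :probe
REM     if a slow host produces false negatives.
REM   - Directory names beginning with ';' are skipped by the for /F default eol setting.

SET "PROBE=puttygen.exe"
SET "WORKDIR=C:\Temp"

C:
cd /d "%WORKDIR%" || (echo Working directory %WORKDIR% not found & exit /b 1)
if not exist "%WORKDIR%\%PROBE%" (echo %PROBE% not found in %WORKDIR% & exit /b 1)

REM Start from a clean results file so a re-run does not mix stale hits into the new list.
if exist bypasses.txt del /F bypasses.txt
if exist executed.txt del /F executed.txt

echo Creating list of all directories and sub-directories
REM /a:d = directories only, /b = bare paths, /s = recurse, /o:n = sort by name.
dir C:\ /s /b /o:n /a:d > "%WORKDIR%\dirs.txt"

echo Attempting to copy %PROBE% to all folders
REM "Access is denied" is the expected outcome for non-writable folders; suppress it to keep the output readable.
for /F "tokens=*" %%A in (dirs.txt) do copy "%WORKDIR%\%PROBE%" "%%A" /Y >nul 2>&1

echo Attempting to execute %PROBE% (find whitelisted locations)
for /F "tokens=*" %%A in (dirs.txt) do if exist "%%A\%PROBE%" call :probe "%%A"

echo Deleting %PROBE% from all locations
REM The working directory is skipped so the original probe survives for the next run.
for /F "tokens=*" %%A in (dirs.txt) do if /I not "%%A"=="%WORKDIR%" if exist "%%A\%PROBE%" del /F "%%A\%PROBE%" >nul 2>&1
REM Report any copies the cleanup could not remove so nothing is silently left behind on the host.
for /F "tokens=*" %%A in (dirs.txt) do if /I not "%%A"=="%WORKDIR%" if exist "%%A\%PROBE%" echo WARNING: could not delete "%%A\%PROBE%"
echo Done
exit /b 0

REM ---------------------------------------------------------------------------
REM :probe <directory>
REM Launches the probe copy found in <directory>, records the directory in
REM bypasses.txt if the process actually runs, then kills it.
REM ---------------------------------------------------------------------------
:probe
set "TARGET=%~1"
REM Grant ourselves full control in case the copy inherited restrictive ACLs from the target folder.
icacls "%TARGET%\%PROBE%" /grant "%USERNAME%":F >nul 2>&1
start "" "%TARGET%\%PROBE%"
REM start returns immediately; give the process a moment to appear (or to be blocked by AppLocker) before checking.
timeout /t 1 /nobreak >nul
REM Filter on the exact image name rather than a regex substring match (findstr treats '.' as a wildcard).
tasklist /FI "IMAGENAME eq %PROBE%" 2>nul | find /I "%PROBE%" >nul
if not errorlevel 1 (
    echo %TARGET% >> bypasses.txt
    taskkill /IM "%PROBE%" /F >nul 2>&1
)
goto :eof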