Skip to content

A centralized resource for previously documented WDAC bypass techniques

Notifications You must be signed in to change notification settings

bohops/UltimateWDACBypassList

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

35 Commits
 
 

Repository files navigation

Ultimate WDAC Bypass List

A centralized resource for previously documented WDAC/Device Guard/UMCI bypass techniques as well for building/managing/testing WDAC policies

*Many of the LOLBINs are included on the Applications that can bypass WDAC List formerly called the "Microsoft Recommended Block Rules List"

*This repository was inspired by Oddvar Moe's Ultimate AppLocker Bypass List

*As always, this is a work in progress...


Applications that can bypass WDAC - "LOLBIN" Write-Ups

addinprocess.exe

addinprocess32.exe

addinutil.exe

aspnet_compiler.exe

bginfo.exe

cdb.exe

csi.exe

dbghost.exe

dnx.exe

dotnet.exe

fsi.exe

fsiAnyCpu.exe

infdefaultinstall.exe

InstallUtil.exe

IntuneWindowsAgent.exe (Microsoft.Management.Services.IntuneWindowsAgent.exe)

  • By Kim Oppalfens (@TheWMIGuy)
  • Intune Windows Agent Bypass Explanation

kill.exe

microsoft.Workflow.Compiler.exe

msbuild.exe

mshta.exe

powershellcustomhost.exe

rcsi.exe

runscripthelper.exe

visualuiaverifynative.exe

wfc.exe

windbg.exe

wmic.exe

WSL Family - bash.exe, lxrun.exe, wsl.exe, wslconfig.exe, wslhost.exe

On Block List - Not Documented Yet...

  • dbgsvc.exe
  • kd.exe
  • ntkd.exe
  • ntsd.exe
  • texttransform.exe
  • HVCIScan.exe

Libraries On List (Independent usage may/may not be interesting)

  • Microsoft.Build.dll
  • Microsoft.Build.Framework.dll
  • msbuild.dll
  • lxssmanager.dll
  • system.management.automation.dll
  • webclnt.dll/davsvc.dll
  • mfc40.dll

Other "Unsigned Code Execution" LOLBINs (not on list)

dbgsrv.exe


PowerShell

UMCI BYPASS USING PSWORKFLOWUTILITY: CVE-2017-0215

DEFEATING DEVICE GUARD: A LOOK INTO CVE-2017-0007

Exploiting PowerShell Code Injection Vulnerabilities to Bypass Constrained Language Mode

A LOOK AT CVE-2017-8715: BYPASSING CVE-2017-0218 USING POWERSHELL MODULE MANIFESTS

CVE-2018-8212: DEVICE GUARD/CLM BYPASS USING MSFT_SCRIPTRESOURCE

Invoke-History Constrained Language Mode Bypass


Novel Living-Of-The-Land/COM/Microsoft Office/Active Scripting Languages (jscript.dll, msxml3.dll, msxml6.dll)

Bypassing Device Guard with .NET Assembly Compilation Methods

Sneaking Past Device Guard (+ CVE-2018-8417)

WLDP CLSID policy .NET COM Instantiation UMCI Bypass

WSH INJECTION: A CASE STUDY

Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs

COM XSL Transformation: Bypassing Microsoft Application Control Solutions (CVE-2018-8492)

Abusing Catalog Hygiene to Bypass Application Whitelisting

BYPASSING DEVICE GUARD UMCI USING CHM – CVE-2017-8625

UMCI VS INTERNET EXPLORER: EXPLORING CVE-2017-8625

Bypassing WDAC with Previous Versions of Signed Script Hosts & Signature Catalog Files


Defense, Policy Creation, Testing, & Research

WDAC Twitch Stream

WDAC Policy Wizard

WDACTools

WDACPolicies

Building a Windows Defender Application Control Lab

Documenting and Attacking a Windows Defender Application Control Feature the Hard Way — A Case Study in Security Research Methodology

WinAWL

Exploit Monday Blog

Quick Steps for Deploying a Policy & Setting Up a WDAC Test Machine

Windows Defender Application Control (WDAC) Updates in 20H2 and Building a Simple, Secure Windows-only Policy

Harden Windows Security: WDAC Notes

WDAC Notes

About

A centralized resource for previously documented WDAC bypass techniques

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published