bohops/UltimateWDACBypassList
Ultimate WDAC Bypass List

A centralized resource for previously documented WDAC/Device Guard/UMCI bypass techniques, as well as for building, managing, and testing WDAC policies

  • Many of the LOLBINs are included on the Microsoft Recommended Block Rules List
  • This repository was inspired by Oddvar Moe's Ultimate AppLocker Bypass List
  • This is a work in progress...


Microsoft Recommended Block Rules - "LOLBIN" Write-Ups

  • addinprocess.exe
  • addinprocess32.exe
  • aspnet_compiler.exe
  • bginfo.exe
  • cdb.exe
  • csi.exe
  • dbghost.exe
  • dnx.exe
  • dotnet.exe
  • fsi.exe
  • fsiAnyCpu.exe
  • infdefaultinstall.exe
  • InstallUtil.exe
  • kill.exe
  • microsoft.Workflow.Compiler.exe
  • msbuild.exe
  • mshta.exe
  • powershellcustomhost.exe
  • rcsi.exe
  • runscripthelper.exe
  • visualuiaverifynative.exe
  • wfc.exe
  • windbg.exe
  • wmic.exe
  • WSL Family - bash.exe, lxrun.exe, wsl.exe, wslconfig.exe, wslhost.exe

On Block List - Not Documented Yet...

  • addinutil.exe
  • dbgsvc.exe
  • IntuneWindowsAgent.exe
  • kd.exe
  • ntkd.exe
  • ntsd.exe
  • texttransform.exe

Libraries On List (Independent usage may/may not be interesting)

  • Microsoft.Build.dll
  • Microsoft.Build.Framework.dll
  • msbuild.dll
  • lxssmanager.dll
  • system.management.automation.dll

Other "Unsigned Code Execution" LOLBINs (not on list)

  • dbgsrv.exe


PowerShell

  • UMCI BYPASS USING PSWORKFLOWUTILITY: CVE-2017-0215
  • DEFEATING DEVICE GUARD: A LOOK INTO CVE-2017-0007
  • Exploiting PowerShell Code Injection Vulnerabilities to Bypass Constrained Language Mode
  • A LOOK AT CVE-2017-8715: BYPASSING CVE-2017-0218 USING POWERSHELL MODULE MANIFESTS
  • CVE-2018-8212: DEVICE GUARD/CLM BYPASS USING MSFT_SCRIPTRESOURCE
  • Invoke-History Constrained Language Mode Bypass


Novel Living-Off-The-Land/COM/Microsoft Office/Active Scripting Languages (jscript.dll, msxml3.dll, msxml6.dll)

  • Bypassing Device Guard with .NET Assembly Compilation Methods
  • Sneaking Past Device Guard (+ CVE-2018-8417)
  • WLDP CLSID policy .NET COM Instantiation UMCI Bypass
  • WSH INJECTION: A CASE STUDY
  • Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs
  • COM XSL Transformation: Bypassing Microsoft Application Control Solutions (CVE-2018-8492)
  • Abusing Catalog Hygiene to Bypass Application Whitelisting
  • BYPASSING DEVICE GUARD UMCI USING CHM – CVE-2017-8625
  • UMCI VS INTERNET EXPLORER: EXPLORING CVE-2017-8625
  • Bypassing WDAC with Previous Versions of Signed Script Hosts & Signature Catalog Files


Defense, Policy Creation, Testing, & Research

  • WDAC Twitch Stream
  • WDAC Policy Wizard
  • WDACTools
  • WDACPolicies
  • Building a Windows Defender Application Control Lab
  • Documenting and Attacking a Windows Defender Application Control Feature the Hard Way — A Case Study in Security Research Methodology
  • WinAWL
  • Exploit Monday Blog
  • Quick Steps for Deploying a Policy & Setting Up a WDAC Test Machine
