A centralized resource for previously documented WDAC/Device Guard/UMCI bypass techniques as well for building/managing/testing WDAC policies

*Many of the LOLBINs are included on the Microsoft Recommended Block Rules List

*This repository was inspired by Oddvar Moe's Ultimate AppLocker Bypass List

*This is a work in progress...

• By James Forshaw (@tiraniddo)
• DG on Windows 10 S: Executing Arbitrary Code
  • https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html

• By James Forshaw (@tiraniddo)
• DG on Windows 10 S: Executing Arbitrary Code
  • https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html

• By cpl (@cpl3h)
• The Curious Case of Aspnet_Compiler.exe
  • https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/

• By Oddvar Moe (@Oddvarmoe)
• Bypassing Application Whitelisting with BGInfo
  • https://msitpros.com/?p=3831

• By Matt Graeber (@mattifestation)
• Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner
  • http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html

• By Casey Smith (@subTee)
• Application Whitelisting Bypass - CSI.EXE C# Scripting
  • https://web.archive.org/web/20161008143428/http://subt0x10.blogspot.com/2016/09/application-whitelisting-bypass-csiexe.html

• By Matt Graeber (@mattifestation)
• dbghost.exe - Ghost And The Darkness
  • https://web.archive.org/web/20170926164017/http://subt0x10.blogspot.com/2017/09/dbghostexe-ghost-in-darkness.html

• By Matt Nelson (@enigma0x3)
• BYPASSING APPLICATION WHITELISTING BY USING DNX.EXE
  • https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/

• By Jimmy Bayne (@bohops)
• DotNet Core: A Vector For AWL Bypass & Defense Evasion
  • https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/

• By Nick Tyrer (@NickTyrer) [Write-up: Jimmy Bayne (@bohops)]
• GitHub Gist: fsi.exe inline execution
  • https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
  • https://twitter.com/NickTyrer/status/904273264385589248
• Exploring the WDAC Microsoft Recommended Block Rules (Part II): Wfc.exe, Fsi.exe, and FsiAnyCpu.exe
  • https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/

• By Nick Tyrer (@NickTyrer) via fsi.exe inline execution [Write-up: Jimmy Bayne (@bohops)]
• GitHub Gist: fsi.exe inline execution
  • https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
  • https://twitter.com/bohops/status/1319096336441090050
• Exploring the WDAC Microsoft Recommended Block Rules (Part II): Wfc.exe, Fsi.exe, and FsiAnyCpu.exe
  • https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/

• By Kyle Hanslovan (@KyleHanslovan), Chris Bisnett (@chrisbisnett)
• Evading Autoruns - DerbyCon 7.0
  • https://github.com/huntresslabs/evading-autoruns
• RE: Evading Autoruns PoCs on Windows 10
  • https://medium.com/@KyleHanslovan/re-evading-autoruns-pocs-on-windows-10-dd810d7e8a3f

• By @hyp3rlinx
• Microsoft Process Kill Utility "kill.exe" - SEH Buffer Overflow
  • http://hyp3rlinx.altervista.org/advisories/MS-KILL-UTILITY-BUFFER-OVERFLOW.txt
  • https://twitter.com/bohops/status/1324563760967753730

• By Matt Graeber (@mattifestation)
• Arbitrary, Unsigned Code Execution Vector in Microsoft.Workflow.Compiler.exe
  • https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb

• By Casey Smith (@subTee)
• Bypassing Application Whitelisting using MSBuild.exe - Device Guard Example and Mitigations
  • https://web.archive.org/web/20160920161634/http://subt0x10.blogspot.com/2016/09/bypassing-application-whitelisting.html

• By Unknown (Documented by @conscioushacker)
• Application Whitelisting Bypass: mshta.exe
  • https://web.archive.org/web/20171118145940/http://blog.conscioushacker.io/index.php/2017/11/17/application-whitelisting-bypass-mshta-exe/

• By Lasse Trolle Borup (@TrolleBorup)
• A simple Device Guard bypass
  • https://danishcyberdefence.dk/blog/device-guard-powershellcustomhost

• By Matt Nelson (@enigma0x3)
• BYPASSING APPLICATION WHITELISTING BY USING RCSI.EXE
  • https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/

• By Matt Graeber (@mattifestation)
• Bypassing Application Whitelisting with runscripthelper.exe
  • https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc

• By Lee Christensen (@tifkin_) [Write-up: Jimmy Bayne (@bohops)]
• Exploring the WDAC Microsoft Recommended Block Rules: VisualUiaVerifyNative
  • https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/

• Tipped by MSRC and Matt Graeber (@mattifestation) [Write-up: Jimmy Bayne (@bohops)]
• Exploring the WDAC Microsoft Recommended Block Rules (Part II): Wfc.exe, Fsi.exe, and FsiAnyCpu.exe
• https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/

• By Matt Graeber (@mattifestation)
• Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner
  • http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html

• By Casey Smith (@subTee)
• WMIC.EXE Whitelisting Bypass - Hacking with Style, Stylesheets
  • https://web.archive.org/web/20190814201250/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html

• addinutil.exe
• bash.exe
• dbgsvc.exe
• kd.exe
• lxrun.exe
• ntkd.exe
• ntsd.exe
• texttransform.exe
• wsl.exe
• wslconfig.exe
• wslhost.exe

• Microsoft.Build.dll
• Microsoft.Build.Framework.dll
• msbuild.dll
• lxssmanager.dll
• system.management.automation.dll

• By Casey Smith (@subTee) , Ross Wolf (@rw_access)
• How to Bypass WDAC with dbgsrv.exe
  • https://fortynorthsecurity.com/blog/how-to-bypass-wdac-with-dbgsrv-exe/
• Fantastic Red-Team Attacks and How to Find Them
  • https://i.blackhat.com/USA-19/Thursday/us-19-Smith-Fantastic-Red-Team-Attacks-And-How-To-Find-Them.pdf

• By Matt Nelson (@enigma0x3)
• https://enigma0x3.net/2017/10/19/umci-bypass-using-psworkflowutility-cve-2017-0215/

• By Matt Nelson (@enigma0x3)
• https://enigma0x3.net/2017/04/03/defeating-device-guard-a-look-into-cve-2017-0007/

• By Matt Graeber (@mattifestation)
• http://www.exploit-monday.com/2017/08/exploiting-powershell-code-injection.html

• By Matt Nelson (@enigma0x3)
• https://enigma0x3.net/2017/11/06/a-look-at-cve-2017-8715-bypassing-cve-2017-0218-using-powershell-module-manifests/

• By Matt Nelson (@enigma0x3)
• https://enigma0x3.net/2018/10/10/cve-2018-8212-device-guard-clm-bypass-using-msft_scriptresource/

• By Matt Graeber (@mattifestation)
• https://twitter.com/mattifestation/status/1095416185053696000

• By Matt Graeber (@mattifestation)
• http://www.exploit-monday.com/2017/07/bypassing-device-guard-with-dotnet-methods.html

• By Philip Tsukerman (@PhilipTsukerman)
• https://conference.hitb.org/hitbsecconf2019ams/materials/D2T1%20-%20Sneaking%20Past%20Device%20Guard%20-%20Philip%20Tsukerman.pdf

• By James Forshaw (@tiraniddo)
• https://bugs.chromium.org/p/project-zero/issues/detail?id=1514&q=

• By Matt Nelson (@enigma0x3)
• https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/

• By Matt Graeber (@mattifestation)
• https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404

• By Jimmy Bayne (@bohops)
• https://bohops.com/2019/01/10/com-xsl-transformation-bypassing-microsoft-application-control-solutions-cve-2018-8492/

• By Jimmy Bayne (@bohops)
• https://bohops.com/2019/05/04/abusing-catalog-file-hygiene-to-bypass-application-whitelisting/

• By Oddvar Moe (@Oddvarmoe), Matt Nelson (@enigma0x3)
• https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/

• By Matt Nelson (@enigma0x3)
• https://enigma0x3.net/2017/08/24/umci-vs-internet-explorer-exploring-cve-2017-8625/

• Fantastic videos collection that covers WDAC Policy Creation/Enforcement/Bypass/Audit/Etc.
• By Matt Graeber (@mattifestation)
• https://www.youtube.com/playlist?list=PL2Xx-q-W5pKUNaNkakjZkLmfsNvMWPdNB

• Documentation and tools to access Windows Defender Application Control (WDAC) technology
• By Microsoft Docs
• https://github.com/MicrosoftDocs/WDAC-Toolkit

• A PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies
• By Matt Graeber (@mattifestation)
• https://github.com/mattifestation/WDACTools

• A collection of Windows software baseline notes with corresponding Windows Defender Application Control (WDAC) policies
• By Matt Graeber (@mattifestation)
• https://github.com/mattifestation/WDACPolicies

• By FortyNorth Security (@FortyNorthSec)
• https://fortynorthsecurity.com/blog/building-a-windows-defender-application-control-lab/

• By Matt Graeber (@mattifestation)
• https://posts.specterops.io/documenting-and-attacking-a-windows-defender-application-control-feature-the-hard-way-a-case-73dd1e11be3a

• Windows Application Control Notes and Sample Policies
• By Brian in Pittsburgh (@arekfurt)
• https://github.com/arekfurt/WinAWL

• By Matt Graeber (@mattifestation)
• http://www.exploit-monday.com/

• By Jimmy Bayne (@bohops)
• https://github.com/bohops/Notes/tree/master/Windows/WDAC-DeviceGuard