Bypassing WDAC and AppLocker Using Ligolo

This article demonstrates how attackers bypass AppLocker and Windows Defender Application Control (WDAC) by abusing trusted signed binaries, living-off-the-land techniques, in-memory payloads, and tunneling tools such as Ligolo-NG. It outlines preparing Ligolo and a reflective loader, converting payloads to shellcode with Donut, hosting the artifacts, and executing them via trusted binaries (InstallUtil, MSBuild) or PowerShell memory injection to establish a Ligolo reverse TLS tunnel and bypass PowerShell Constrained Language Mode.

#AppLocker #WDAC #LigoloNG #MSBuild

Key points

  • AppLocker and WDAC block unsigned executables and restrict full PowerShell functionality.
  • Attackers pivot to LOLBins, trusted signed binaries, and in-memory execution to evade file-based allow-listing controls.
  • Preparation involves building a custom Ligolo agent, encoding loaders, and hosting artifacts on an attacker-controlled server.
  • Bypass techniques demonstrated include reflective PE injection, Donut-generated shellcode, InstallUtil abuse, PowerShell injection, and MSBuild inline task execution.
  • Successful Ligolo callbacks confirm a reverse TLS tunnel and internal pivot, and MSBuild can be used to bypass PowerShell Constrained Language Mode.

Read More: https://www.hackingarticles.in/bypassing-wdac-and-applocker-using-ligolo/