{
	"id": "c53cc54f-085c-4abf-a9ed-6460d619a39b",
	"created_at": "2026-04-06T00:12:36.987176Z",
	"updated_at": "2026-04-10T13:12:16.417888Z",
	"deleted_at": null,
	"sha1_hash": "4b8ee3fdbcb75a5bc6ffee3a4d59303042cbde0e",
	"title": "Bypassing Application Whitelisting By Using dnx.exe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 142340,
	"plain_text": "Bypassing Application Whitelisting By Using dnx.exe\r\nPublished: 2016-11-17 · Archived: 2026-04-05 20:55:09 UTC\r\nOver the past few weeks, I have had the pleasure to work side-by-side with Matt Graeber (@mattifestation) and Casey Smith (@subtee) researching Device Guard user mode code integrity (UMCI) bypasses. If you aren’t familiar with Device Guard, you can read more about it here: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide.\r\nIn short, Device Guard UMCI prevents unsigned binaries from executing, restricts the Windows Scripting Host, and places PowerShell in Constrained Language mode.\r\nRecently, @mattifestation blogged about a typical Device Guard scenario and using the Microsoft-signed debuggers WinDbg/CDB as shellcode runners.\r\nSoon after, @subtee released a post on using CSI.exe to run unsigned C# code on a Device Guard system.\r\nTaking their lead, I decided to install the Visual Studio Enterprise trial and poke around to see what binaries existed. After much digging, I stumbled across dnx.exe, which is the Microsoft .NET Execution environment. If you are curious, you can read more on dnx.exe here:\r\nhttps://blogs.msdn.microsoft.com/sujitdmello/2015/04/23/step-by-step-installation-instructions-for-getting-dnx-on-your-windows-machine/\r\nIn a Device Guard scenario, dnx.exe is allowed to execute as it is a Microsoft-signed binary packaged with Visual Studio Enterprise. In order to execute dnx.exe on a Device Guard system (assuming it isn’t already installed), you will need to gather dnx.exe and its required dependencies, and somehow transport everything to your target (this is an exercise left up to the reader).\r\nWith everything required now on our target host, we can start down the path of bypassing Device Guard’s UMCI. Since dnx.exe allows for executing code in dynamic scenarios, we can use it to execute arbitrary, unsigned C# code. Fortunately, there is a solid example of this on Microsoft’s blog above.\r\nFor example, we can create a C# file called “Program.cs” and add whatever C# code we want. To demonstrate the execution of unsigned code, we can keep things simple:\r\nhttps://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/\r\nPage 1 of 3\r\nTo satisfy the requirements of dnx.exe, a Project.json file is required, which specifies some of the requirements when executing the code. For this PoC, the example “Project.json” file can be used from Microsoft’s blog here. As stated in their post, we can execute our C# by placing “Program.cs” and “Project.json” in a folder called “ConsoleApp” (this can obviously be renamed/modified).\r\nNow that we have our files, we can execute our C# using dnx.exe by going into the “ConsoleApp” folder and invoking dnx.exe on it. This is done on a PC running Device Guard:\r\nAs you can see above, our unsigned C# successfully executed and is running inside of dnx.exe.\r\nFortunately, these “misplaced trust” bypasses can be mitigated via code integrity policy FilePublisher file rules. You can read up on creating these mitigation rules here:\r\nhttp://www.exploit-monday.com/2016/09/using-device-guard-to-mitigate-against.html\r\nYou can find a comprehensive bypass mitigation policy here:\r\nhttps://github.com/mattifestation/DeviceGuardBypassMitigationRules\r\nCheers!\r\nMatt Nelson\r\nSource: https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/"
	],
	"report_names": [
		"bypassing-application-whitelisting-by-using-dnx-exe"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434356,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b8ee3fdbcb75a5bc6ffee3a4d59303042cbde0e.pdf",
		"text": "https://archive.orkl.eu/4b8ee3fdbcb75a5bc6ffee3a4d59303042cbde0e.txt",
		"img": "https://archive.orkl.eu/4b8ee3fdbcb75a5bc6ffee3a4d59303042cbde0e.jpg"
	}
}