AppLocker Bypass COR Profiler
This video didn't go quite as smoothly as I expected. Still putting it here to show an unintended route for Ethereal. When I get more time, I'll probably redo this video, so don't be surprised if it disappears.
00:14 - Demo of this AppLocker Bypass
01:30 - How this is different from LOLBINs
04:00 - Creating a Reverse Shell EXE
07:00 - Converting our Reverse Shell EXE to a DLL
10:00 - Performing this COR Profiler bypass with our Reverse Shell DLL
11:21 - Trying to do this on the HackTheBox machine: Ethereal
18:43 - Creating a BAT file to set environment variables and execute TZSYNC
20:45 - Executing the BAT File and getting a meterpreter session!
22:03 - Doing JuicyPotato to privesc to SYSTEM
27:30 - Migrating to a user to be able to read an EFS Protected file