What is the core technique used by bohops to bypass AppLocker?
The core technique is to use the legitimate PowerShell diagnostic script `CL_LoadAssembly.ps1` located in `C:\windows\diagnostics\system\AERO`. The script internally calls `[System.Reflection.Assembly]::LoadFile()` to load a .NET assembly from disk. By providing the path to a malicious .NET executable compiled under .NET 2.0, an attacker can then invoke a public method from the loaded assembly to execute commands, such as calc.exe, bypassing AppLocker restrictions. For full details, refer to the Analysis and Summary of Bypassing AppLocker Using Assembly Load & LoadFile.
Tags: AppLocker bypass, Assembly.LoadFile, CL_LoadAssembly.ps1, PowerShell, .NET 2.0, bohops