
How to use COM to bypass AppLocker CLM

2025-02-27 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article explains how COM objects can be used to bypass AppLocker's Constrained Language Mode (CLM). The content is quite detailed; interested readers may find it useful.

Preface

Constrained Language Mode (CLM) is a PowerShell mechanism that restricts users' access to the language's advanced features. Whatever Microsoft says about its purpose, it is in practice treated as a security control, because it helps defenders prevent tools such as Invoke-Mimikatz from running.

In this article I will show how this protection can be bypassed by a non-administrator user.

Straight to the point

The first thing we need to do is enable AppLocker in our lab environment. In this article I use the default rules that Windows generates when script enforcement is enabled. Once the Application Identity service is running, we can use the following command to confirm that CLM is in effect:

$ExecutionContext.SessionState.LanguageMode

The returned value, ConstrainedLanguage, indicates that we are in a restricted session. We can confirm this a second time by trying to execute a command that CLM blocks:

Add-Type "namespace test {}"

Now that we have enabled CLM, how can we get around it?

New-Object under AppLocker CLM

Interestingly, while looking at the attack surface of CLM, I noticed that when CLM is enabled through AppLocker, the New-Object cmdlet remains available. Consider the following command:

New-Object -ComObject WScript.Shell

This suggests that we can load code into the PowerShell process directly from PowerShell, because a COM object is exposed through a DLL that is loaded into the calling process. So how do we get a COM object of our own to load? If we watch New-Object -ComObject xpntest in ProcMon, we see a large number of lookups of keys under HKEY_CURRENT_USER:

After some digging, it turned out that the required registry keys can be created directly under HKCU with the following script:

Now, if we try to load our own COM object, we find that the custom DLL is loaded into the PowerShell process space:

This is great: we can now get an arbitrary DLL into PowerShell without the noisy CreateRemoteThread or WriteProcessMemory calls, and everything happens from within the constrained session. But our goal is to bypass CLM; how can this unmanaged DLL loading be used to achieve that? We can use the .NET CLR, or more precisely, load the .NET CLR from the unmanaged DLL and use it to run a .NET assembly.
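As an added, defender-side illustration (not code from the original article or the author's tooling): the technique above depends on a per-user COM registration under HKCU whose InprocServer32 DLL gets loaded into the PowerShell process. The following PowerShell audits the current user's CLSID registrations and flags any whose DLL lives outside a trusted root or which shadows a machine-wide CLSID; the trusted-root list is an assumed baseline and should be adjusted to your environment.

```powershell
# Added example, not from the original article: audit per-user COM registrations.
# A class registered under HKCU\Software\Classes\CLSID with an InprocServer32 value
# is loaded in-process by any program that instantiates it, PowerShell included, so
# user-writable DLL paths and CLSIDs that shadow HKLM entries deserve a closer look.
function Get-UserComRegistration {
    [CmdletBinding()]
    param(
        # Assumed baseline of trusted DLL locations; adjust to your own environment.
        [string[]]$TrustedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
                                    $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )

    $userClsidRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path -Path $userClsidRoot)) { return }

    Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        # REG_EXPAND_SZ values come back already expanded; REG_SZ values are taken as-is.
        $inproc = Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
        if (-not $inproc) { return }   # no in-process server: nothing is loaded into the caller

        $dllPath   = [string]$inproc.'(default)'
        $inTrusted = $false
        foreach ($root in $TrustedRoots) {
            if ($root -and $dllPath -like "$root\*") { $inTrusted = $true }
        }
        # A per-user key with the same CLSID as a machine-wide one wins for this user (COM hijack pattern).
        $shadowsMachine = Test-Path -Path "HKLM:\Software\Classes\CLSID\$clsid"

        [pscustomobject]@{
            CLSID         = $clsid
            DllPath       = $dllPath
            DllExists     = ($dllPath -ne '') -and (Test-Path -LiteralPath $dllPath -PathType Leaf)
            InTrustedRoot = $inTrusted
            ShadowsHKLM   = $shadowsMachine
            Suspicious    = (-not $inTrusted) -or $shadowsMachine
        }
    }
}

# Report flagged entries alongside the session's language mode, so the reviewer knows whether CLM is actually in force.
Get-UserComRegistration | Where-Object Suspicious | Format-Table -AutoSize
"LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"
```

Run it as the user whose profile you want to inspect; it needs no administrative rights, since HKCU belongs to that user.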

Unmanaged DLL -> managed DLL -> reflection

Tools such as Cobalt Strike already do this with their Execute-Assembly feature, which loads the CLR into an unmanaged process, and I have published a GIST with a piece of code that does the same on its own:

I will not describe the code in detail here. Interested readers can refer to the official Microsoft example, which shows a DLL loading the .NET CLR, loading a .NET assembly and finally transferring execution to a specific method.

Once that is done we have access to .NET and, importantly, to .NET reflection. The next step is to work out how CLM is enabled and disabled.

The current language mode is held in the System.Management.Automation.Runspaces.RunspaceBase.LanguageMode property. Since we are using reflection, we need to find a variable that references the Runspace and then modify it at run time. I think the simplest way is to use Runspaces.Runspace.DefaultRunspace.SessionStateProxy.LanguageMode:

After compiling this into a .NET assembly we can use reflection to disable CLM; all that remains is to create and run a PowerShell script [download address]:

That's it!

Demonstration video and why the attack works

Why can COM be used to bypass this protection? How does PowerShell handle COM loading? The answer is in the SystemPolicy.IsClassInApprovedList method, which checks whether a CLSID passed to New-Object is allowed. The following code performs the core check:

if (SystemPolicy.WldpNativeMethods.WldpIsClassInApprovedList(ref clsid, ref wldp_HOST_INFORMATION, ref num, 0u) >= 0 && num == 1) { ... }

This call is only a wrapper around the WldpIsClassInApprovedList function in wldp.dll, which checks whether the CLSID is permitted by the Device Guard (now Windows Defender Application Control) policy. Since AppLocker is not taken into account here, any CLSID that passes this check can be used.

An accidental discovery

While testing this technique I ran into a strange situation: it did not work when CLM was set up with the following method:

$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

This was awkward, because I had been using that command to test payloads. What is the difference? Going back to the disassembly, I found the answer in Microsoft.PowerShell.Commands.Utility.dll, specifically in the BeginProcessing method of the NewObjectCommand class:

Here we can see two code paths, depending on how CLM was enabled. If SystemPolicy.GetSystemLockdownPolicy returns Enforce, the first path is taken; this is the case when AppLocker or Device Guard is enabled. If the LanguageMode property was set directly, execution goes straight to the if (!flag) block, where an exception is thrown. In other words, CLM behaves differently depending on whether it was enabled through AppLocker, Device Guard, or the LanguageMode property.

The method described here is not the only way to bypass CLM; even a rough analysis of PowerShell turns up other ways to achieve a similar effect.

That concludes this look at how COM can be used to bypass AppLocker CLM. I hope the content above is of some help; if you found the article useful, please share it so that more people can see it.
