Add evasion module applocker_evasion_msbuild #12130

Merged
merged 4 commits into from
Jul 31, 2019

Conversation

NickTyrer
Contributor

Intro

This module is designed to evade solutions such as software restriction policies and AppLocker.
The main vector for this bypass is to use the trusted binary MSBuild.exe in executing user-supplied code.

This pull request is in reference to the previous pull request #8783.

Vulnerable Application

This evasion will work on all versions of Windows that include .NET versions 3.5 or greater (note: ensure the selected payload matches the target OS architecture).

Verification Steps

  1. Enable AppLocker and enable executable rules
  2. Verify a standard .exe will not run from the user's desktop
  3. Do `use evasion/windows/applocker_evasion_msbuild`
  4. Do `exploit`
  5. Follow the onscreen instructions by copying the created file to the target's desktop
  6. Verify that code execution is achieved.
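
A defender-side check for the behaviour described above, as an added example that is not part of this pull request or the module: it triages process-creation events for MSBuild.exe being pointed at a file in a user-writable folder or at a file without a usual project extension. The event field names follow Sysmon Event ID 1; the folder list, extension list and sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: folders a standard user can write to; tune for your environment.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(desktop|downloads|appdata)\\|\\windows\\temp\\",
    re.IGNORECASE)
# Assumption: extensions expected for legitimate builds in this environment.
PROJECT_EXTS = {".sln", ".proj", ".csproj", ".vbproj", ".vcxproj", ".targets"}
# One token = run of non-space characters and/or double-quoted segments.
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')

def file_args(command_line):
    """Return the non-switch arguments that follow the executable."""
    tokens = [t.replace('"', "") for t in TOKEN.findall(command_line)]
    return [t for t in tokens[1:] if not t.startswith(("/", "-"))]

def review_event(event):
    """Return reasons an MSBuild launch deserves analyst attention."""
    if ntpath.basename(event["Image"]).lower() != "msbuild.exe":
        return []
    reasons = []
    for arg in file_args(event["CommandLine"]):
        if USER_WRITABLE.search(arg):
            reasons.append(f"project file in user-writable path: {arg}")
        if ntpath.splitext(arg)[1].lower() not in PROJECT_EXTS:
            reasons.append(f"unusual project file extension: {arg}")
    return reasons  # empty also when no file is named (project taken from cwd)

def triage(events):
    """Return (index, reasons) for every event that produced a reason."""
    hits = [(i, review_event(e)) for i, e in enumerate(events)]
    return [(i, r) for i, r in hits if r]

SAMPLE_EVENTS = [  # constructed for illustration, not taken from a real host
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r'MSBuild.exe "C:\Users\alice\Desktop\notes.txt"'},
    {"Image": r"C:\BuildTools\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r'"C:\BuildTools\MSBuild\Current\Bin\MSBuild.exe" '
                    r"C:\src\app\app.csproj /p:Configuration=Release"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\Desktop\notes.txt"},
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(index, reasons)
```

On hosts where AppLocker executable rules apply to standard users, any MSBuild.exe launch by such a user may itself be worth alerting on, independent of these two heuristics.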

@NickTyrer NickTyrer changed the title add evasion module applocker_evasion_msbuild Add evasion module applocker_evasion_msbuild Jul 26, 2019
@wchen-r7 wchen-r7 self-assigned this Jul 29, 2019
@wchen-r7
Contributor

I'm currently testing this out. Thanks!

@NickTyrer
Contributor Author

@wchen-r7 sorry, just pushed one final commit to fix an issue I had overlooked.

@wchen-r7
Contributor

No problem. Thanks for the heads up.

@wchen-r7 wchen-r7 merged commit 4f7e9bd into rapid7:master Jul 31, 2019
@wchen-r7
Contributor

Really enjoyed playing with the module. Thanks for sharing.

@wchen-r7
Contributor

wchen-r7 commented Jul 31, 2019

Release Notes

The applocker_evasion_msbuild module has been added to the framework. It is designed to evade solutions such as software restriction policies and AppLocker. The main vector for this bypass is to use the trusted binary MSBuild.exe in executing user-supplied code.

jmartin-tech added a commit that referenced this pull request Aug 1, 2019
@tdoan-r7 tdoan-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 7, 2019
Labels
module msf5 rn-modules release notes for new or majorly enhanced modules