The IEExec is a Microsoft binary that it is part  of the .NET framework (v2.0.50727) and has the ability to run applications that are hosted on a remote target by specifying the URL. This can allow an attacker to run an executable bypassing AppLocker and other application whitelisting solutions since IEExec is a Microsoft trusted utility.

This technique was first introduced on room362 blog.

The code access security policy needs to be disabled by default in order to allow the execution of the .NET code.

Disabling Code Access Security Policy
Disabling Code Access Security Policy

Running the binary by default will fail since AppLocker is blocking the execution of files that are not trusted.

AppLocker Blocks Binary
AppLocker Blocks Binary

However the following command will attempt to execute the binary test64.exe that is hosted on a remote server via the IEEexec utility:

IEExec - Bypassing AppLocker
IEExec -Bypassing AppLocker

The binary will be executed bypassing the AppLocker restrictions. This binary has the ability to execute commands or run other binaries.

IEExec - Dot NET 64bit Application
IEExec – Dot NET 64bit Application

Resources

https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/

https://github.com/khr0x40sh/WhiteListEvasion

 

 

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s