Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add evasion module applocker_evasion_install_util #11795

Merged
merged 18 commits into from
Jul 23, 2019
Merged

Add evasion module applocker_evasion_install_util #11795

merged 18 commits into from
Jul 23, 2019

Conversation

NickTyrer
Copy link
Contributor

@NickTyrer NickTyrer commented Apr 29, 2019
edited
Loading

Intro

This module is designed to evade solutions such as software restriction policies and Applocker.
The main vector for this bypass is to use the trusted binary InstallUtil.exe in executing user supplied code.

This pull request is in reference to the previous pull request #8783.

Vulnerable Application

This evasion will work on all versions of Windows that include .net versions 3.5 or greater (note: ensure the selected payload matches the target os architecture).

Verification Steps

  1. Enable Applocker and enable executable rules
  2. Verify a standard .exe will not run from the users desktop
  3. Do use evasion/windows/applocker_evasion_install_util
  4. Do exploit
  5. Follow the onscreen instructions by copying the created file to the targets desktop
  6. Verify that the .exe executes from the users Desktop

@bcoles bcoles added the module label Apr 29, 2019
@NickTyrer
Copy link
Contributor Author

@busterb should I submit each Applocker evasion technique as separate evasion modules or should I create one module that gives the option of which Applocker evasion to create?

cbrnrd
cbrnrd suggested changes May 24, 2019
View reviewed changes
documentation/modules/evasion/windows/applocker_evasion_install_util.md Show resolved Hide resolved
modules/evasion/windows/applocker_evasion_install_util.rb Outdated Show resolved Hide resolved
modules/evasion/windows/applocker_evasion_install_util.rb Show resolved Hide resolved
modules/evasion/windows/applocker_evasion_install_util.rb Outdated Show resolved Hide resolved
modules/evasion/windows/applocker_evasion_install_util.rb Outdated Show resolved Hide resolved
documentation/modules/evasion/windows/applocker_evasion_install_util.md
@@ -0,0 +1,9 @@
## Intro

This module is designed to evade solutions such as software restriction policies and Applocker.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

software restriction policies

this is too vague

documentation/modules/evasion/windows/applocker_evasion_install_util.md Outdated Show resolved Hide resolved
documentation/modules/evasion/windows/applocker_evasion_install_util.md Outdated Show resolved Hide resolved
modules/evasion/windows/applocker_evasion_install_util.rb Outdated Show resolved Hide resolved
@NickTyrer
Copy link
Contributor Author

Thanks @cbrnrd for the review.

@bcoles bcoles added the docs label Jun 6, 2019
@wchen-r7 wchen-r7 self-assigned this Jul 23, 2019
@wchen-r7 wchen-r7 merged commit 5a010e1 into rapid7:master Jul 23, 2019
@wchen-r7
Copy link
Contributor

wchen-r7 commented Jul 23, 2019
edited by tdoan-r7
Loading

Release Notes

The applocker_evasion_install_util module has been added to the framework. It is designed to evade software restriction policies and Applocker. The main vector for this bypass is to use the trusted binary InstallUtil.exe in executing user supplied code.

wchen-r7 added a commit that referenced this pull request Jul 23, 2019
@wchen-r7
Land #11795, Add evasion module applocker_evasion_install_util
8f8e32b
msjenkins-r7 pushed a commit that referenced this pull request Jul 23, 2019
@wchen-r7 @msjenkins-r7
Land #11795, Add evasion module applocker_evasion_install_util
b369425
@NickTyrer NickTyrer deleted the applocker_evasion_install_util branch July 25, 2019 07:11
@tdoan-r7 tdoan-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 6, 2019
@jmartin-tech jmartin-tech mentioned this pull request Aug 19, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cbrnrd cbrnrd cbrnrd requested changes

Assignees

@wchen-r7 wchen-r7

Labels
docs module msf5 rn-modules release notes for new or majorly enhanced modules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@NickTyrer @wchen-r7 @cbrnrd @bcoles @tdoan-r7 @jmartin-tech @mikemenasi