Merge pull request #160 from bohops/master

WDAC Bypass additions, LOLScript additions, and a few updates
This commit is contained in:
Oddvar Moe 2021-09-29 12:30:34 +02:00 committed by GitHub
commit 3b848e6121
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 225 additions and 0 deletions

View File

@ -0,0 +1,28 @@
---
Name: Aspnet_Compiler.exe
Description: ASP.NET Compilation Tool
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
Description: Execute C# code with the Build Provider and proper folder structure in place.
Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 10
Full_Path:
- Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
- Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Code_Sample:
- Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
- Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
Acknowledgement:
- Person: cpl
Handle: '@cpl3h'
---

View File

@ -20,6 +20,14 @@ Commands:
MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: msbuild.exe project.proj
Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
Usecase: Execute project file that contains XslTransformation tag parameters
Category: Execute
Privileges: User
MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
@ -27,6 +35,7 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
- Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
Code_Sample:
- Code:
Detection:
@ -36,9 +45,12 @@ Resources:
- Link: https://github.com/Cn33liz/MSBuildShell
- Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
- Person: Cn33liz
Handle: '@Cneelis'
- Person: Jimmy
Handle: '@bohops'
---

View File

@ -0,0 +1,26 @@
---
Name: CL_LoadAssembly.ps1
Description: PowerShell Diagnostic Script
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()'
Description: Proxy execute Managed DLL with PowerShell
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1059.001
MitreLink: https://attack.mitre.org/techniques/T1059/001/
OperatingSystem: Windows 10 21H1 (likely other versions as well)
Full_Path:
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
Code_Sample:
- Code:
Detection:
- IOC:
Resources:
- Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
---

View File

@ -0,0 +1,26 @@
---
Name: UtilityFunctions.ps1
Description: PowerShell Diagnostic Script
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”'
Description: Proxy execute Managed DLL with PowerShell
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1059.001
MitreLink: https://attack.mitre.org/techniques/T1059/001/
OperatingSystem: Windows 10 21H1 (likely other versions as well)
Full_Path:
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
Code_Sample:
- Code:
Detection:
- IOC:
Resources:
- Link: https://twitter.com/nickvangilder/status/1441003666274668546
Acknowledgement:
- Person: Nick VanGilder
Handle: '@nickvangilder'
---

View File

@ -0,0 +1,38 @@
---
Name: Fsi.exe
Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: fsi.exe c:\path\to\test.fsscript
Description: Execute F# code via script file
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
MitreLink: https://attack.mitre.org/techniques/T1059/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
- Command: fsi.exe
Description: Execute F# code via interactive command line
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
MitreLink: https://attack.mitre.org/techniques/T1059/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
Code_Sample:
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://twitter.com/NickTyrer/status/904273264385589248
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
- Person: Nick Tyrer
Handle: '@NickTyrer'
- Person: Jimmy
Handle: '@bohops'
---

View File

@ -0,0 +1,36 @@
---
Name: FsiAnyCpu.exe
Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: fsianycpu.exe c:\path\to\test.fsscript
Description: Execute F# code via script file
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
MitreLink: https://attack.mitre.org/techniques/T1059/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
- Command: fsianycpu.exe
Description: Execute F# code via interactive command line
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
MitreLink: https://attack.mitre.org/techniques/T1059/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
Code_Sample:
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
- Person: Nick Tyrer
Handle: '@NickTyrer'
- Person: Jimmy
Handle: '@bohops'
---

View File

@ -0,0 +1,31 @@
---
Name: VisualUiaVerifyNative.exe
Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: VisualUiaVerifyNative.exe
Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing.
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
Code_Sample:
- Code:
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
- Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
Acknowledgement:
- Person: Lee Christensen
Handle: '@tifkin'
- Person: Jimmy
Handle: '@bohops'
---

View File

@ -0,0 +1,28 @@
---
Name: Wfc.exe
Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: wfc.exe c:\path\to\test.xoml
Description: Execute arbitrary C# code embedded in a XOML file.
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
Code_Sample:
- Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
- Person: Matt Graeber
Handle: '@mattifestation'
- Person: Jimmy
Handle: '@bohops'
---