From b5357cdec00bbfe4e714fa227da2230a27d70918 Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 26 Sep 2021 23:31:30 -0400
Subject: [PATCH] Adding app-ctrl bypass bins and a few lolscripts
---
 yml/OSBinaries/Aspnet_Compiler.yml | 28 ++++++++++++++
 yml/OSBinaries/Msbuild.yml | 12 ++++++
 yml/OSScripts/CL_LoadAssembly.yml | 30 +++++++++++++++
 yml/OSScripts/UtilityFunctions.yml | 26 +++++++++++++
 yml/OtherMSBinaries/Fsi.yml | 38 +++++++++++++++++++
 yml/OtherMSBinaries/FsiAnyCpu.yml | 36 ++++++++++++++++++
 yml/OtherMSBinaries/VisualUiaVerifyNative.yml | 31 +++++++++++++++
 yml/OtherMSBinaries/Wfc.yml | 28 ++++++++++++++
 8 files changed, 229 insertions(+)
 create mode 100644 yml/OSBinaries/Aspnet_Compiler.yml
 create mode 100644 yml/OSScripts/CL_LoadAssembly.yml
 create mode 100644 yml/OSScripts/UtilityFunctions.yml
 create mode 100644 yml/OtherMSBinaries/Fsi.yml
 create mode 100644 yml/OtherMSBinaries/FsiAnyCpu.yml
 create mode 100644 yml/OtherMSBinaries/VisualUiaVerifyNative.yml
 create mode 100644 yml/OtherMSBinaries/Wfc.yml
diff --git a/yml/OSBinaries/Aspnet_Compiler.yml b/yml/OSBinaries/Aspnet_Compiler.yml
new file mode 100644
index 0000000..7cbd821
--- /dev/null
+++ b/yml/OSBinaries/Aspnet_Compiler.yml
@@ -0,0 +1,28 @@
+---
+Name: Aspnet_Compiler.exe
+Description: ASP.NET Compilation Tool
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+ - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
+ Description: Execute C# code with the Build Provider and proper folder structure in place.
+ Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
+ Category: AWL Bypass
+ Privileges: User
+ MitreID: T1218
+ MitreLink: https://attack.mitre.org/techniques/T1218/
+ OperatingSystem: Windows 10
+Full_Path:
+ - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
+ - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
+Code_Sample:
+ - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
+Detection:
+ - IOC: Sysmon Event ID 1 - Process Creation
+Resources:
+ - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
+ - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
+Acknowledgement:
+ - Person: cpl
+ Handle: '@cpl3h'
+---
\ No newline at end of file
diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml
index b5bfbe5..5b4deca 100644
--- a/yml/OSBinaries/Msbuild.yml
+++ b/yml/OSBinaries/Msbuild.yml
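Review bot: The `Command` value hard-codes a lab-specific path (`C:\users\cpl.internal\desktop\asptest\`, twice) where the other new entries in this patch use a `c:\path\to\...` placeholder; replacing it with a placeholder keeps the author's environment out of any rule or test derived from the entry. The `Detection` IOC is the generic `Sysmon Event ID 1 - Process Creation`, yet the switch pattern already in the Command (`-v none -p <dir> -f <dir> -u`) is the entry's most specific signal and could be named in the IOC text. `OperatingSystem: Windows 10` is also narrower than the phrasing in the other new entries, which note that other versions are likely affected; hedge it the same way if other versions were not tested.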
@@ -20,6 +20,14 @@ Commands:
 MitreID: T1127
 MitreLink: https://attack.mitre.org/wiki/Technique/T1127
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+ - Command: msbuild.exe project.proj
+ Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
+ Usecase: Execute project file that contains XslTransformation tag parameters
+ Category: Execute
+ Privileges: User
+ MitreID: T1127
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1127
+ OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
@@ -27,6 +35,7 @@ Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
 - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
+ - Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
 Code_Sample:
 - Code:
 Detection:
@@ -36,9 +45,12 @@ Resources:
 - Link: https://github.com/Cn33liz/MSBuildShell
 - Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
 - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+ - Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191
 Acknowledgement:
 - Person: Casey Smith
 Handle: '@subtee'
 - Person: Cn33liz
 Handle: '@Cneelis'
+ - Person: Jimmy
+ Handle: '@bohops'
 ---
\ No newline at end of file
diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml
new file mode 100644
index 0000000..4bc7719
--- /dev/null
+++ b/yml/OSScripts/CL_LoadAssembly.yml
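Review bot: The first hunk adds an XslTransformation-based technique, but the patch leaves `Code_Sample` empty (`- Code:` is visible as context in the second hunk) and does not touch the `Detection` block, whose contents fall between the second and third hunks; from this diff it cannot be judged whether the existing IOCs cover a project file carrying `XslTransformation` parameters rather than an inline task, so the new command should either get its own IOC or the existing ones should be confirmed to cover it. The new `MitreLink` repeats the legacy `/wiki/Technique/T1127` URL form copied from the existing entry, while every other file in this patch uses the `/techniques/...` form, i.e. `https://attack.mitre.org/techniques/T1127/`. The enclosing `Commands` list starts above the first hunk.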
@@ -0,0 +1,30 @@
+---
+Name: CL_LoadAssembly.ps1
+Description: PowerShell Diagnostic Script
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+ - Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()'
+ Description: Proxy execute Managed DLL with PowerShell
+ Usecase: Execute proxied payload with Microsoft signed binary
+ Category: Execute
+ Privileges: User
+ MitreID: T1059.001
+ MitreLink: https://attack.mitre.org/techniques/T1059/001/
+ OperatingSystem: Windows 10 21H1 (likely other versions as well)
+Full_Path:
+ - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
+Code_Sample:
+ - Code:
+Detection:
+ - IOC:
+Resources:
+ - Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
+Acknowledgement:
+ - Person: Jimmy
+ Handle: '@bohops'
+---
+
+
+
+powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; RegSnapin ..\..\..\..\testing\fun.dll;[Program.Class]::Fun()
\ No newline at end of file
diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml
new file mode 100644
index 0000000..8f92417
--- /dev/null
+++ b/yml/OSScripts/UtilityFunctions.yml
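Review bot: The `Command` value on the new file's line 7 begins with a stray typographic quote inside the single-quoted scalar (`'”powershell.exe -command "set-location ...`) and the `"` opened after `-command` is never closed, so the string is not a balanced command; drop the `”` and close the double quote before the final `'`. After the document end `---` the file adds three empty lines and a second `powershell.exe -command ...` line that calls `RegSnapin` and `[Program.Class]::Fun()`, the helper used by UtilityFunctions.ps1 in this same patch rather than the `LoadAssemblyFromPath` used above, which looks like leftover paste and will be read by a YAML parser as a second document; delete everything after `---`. `Detection` and `Code_Sample` are both left empty although the Full_Path and the script name in the Command give a concrete signal, e.g. `- IOC: Sysmon Event ID 1 - powershell.exe importing CL_LoadAssembly.ps1 from C:\Windows\diagnostics\system\Audio`.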
@@ -0,0 +1,26 @@
+---
+Name: UtilityFunctions.ps1
+Description: PowerShell Diagnostic Script
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+ - Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”'
+ Description: Proxy execute Managed DLL with PowerShell
+ Usecase: Execute proxied payload with Microsoft signed binary
+ Category: Execute
+ Privileges: User
+ MitreID: T1059.001
+ MitreLink: https://attack.mitre.org/techniques/T1059/001/
+ OperatingSystem: Windows 10 21H1 (likely other versions as well)
+Full_Path:
+ - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
+Code_Sample:
+ - Code:
+Detection:
+ - IOC:
+Resources:
+ - Link: https://twitter.com/nickvangilder/status/1441003666274668546
+Acknowledgement:
+ - Person: Nick VanGilder
+ Handle: '@nickvangilder'
+---
\ No newline at end of file
diff --git a/yml/OtherMSBinaries/Fsi.yml b/yml/OtherMSBinaries/Fsi.yml
new file mode 100644
index 0000000..66f55f7
--- /dev/null
+++ b/yml/OtherMSBinaries/Fsi.yml
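Review bot: The `Command` value ends with a typographic quote (`[Program.Class]::Main()”'`) where the PowerShell string was opened with a straight `"` after `-command`, so the inner double-quoted string is unbalanced and the scalar does not paste cleanly; change `”` to `"`. `Detection` carries an empty `- IOC:` and `Code_Sample` an empty `- Code:`, although the script name in Full_Path (`UtilityFunctions.ps1`) and the `RegSnapin` call in the Command are a concrete signal, e.g. `- IOC: Sysmon Event ID 1 - powershell.exe importing UtilityFunctions.ps1 from C:\Windows\diagnostics\system\Networking`.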
@@ -0,0 +1,38 @@
+---
+Name: Fsi.exe
+Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+ - Command: fsi.exe c:\path\to\test.fsscript
+ Description: Execute F# code via script file
+ Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
+ Category: AWL Bypass
+ Privileges: User
+ MitreID: T1059
+ MitreLink: https://attack.mitre.org/techniques/T1059/
+ OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+ - Command: fsi.exe
+ Description: Execute F# code via interactive command line
+ Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
+ Category: AWL Bypass
+ Privileges: User
+ MitreID: T1059
+ MitreLink: https://attack.mitre.org/techniques/T1059/
+ OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+Full_Path:
+ - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
+ - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
+Code_Sample:
+ - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
+Detection:
+ - IOC: Sysmon Event ID 1 - Process Creation
+Resources:
+ - Link: https://twitter.com/NickTyrer/status/904273264385589248
+ - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+Acknowledgement:
+ - Person: Nick Tyrer
+ Handle: '@NickTyrer'
+ - Person: Jimmy
+ Handle: '@bohops'
+---
\ No newline at end of file
diff --git a/yml/OtherMSBinaries/FsiAnyCpu.yml b/yml/OtherMSBinaries/FsiAnyCpu.yml
new file mode 100644
index 0000000..855f7d7
--- /dev/null
+++ b/yml/OtherMSBinaries/FsiAnyCpu.yml
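Review bot: The Visual Studio `Full_Path` hard-codes the `Professional` edition folder (`...\Microsoft Visual Studio\2019\Professional\Common7\IDE\...`), while the SDK path right above it already uses a `[sdk version]` placeholder; an `[edition]` placeholder there would stop allowlist or detection rules built from this entry from missing other Visual Studio editions, and the same applies to the single `Full_Path` in FsiAnyCpu.yml in this patch. The `Detection` IOC is the generic process-creation event; the `.fsscript` argument in the first Command is the more specific signal and could be named in the IOC text. The placeholder spelling also differs between files (`[sdk version]` here, `[SDK version]` in VisualUiaVerifyNative.yml).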
@@ -0,0 +1,36 @@
+---
+Name: FsiAnyCpu.exe
+Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+ - Command: fsianycpu.exe c:\path\to\test.fsscript
+ Description: Execute F# code via script file
+ Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
+ Category: AWL Bypass
+ Privileges: User
+ MitreID: T1059
+ MitreLink: https://attack.mitre.org/techniques/T1059/
+ OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+ - Command: fsianycpu.exe
+ Description: Execute F# code via interactive command line
+ Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
+ Category: AWL Bypass
+ Privileges: User
+ MitreID: T1059
+ MitreLink: https://attack.mitre.org/techniques/T1059/
+ OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+Full_Path:
+ - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
+Code_Sample:
+ - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
+Detection:
+ - IOC: Sysmon Event ID 1 - Process Creation
+Resources:
+ - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+Acknowledgement:
+ - Person: Nick Tyrer
+ Handle: '@NickTyrer'
+ - Person: Jimmy
+ Handle: '@bohops'
+---
\ No newline at end of file
diff --git a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
new file mode 100644
index 0000000..dafea55
--- /dev/null
+++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
@@ -0,0 +1,31 @@
+---
+Name: VisualUiaVerifyNative.exe
+Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+ - Command: VisualUiaVerifyNative.exe
+ Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing.
+ Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
+ Category: AWL Bypass
+ Privileges: User
+ MitreID: T1218
+ MitreLink: https://attack.mitre.org/techniques/T1218/
+ OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+Full_Path:
+ - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
+ - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
+ - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
+Code_Sample:
+ - Code:
+Detection:
+ - IOC: Sysmon Event ID 1 - Process Creation
+Resources:
+ - Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
+ - Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
+Acknowledgement:
+ - Person: Lee Christensen
+ Handle: '@tifkin'
+ - Person: Jimmy
+ Handle: '@bohops'
+---
\ No newline at end of file
diff --git a/yml/OtherMSBinaries/Wfc.yml b/yml/OtherMSBinaries/Wfc.yml
new file mode 100644
index 0000000..8542015
--- /dev/null
+++ b/yml/OtherMSBinaries/Wfc.yml
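Review bot: The path in the Command's `Description` reads `C:\Users\[current user]\AppData\Roaminguiverify.config`, which appears to be missing the separator between `Roaming` and `uiverify.config`; confirm against the linked write-up and correct it, because that file is the entry's most specific indicator. `Detection` lists only `Sysmon Event ID 1 - Process Creation`, whereas the Description itself says the config file is written under the user's roaming AppData before the binary is executed, so a file-creation IOC belongs alongside it, e.g. `- IOC: uiverify.config created under C:\Users\[current user]\AppData\Roaming`. `Code_Sample` is left as an empty `- Code:`.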
@@ -0,0 +1,28 @@
+---
+Name: Wfc.exe
+Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+ - Command: wfc.exe c:\path\to\test.xoml
+ Description: Execute arbitrary C# code embedded in a XOML file.
+ Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
+ Category: AWL Bypass
+ Privileges: User
+ MitreID: T1218
+ MitreLink: https://attack.mitre.org/techniques/T1218/
+ OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+Full_Path:
+ - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
+Code_Sample:
+ - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+Detection:
+ - IOC: Sysmon Event ID 1 - Process Creation
+Resources:
+ - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+Acknowledgement:
+ - Person: Matt Graeber
+ Handle: '@mattifestation'
+ - Person: Jimmy
+ Handle: '@bohops'
+---
\ No newline at end of file
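Review bot: `Code_Sample` points at the same bohops.com blog post that is already listed under `Resources`; the field name suggests sample code, and the Fsi entries in this patch use it for a gist, so either link the sample itself or leave it empty as the other new entries do. `Full_Path` pins the tool to `NETFX 4.8 Tools`; if other SDK installs place it in a differently numbered `NETFX x.y Tools` folder, a placeholder in the style of the `[SDK version]` used in VisualUiaVerifyNative.yml would be more robust — worth confirming. The `Detection` IOC is the generic process-creation event; the `.xoml` argument in the Command is the more specific signal and could be named in the IOC text.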