November 15, 2023
Webinar Series: Purple Teaming - Validating Detection & Response Capabilities
Application Whitelisting (AWL) can be a valuable addition to a network defender's toolkit. It ensures that only applications and executables deemed safe by your organization are allowed to run on workstations and servers. However, despite the widespread use of Endpoint Detection and Response (EDR) solutions in modern enterprise networks, attackers have devised creative methods to potentially bypass these security measures through Windows utilities.
This article will briefly cover some of these applications, how hackers exploit them to circumvent security controls, and what defenders can do to mitigate this threat.
The two utilities covered in this article are ConfigSecurityPolicy.exe and aspnet_compiler.exe. The former is used to manage settings for Windows Defender, while the latter is a Windows-native .NET compiler.
ConfigSecurityPolicy.exe (CSP) is a binary that works in conjunction with Windows Defender and should never be used outside the context of Defender. However, researchers have discovered that this tool may be used to download payloads that would otherwise be blocked by EDR solutions [1].
For this demonstration we have our malware which includes as the payload some shellcode that will call back to our attack machine. Our victim machine is running Windows 10 22H2 with Defender enabled. We can see below that if we try to simply download the file it will be automatically quarantined by Defender.
We can navigate to “C:\Program File\Windows Defender” where CSP is located by default. Running this binary on its own does not yield any tangible outcome, although if we add an argument that contains the location of a file on the web we can download it.
The challenge with this bypass is that CSP downloads the file to a randomly generated cache folder. The easiest way to locate the file is by searching for it within File Explorer, as shown below.
Finally, after navigating to the malware's target directory and executing it, we can supply our malware with a Process ID (PID) of the target process for writing and executing our shellcode. Below, we can see that the malware executed successfully, and that our handler has opened a shell on the victim machine.
Let's briefly discuss the aspnet_compiler. While the execution of this technique is more complex, for brevity, we will limit the discussion to the actual bypass execution, omitting extensive setup. For a more detailed understanding of how this technique works, please refer to the original researcher's post [2] and a post by one of our testers [3].
With Applocker in place, if an attempt is made to execute a file with similar functionality, it will fail.
As for the actual execution of the bypass, it is relatively straight forward. We will be pointing aspnet_compiler to a project that we want compiled and executed. For a proof of concept, our payload is a simple Windows message box API call written in C# as shown below.
Lastly, we can see the bypass in action by calling the aspnet_compiler and creating a project named 'NWG' within the 'asptest' directory, where the project files are compiled and executed, displaying the message box.
Mitigating these threats for blue teams is straightforward. Block access to these Windows utilities for standard users, or set up alerts for when they are executed by non-IT staff members. A comprehensive list of these utilities can be found on the LOLBAS website [4].
To read more from our experts on a range of security topics, check out our other blogs here. Want to be notified when we publish more content? Fill out the subscription form at the bottom of the page.
References:
[1] https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/
[2] https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
[3] https://taylorcraig.com/2023/10/09/using-aspnet_compiler-exe-for-awl-bypassing/
[4] https://lolbas-project.github.io/#
Published By: Taylor Craig, Penetration Tester
Publish Date: November 15, 2023
Security news, tips, webinars, and more straight to your inbox.
