Many incidents happened recently that used legitimate.exe side loading malicious .dll to execute MSXSL and bypass AppLocker.
For more information about side loading malicious dll can read from here.
For more information about MSXSL execution can read from here
From the pentestlab blog, it is running using jscript. However the xsl file can run vbscript too. Sample vbscript execution using xsl can be found here.
For detailed explanation can be found here (It is in Mandarin). If anyone has English post please kindly share in the comment. Thanks!
Then I saw a post in Twitter showed a sample malicious xsl using jscript to run powershell. It can be found here.
How about running powershell without powershell? I have read a post from blackhillsinfosec recently to execute powershell script without running powershell.exe process. It bypassed execution policy and many detection failed to alert the execution.
How about combine MSXSL without powershell.exe? It's going to be interesting.
Here goes my weekend...
Download XML and XSL sample from GitHub.
Download MSXSL from Microsoft.
Download the source code for running powershell without powershell.exe from blackhillsinfosec.
Search the System.Management.Automation.dll from Windows directory:
Then copy the path and compile it.
Now let's try to execute with simple ps1 script. From the process monitor, spotted the powershell is execute through Registry instead of powershell.exe
Now I have EXE and PS1 script. I have to dump them into a single VBS script then insert into XSL.
Simple Google around from EXE to VBS, a python script wrote by Didier Stevens that can convert EXE to VBS.
The VBS script looks good. Let's combine the ps1 script into the VBS script.
Everything seems to be fine when running the VBS using wscript. The a.txt is created.
Let's copy the VBS into XSL. It should run without any errors.
Great! Let's take a look at process monitoring.
MSXSL process created.
Command line file.exe with argument a.ps1 spotted.
Query for directory.
Powershell execution from Registry.
a.txt file created.
Set timeout delay for 2 seconds.
Delete file.exe and a.ps1.
From process monitoring, there is no PowerShell.exe process created. Hence, bypass AppLocker and bypass PowerShell policy execution is possible.
In order to mitigate the attack, detecting MSXSL execution and subprocess contains .ps1 are important.
No comments:
Post a Comment