Feb 27, 2017

Training Teaser - Windows AppLocker bypass

In this short teaser, we want to demonstrate a simple AppLocker bypass. AppLocker, which will be the main focus of the 'Windows Breakout' (Day 1) section of the BruCON spring training, is the de-facto standard for locking down Windows machines in an enterprise environment.

It is the successor to SRP (Software Restriction Policies) and allows definition of fine-grained rules to allow or deny execution based on the path, file hash or publisher of the executable or script.
For this post, let us consider a scenario where the system administrator of a company has deployed the following AppLocker rules on all company machines through Group Policy:


The executable rules permit Administrators to run anything, while users who are members of the 'Employees' group are only allowed to run Microsoft-signed binaries, with a few exceptions.

The explicitly-blocked binaries are the usual suspects; each of them would allow users to run arbitrary commands on their corporate machine if not blocked by AppLocker. The training course will go into detail on how to attain code execution through regsvr32, rundll32 and InstallUtil.
The aim of this exercise is to run PowerShell and subsequently launch any binary on this box, such as a Meterpreter reverse shell.

Trying to run PowerShell directly is a no-go:


Even though the publisher information matches an 'Allow' rule in AppLocker, it is explicitly denied by path. 'Explicit Deny' takes precedence over 'Explicit Allow' in AppLocker.

If we look closer at the rules, we can see that the offending rule is applied to the path of the binary; hence moving the binary to another location, such as the Desktop, would invalidate the rule and allow execution:
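As an added defender's check (example code written for this post, not part of the BruCON material), the following PowerShell script lists every path-based Deny rule in the effective AppLocker policy, since such a rule only matches the binary at that path while a publisher or hash condition would follow the file wherever it is copied, and then asks the policy engine how it would treat the same binary at a user-writable location. It assumes the built-in AppLocker module with its Get-AppLockerPolicy and Test-AppLockerPolicy cmdlets; the two function names and their default parameters are ours.

```powershell
# Added audit example (not code from the BruCON post): list Deny rules that are
# path-based. Such a rule only matches the binary at that path and says nothing
# about a copy of the same file elsewhere.
# Assumes the built-in AppLocker module is available.
Import-Module AppLocker

function Get-PathBasedDenyRules {
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        foreach ($rule in $collection.FilePathRule) {
            if ($rule.Action -ne 'Deny') { continue }
            foreach ($cond in $rule.Conditions.FilePathCondition) {
                [pscustomobject]@{
                    Collection = $collection.Type
                    Rule       = $rule.Name
                    Sid        = $rule.UserOrGroupSid
                    DeniedPath = $cond.Path
                }
            }
        }
    }
}

# Ask the policy engine how it treats the same binary at its original path and
# at a user-writable path. Only the decision is evaluated; nothing is launched.
# $Binary and $User are assumed defaults; the copy is removed afterwards.
function Test-PathDenyCoverage {
    param(
        [string]$Binary = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
        [string]$User   = "$env:USERDOMAIN\$env:USERNAME"
    )
    $copy = Join-Path $env:TEMP (Split-Path $Binary -Leaf)
    Copy-Item -Path $Binary -Destination $copy -Force
    try {
        $policy = Get-AppLockerPolicy -Effective
        Test-AppLockerPolicy -PolicyObject $policy -Path $Binary, $copy -User $User |
            Select-Object FilePath, PolicyDecision, MatchingRule
    } finally {
        Remove-Item -Path $copy -Force -ErrorAction SilentlyContinue
    }
}

Get-PathBasedDenyRules | Format-Table -AutoSize
Test-PathDenyCoverage | Format-Table -AutoSize
```

A Deny rule that appears in the first table while the copied binary shows up as Allowed in the second one should be rewritten with a publisher or hash condition so that it is not tied to a single location.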

Easy, right? The next step is to run any executable with the help of PowerShell. At this point we could either beg Microsoft to sign our Meterpreter reverse shell or use the Invoke-ReflectivePEInjection PowerShell script, which is part of PowerSploit, to reflectively load our executable in memory and execute it that way.

This time we'll go for the latter. Transfer the Meterpreter reverse shell to the box and run the following commands:


The result is a complete bypass of this AppLocker policy:



This is just a taste of what we'll be covering during the 'Windows Breakout' section of this 3-day training course.

In addition to this we'll be going through Windows Privilege Escalation and UAC Bypasses. For a more complete overview as well as registration information, please visit this page.

BruCON Spring Training is hosted on 19, 20 and 21 April 2017 at the Novotel Ghent Centrum in Belgium. http://2017.brucon.org

See you there!!



Feb 10, 2017

Training Feedback - What we have learned from you!

After each training, we invite our students to complete a feedback form and provide us some input and honest opinions on how we can further improve the BruCON training experience.

On average about 70% of students complete the survey, and a majority of them go beyond the rating scale and provide us detailed feedback and areas with room for improvement.

So what have we learned so far?



There have been a number of issues in the past with the hotel wireless network. That being said, we aim to provide you a standard, solid internet connection that allows you to do your research and check your emails, not one for heavy downloading. The hotel has improved and upgraded the wireless network since the last BruCON. During Spring Training 2017 in April, we'll evaluate the progress and, if required, we'll be deploying our own wireless (or even wired) network in October once again.



When it comes to food, there is no such thing as pleasing everybody. We've tried different approaches in the past, but as of this year, we'll be going back to a buffet format with cold starters and a choice of three warm main courses (meat, fish and vegetarian). To speed things up, the classes will again be split into two groups giving you more free time during the lunch break.






After a long day of absorbing the sweet security goodness (and possibly frustrations ;-) ) you get during your training, you deserve some time off. And what would be better than having a beer together with your fellow students? After all, BruCON's slogan is still "hacking for beer". After the second day of training, we will be inviting you for a drink in the hotel bar. The first one is on us!




Check out our Spring Training 2017 lineup (19-21 April) here.
If you want to share some other feedback with us, you can contact us on Twitter or via email at training@brucon.org.