On the correct list
AppLocker and Software Restriction Policies control the applications and files that users are able to run on Windows Operating Systems. These two protections have been available to the blue team for years. AppLocker is supported on Windows 7 and above, and Software Restriction Policies is supported on Windows XP and above. Encountering either during an engagement could slow you down; however, look no further than the evasion modules for assistance. Nick Tyrer contributed two new AppLocker and Software Restriction Policies evasion modules that leverage different bypass vectors discovered by Casey Smith (@subTee). First, the
evasion/windows/applocker_evasion_presentationhost evasion module uses the Microsoft signed binary
PresentationHost.exe in order to execute the payload. Second, the
evasion/windows/applocker_evasion_regasm_regsvcs evasion module uses the Microsoft signed binaries
RegSvcs.exe in order to execute the payload. Both evasions should work as long as .NET version 3.5 or above is installed and the binaries are not explicitly blocked.
New modules (2)
- Applocker Evasion - Windows Presentation Foundation Host by Casey Smith and Nick Tyrer
- Applocker Evasion - Microsoft .NET Assembly Registration Utility by Casey Smith and Nick Tyrer
- PR #12343 by egypt fixes a payload generation issue when formatting payload buffers as powershell byte arrays. These changes also add comments describing how the payload was configured.
- PR #12239 by Clément Notin fixes the search path separator to use the client's path separator instead of a fixed slash character.
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).