On the correct list

AppLocker and Software Restriction Policies (SRP) control which applications and files users are able to run on Windows. Both protections have been available to the blue team for years: AppLocker is supported on Windows 7 and above, and SRP on Windows XP and above. Encountering either during an engagement can slow you down; however, look no further than the evasion modules for assistance. Nick Tyrer contributed two new AppLocker/SRP evasion modules that leverage different bypass vectors discovered by Casey Smith (@subTee). First, the evasion/windows/applocker_evasion_presentationhost module uses the Microsoft-signed binary PresentationHost.exe to execute the payload. Second, the evasion/windows/applocker_evasion_regasm_regsvcs module uses the Microsoft-signed binaries RegAsm.exe or RegSvcs.exe to execute the payload. Because these binaries ship with Windows and the .NET Framework and live under the Windows folder, AppLocker's default executable rules (which allow everything under %WINDIR%) permit them unless an administrator has added a deny rule. Both evasions should therefore work as long as .NET Framework 3.5 or above is installed and the binaries are not explicitly blocked.
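For the blue team, the practical question is whether these three binaries are reachable under the policy actually in force. The following PowerShell script is an added example, not part of this wrap-up or of either module: it locates PresentationHost.exe, RegAsm.exe and RegSvcs.exe, reports whether the .NET Framework 3.5 or 4.x is installed, shows the enforcement mode of the Exe rule collection, and asks the effective AppLocker policy what it would decide for each file. The search roots, the use of the Everyone group and the registry keys checked are assumptions for illustration; SRP is not evaluated by Test-AppLockerPolicy, so an SRP-only host needs a separate review of its path and hash rules.

```powershell
# Added example (not from the Metasploit wrap-up or its modules): check whether
# the LOLBins used by applocker_evasion_presentationhost and
# applocker_evasion_regasm_regsvcs are runnable under the effective AppLocker
# policy. Run from an elevated PowerShell so the effective (local + GPO) policy
# can be read. Only AppLocker is tested here; SRP rules are not consulted.
Import-Module AppLocker

# 1. Prerequisite the modules state: .NET Framework 3.5 or above.
#    Registry locations are the documented NDP install markers (assumption: a
#    host with only later in-place 4.x releases still carries the v4\Full key).
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5',
    'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
)
foreach ($key in $netKeys) {
    $installed = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Install -eq 1
    '{0,-60} installed: {1}' -f $key, $installed
}

# 2. Locate the binaries. Paths are searched rather than hard-coded because
#    RegAsm.exe/RegSvcs.exe ship once per Framework version directory.
$targets     = 'PresentationHost.exe', 'RegAsm.exe', 'RegSvcs.exe'
$searchRoots = @("$env:windir\System32", "$env:windir\SysWOW64", "$env:windir\Microsoft.NET")   # assumed roots

$binaries = foreach ($root in $searchRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Include $targets -File -ErrorAction SilentlyContinue
    }
}

if (-not $binaries) {
    Write-Warning 'None of the target binaries were found; the evasion modules have nothing to abuse here.'
    return
}

# 3. Enforcement mode of the Exe collection. 'AuditOnly' or an absent
#    collection means nothing is blocked regardless of what the rules say.
[xml]$policyXml = Get-AppLockerPolicy -Effective -Xml
$exeCollection = $policyXml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
if ($exeCollection) {
    'Exe rule collection enforcement mode: {0}' -f $exeCollection.EnforcementMode
} else {
    'Exe rule collection: not configured (AppLocker will not block executables)'
}

# 4. Ask AppLocker for its decision on each binary as a member of Everyone.
#    'Allowed' via a default path rule on %WINDIR% is exactly the condition the
#    two evasion modules rely on; 'Denied' means an explicit block rule exists.
$paths  = $binaries | Select-Object -ExpandProperty FullName
$policy = Get-AppLockerPolicy -Effective
Test-AppLockerPolicy -PolicyObject $policy -Path $paths -User Everyone |
    Select-Object FilePath, PolicyDecision |
    Format-Table -AutoSize
```

Any row that comes back Allowed (or AllowedByDefault) while the Exe collection is set to Enabled is a binary the modules can use on that host; closing it means adding an explicit deny rule for each path or publisher, since the default Windows-folder allow rule is what lets them through.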

New modules (2)

Bugs fixed

  • PR #12343 by egypt fixes a payload generation issue when formatting payload buffers as powershell byte arrays. These changes also add comments describing how the payload was configured.
  • PR #12239 by Clément Notin fixes the search path separator to use the client's path separator instead of a fixed slash character.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).