.bat, .vbs, or .ps1 scripts. The first tactic is not to use these file extensions at all for the content of the script you wish to execute. Using .txt, or another file extension not associated with scripts, is sufficient. Second, we will use redirection to pipe the contents to the script execution environment.

"There is a fundamental difference between the approach taken by a development team and that taken by someone attacking an application. A development team typically approaches an application based on what it is intended to do. In other words, they are designing an application to perform specific tasks based on documented functional requirements and use cases. An attacker, on the other hand, is more interested in what an application can be made to do and operates on the principle that 'any action not specifically denied, is allowed'." - OWASP Secure Coding Practices Guide v2
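A defender-side triage heuristic for the two tactics just described, added here as an example and not code from the original post: it flags a script host that is handed a file without the interpreter's expected extension, or whose input arrives by stdin redirection instead of a file argument. The host table, the path regex and the sample command lines are constructed assumptions; tune them to your environment.

```python
import re

# Script hosts and the extensions each is normally given on the command line.
# cmd.exe is checked for redirection only: its /c argument is usually a program,
# so an extension check there would produce noise.
HOSTS = {
    "cscript.exe": {".vbs", ".js", ".wsf"},
    "wscript.exe": {".vbs", ".js", ".wsf"},
    "powershell.exe": {".ps1"},
    "cmd.exe": None,
}

# Absolute local (C:\...) or UNC (\\server\...) path, optionally quoted.
FILE_ARG = re.compile(r'"?((?:[A-Za-z]:|\\\\)[^"\s<>|]*)"?')


def split_host(command_line):
    """Return (host image name, remaining arguments) or (None, '')."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        first, rest = cl[1:end], cl[end + 1:]
    else:
        first, _, rest = cl.partition(" ")
    name = first.rsplit("\\", 1)[-1].lower()
    return (name, rest) if name in HOSTS else (None, "")


def analyze(command_line):
    """List the reasons a process command line looks like an extension bypass."""
    host, rest = split_host(command_line)
    if host is None:
        return []
    reasons = []
    if "<" in rest:  # script body supplied through stdin redirection
        reasons.append(f"stdin redirected into {host}")
    expected = HOSTS[host]
    if expected is None:
        return reasons
    for path in FILE_ARG.findall(rest):
        leaf = path.rsplit("\\", 1)[-1]
        ext = "." + leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
        if ext not in expected:
            reasons.append(f"{host} handed non-script file {path}")
    return reasons


def triage(command_lines):
    """Return [(command line, reasons)] for every event that raised a reason."""
    return [(cl, analyze(cl)) for cl in command_lines if analyze(cl)]


# Constructed process-creation events (not real telemetry).
EVENTS = [
    r'C:\Windows\System32\cscript.exe //nologo C:\Users\alice\login.vbs',
    r'cscript.exe //nologo "C:\Users\alice\notes.txt"',
    r'powershell.exe -ExecutionPolicy Bypass -File C:\temp\update.txt',
    r'"C:\Windows\System32\cmd.exe" /k < C:\temp\readme.txt',
    r'C:\Program Files\App\app.exe --config C:\temp\app.cfg',
]
```

Running `triage(EVENTS)` flags the second, third and fourth events and leaves the legitimate .vbs launch and the non-host program alone.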
"Released Windows operating system versions do support notification of image loading operations (which does meet some ISV requirements), but do not provide the ability to block the loading operation. For that reason, Microsoft investigated whether a new API would be needed to support this requirement, but ultimately concluded that existing supported functionality could be used to achieve the desired module load blocking behavior. In particular, a file system mini-filter can be utilized to block the loading of both modules in both user mode (e.g., DLLs) and kernel mode (e.g., device drivers). Intercepting IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION and returning STATUS_ACCESS_DENIED when sections are loaded for PAGE_EXECUTE permission is an appropriate approach." - Kernel Data Filtering and Support
"The root issue here is that at the point at which execute operations are detected (CreateFileMapping -> NtCreateSection), only read-only access to the section is requested, so it is not processed as an execute operation. Later, execute access is requested in the file mapping (MapViewOfFile -> NtMapViewOfSection), which results in the image being mapped as EXECUTE_WRITECOPY and subsequently allows unchecked execute access." - Chris Lord, Bit9
rundll32 or pcwutl.dll.

Invoke-ReflectivePEInjection. This tool is an amazing example of how PowerShell and the .NET Framework can be leveraged to execute arbitrary PE files. Since many environments trust the powershell.exe binary, it is a natural evolution for adversaries to leverage this framework. By creating an exploit for CVE-2014-4113 and embedding it into the Invoke-ReflectivePEInjection script, we were able to achieve privilege escalation, even in an environment with strict whitelisting enabled.