Recently I stumbled on another whitelisting bypass trick. It's actually in the same class as "Trusted Things that Execute Things", but it's a new toolset and requires a slight modification to get execution.
Introducing Regsvcs.exe and RegAsm.exe. Both are part of a default .NET install and are signed by Microsoft. Sound familiar?
First, these two tools are used to register .NET COM assemblies, but remember, we don't really care about their original intent.
What I found is that these applications typically require admin rights to perform the necessary installation and registration. However, there is a catch: using some C# attributes we can influence the execution, EVEN if we don't have admin rights.
[ComRegisterFunction] & [ComUnregisterFunction]: these two attributes mark code that runs before registration/unregistration (o_O). All we need to do is present these applications with an assembly carrying these attributes and they will happily execute our code for us.
You will need to create a Strong Name Key (.snk) for this to work, but that's trivial.
This technique works even if the file has been explicitly banned, and even if DLL whitelisting is enabled. The reason is that the DLL is executed via reflection, and the whitelisting apps never receive notification of an execute event...
I put a sample here:
So, that's it really. Simply compile your DLL and run it as a guest of RegAsm or Regsvcs.
These files are already installed on any workstation/server with the .NET Framework.
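Since the whitelisting product never sees the DLL load as an execute event, the observable a defender still has is the process creation of regasm.exe or regsvcs.exe itself: which assembly path it was handed, and what launched it. The following is an added example, not code from the original post, showing a small detector over Sysmon-style process-creation events. The event lines, the `key=value|key=value` layout, the trusted-directory list and the expected-parent list are all constructed for this demo and are assumptions, not a product's real schema.

```python
"""
Added example (not from the original post): flag regasm.exe / regsvcs.exe
process creations that register an assembly from a user-writable location
or come from an unexpected parent process. Field names mirror Sysmon
Event ID 1 (Image, CommandLine, ParentImage, User); the line format and the
sample events below are constructed for this demo.
"""
import re
import shlex

TARGET_BINARIES = ("regasm.exe", "regsvcs.exe")

# Directories an administrator would normally register assemblies from
# (assumption: adjust to the environment). Anything else, such as a user
# profile, Temp or a network share, is treated as suspect.
TRUSTED_ASSEMBLY_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)

# Parents that legitimately drive COM registration (assumption for the demo).
EXPECTED_PARENTS = ("msiexec.exe", "setup.exe", "devenv.exe", "msbuild.exe")

# Constructed sample events: one legitimate install, one regsvcs.exe run
# against a DLL in the user's Temp directory, one unrelated process.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
    "|CommandLine=RegAsm.exe \"C:\\Program Files\\Vendor\\Interop.dll\" /codebase"
    "|ParentImage=C:\\Windows\\System32\\msiexec.exe|User=NT AUTHORITY\\SYSTEM",
    "Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe"
    "|CommandLine=regsvcs.exe \"C:\\Users\\bob\\AppData\\Local\\Temp\\payload.dll\""
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|User=CORP\\bob",
    "Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe readme.txt"
    "|ParentImage=C:\\Windows\\explorer.exe|User=CORP\\bob",
]


def parse_event(line):
    """Parse one 'key=value|key=value' line (constructed format) into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def assembly_from_cmdline(cmdline):
    """Return the first non-switch argument, i.e. the assembly being registered."""
    try:
        # posix=False keeps Windows backslashes literal and retains quotes.
        args = shlex.split(cmdline, posix=False)
    except ValueError:
        args = cmdline.split()
    for arg in args[1:]:
        if not arg.startswith(("/", "-")):
            return arg.strip('"').lower()
    return None


def assess(event):
    """Return None for non-target binaries, else a list of reasons (empty = benign)."""
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    if image not in TARGET_BINARIES:
        return None
    reasons = []
    cmdline = event.get("CommandLine", "")
    assembly = assembly_from_cmdline(cmdline)
    if assembly and not assembly.startswith(TRUSTED_ASSEMBLY_PREFIXES):
        reasons.append(f"assembly outside trusted directories: {assembly}")
    # The tools' own /U switch unregisters; the attributes fire on that path too.
    if re.search(r"(^|\s)/u\b", cmdline, re.IGNORECASE):
        reasons.append("unregister switch (/U) used")
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if parent and parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process: {parent}")
    return reasons


def scan(lines):
    """Map event index -> reasons for every event that raised at least one reason."""
    alerts = {}
    for idx, line in enumerate(lines):
        reasons = assess(parse_event(line))
        if reasons:
            alerts[idx] = reasons
    return alerts


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(f"ALERT event[{idx}]: " + "; ".join(reasons))
```

Run against the constructed events, only the regsvcs.exe launch from the user's Temp directory raises an alert (two reasons: untrusted assembly path and cmd.exe as parent); the msiexec.exe-driven RegAsm.exe call against Program Files is left alone. The path and parent lists are the tuning knobs; in a real deployment they come from an inventory of what legitimately registers COM assemblies on your hosts.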
I'm sure there are more like this. But this pattern seems to be working quite well for me.
This may be just the technique needed for someone to gain an initial foothold.
It is my opinion that this bypass method has ramifications beyond just whitelisting apps...
That's all I got today...