enigma0x3: Red Teamer and Security Addict
Bypassing Application Whitelisting by using dnx.exe
November 17, 2016 by enigma0x3
Over the past few weeks, I have had the pleasure to work side-by-side with Matt Graeber
(@mattifestation) and Casey Smith (@subtee) researching Device Guard user mode code
integrity (UMCI) bypasses. If you aren’t familiar with Device Guard, you can read more about it
here: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide.
In short, Device Guard UMCI prevents unsigned binaries from executing, restricts the Windows
Scripting Host, and it places PowerShell in Constrained Language mode.
Recently, @mattifestation blogged about a typical Device Guard scenario and using the Microsoft-signed
debuggers WinDbg/CDB as shellcode runners.
Soon after, @subtee released a post on using CSI.exe to run unsigned C# code on a Device
Guard system.
Taking their lead, I decided to install the Visual Studio Enterprise trial and poke around to see
what binaries existed. After much digging, I stumbled across dnx.exe, which is the Microsoft .NET
Execution environment. If you are curious, you can read more on dnx.exe here:
https://blogs.msdn.microsoft.com/sujitdmello/2015/04/23/step-by-step-installation-instructions-for-getting-dnx-on-your-windows-machine/
In a Device Guard scenario, dnx.exe is allowed to execute as it is a Microsoft-signed binary
packaged with Visual Studio Enterprise. In order to execute dnx.exe on a Device Guard system
(assuming it isn’t already installed), you will need to gather dnx.exe and its required
dependencies, and somehow transport everything to your target (this is an exercise left up to the
reader).
With everything required now on our target host, we can start down the path of bypassing
Device Guard’s UMCI. Since dnx.exe allows for executing code in dynamic scenarios, we can
use it to execute arbitrary, unsigned C# code. Fortunately, there is a solid example of this on
Microsoft’s blog above.
For example, we can create a C# file called “Program.cs” and add whatever C# code we want. To
demonstrate the execution of unsigned code, we can keep things simple:
To satisfy the requirements of dnx.exe, a Project.json file is required, which specifies some of the
requirements when executing the code. For this PoC, the example “Project.json” file can be used
from Microsoft’s blog here. As stated in their post, we can execute our C# by placing
“Program.cs” and “Project.json” in a folder called “ConsoleApp” (this can obviously be
renamed/modified).
Now that we have our files, we can execute our C# using dnx.exe by going into the “ConsoleApp”
folder and invoking dnx.exe on it. This is done on a PC running Device Guard:
As you can see above, our unsigned C# successfully executed and is running inside of dnx.exe.
Fortunately, these “misplaced trust” bypasses can be mitigated via code integrity policy
FilePublisher file rules. You can read up on creating these mitigation rules here:
http://www.exploit-monday.com/2016/09/using-device-guard-to-mitigate-against.html
You can find a comprehensive bypass mitigation policy here:
https://github.com/mattifestation/DeviceGuardBypassMitigationRules
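As a worked illustration of the FilePublisher mitigation described above, here is an added example (not code from this post and not taken from the DeviceGuardBypassMitigationRules repository) that builds a FilePublisher deny rule for dnx.exe with the ConfigCI cmdlets that ship with Windows 10, merges it into an existing policy, and checks that the rule actually landed in the merged XML before it is converted to binary form. The policy paths and the location of the dnx.exe sample are placeholders; the helper Get-DenyRuleForFile is my own and relies on the rule entries for a file sitting under the policy's FileRules element with a FileName attribute.

```powershell
# Added example, not code from the original post or from the mitigation rules repository.
# Builds a FilePublisher deny rule for dnx.exe and merges it into an existing Device Guard
# code integrity policy using the ConfigCI cmdlets that ship with Windows 10.
# Assumed inputs (placeholder paths, adjust for your environment):
#   $BasePolicyXml - your current, already-deployed policy in XML form
#   $DnxSample     - a copy of the signed dnx.exe you want the policy to refuse
$ErrorActionPreference = 'Stop'

$BasePolicyXml = 'C:\CIPolicy\BasePolicy.xml'
$DnxSample     = 'C:\Tools\dnx\dnx.exe'
$MergedXml     = 'C:\CIPolicy\BasePolicy_DenyDnx.xml'
$BinaryPolicy  = 'C:\CIPolicy\SIPolicy.p7b'

# A FilePublisher rule ties the file's signer chain to its original file name and a
# version bound, so the deny rule still applies if the binary is renamed or copied to
# another path. A hash rule would miss the next build; a path rule would miss a move.
$DenyRules = New-CIPolicyRule -DriverFilePath $DnxSample -Level FilePublisher -Deny

# Merge the deny rules into the base policy. Deny rules take precedence over allow rules
# in a policy, so the broad allow for Microsoft-signed code stays while this binary is refused.
Merge-CIPolicy -PolicyPaths $BasePolicyXml -Rules $DenyRules -OutputFilePath $MergedXml

function Get-DenyRuleForFile {
    # Returns the FileRules entries in a policy XML whose FileName attribute matches $FileName.
    # FilePublisher rules surface as FileAttrib entries referenced by a denied signer, while
    # Hash and FileName level rules surface as Deny entries; both sit under FileRules, so the
    # match is on the FileName attribute regardless of the element name (assumption about
    # the policy schema, verified against the merged XML below).
    param(
        [Parameter(Mandatory)][string]$PolicyXmlPath,
        [Parameter(Mandatory)][string]$FileName
    )
    [xml]$policy = Get-Content -Path $PolicyXmlPath -Raw
    # local-name() sidesteps the policy's default XML namespace.
    $policy.SelectNodes("//*[local-name()='FileRules']/*[@FileName]") |
        Where-Object { $_.GetAttribute('FileName') -ieq $FileName }
}

$dnxRules = @(Get-DenyRuleForFile -PolicyXmlPath $MergedXml -FileName 'dnx.exe')
if ($dnxRules.Count -eq 0) {
    throw "No rule for dnx.exe made it into $MergedXml; inspect the rule output before deploying."
}
foreach ($rule in $dnxRules) {
    # The generated rule carries the version of the sample you scanned; compare that bound
    # against the dnx.exe builds actually present in your environment before enforcing.
    '{0} FileName={1} MinimumFileVersion={2}' -f $rule.LocalName,
        $rule.GetAttribute('FileName'), $rule.GetAttribute('MinimumFileVersion')
}

# Convert to the binary form Device Guard consumes. Roll it out to a test machine in audit
# mode first and review the Microsoft-Windows-CodeIntegrity/Operational log before enforcing.
ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryPolicy $BinaryPolicy
```

The same pattern applies to the other Visual Studio binaries mentioned on this page (csi.exe, cdb.exe, windbg.exe): scan one signed sample of each with New-CIPolicyRule -Level FilePublisher -Deny and merge the resulting rules in one Merge-CIPolicy call. Keeping the deny rules in their own XML fragment under version control makes it easy to see exactly which trusted-but-abusable binaries the policy refuses.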
Cheers!
Matt Nelson