There have been a number of students of mine that have been asking why the bypass of Software Restriction Policies matters. This trickle of questions started the first time I taught SANS 660 Advanced Network Penetration Testing and has permeated through the other classes I have taught over the past few months.
We at PDC have been testing a number of Citrix implementations and bypassing SRP is becoming as important as bypassing AV. The reason for this is because once you can bypass SRP the whole arsenal of the command line is at your disposal. Look, the ability to upload Meterpreter is great. However, when attacking a domain there are a number of additional commands and Windows snap-ins that are essential for owning a domain. Thankfully, there are a number of outstanding resources available online. One of them is Wicked Clown.
Here are a few of his outstanding videos. You know the videos are good because I generally hate clowns.

EvilClown.jpeg

Left me scared for life…

The final reason bypassing SRP is so important is that it highlights the risk of a standard user account being used to attack the rest of the domain using built-in tools.
I would also like to say thanks to Peter Danhieux for putting together a number of outstanding SRP bypass attacks.
-strandjs

About the author