Clik here to view.
Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM...
So, I have been working this out the last few days. I was trying solve a particular problem.I needed a reverse shell on workstation locked down by AppLocker executable and script rules enforced. tl;dr...
View ArticleClik here to view.
Shellcode Injection via QueueUserAPC - Hiding From Sysmon
Recently, our team was discussing some defender capabilities. One excellent tool is Sysmon from Sysinternals. This tool allows you to collect detailed information on processes, network connections,...
View ArticleClik here to view.
Attacking Drivers With MSBuild.exe
I’ve recently been experimenting with the full, offensive capabilities of MSBuild.exe. As a reference, MSBuild.exe ships with the .NET framework and comes installed by default on Windows 10. “Starting...
View ArticleBypassing Application Whitelisting using MSBuild.exe - Device Guard Example...
I’ve said it before, but when you start down the road of Application Whitelisting, you need to take the extra steps to look at the functionality of the applications you are trusting, and see if they...
View ArticleClik here to view.
Consider Application Whitelisting with Device Guard
I realize that Twitter is a difficult medium to articulate full discussions, so I wanted to engage the topic with a blog post. Over the last couple years, I have focused a fair amount of time drawing...
View ArticleClik here to view.
Using Application Compatibility Shims
Overview:There have been number of blog posts and presentations on Application Compatibility Shims in the past [See References at End]. Application Compatibility is a framework to resolve issues with...
View ArticleClik here to view.
Subvert CLR Process Listing With .NET Profilers
I recently stumbled onto an interesting capability of the CLR. "A profiler is a tool that monitors the execution of another application. A common language runtime (CLR) profiler is a dynamic link...
View ArticleClik here to view.
Attacking the CLR - AppDomainManager Injection
I have been interested in attacking CLR to be able to manipulate .NET apps, like PowerShell.For example using .NET profilers here:Recently I was reading this article about the CLR and execution...
View ArticleDEFCON 30 CFP: New Directions in Cryptanalysis, an Exploration of Disruptive...
I had some free time today, and started thinking about what would it be like to disclose a globally disruptive vulnerability. Where and how would you do that? I started thinking about what might this...
View ArticleClik here to view.
msxsl.exe Working As Designed.
So, I recently was exploring XSL, and injection and came across several interesting references.<msxsl:script> ElementXSLT Script Block SampleThe basic gist, and what I think is interesting is...
View ArticleClik here to view.
Banned File Execution via InstallUtil.exe Nov 11, 2014 12:58 AM
I was going through some of my old research today, and thought I might share the genesis of one of my older findings. I thought maybe it would be helpful to share my thinking and motivation for some...
View ArticleClik here to view.
Demogorgon - A Stranger Things Inspired Tool, Coming Soon.
******This tool is inspired by the show "Stranger Things". There are spoilers, so, if you want to watch the show, read no further.You were warned. :-)******First some background. If you haven't seen...
View ArticleClik here to view.
dbghost.exe - Ghost And The Darkness
I found another Device Guard bypass recently. It was great to get to work with MSRC to get confirmation of the bypass, and to have them update the Device Guard configurations here:Device Guard...
View ArticleClik here to view.
CLRGuard - Let's Kick the Door Down. Part One
I really like this tool! Let me start with that. ;-)I really appreciate Joe Desimone ( @dez_ ) and EndGame making this available open source.First, check this DerbyCon 2017 Talk out, it will help you...
View Article