Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM...
So, I have been working this out the last few days. I was trying to solve a particular problem. I needed a reverse shell on a workstation locked down by AppLocker with executable and script rules enforced. tl;dr...

Shellcode Injection via QueueUserAPC - Hiding From Sysmon
Recently, our team was discussing some defender capabilities. One excellent tool is Sysmon from Sysinternals. This tool allows you to collect detailed information on processes, network connections,...

Attacking Drivers With MSBuild.exe
I've recently been experimenting with the full, offensive capabilities of MSBuild.exe. As a reference, MSBuild.exe ships with the .NET framework and comes installed by default on Windows 10. "Starting...

Bypassing Application Whitelisting using MSBuild.exe - Device Guard Example...
I've said it before, but when you start down the road of Application Whitelisting, you need to take the extra steps to look at the functionality of the applications you are trusting, and see if they...

Consider Application Whitelisting with Device Guard
I realize that Twitter is a difficult medium to articulate full discussions, so I wanted to engage the topic with a blog post. Over the last couple of years, I have focused a fair amount of time drawing...

Using Application Compatibility Shims
Overview: There have been a number of blog posts and presentations on Application Compatibility Shims in the past [See References at End]. Application Compatibility is a framework to resolve issues with...

Subvert CLR Process Listing With .NET Profilers
I recently stumbled onto an interesting capability of the CLR. "A profiler is a tool that monitors the execution of another application. A common language runtime (CLR) profiler is a dynamic link...

Attacking the CLR - AppDomainManager Injection
I have been interested in attacking the CLR to be able to manipulate .NET apps, like PowerShell. For example, using .NET profilers here: Recently I was reading this article about the CLR and execution...

DEFCON 30 CFP: New Directions in Cryptanalysis, an Exploration of Disruptive...
I had some free time today, and started thinking about what it would be like to disclose a globally disruptive vulnerability. Where and how would you do that? I started thinking about what might this...

msxsl.exe Working As Designed.
So, I recently was exploring XSL and injection, and came across several interesting references. <msxsl:script> Element; XSLT Script Block Sample. The basic gist, and what I think is interesting, is...

Banned File Execution via InstallUtil.exe (Nov 11, 2014 12:58 AM)
I was going through some of my old research today, and thought I might share the genesis of one of my older findings. I thought maybe it would be helpful to share my thinking and motivation for some...

Demogorgon - A Stranger Things Inspired Tool, Coming Soon.
****** This tool is inspired by the show "Stranger Things". There are spoilers, so, if you want to watch the show, read no further. You were warned. :-) ****** First some background. If you haven't seen...

dbghost.exe - Ghost And The Darkness
I found another Device Guard bypass recently. It was great to get to work with MSRC to get confirmation of the bypass, and to have them update the Device Guard configurations here: Device Guard...

CLRGuard - Let's Kick the Door Down. Part One
I really like this tool! Let me start with that. ;-) I really appreciate Joe Desimone (@dez_) and EndGame making this available open source. First, check this DerbyCon 2017 Talk out, it will help you...