Channel: subTee
Browsing all 45 articles


Application Whitelisting Bypass - CSI.EXE C# Scripting

We've seen it before: attackers bring signed, trusted tools onto your system to expand their functionality. They can bring tools signed by any vendor you have approved in your whitelist....


Using Application Compatibility Shims

Overview: There have been a number of blog posts and presentations on Application Compatibility Shims in the past [see references at end]. Application Compatibility is a framework to resolve issues with...


Command Line Camouflage - ODBCCONF.EXE

One of the tools blue teams have is combining big data with command-line auditing. So here's one to add some confusion to their game. Recently I stumbled onto another interesting binary: ODBCCONF.EXE...


Mimikatz Delivery via ClickOnce with URL Parameters

Recently, during an ATD team hackathon, we split our team into groups and attacked different problems. The challenge that @webyeti and I took on was to write a quick POC to prove the ability to pass URL...


Consider Application Whitelisting with Device Guard

A while back, I posted this question on Twitter. I realize that Twitter is a difficult medium to articulate full discussions, so I wanted to engage the topic with a blog post. Over the last couple...


Attacking Drivers With MSBuild.exe

I've recently been experimenting with the full, offensive capabilities of MSBuild.exe. As a reference, MSBuild.exe ships with the .NET Framework and comes installed by default on Windows 10. "Starting...


Shellcode Injection via QueueUserAPC - Hiding From Sysmon

Recently, our team was discussing some defender capabilities. One excellent tool is Sysmon from Sysinternals. This tool allows you to collect detailed information on processes, network connections,...


Extend Windows Script Host via Registration-Free COM

I like JScript, I just wish I could do more with it. Well, now you can! There is a lot to cover here, so let's get started. First, Registration-Free...


Extending JScript with System.EnterpriseServices.RegistrationHelper

tl;dr: This code example shows how to get .NET, which gives you access to Win32, inside JScript or VBScript. For some time I've been interested in extending the capabilities of JScript. So, for example, to...


Using DotNetToJScript - A Working Example, this is amazing.

OK, so over the last few posts I've been trying to stretch JScript/VBScript to do more. One of the main reasons has been to try to expand the capability of COM Scriptlets. The major drawback to...


Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM...

So, I have been working this out over the last few days. I was trying to solve a particular problem: I needed a reverse shell on a workstation locked down with AppLocker executable and script rules enforced. tl;dr...



Bypassing Application Whitelisting using MSBuild.exe - Device Guard Example...

I’ve said it before, but when you start down the road of Application Whitelisting, you need to take the extra steps to look at the functionality of the applications you are trusting, and see if they...


Subvert CLR Process Listing With .NET Profilers

I recently stumbled onto an interesting capability of the CLR. "A profiler is a tool that monitors the execution of another application. A common language runtime (CLR) profiler is a dynamic link...


Do you really need quantum mechanics to solve RSA?

Suppose for example you could calculate the square root of an arbitrary number modulo the product of two primes. What would the implications be? There is an algorithm to compute the square root modulo...
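The implication, as an added worked example (this is not code from the original post): any efficient algorithm for square roots modulo N = p*q is an efficient factoring algorithm for N. This is Rabin's classic reduction, and it is why RSA's security does not survive such an algorithm, quantum or otherwise. The hypothetical square-root algorithm is stood in for by a simulated oracle that secretly knows p and q; the attacker-side function factor_with_sqrt_oracle sees only N and the oracle. P_DEMO and Q_DEMO are constructed toy primes chosen for the demo, and all helper names are this example's own.

```python
"""Added example: why a modular square-root oracle for N = p*q breaks RSA.

If anyone can compute square roots modulo N without knowing p and q, then
anyone can factor N: pick a random x, ask the oracle for a root r of x^2 mod N,
and with probability 1/2 r is not +-x, in which case gcd(x - r, N) is p or q.
The oracle below is simulated with knowledge of p and q (it plays the role of
the hypothetical algorithm); the attacker function only sees N and the oracle.
"""
import random
from math import gcd

# Constructed demo modulus: two small primes, both congruent to 3 mod 4 so the
# simulated oracle can use the a^((p+1)/4) shortcut. Real RSA moduli are far larger.
P_DEMO, Q_DEMO = 10007, 10039
N_DEMO = P_DEMO * Q_DEMO


def _sqrt_mod_prime_3mod4(a: int, p: int) -> int:
    """Square root of a mod p for p = 3 (mod 4); only a root if a is a quadratic residue."""
    assert p % 4 == 3
    return pow(a, (p + 1) // 4, p)


def _crt(r_p: int, p: int, r_q: int, q: int) -> int:
    """Combine residues mod p and mod q into the unique residue mod p*q (Garner's form)."""
    inv_p = pow(p, -1, q)  # modular inverse, Python 3.8+
    return (r_p + p * (((r_q - r_p) * inv_p) % q)) % (p * q)


def make_sqrt_oracle(p: int, q: int):
    """Simulate the hypothetical 'square root mod N' algorithm using the secret factors.

    Returns a callable a -> r with r*r = a (mod n), or None if a is not a
    quadratic residue. It always returns the same one of the four roots, so its
    answer is independent of which root the caller already knows.
    """
    n = p * q

    def oracle(a: int):
        a %= n
        r_p = _sqrt_mod_prime_3mod4(a % p, p)
        r_q = _sqrt_mod_prime_3mod4(a % q, q)
        if (r_p * r_p - a) % p or (r_q * r_q - a) % q:
            return None
        return _crt(r_p, p, r_q, q)

    return oracle


def factor_with_sqrt_oracle(n: int, oracle, max_tries: int = 256, seed: int = 1):
    """Rabin's reduction: factor n using only n and a square-root oracle.

    Each round succeeds with probability about 1/2 when the oracle's choice of
    root is independent of x, so the loop terminates quickly. Returns the
    factors sorted as a list, or None if every round failed.
    """
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    for _ in range(max_tries):
        x = rng.randrange(2, n)
        d = gcd(x, n)
        if d != 1:                      # astronomically unlikely for a real N
            return sorted((d, n // d))
        r = oracle(x * x % n)
        if r is None or r in (x, n - x):
            continue                    # oracle returned +-x: no information
        # x^2 = r^2 (mod n) with r != +-x, so n divides (x-r)(x+r) but neither
        # factor alone: gcd(x - r, n) is a proper divisor of n.
        d = gcd(x - r, n)
        return sorted((d, n // d))
    return None


if __name__ == "__main__":
    print(factor_with_sqrt_oracle(N_DEMO, make_sqrt_oracle(P_DEMO, Q_DEMO)))
```

Run stand-alone it prints the two demo primes. The attacker never uses p or q; it only needs the oracle to hand back a root it did not already know, which happens half the time, so a handful of oracle calls recovers the private key's factors.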


Attacking the CLR - AppDomainManager Injection

I have been interested in attacking the CLR to be able to manipulate .NET apps, like PowerShell. For example, using .NET profilers here: Recently I was reading this article about the CLR and execution...


DEFCON 30 CFP: New Directions in Cryptanalysis, an Exploration of Disruptive...

I had some free time today and started thinking about what it would be like to disclose a globally disruptive vulnerability. Where and how would you do that? I started thinking about what this might...
