Oddvar Moe [MVP]

A small discovery about AppLocker

Posted on 29 May 2019 by Oddvar Moe [MVP]

While I was prepping for a session a while back I made a a little special discovery about AppLocker. Turns out that the files that AppLocker uses under C:\Windows\System32\AppLocker can be used in many cases to bypass a Default AppLocker ruleset. When a machine is deployed and the first user logs in, that user will … Continue reading A small discovery about AppLocker →

Bypassing AppLocker as an admin

Posted on 1 Feb 20191 Feb 2019 by Oddvar Moe [MVP]

I thought it would be useful to have a blog post about two different techniques you can use to bypass AppLocker if you are an admin on a host that has AppLocker enabled. The first technique that uses the GUI was briefly discussed in a tweet I posted a while back: https://twitter.com/Oddvarmoe/status/996147947975962624 My goal with this … Continue reading Bypassing AppLocker as an admin →

Doing the PentesterAcademy Red Team Lab

Posted on 25 Oct 201825 Oct 2018 by Oddvar Moe [MVP]

This is my review of the Pentester Academy Red Team Lab. I got the possibility to try out the Red Team Lab (Thanks Nikhil Mittal) and I wanted to write my experiences with it. This was a lot of fun and I learned a lot of stuff along the road. It started out with a … Continue reading Doing the PentesterAcademy Red Team Lab →

%Temp%orary Constrained Language mode in AppLocker

Posted on 6 Oct 2018 by Oddvar Moe [MVP]

TL;DR Done as a normal user without admin privs Change %TEMP%/%TMP% to point to a location that allows execution of scripts defined by AppLocker Start Powershell with the new environment variables that you set for %TEMP%/%TMP% and profit! Background This blogpost covers a technique I discovered when digging further into AppLocker to bypass Powershell Constrained … Continue reading %Temp%orary Constrained Language mode in AppLocker →

TrustedSec+Oddvar=OH YEAH!

Posted on 5 Oct 2018 by Oddvar Moe [MVP]

As I announced at DerbyCon on stage during my #LOLBins talk, I have now started to work for TrustedSec. To me this is really huge and I truly feel lucky to be a part of such an amazing team of talented people. Right before my summer vacation this year, me and some of my former … Continue reading TrustedSec+Oddvar=OH YEAH! →

AppLocker – Making sure that local rules are removed

Posted on 28 Sep 2018 by Oddvar Moe [MVP]

This is just a quick blogpost about a thing I forgot to write about a long time ago. One issue with AppLocker is that when someone gets admin access on a box they can create local AppLocker rules that will be combined with the Group Policy AppLocker rules. This is explained in this tweet here: https://twitter.com/Oddvarmoe/status/996147947975962624 … Continue reading AppLocker – Making sure that local rules are removed →

Persistence using Universal Windows Platform apps (APPX)

Posted on 6 Sep 20187 Sep 2018 by Oddvar Moe [MVP]

TL;DR Persistence can be achieved with Appx/UWP apps using the debugger options. This technique will not be visible by Autoruns. Two different approaches exists (registry keys). Listed below are the two techniques for two different apps that starts at logon: Cortana app: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy /d "C:\windows\system32\cmd.exe" OR reg add HKCU\Software\Classes\ActivatableClasses\Package\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy\DebugInformation\CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca /v DebugPath /d "C:\windows\system32\cmd.exe" … Continue reading Persistence using Universal Windows Platform apps (APPX) →

AppLocker for admins – Does it work?

Posted on 27 Jul 2018 by Oddvar Moe [MVP]

A thing I see a lot is that AppLocker is used to "protect" servers and prevent admins from doing certain things. In this post I want to go over what sort of security this gives so that everyone can see Pros and Cons. A thing to remember is that an administrator has all the rights … Continue reading AppLocker for admins – Does it work? →

Another way to get to a system shell – Assistive Technology

Posted on 23 Jul 201825 Jul 2018 by Oddvar Moe [MVP]

TL;DR Manipulate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\magnifier - StartExe to run other binary when pressing WinKey and plus to zoom. Can load binary from Webdav and also start webbrowser and browse to desired link Runs command as system during UAC prompt and logon screen I have thought a while about this blogpost and finally had some time to … Continue reading Another way to get to a system shell – Assistive Technology →

Real whitelisting attempt using AppLocker

Posted on 14 May 201814 May 2018 by Oddvar Moe [MVP]

I wanted to try and see if I was able to use AppLocker to only allow needed files (Real whitelisting). Normally what you would do when setting up AppLocker is that you would start out by trusting something. This something could either be everything under C:\windows and c:\programfiles, or it could be every file that … Continue reading Real whitelisting attempt using AppLocker →