Oddvar Moe [MVP]

GPscript.exe – another LOLBin to the list

Posted on 27 Apr 201830 Apr 2018 by Oddvar Moe [MVP]

TL;DR - GPO scripts can be defined for user and started with GPScript.exe /Logon - Logonscripts do not show up in Autoruns.exe I started to play around with GPscript.exe here the other day and found some interesting stuff and I want to have this documented for the future, so therefor I wrote this blogpost … Continue reading GPscript.exe – another LOLBin to the list →

Putting data in Alternate data streams and how to execute it – part 2

Posted on 11 Apr 2018 by Oddvar Moe [MVP]

I wrote a blogpost a while back about Alternate data streams that you can find here: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ After I wrote that post I have made some new discoveries that I wanted to share around Alternate data streams. As you probably already know if you read some of my stuff is that I am a big fan … Continue reading Putting data in Alternate data streams and how to execute it – part 2 →

Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe

Posted on 10 Apr 201811 Apr 2018 by Oddvar Moe [MVP]

TL;DR – Found a technique to execute any binary file after another application is closed without being detected by Autoruns.exe. – Requires administrator rights and does not belong in userland. – Can also be executed from alternate data streams – Plant file on disk and run these commands to create persistence that triggers everytime someone … Continue reading Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe →

Persistence using RunOnceEx – Hidden from Autoruns.exe

Posted on 21 Mar 201816 Dec 2019 by Oddvar Moe [MVP]

TL;DR - Found a technique to execute DLL files without being detected by autoruns.exe at logon. - Requires administrator rights and does not belong in userland. - Run this to Exploit: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\messageBox64.dll" RunOnceEx I finally had some time to do some unstructured research. With unstructured research I mean going after … Continue reading Persistence using RunOnceEx – Hidden from Autoruns.exe →

Windows Defender Attack Surface Reduction Rules bypass

Posted on 15 Mar 2018 by Oddvar Moe [MVP]

I discovered an easy way to bypass the Windows Defender Attack Surface Reduction Rules using code inside a macro. This issue has already been fixed with the Windows Defender virus definition version: 1.263.536.0 and above. I was first told to report this to secure@microsoft.com, but it turns out that these kinds of bypasses are considered … Continue reading Windows Defender Attack Surface Reduction Rules bypass →

Putting data in Alternate data streams and how to execute it

Posted on 14 Jan 201829 Aug 2018 by Oddvar Moe [MVP]

Part 2 of this research can be found here: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ I always had a fascination about ADS (Alternate data streams) and using it as part of a persistence. My first meeting with this as a persistence technique was when Matt Nelson aka @Enigma0x3 wrote a blogpost about using it: https://enigma0x3.net/2015/03/05/using-alternate-data-streams-to-persist-on-a-compromised-machine/ Quite recently I have started to play … Continue reading Putting data in Alternate data streams and how to execute it →

Office 365 Safe links bypass

Posted on 3 Jan 2018 by Oddvar Moe [MVP]

Time for a break from the AppLocker case study to blog about this issue, since I found it very interesting. This issue was actually discovered by me and a customer of mine by coincidence. The issue has been run through Microsoft Security Response Center (MSRC) and they concluded that this can be fixed with a … Continue reading Office 365 Safe links bypass →

Harden Windows with AppLocker – based on Case study part 2

Posted on 21 Dec 2017 by Oddvar Moe [MVP]

For details on how the default rules works and how to implement them please see part 1 of the hardening posts here: https://oddvar.moe/2017/12/13/harden-windows-with-applocker-based-on-case-study-part-1/ Hardening In "AppLocker – Case study – How insecure is it really? – Part 2" we concluded that there is 1 definitive bypass technique that works and 2 possible ones. If … Continue reading Harden Windows with AppLocker – based on Case study part 2 →

AppLocker – Case study – How insecure is it really? – Part 2

Posted on 21 Dec 201721 Dec 2017 by Oddvar Moe [MVP]

This is part two of my blog series about the different bypasses that are supposed to work against AppLocker. I will, as I did in part 1 focus on the default rules in AppLocker. More details on the test technique and other juicy details can be found in my part 1 blogpost here (makes sense … Continue reading AppLocker – Case study – How insecure is it really? – Part 2 →

Harden Windows with AppLocker – based on Case study part 1

Posted on 13 Dec 201713 Dec 2017 by Oddvar Moe [MVP]

This blogpost is actually a tribute to Matt Graeber's request from twitter. Since I have learned so much stuff from that guy, I take these sort of request really seriously. In my post about how insecure AppLocker really are we concluded that the only valid bypass technique (from the 7 I tested) was actually … Continue reading Harden Windows with AppLocker – based on Case study part 1 →