Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe

TL;DR – Found a technique to execute any binary file after another application is closed without being detected by Autoruns.exe. – Requires administrator rights and does not belong in userland. – Can also be executed from alternate data streams – Plant file on disk and run these commands to create persistence that triggers everytime someone … Continue reading Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe

Persistence using RunOnceEx – Hidden from Autoruns.exe

TL;DR - Found a technique to execute DLL files without being detected by autoruns.exe at logon. - Requires administrator rights and does not belong in userland. - Run this to Exploit: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\messageBox64.dll"   RunOnceEx I finally had some time to do some unstructured research. With unstructured research I mean going after … Continue reading Persistence using RunOnceEx – Hidden from Autoruns.exe

Windows Defender Attack Surface Reduction Rules bypass

I discovered an easy way to bypass the Windows Defender Attack Surface Reduction Rules using code inside a macro. This issue has already been fixed with the Windows Defender virus definition version: 1.263.536.0 and above. I was first told to report this to secure@microsoft.com, but it turns out that these kinds of bypasses are considered … Continue reading Windows Defender Attack Surface Reduction Rules bypass

Putting data in Alternate data streams and how to execute it

Part 2 of this research can be found here: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ I always had a fascination about ADS (Alternate data streams) and using it as part of a persistence. My first meeting with this as a persistence technique was when Matt Nelson aka @Enigma0x3 wrote a blogpost about using it: https://enigma0x3.net/2015/03/05/using-alternate-data-streams-to-persist-on-a-compromised-machine/ Quite recently I have started to play … Continue reading Putting data in Alternate data streams and how to execute it

Harden Windows with AppLocker – based on Case study part 2

For details on how the default rules works and how to implement them please see part 1 of the hardening posts here: https://oddvar.moe/2017/12/13/harden-windows-with-applocker-based-on-case-study-part-1/   Hardening In "AppLocker – Case study – How insecure is it really? – Part 2" we concluded that there is 1 definitive bypass technique that works and 2 possible ones. If … Continue reading Harden Windows with AppLocker – based on Case study part 2

AppLocker – Case study – How insecure is it really? – Part 2

This is part two of my blog series about the different bypasses that are supposed to work against AppLocker. I will, as I did in part 1 focus on the default rules in AppLocker. More details on the test technique and other juicy details can be found in my part 1 blogpost here (makes sense … Continue reading AppLocker – Case study – How insecure is it really? – Part 2

Harden Windows with AppLocker – based on Case study part 1

This blogpost is actually a tribute to Matt Graeber's request from twitter. Since I have learned so much stuff from that guy, I take these sort of request really seriously.   In my post about how insecure AppLocker really are we concluded that the only valid bypass technique (from the 7 I tested) was actually … Continue reading Harden Windows with AppLocker – based on Case study part 1

AppLocker – Case study – How insecure is it really? – Part 1

I often hear that AppLocker is not very safe and it is easy to bypass. Since I really like AppLocker and I recommend it to customers, I decided to do this blogpost series and go over the different bypasses that we know of and see if they are working towards a default configured AppLocker setup. … Continue reading AppLocker – Case study – How insecure is it really? – Part 1

My experience with IT DEV CONNECTIONS 2017 and demo videos

Earlier this year I submitted three sessions to the IT DEV CONNECTIONS conference and to my big surprise all of them was accepted. I was hoping that at least one of them was accepted, but all three was, and that is just incredible. I must admit at first that I was a bit scared, since … Continue reading My experience with IT DEV CONNECTIONS 2017 and demo videos