Defense-In-Depth write-up

TL;DR .BGI files can be sent on mail as attachment and can execute code when opened.Requires that BGinfo.exe has been run on the remote machine once. It will also bypass Outlook attachment protection (Fixed with Defense-in-depth patch from September 2017). PowerShell functions to generate BGI and VBSWebMeter here: https://github.com/api0cradle/BGInfo     I was acknowledged on … Continue reading Defense-In-Depth write-up

Bypassing Device guard UMCI using CHM – CVE-2017-8625

TL;DR You could/can bypass Device Guard user mode code integrity with a custom CHM and execute code.   The last 6 months I have done some security research on my (little) spare time, because I find that very interesting. During this time, I was lucky enough to find another valid Device Guard UMCI bypass (I … Continue reading Bypassing Device guard UMCI using CHM – CVE-2017-8625

Clarification – BGInfo 4.22 – AppLocker still vulnerable

Just wanted to do a quick follow-up on this bypass. Seems that BGInfo 4.22 still can be used to bypass AppLocker using the techniques I showed in my previous post. Meaning that if you use AppLocker as whitelisting solution I guess you must deny BGInfo.exe in order to prevent this bypass. Screenshots from an AppLocker … Continue reading Clarification – BGInfo 4.22 – AppLocker still vulnerable

Bypassing Application Whitelisting with BGInfo

TL;DR BGinfo.exe older than version 4.22 can be used to bypass application whitelisting using vbscript inside a bgi file. This can run directly from a webdav server.   UPDATE: 22.05.2017 AppLocker is still vulnerable with Bginfo 4.22. A blogpost about that here: https://msitpros.com/?p=3860 UPDATE: 19.06.2017 Microsoft has thanked me in their documentation for this finding. The … Continue reading Bypassing Application Whitelisting with BGInfo

Accessing clipboard from the lock screen in Windows 10 #2

#UPDATE# This issue is fixed in the Windows 10 1803 versions and newer.   I received a lot of positive feedback on my previous post on accessing the clipboard from the lock screen using the wireless password field. Just out of curiosity I tried other combinations on doing the same thing, and I found out … Continue reading Accessing clipboard from the lock screen in Windows 10 #2

Accessing clipboard from the lock screen in Windows 10

#UPDATE# This issue is fixed in the Windows 10 1803 versions and newer.   I discovered something interesting that I wanted to be shared with the rest of the world. Before you read any further, I want you to know that I did send an email to MSRC (Microsoft Security Response Center) about this. The … Continue reading Accessing clipboard from the lock screen in Windows 10