Bypassing AppLocker as an admin
I thought it would be useful to have a blog post about two different techniques you can use to bypass AppLocker if you are an admin on a host that has AppLocker enabled. The first technique, which uses the GUI, was briefly discussed in a tweet I posted a while back: https://twitter.com/Oddvarmoe/status/996147947975962624 My goal with this …
Tag: persistence
Persistence using Universal Windows Platform apps (APPX)
TL;DR Persistence can be achieved with Appx/UWP apps using the debugger options. This technique will not be visible in Autoruns. Two different approaches exist (registry keys). Listed below are the two techniques for two different apps that start at logon:
Cortana app:
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy /d "C:\windows\system32\cmd.exe"
OR
reg add HKCU\Software\Classes\ActivatableClasses\Package\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy\DebugInformation\CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca /v DebugPath /d "C:\windows\system32\cmd.exe" …
Another way to get to a system shell – Assistive Technology
TL;DR
- Manipulate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\magnifier - StartExe to run another binary when pressing WinKey and plus to zoom.
- Can load the binary from WebDAV, and can also start a web browser and browse to a desired link.
- Runs the command as SYSTEM during the UAC prompt and at the logon screen.
I have thought a while about this blogpost and finally had some time to …
GPscript.exe – another LOLBin to the list
TL;DR
- GPO scripts can be defined for a user and started with GPScript.exe /Logon
- Logon scripts do not show up in Autoruns.exe
I started to play around with GPscript.exe the other day and found some interesting stuff, and I want to have this documented for the future, so therefore I wrote this blogpost …
Putting data in Alternate data streams and how to execute it – part 2
I wrote a blogpost a while back about Alternate data streams that you can find here: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ After I wrote that post I made some new discoveries around Alternate data streams that I wanted to share. As you probably already know if you have read some of my stuff, I am a big fan …
Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe
TL;DR
– Found a technique to execute any binary file after another application is closed without being detected by Autoruns.exe.
– Requires administrator rights and does not belong in userland.
– Can also be executed from alternate data streams.
– Plant a file on disk and run these commands to create persistence that triggers every time someone …
Persistence using RunOnceEx – Hidden from Autoruns.exe
TL;DR
- Found a technique to execute DLL files without being detected by Autoruns.exe at logon.
- Requires administrator rights and does not belong in userland.
- Run this to exploit: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\messageBox64.dll"
RunOnceEx
I finally had some time to do some unstructured research. By unstructured research I mean going after …