Windows Defender Attack Surface Reduction Rules bypass

I discovered an easy way to bypass the Windows Defender Attack Surface Reduction Rules using code inside a macro. This issue has already been fixed in Windows Defender virus definition version 1.263.536.0 and above. I was first told to report this to secure@microsoft.com, but it turns out that these kinds of bypasses are considered …

Putting data in Alternate data streams and how to execute it

Part 2 of this research can be found here: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ I have always had a fascination with ADS (Alternate Data Streams) and using them as part of a persistence mechanism. My first encounter with this as a persistence technique was when Matt Nelson aka @Enigma0x3 wrote a blog post about using it: https://enigma0x3.net/2015/03/05/using-alternate-data-streams-to-persist-on-a-compromised-machine/ Quite recently I have started to play …

Harden Windows with AppLocker – based on Case study part 2

For details on how the default rules work and how to implement them, please see part 1 of the hardening posts here: https://oddvar.moe/2017/12/13/harden-windows-with-applocker-based-on-case-study-part-1/

Hardening

In "AppLocker – Case study – How insecure is it really? – Part 2" we concluded that there is 1 definitive bypass technique that works and 2 possible ones. If …

AppLocker – Case study – How insecure is it really? – Part 2

This is part two of my blog series about the different bypasses that are supposed to work against AppLocker. I will, as I did in part 1, focus on the default rules in AppLocker. More details on the test technique and other juicy details can be found in my part 1 blog post here (makes sense …

Harden Windows with AppLocker – based on Case study part 1

This blog post is actually a tribute to Matt Graeber's request from Twitter. Since I have learned so much from that guy, I take these sorts of requests really seriously. In my post about how insecure AppLocker really is, we concluded that the only valid bypass technique (of the 7 I tested) was actually …

AppLocker – Case study – How insecure is it really? – Part 1

I often hear that AppLocker is not very safe and is easy to bypass. Since I really like AppLocker and recommend it to customers, I decided to do this blog post series and go over the different bypasses that we know of to see whether they work against a default-configured AppLocker setup. …

Bypassing Device guard UMCI using CHM – CVE-2017-8625

TL;DR: You could/can bypass Device Guard user mode code integrity with a custom CHM and execute code. For the last 6 months I have done some security research in my (little) spare time, because I find it very interesting. During this time, I was lucky enough to find another valid Device Guard UMCI bypass (I …