%Temp%orary Constrained Language mode in AppLocker

TL;DR Done as a normal user without admin privs Change %TEMP%/%TMP% to point to a location that allows execution of scripts defined by AppLocker Start Powershell with the new environment variables that you set for %TEMP%/%TMP% and profit! Background This blogpost covers a technique I discovered when digging further into AppLocker to bypass Powershell Constrained … Continue reading %Temp%orary Constrained Language mode in AppLocker

AppLocker – Making sure that local rules are removed

This is just a quick blogpost about a thing I forgot to write about a long time ago. One issue with AppLocker is that when someone gets admin access on a box they can create local AppLocker rules that will be combined with the Group Policy AppLocker rules. This is explained in this tweet here: https://twitter.com/Oddvarmoe/status/996147947975962624 … Continue reading AppLocker – Making sure that local rules are removed

Persistence using Universal Windows Platform apps (APPX)

TL;DR Persistence can be achieved with Appx/UWP apps using the debugger options. This technique will not be visible by Autoruns. Two different approaches exists (registry keys). Listed below are the two techniques for two different apps that starts at logon: Cortana app: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy /d "C:\windows\system32\cmd.exe" OR reg add HKCU\Software\Classes\ActivatableClasses\Package\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy\DebugInformation\CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca /v DebugPath /d "C:\windows\system32\cmd.exe" … Continue reading Persistence using Universal Windows Platform apps (APPX)

Real whitelisting attempt using AppLocker

I wanted to try and see if I was able to use AppLocker to only allow needed files (Real whitelisting). Normally what you would do when setting up AppLocker is that you would start out by trusting something. This something could either be everything under C:\windows and c:\programfiles, or it could be every file that … Continue reading Real whitelisting attempt using AppLocker

Putting data in Alternate data streams and how to execute it – part 2

I wrote a blogpost a while back about Alternate data streams that you can find here: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ After I wrote that post I have made some new discoveries that I wanted to share around Alternate data streams. As you probably already know if you read some of my stuff is that I am a big fan … Continue reading Putting data in Alternate data streams and how to execute it – part 2

Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe

TL;DR – Found a technique to execute any binary file after another application is closed without being detected by Autoruns.exe. – Requires administrator rights and does not belong in userland. – Can also be executed from alternate data streams – Plant file on disk and run these commands to create persistence that triggers everytime someone … Continue reading Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe

Persistence using RunOnceEx – Hidden from Autoruns.exe

TL;DR - Found a technique to execute DLL files without being detected by autoruns.exe at logon. - Requires administrator rights and does not belong in userland. - Run this to Exploit: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\messageBox64.dll"   RunOnceEx I finally had some time to do some unstructured research. With unstructured research I mean going after … Continue reading Persistence using RunOnceEx – Hidden from Autoruns.exe

Harden Windows with AppLocker – based on Case study part 2

For details on how the default rules works and how to implement them please see part 1 of the hardening posts here: https://oddvar.moe/2017/12/13/harden-windows-with-applocker-based-on-case-study-part-1/   Hardening In "AppLocker – Case study – How insecure is it really? – Part 2" we concluded that there is 1 definitive bypass technique that works and 2 possible ones. If … Continue reading Harden Windows with AppLocker – based on Case study part 2