Real whitelisting attempt using AppLocker

I wanted to try and see if I was able to use AppLocker to only allow needed files (Real whitelisting). Normally what you would do when setting up AppLocker is that you would start out by trusting something. This something could either be everything under C:\windows and c:\programfiles, or it could be every file that … Continue reading Real whitelisting attempt using AppLocker

Putting data in Alternate data streams and how to execute it – part 2

I wrote a blogpost a while back about Alternate data streams that you can find here: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ After I wrote that post I have made some new discoveries that I wanted to share around Alternate data streams. As you probably already know if you read some of my stuff is that I am a big fan … Continue reading Putting data in Alternate data streams and how to execute it – part 2

Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe

TL;DR – Found a technique to execute any binary file after another application is closed without being detected by Autoruns.exe. – Requires administrator rights and does not belong in userland. – Can also be executed from alternate data streams – Plant file on disk and run these commands to create persistence that triggers everytime someone … Continue reading Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe

Persistence using RunOnceEx – Hidden from Autoruns.exe

TL;DR - Found a technique to execute DLL files without being detected by autoruns.exe at logon. - Requires administrator rights and does not belong in userland. - Run this to Exploit: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\messageBox64.dll"   RunOnceEx I finally had some time to do some unstructured research. With unstructured research I mean going after … Continue reading Persistence using RunOnceEx – Hidden from Autoruns.exe

Harden Windows with AppLocker – based on Case study part 2

For details on how the default rules works and how to implement them please see part 1 of the hardening posts here: https://oddvar.moe/2017/12/13/harden-windows-with-applocker-based-on-case-study-part-1/   Hardening In "AppLocker – Case study – How insecure is it really? – Part 2" we concluded that there is 1 definitive bypass technique that works and 2 possible ones. If … Continue reading Harden Windows with AppLocker – based on Case study part 2

AppLocker – Case study – How insecure is it really? – Part 2

This is part two of my blog series about the different bypasses that are supposed to work against AppLocker. I will, as I did in part 1 focus on the default rules in AppLocker. More details on the test technique and other juicy details can be found in my part 1 blogpost here (makes sense … Continue reading AppLocker – Case study – How insecure is it really? – Part 2

Harden Windows with AppLocker – based on Case study part 1

This blogpost is actually a tribute to Matt Graeber's request from twitter. Since I have learned so much stuff from that guy, I take these sort of request really seriously.   In my post about how insecure AppLocker really are we concluded that the only valid bypass technique (from the 7 I tested) was actually … Continue reading Harden Windows with AppLocker – based on Case study part 1

AppLocker – Case study – How insecure is it really? – Part 1

I often hear that AppLocker is not very safe and it is easy to bypass. Since I really like AppLocker and I recommend it to customers, I decided to do this blogpost series and go over the different bypasses that we know of and see if they are working towards a default configured AppLocker setup. … Continue reading AppLocker – Case study – How insecure is it really? – Part 1

My experience with IT DEV CONNECTIONS 2017 and demo videos

Earlier this year I submitted three sessions to the IT DEV CONNECTIONS conference and to my big surprise all of them was accepted. I was hoping that at least one of them was accepted, but all three was, and that is just incredible. I must admit at first that I was a bit scared, since … Continue reading My experience with IT DEV CONNECTIONS 2017 and demo videos