security – Page 2 – Oddvar Moe's Blog

Harden Windows with AppLocker – based on Case study part 2

Posted on 21 Dec 2017 by Oddvar Moe [MVP]

For details on how the default rules works and how to implement them please see part 1 of the hardening posts here: https://oddvar.moe/2017/12/13/harden-windows-with-applocker-based-on-case-study-part-1/ Hardening In "AppLocker – Case study – How insecure is it really? – Part 2" we concluded that there is 1 definitive bypass technique that works and 2 possible ones. If … Continue reading Harden Windows with AppLocker – based on Case study part 2 →

AppLocker – Case study – How insecure is it really? – Part 2

Posted on 21 Dec 201721 Dec 2017 by Oddvar Moe [MVP]

This is part two of my blog series about the different bypasses that are supposed to work against AppLocker. I will, as I did in part 1 focus on the default rules in AppLocker. More details on the test technique and other juicy details can be found in my part 1 blogpost here (makes sense … Continue reading AppLocker – Case study – How insecure is it really? – Part 2 →

Harden Windows with AppLocker – based on Case study part 1

Posted on 13 Dec 201713 Dec 2017 by Oddvar Moe [MVP]

This blogpost is actually a tribute to Matt Graeber's request from twitter. Since I have learned so much stuff from that guy, I take these sort of request really seriously. In my post about how insecure AppLocker really are we concluded that the only valid bypass technique (from the 7 I tested) was actually … Continue reading Harden Windows with AppLocker – based on Case study part 1 →

AppLocker – Case study – How insecure is it really? – Part 1

Posted on 13 Dec 201713 Jan 2018 by Oddvar Moe [MVP]

I often hear that AppLocker is not very safe and it is easy to bypass. Since I really like AppLocker and I recommend it to customers, I decided to do this blogpost series and go over the different bypasses that we know of and see if they are working towards a default configured AppLocker setup. … Continue reading AppLocker – Case study – How insecure is it really? – Part 1 →

My experience with IT DEV CONNECTIONS 2017 and demo videos

Posted on 29 Oct 20178 Nov 2017 by Oddvar Moe [MVP]

Earlier this year I submitted three sessions to the IT DEV CONNECTIONS conference and to my big surprise all of them was accepted. I was hoping that at least one of them was accepted, but all three was, and that is just incredible. I must admit at first that I was a bit scared, since … Continue reading My experience with IT DEV CONNECTIONS 2017 and demo videos →

Defense-In-Depth write-up

Posted on 13 Sep 20177 Nov 2017 by Oddvar Moe [MVP]

TL;DR .BGI files can be sent on mail as attachment and can execute code when opened.Requires that BGinfo.exe has been run on the remote machine once. It will also bypass Outlook attachment protection (Fixed with Defense-in-depth patch from September 2017). PowerShell functions to generate BGI and VBSWebMeter here: https://github.com/api0cradle/BGInfo I was acknowledged on … Continue reading Defense-In-Depth write-up →

Bypassing Device guard UMCI using CHM – CVE-2017-8625

Posted on 13 Aug 20177 Nov 2017 by Oddvar Moe [MVP]

TL;DR You could/can bypass Device Guard user mode code integrity with a custom CHM and execute code. The last 6 months I have done some security research on my (little) spare time, because I find that very interesting. During this time, I was lucky enough to find another valid Device Guard UMCI bypass (I … Continue reading Bypassing Device guard UMCI using CHM – CVE-2017-8625 →

Clarification – BGInfo 4.22 – AppLocker still vulnerable

Posted on 22 May 20177 Nov 2017 by Oddvar Moe [MVP]

Just wanted to do a quick follow-up on this bypass. Seems that BGInfo 4.22 still can be used to bypass AppLocker using the techniques I showed in my previous post. Meaning that if you use AppLocker as whitelisting solution I guess you must deny BGInfo.exe in order to prevent this bypass. Screenshots from an AppLocker … Continue reading Clarification – BGInfo 4.22 – AppLocker still vulnerable →

Bypassing Application Whitelisting with BGInfo

Posted on 18 May 20171 Jun 2018 by Oddvar Moe [MVP]

TL;DR BGinfo.exe older than version 4.22 can be used to bypass application whitelisting using vbscript inside a bgi file. This can run directly from a webdav server. UPDATE: 22.05.2017 AppLocker is still vulnerable with Bginfo 4.22. A blogpost about that here: https://msitpros.com/?p=3860 UPDATE: 19.06.2017 Microsoft has thanked me in their documentation for this finding. The … Continue reading Bypassing Application Whitelisting with BGInfo →

NIC 2017 – Slides, notes and a video

Posted on 7 Feb 20177 Nov 2017 by Oddvar Moe [MVP]

I must say that NIC 2017 was an awesome event and I meet a lot of great people. Thanks to all the people working for NIC that made this such a great event. During my presentation, I did not get enough time to show all the things I wanted to (damn you demo gods), and … Continue reading NIC 2017 – Slides, notes and a video →