Tag: windows

%Temp%orary Constrained Language mode in AppLocker

Posted on by Oddvar Moe [MVP]

TL;DR Done as a normal user without admin privs Change %TEMP%/%TMP% to point to a location that allows execution of scripts defined by AppLocker Start Powershell with the new environment variables that you set for %TEMP%/%TMP% and profit! Background This blogpost covers a technique I discovered when digging further into AppLocker to bypass Powershell Constrained … Continue reading %Temp%orary Constrained Language mode in AppLocker

AppLocker – Making sure that local rules are removed

Posted on by Oddvar Moe [MVP]

This is just a quick blogpost about a thing I forgot to write about a long time ago. One issue with AppLocker is that when someone gets admin access on a box they can create local AppLocker rules that will be combined with the Group Policy AppLocker rules. This is explained in this tweet here: https://twitter.com/Oddvarmoe/status/996147947975962624 … Continue reading AppLocker – Making sure that local rules are removed

Persistence using Universal Windows Platform apps (APPX)

Posted on by Oddvar Moe [MVP]

TL;DR Persistence can be achieved with Appx/UWP apps using the debugger options. This technique will not be visible by Autoruns. Two different approaches exists (registry keys). Listed below are the two techniques for two different apps that starts at logon: Cortana app: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy /d "C:\windows\system32\cmd.exe" OR reg add HKCU\Software\Classes\ActivatableClasses\Package\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy\DebugInformation\CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca /v DebugPath /d "C:\windows\system32\cmd.exe" … Continue reading Persistence using Universal Windows Platform apps (APPX)

Persistence using RunOnceEx – Hidden from Autoruns.exe

Posted on by Oddvar Moe [MVP]

TL;DR - Found a technique to execute DLL files without being detected by autoruns.exe at logon. - Requires administrator rights and does not belong in userland. - Run this to Exploit: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\messageBox64.dll"   RunOnceEx I finally had some time to do some unstructured research. With unstructured research I mean going after … Continue reading Persistence using RunOnceEx – Hidden from Autoruns.exe

My experience with IT DEV CONNECTIONS 2017 and demo videos

Posted on by Oddvar Moe [MVP]

Earlier this year I submitted three sessions to the IT DEV CONNECTIONS conference and to my big surprise all of them was accepted. I was hoping that at least one of them was accepted, but all three was, and that is just incredible. I must admit at first that I was a bit scared, since … Continue reading My experience with IT DEV CONNECTIONS 2017 and demo videos

Accessing clipboard from the lock screen in Windows 10 #2

Posted on by Oddvar Moe [MVP]

#UPDATE# This issue is fixed in the Windows 10 1803 versions and newer.   I received a lot of positive feedback on my previous post on accessing the clipboard from the lock screen using the wireless password field. Just out of curiosity I tried other combinations on doing the same thing, and I found out … Continue reading Accessing clipboard from the lock screen in Windows 10 #2

Accessing clipboard from the lock screen in Windows 10

Posted on by Oddvar Moe [MVP]

#UPDATE# This issue is fixed in the Windows 10 1803 versions and newer.   I discovered something interesting that I wanted to be shared with the rest of the world. Before you read any further, I want you to know that I did send an email to MSRC (Microsoft Security Response Center) about this. The … Continue reading Accessing clipboard from the lock screen in Windows 10