Abusing and Detecting LOLBIN Usage of .NET Development Mode Features

Background: As discussed in this previous post, Microsoft has provided valuable (explicit and implicit) insight into the inner workings of the functional components of the .NET ecosystem through online documentation and by open-sourcing .NET Core. .NET, in general, is a very powerful and capable development platform and runtime framework for building and running .NET managed […]

Investigating .NET CLR Usage Log Tampering Techniques For EDR Evasion

Introduction: In recent years, there have been numerous published techniques for evading endpoint security solutions and sources such as A/V, EDR and logging facilities. The methods deployed to achieve the desired result usually differ in sophistication and implementation, however, effectiveness is usually the end goal (of course, with thoughtful consideration of potential tradeoffs). Defenders can […]

Exploring the WDAC Microsoft Recommended Block Rules (Part II): Wfc.exe, Fsi.exe, and FsiAnyCpu.exe

Introduction: In Part One, I blogged about VisualUiaVerifyNative.exe, a LOLBIN that could be used to bypass Windows Defender Application Control (WDAC)/Device Guard. The technique used for circumventing WDAC was originally discovered by Lee Christensen, however, it was not previously disclosed like a handful of others on the Microsoft Recommended Block Rules list. If you are […]

WS-Management COM: Another Approach for WinRM Lateral Movement

Introduction: Lateral movement techniques in the wonderful world of enterprise Windows are quite finite. There are only so many techniques and variations of those techniques that attackers use to execute remote commands and payloads. With the rise of PowerShell well over a decade ago, most ethical hackers may agree that Windows Remote Management (WinRM) became […]

Exploring Microsoft Teams Rooms (MTR) Console as a Potential Attack Vector

Introduction: Microsoft Teams Rooms (MTR), formerly known as Skype Room System and Lync Room Systems, is the latest and greatest solution from Microsoft for managing online collaborative meetings. In many businesses across the globe, a Teams Rooms console (“Teams console”) is the lifeblood of the conference room. The console typically consists of a supported computer […]

CVE-2019-1378: Exploiting an Access Control Privilege Escalation Vulnerability in Windows 10 Update Assistant (WUA)

Introduction: Windows 10 is an incredibly feature-rich Operating System (OS). In the last four years, the innovative folks at Microsoft have continued to introduce and expand functionality as well as improve and integrate security features in its flagship OS. On the second Tuesday of each month, many of us that live in the Windows […]

DotNet Core: A Vector For AWL Bypass & Defense Evasion

[*] Introduction: .NET Core is an open-source, cross-platform framework for building and running applications. The framework was introduced in 2014 as the (eventual) successor to the ever-popular .NET Framework. .NET Core runs on Windows, *Nix, and MacOS operating systems. The .NET Core management tool, DotNet (dotnet.exe), potentially offers an untapped attack surface on Windows when […]

Abusing Catalog Hygiene to Bypass Application Whitelisting

Introduction: Last week, I presented COM Under The Radar: Circumventing Application Control Solutions at BsidesCharm 2019. In the presentation, I briefly discussed COM and highlighted a few techniques for bypassing Windows application control solutions. One of those techniques takes advantage of an issue with catalog hygiene where old code often remains signed in updated versions […]

COM XSL Transformation: Bypassing Microsoft Application Control Solutions (CVE-2018-8492)

Introduction: Greetings, Everyone! It has been several months since I’ve blogged, so it seems fitting to start the New Year off with a post about two topics that I thoroughly enjoy exploring: Application Control/Application Whitelisting (AWL) and the Component Object Model (COM). As the title suggests, I stumbled upon a technique for bypassing Microsoft Application […]