TL;DR An Office XML (.xml) document can call a remote XSL stylesheet over SMB. If this occurs against an attacker controlled server, the net-NTLM authentication hash (challenge/response) of that user is revealed. Operationally, an attacker could crack this offline or leverage a relay technique for remote command execution (if privileged and on-net). There are possible … Continue reading Capturing NetNTLM Hashes with Office [DOT] XML Documents
Author: bohops
Abusing the COM Registry Structure: CLSID, LocalServer32, & InprocServer32
TL;DR Vendors are notorious for including and/or leaving behind Registry artifacts that could potentially be abused by attackers for lateral movement, evasion, bypass, and persistence. CLSIDs subkeys (LocalServer32 and InprocServer32) can be enumerated to discover abandoned binary references. Interestingly, CLSIDs can be called ('invoked') with this command: rundll32.exe -sta {CLSID} Defensive recommendations - clean up … Continue reading Abusing the COM Registry Structure: CLSID, LocalServer32, & InprocServer32
Abusing DCOM For Yet Another Lateral Movement Technique
TL;DR This post discusses an alternate DCOM lateral movement discovery and payload execution method. The primary gist is to locate DCOM registry key/values that point to the path of a binary on the 'remote' machine that does not exist. This example method is likely to work if mobsync.exe is not in \\target\admin$\system32\, which is default … Continue reading Abusing DCOM For Yet Another Lateral Movement Technique
DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction
[Source: blog.microsoft.com] Introduction Not long ago, I blogged about Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction. This tool was quite interesting because it was yet another utility to perform volume shadow copy operations, and it had a few other features that could potentially support other offensive use cases. … Continue reading DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction
Abusing Exported Functions and Exposed DCOM Interfaces for Pass-Thru Command Execution and Lateral Movement
Background Last Wednesday, I had some down time so I decided to hunt around in \System32 to see if I could find anything of potential interest. I located a few DLL files that shared an interesting export function called OpenURL: While looking for a quick win, I wanted to see if anything could be invoked … Continue reading Abusing Exported Functions and Exposed DCOM Interfaces for Pass-Thru Command Execution and Lateral Movement
Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence (Part 2)
Introduction Two weeks ago, I blogged about several "pass-thru" techniques that leveraged the use of INF files ('.inf') to "fetch and execute" remote script component files ('.sct'). In general, instances of these methods could potentially be abused to bypass application whitelisting (AWL) policies (e.g. Default AppLocker policies), deter host-based security products, and achieve 'hidden' persistence. … Continue reading Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence (Part 2)
Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence
Introduction Over the last few weeks, I researched and tested a few interesting namespaces/methods documented on various Microsoft/MSDN sources that dealt with executing various COM scripts/scriptlets (e.g. VBscript, Jscript, etc.). In particular, I was curious to see if there were potentially new ways to invoke remote scripts (ActiveX Objects) by leveraging some of the great … Continue reading Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence
Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction
[Source: blog.microsoft.com] What is Vshadow? Vshadow (vshadow.exe) is a command line utility for managing volume shadow copies. This tool is included within the Windows SDK and is signed by Microsoft (more on this later). Vshadow has a lot of functionality, including the ability to execute scripts and invoke commands in support of volume shadow snapshot … Continue reading Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction
VSTO: The Payload Installer That Probably Defeats Your Application Whitelisting Rules
Introduction Visual Studio Tools for Office (VSTO) "is a set of development tools available in the form of a Visual Studio add-in (project templates) and a runtime that allows Microsoft Office 2003 and later versions of Office applications to host the .NET Framework Common Language Runtime (CLR) to expose their functionality via .NET" (Wikipedia). For … Continue reading VSTO: The Payload Installer That Probably Defeats Your Application Whitelisting Rules
Loading Alternate Data Stream (ADS) DLL/CPL Binaries to Bypass AppLocker
(Image Source: blogs.technet.microsoft.com) Introduction A few weeks ago, I wrote about Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts. Overall, it was a viable technique that allowed for the loading of .NET/C# assemblies. However, PowerShell Constraint Language Mode proved to be a viable mechanism for defeating this technique if strictly enforced by UMCI/system policies … Continue reading Loading Alternate Data Stream (ADS) DLL/CPL Binaries to Bypass AppLocker
