CVE-2019-1378: Exploiting an Access Control Privilege Escalation Vulnerability in Windows 10 Update Assistant (WUA)

Introduction: Windows 10 is an incredibly feature-rich Operating System (OS). In the last four years, the innovative folks at Microsoft have continued to introduce and expand functionality as well as improve and integrate security features in its flagship OS. On the second Tuesday of each month, many of us that live in the Windows […]

DotNet Core: A Vector For AWL Bypass & Defense Evasion

[*] Introduction: .NET Core is an open-source, cross-platform framework for building and running applications. The framework was introduced in 2014 as the (eventual) successor to the ever-popular .NET Framework. .NET Core runs on Windows, *Nix, and macOS operating systems. The .NET Core management tool, DotNet (dotnet.exe), potentially offers an untapped attack surface on Windows when […]

Abusing Catalog Hygiene to Bypass Application Whitelisting

Introduction: Last week, I presented COM Under The Radar: Circumventing Application Control Solutions at BSidesCharm 2019. In the presentation, I briefly discussed COM and highlighted a few techniques for bypassing Windows application control solutions. One of those techniques takes advantage of an issue with catalog hygiene where old code often remains signed in updated versions […]

COM XSL Transformation: Bypassing Microsoft Application Control Solutions (CVE-2018-8492)

Introduction: Greetings, Everyone! It has been several months since I’ve blogged, so it seems fitting to start the New Year off with a post about two topics that I thoroughly enjoy exploring: Application Control/Application Whitelisting (AWL) and the Component Object Model (COM). As the title suggests, I stumbled upon a technique for bypassing Microsoft Application […]

Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques

TL;DR: There are several ways that attackers can leverage COM hijacking to influence evasive loading and hidden persistence. A few examples include CLSID (sub)key abandonment referencing, key overriding, and key linking. There are several programs and utilities that can invoke COM registry payloads including Rundll32.exe, Xwizard.exe, Verclsid.exe, Mmc.exe, and the Task Scheduler. In the traditional […]

Capturing NetNTLM Hashes with Office [DOT] XML Documents

TL;DR: An Office XML (.xml) document can call a remote XSL stylesheet over SMB. If this occurs against an attacker-controlled server, the net-NTLM authentication hash (challenge/response) of that user is revealed. Operationally, an attacker could crack this offline or leverage a relay technique for remote command execution (if privileged and on-net). There are possible […]

Abusing the COM Registry Structure: CLSID, LocalServer32, & InprocServer32

TL;DR: Vendors are notorious for including and/or leaving behind Registry artifacts that could potentially be abused by attackers for lateral movement, evasion, bypass, and persistence. CLSID subkeys (LocalServer32 and InprocServer32) can be enumerated to discover abandoned binary references. Interestingly, CLSIDs can be called (‘invoked’) with this command: rundll32.exe -sta {CLSID}. Defensive recommendations – clean up […]

DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction

Introduction: Not long ago, I blogged about Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction. This tool was quite interesting because it was yet another utility to perform volume shadow copy operations, and it had a few other features that could potentially support other offensive use cases. […]