Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence

Introduction
Over the last few weeks, I researched and tested a few interesting namespaces/methods documented on various Microsoft/MSDN sources that dealt with executing various COM scripts/scriptlets (e.g. VBScript, JScript, etc.). In particular, I was curious to see if there were potentially new ways to invoke remote scripts (ActiveX Objects) by leveraging some of the great …

Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction

What is Vshadow?
Vshadow (vshadow.exe) is a command line utility for managing volume shadow copies. This tool is included within the Windows SDK and is signed by Microsoft (more on this later). Vshadow has a lot of functionality, including the ability to execute scripts and invoke commands in support of volume shadow snapshot …

VSTO: The Payload Installer That Probably Defeats Your Application Whitelisting Rules

Introduction
Visual Studio Tools for Office (VSTO) "is a set of development tools available in the form of a Visual Studio add-in (project templates) and a runtime that allows Microsoft Office 2003 and later versions of Office applications to host the .NET Framework Common Language Runtime (CLR) to expose their functionality via .NET" (Wikipedia). For …

Loading Alternate Data Stream (ADS) DLL/CPL Binaries to Bypass AppLocker

Introduction
A few weeks ago, I wrote about Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts. Overall, it was a viable technique that allowed for the loading of .NET/C# assemblies. However, PowerShell Constrained Language Mode proved to be a viable mechanism for defeating this technique if strictly enforced by UMCI/system policies …

Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts

Introduction
Last week, I was hunting around the Windows Operating System for interesting scripts and binaries that may be useful for future penetration tests and Red Team engagements. With increased client-side security, awareness, and monitoring (e.g. AppLocker, Device Guard, AMSI, PowerShell ScriptBlock Logging, PowerShell Constrained Language Mode, User Mode Code Integrity, HIDS/anti-virus, the SOC, etc.), …

ClickOnce (Twice or Thrice): A Technique for Social Engineering and (Un)trusted Command Execution

What is ClickOnce?
ClickOnce is “a Microsoft technology that enables the user to install and run a Windows-based smart client application by clicking a link in a web page” [Wikipedia]. Included as a component within the .NET Framework, ClickOnce allows a developer to create a web-enabled installer package for their (C#) Visual Studio project. …

Trust Direction: An Enabler for Active Directory Enumeration and Trust Exploitation

Introduction
Active Directory (AD) Trusts have been a hot topic as of late. @harmj0y posted a recent entry about domain trusts [A Guide to Attacking Domain Trusts]. It provides a great understanding of how AD trusts actually work, so be sure to check that out as a primer for this post. In this blog entry, …