Loading Alternate Data Stream (ADS) DLL/CPL Binaries to Bypass AppLocker

Introduction A few weeks ago, I wrote about Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts. Overall, it was a viable technique that allowed for the loading of .NET/C# assemblies. However, PowerShell Constrained Language Mode proved to be a viable mechanism for defeating this technique if strictly enforced by UMCI/system policies […]

Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts

Introduction Last week, I was hunting around the Windows Operating System for interesting scripts and binaries that may be useful for future penetration tests and Red Team engagements. With increased client-side security, awareness, and monitoring (e.g. AppLocker, Device Guard, AMSI, PowerShell ScriptBlock Logging, PowerShell Constrained Language Mode, User Mode Code Integrity, HIDS/anti-virus, the SOC, etc.), […]

ClickOnce (Twice or Thrice): A Technique for Social Engineering and (Un)trusted Command Execution

What is ClickOnce? ClickOnce is “a Microsoft technology that enables the user to install and run a Windows-based smart client application by clicking a link in a web page” [Wikipedia]. Included as a component within the .NET Framework, ClickOnce allows a developer to create a web-enabled installer package for their (C#) Visual Studio project. […]