DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction

[Source: blog.microsoft.com] Introduction Not long ago, I blogged about Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction.  This tool was quite interesting because it was yet another utility to perform volume shadow copy operations, and it had a few other features that could potentially support other offensive use cases.  … Continue reading DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction

Abusing Exported Functions and Exposed DCOM Interfaces for Pass-Thru Command Execution and Lateral Movement

Background Last Wednesday, I had some down time so I decided to hunt around in \System32 to see if I could find anything of potential interest.  I located a few DLL files that shared an interesting export function called OpenURL: While looking for a quick win, I wanted to see if anything could be invoked … Continue reading Abusing Exported Functions and Exposed DCOM Interfaces for Pass-Thru Command Execution and Lateral Movement

Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence

Introduction Over the last few weeks, I researched and tested a few interesting namespaces/methods documented on various Microsoft/MSDN sources that dealt with executing various COM scripts/scriptlets (e.g. VBscript, Jscript, etc.).  In particular, I was curious to see if there were potentially new ways to invoke remote scripts (ActiveX Objects) by leveraging some of the great … Continue reading Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence

Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction

[Source: blog.microsoft.com] What is Vshadow? Vshadow (vshadow.exe) is a command line utility for managing volume shadow copies.  This tool is included within the Windows SDK and is signed by Microsoft (more on this later). Vshadow has a lot of functionality, including the ability to execute scripts and invoke commands in support of volume shadow snapshot … Continue reading Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction

VSTO: The Payload Installer That Probably Defeats Your Application Whitelisting Rules

Introduction Visual Studio Tools for Office (VSTO) "is a set of development tools available in the form of a Visual Studio add-in (project templates) and a runtime that allows Microsoft Office 2003 and later versions of Office applications to host the .NET Framework Common Language Runtime (CLR) to expose their functionality via .NET" (Wikipedia).  For … Continue reading VSTO: The Payload Installer That Probably Defeats Your Application Whitelisting Rules

ClickOnce (Twice or Thrice): A Technique for Social Engineering and (Un)trusted Command Execution

What is ClickOnce? ClickOnce is a “a Microsoft technology that enables the user to install and run a Windows-based smart client application by clicking a link in a web page” [Wikipedia].  Included as a component within the .NET Framework, ClickOnce allows a developer to create a web-enabled installer package for their (C#) Visual Studio project.  … Continue reading ClickOnce (Twice or Thrice): A Technique for Social Engineering and (Un)trusted Command Execution