TL;DR BGinfo.exe older than version 4.22 can be used to bypass application whitelisting using vbscript inside a bgi file. This can run directly from a webdav server. UPDATE: 22.05.2017 AppLocker is still vulnerable with Bginfo 4.22. A blogpost about that here: https://msitpros.com/?p=3860 UPDATE: 19.06.2017 Microsoft has thanked me in their documentation for this finding. The […]
I must say that NIC 2017 was an awesome event and I meet a lot of great people. Thanks to all the people working for NIC that made this such a great event. During my presentation, I did not get enough time to show all the things I wanted to (damn you demo gods), and […]
This post is all about how I created a PowerShell script to automate the process of generating USB sticks used in a Social engineering attack. The goal with the attack was to measure if the employees inserted the USB sticks and opened any documents. It was not a goal to exploit the users. The Manual way So […]
I often end up in discussions where I point out that UAC bypass is a common thing and that UAC is not a very good security boundary if it is left default. Truth be told that if you change the default UAC setting from «Notify me only when apps try to make changes to my […]
After watching «The Advanced Persistent Pentester (All Your Networks Are Belong 2 Us)» (http://www.irongeek.com/i.php?page=videos/derbycon6/416-the-advanced-persistent-pentester-all-your-networks-are-belong-2-us-beau-bullock-derek-banks-joff-thyer)and especially the release of mailsniper I was inspired to write about another method that I use to get access to all data from within mailboxes and Sharepoint sites during pentests. This is often an overlooked feature by pentesters and it is […]
I often want to show customers how a ransomware attack will affect the business. Finding all the network shares that you have write access to as a normal user can take a lot of time to do manually. As a result of this I have created a script that I have called Ransomware simulator. The […]
Microsoft has announced (https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/) that there is a new group policy setting in macro security that blocks macros from files that arrives from Internet. If there is one setting you should implement in your organization, it is this one. This setting will make attacks through attachments in emails much harder. Microsoft’s Office 365 Advanced Threat […]
Let’s say you love Armitage ( I do ) and you are doing a pentest assignment and you can only work remotely against a Kali 2.0 vm hosted in a datacenter or something. Armitage is a GUI tool and you really need to have a desktop to use it. Or at least that was what […]
Say what? This is probably well known by people that knows Linux a little more than average. I often have Kali Linux running on Hyper-V and I often struggle with resolution using the native Hyper-V console. After a little research I found out that I can install xrdp on the Kali machine and be able […]
In this post, I will focus on maintaining access on a Windows machine after getting a shell. In my environment the user is a local administrator on the client machine. The clue of creating a successful backdoor is to create something that is not to suspicious and that blends into everything else. In my lab […]