Windows Defender Application Control (WDAC) Updates in 20H2 and Building a Simple, Secure…
The goal is to highlight the WDAC improvements made since Windows 10 20H2 in the context of building and applying a simple but secure…
Jan 4, 2021

Windows Defender Application Control (WDAC) Resources
Over the years, I have written and recorded a lot of material related to Windows Defender Application Control (previously, Device Guard)…
Nov 5, 2020

Published in Posts By SpecterOps Team Members
Security Descriptor Auditing Methodology: Investigating Event Log Security
Upon gaining access to a system, what level of access is granted to an attacker who has yet to elevate their privileges?
Oct 10, 2019

Published in Posts By SpecterOps Team Members
Antimalware Scan Interface Detection Optics Analysis Methodology
Identification and Analysis of AMSI for WMI
Oct 4, 2019

Improving Infosec (or any Community/Industry) in One Simple but Mindful Step
Alternate title for the technical crowd: Discovering, performing root cause analysis of, and strategically mitigating vulnerabilities of…
May 9, 2019

Published in Posts By SpecterOps Team Members
Data Source Analysis and Dynamic Windows RE using WPP and TraceLogging
Whether analyzing a Windows binary or assessing new data sources for detection engineering purposes, using lesser known tracing mechanisms…
Feb 22, 2019

Published in Posts By SpecterOps Team Members
Subverting X509Certificate.Equals in .NET
While performing code reviews, I’ve encountered several instances now in .NET code where the Equals method in X509Certificate is used as a…
Jan 16, 2019

Published in Posts By SpecterOps Team Members
Abusing PowerShell Desired State Configuration for Lateral Movement
Lateral Movement Technique Description
Nov 1, 2018

Published in Posts By SpecterOps Team Members
Arbitrary, Unsigned Code Execution Vector in Microsoft.Workflow.Compiler.exe
Bypass Technique Description
Aug 17, 2018

Published in Posts By SpecterOps Team Members
Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs
Bypass Technique Description
Jul 12, 2018