Until recently, I had gotten away from configuring Windows Defender Application Control (WDAC) until the lead-up to Christmas when I wanted to repurpose an older Microsoft Surface Gen. 1 Laptop as my young daughter’s first Windows-based computer for play and experimentation.
As a security practitioner, obviously, I want to protect her from external threats as much as possible, but as a dad who is acutely aware and in awe of a child’s willingness to experiment, I acknowledge that my daughter will do everything in her power to corrupt (intentionally or otherwise) her Windows installation. Along with traditional least-privilege principles in…
Over the years, I have written and recorded a lot of material related to Windows Defender Application Control (previously, Device Guard). I am extremely heartened to have received a lot of interest in it lately and I’ve been getting a lot of questions asking for help with individual deployments. It means a lot to me for someone to spend their valuable time reaching out to me with questions but considering the nature of the beast that is configuration, baselining, tuning, maintenance, and deployment of application control solutions, there is “no one size fits all” answer which makes addressing individual questions…
Upon gaining access to a system, what level of access is granted to an attacker who has yet to elevate their privileges?
Rather than experiment on the host, ultimately be denied access, and generate noisy logs in the process, a better strategy would be to first have a sense of what permissions Windows implicitly grants unprivileged users in the first place.
In Windows, nearly all access is controlled by security descriptors. The goal of this post is to establish a methodology for auditing potential exposure caused by security descriptor misconfigurations. Upon establishing the methodology, we will apply it to a…
AMSI offers a fantastic interface for endpoint security vendors to gain insight into in-memory buffers from components that choose to have their content scanned. Microsoft documents the following list of components that opt in to AMSI:
As a defender engaged in detection engineering and as an attack researcher interested in maturing evasion techniques, I was left with these questions:
Alternate title for the technical crowd: Discovering, performing root cause analysis of, and strategically mitigating vulnerabilities of the soul. Exercises for the intelligent and mindful.
As I write this, I’m going through a minor bout of depression. I mention this because while it is extremely difficult to do so in the midst of pain, darkness can often offer extremely profound perspective that you might otherwise lose sight of if you don’t practice looking at it directly. This post is a collection of thoughts, observations, and principles I’ve been establishing over the past several months. The ultimate motivation to write this…
Whether analyzing a Windows binary or assessing new data sources for detection engineering purposes, two lesser-known tracing mechanisms, Windows software trace preprocessor (WPP) and TraceLogging, offer a potential goldmine of valuable information that has been right under your nose. Both WPP and TraceLogging were designed primarily for debugging purposes but potentially offer reverse engineers, vulnerability researchers, and detection engineers an opportunity to peer inside Windows binaries, all without requiring a debugger.
By now, defenders are generally familiar with manifest-based ETW which offers the ability to easily recover events and field metadata. In reality though, the set of registered ETW…
While performing code reviews, I’ve encountered several instances now in .NET code where the Equals method in X509Certificate is used as a basis for trust when validating signatures. Understandably, application developers should be able to assume that the method performs a robust comparison; unfortunately, the comparison is far from robust. This blog post will cover why the Equals method is considered weak and should not be used in security-related code.
Here is the open source, coreclr implementation of Equals:
And here is the decompiled, simple implementation in Windows .NET:
At the core of each method implementation is the comparison…
PowerShell Desired State Configuration (DSC) permits the direct execution of resources using WMI. Using DSC WMI classes, remote PowerShell code execution can be achieved by abusing the built-in script resource. The benefits of this lateral movement technique are the following:
Microsoft.Workflow.Compiler.exe, a utility included by default in the .NET framework, permits the execution of arbitrary, unsigned code by supplying a serialized workflow in the form of a XOML workflow file (don’t worry. I had no clue what that was either) and an XML file consisting of serialized compiler arguments. This bypass is similar in its mechanics to Casey Smith’s msbuild.exe bypass.
Microsoft.Workflow.Compiler.exe requires two command-line arguments. The first argument must be the path to an XML file consisting of a serialized CompilerInput object. The second argument is a file path to which the utility writes serialized compilation results.
winrm.vbs (a Windows-signed script in System32) is able to consume and execute attacker-controlled XSL which is not subject to “enlightened script host” restrictions, resulting in arbitrary, unsigned code execution.
When you supply “-format:pretty” or “-format:text” to winrm.vbs, it pulls WsmPty.xsl or WsmTxt.xsl respectively from the directory in which cscript.exe resides. This means that if an attacker copies cscript.exe to an attacker-controlled location where their malicious XSL resides, they will achieve arbitrary unsigned code execution. This issue is effectively identical to Casey Smith’s wmic.exe technique.
The weaponization workflow is as follows:
Security Researcher, SpecterOps