Channel: Exploit Monday
Browsing all 78 articles

Windows Device Guard Code Integrity Policy Reference

One of the more obvious ways to circumvent Device Guard deployments is by exploiting code integrity policy misconfigurations. The ability to effectively audit deployed policies requires a thorough...

Device Guard Code Integrity Policy Auditing Methodology

In my previous blog post, I provided a detailed reference of every component of a code integrity (CI) policy. In this post, I'd like to exercise that reference and perform an audit of a code integrity...

On the Effectiveness of Device Guard User Mode Code Integrity

Is a security feature with known bypasses pointless? I felt compelled to answer this question after seeing several tweets recently claiming that Device Guard User Mode Code Integrity (UMCI) is a...

Code Integrity on Nano Server: Tips/Gotchas

Although it's not explicitly called out as being supported in Microsoft documentation, it turns out that you can deploy a code integrity policy to Nano Server, enabling enforcement of user and...

Updating Device Guard Code Integrity Policies

In previous posts about Device Guard, I spent a lot of time talking about initial code integrity (CI) configurations and bypasses. What I haven't covered until now however is an extremely important...

PowerShell is Not Special - An Offensive PowerShell Retrospective

“PowerShell is not special.” During Jared Haight’s excellent DerbyCon presentation, he uttered this blasphemous sentence. As someone who has invested the last five years of his life learning and...

Bypassing Device Guard with .NET Assembly Compilation Methods

Tl;dr: This post will describe a Device Guard user mode code integrity (UMCI) bypass (or any other application whitelisting solution for that matter) that takes advantage of the fact the code integrity...

Application of Authenticode Signatures to Unsigned Code

Attackers have been known to apply legitimate digital certificates to their malware, presumably, to evade basic signature validation utilities. This was the case with the Petya ransomware. As a reverse...

Exploiting PowerShell Code Injection Vulnerabilities to Bypass Constrained...

Introduction: Constrained language mode is an extremely effective method of preventing arbitrary unsigned code execution in PowerShell. Its most realistic enforcement scenarios are when Device Guard or...

Device Guard and Application Whitelisting on Windows - An Airing of Grievances

Introduction: The purpose of this post is to highlight many of the frustrations I’ve had with Device Guard (rebranded as Windows Defender Application Control) and to discuss why I think it is not an...

Welcome!

The fact that you are reading this indicates that you and I share a similar passion for exploiting software vulnerabilities. My primary intent with this blog is to motivate myself to learn new...

Leveraging format string vulnerabilities to interrogate Win32 process memory

Although format string vulnerabilities aren't seen as much in the wild these days since they are so easy to spot in source code, I'd like to use this class of vulnerability to demonstrate what...

Post-mortem Analysis of a Use-After-Free Vulnerability (CVE-2011-1260)

Recently, I've been looking into the exploitation of use-after-free vulnerabilities. This class of bug is very application specific, but armed with just the right amount of knowledge these...

Cool kids pop a programmer's calc in their demos

Over time, I've heard several well-respected security professionals mention that you're not really cool unless you can pop a scientific/programmer's calculator when demoing your exploits. I mean, what...

Integrating WinDbg and IDA for Improved Code Flow Analysis

IDA is hands down the best tool for static analysis. Its debugger on the other hand, when compared to the power of WinDbg is certainly lacking, IMHO. As such, I find myself wasting too much time...

Targeted Heap Spraying – 0x0c0c0c0c is a Thing of the Past

Traditionally, heap spraying has relied upon spraying with 0x0C0C0C0C followed by shellcode which serves as both an address in the heap and a series of nops. This however is not extremely reliable. You...

Dropping Executables with Powershell

Scenario: You find yourself in a limited Windows user environment without the ability to transfer binary files over the network for one reason or another. So this rules out using a browser, ftp.exe,...

Stealth Alternate Data Streams and Other ADS Weirdness

I was reading an article on MSDN regarding the naming of files, paths, and namespaces[1] and I discovered some interesting peculiarities regarding the naming and creation of certain files containing...
