Microsoft Defender ASR Bypass using Command Line Tampering

I’ve worked a lot with Microsoft Defender Antivirus, and particularly with the Attack Surface Reduction feature. Having built up some understanding of its inner workings with the help of other online literature on the topic, it occurred to me that some of the previous work I’d performed using command line tampering could prove useful in …

Command Line Tampering in Windows, part III

In previous posts, we have explored some techniques for tampering with the command line of a freshly launched Windows process. In Part I, we saw a simple technique which suffered from the drawback that the new command line could be no longer than the original. In Part II, we proposed an alternate technique which supported …

Command Line Tampering in Windows, Part II

In Part I of this series, we proposed a simple method for launching a child process with a fake command line and then modifying its command line before it started executing. Due to its simplicity, this method comes with one major drawback: because we are modifying the buffer where the command line is located, the …

Command Line Tampering in Windows, Part I

Every Windows process has a command line — a string of characters that is supplied to the process when it first starts, and can be interpreted by the process to govern its behaviour. It might be assumed that, once a process is started, the command line provides an immutable record of how the process was …

Microsoft Teams and other Electron Apps as LOLbins

While studying AppLocker in recent months, I’ve had the opportunity to delve into the world of Living-off-the-land Binaries (LOLbins), particularly those which are useful as Application Whitelisting Bypass tools. Windows LOLbins are catalogued in several places, not least of which is the LOLBAS project (https://github.com/LOLBAS-Project/LOLBAS). This project provides a comprehensive definition of …