19. UAC
• User Account Control (UAC)
• Runs programs with standard user rights instead of full administrator rights
• Disable UAC (EnableLUA = 0):
• C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
• Re-enable UAC (EnableLUA = 1):
• C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
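The reg.exe commands above flip a single value under the Policies\System key. As an added example that is not part of the original slides, the following PowerShell script audits that key from a defender's side: it reads EnableLUA together with the two related prompt settings, flags values that weaken UAC, and can restore EnableLUA to 1 (the same change as the second reg.exe command). It assumes an elevated PowerShell session on Windows; the set of acceptable values is taken from common hardening baselines and is this script's assumption, not something the slides state. Like the reg.exe command, a change to EnableLUA only takes effect after a reboot.

```powershell
# Added example (not from the original slides): audit the UAC policy values that
# the reg.exe commands on the slide modify, and restore EnableLUA if it is off.
# Assumes an elevated PowerShell session on Windows. The "Good" value sets below
# follow common hardening baselines and are an assumption of this script.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value name => acceptable settings and what a weaker value means.
$Checks = @{
    'EnableLUA'                  = @{ Good = @(1);    Note = '0 turns UAC off entirely (needs a reboot to apply)' }
    'ConsentPromptBehaviorAdmin' = @{ Good = @(1, 2); Note = '0 = elevate silently; 5 (Windows default) = prompt only for non-Windows binaries' }
    'PromptOnSecureDesktop'      = @{ Good = @(1);    Note = '0 shows the elevation prompt on the normal desktop, where it can be spoofed' }
}

function Get-UacAuditResult {
    # Returns one object per checked value with its current state.
    $props = Get-ItemProperty -Path $UacKey
    foreach ($name in $Checks.Keys) {
        $current = $props.$name
        if ($null -eq $current) {
            $status = 'MISSING'   # value absent: Windows falls back to its built-in default
        } elseif ($Checks[$name].Good -contains $current) {
            $status = 'OK'
        } else {
            $status = 'WEAK'
        }
        [pscustomobject]@{
            Setting    = $name
            Current    = $current
            Acceptable = ($Checks[$name].Good -join ',')
            Status     = $status
            Note       = $Checks[$name].Note
        }
    }
}

function Restore-UacEnabled {
    # Same effect as the "EnableLUA /t REG_DWORD /d 1 /f" reg.exe command on the slide.
    Set-ItemProperty -Path $UacKey -Name 'EnableLUA' -Value 1 -Type DWord
    Write-Warning 'EnableLUA set to 1; UAC is enforced again after the next reboot.'
}

# Usage: report all three values, then put EnableLUA back if it has been disabled.
$results = Get-UacAuditResult
$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Setting -eq 'EnableLUA' -and $_.Status -eq 'WEAK' }) {
    Restore-UacEnabled
}
```

A MISSING result is not necessarily a problem: when the value is absent Windows applies its built-in default, but an explicit value is what Group Policy and most baselines expect, so it is worth setting it deliberately.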
20. Bypass UAC
• Abusing a flaw in any autoElevate binary (use sigcheck to check the autoElevate manifest flag)
• UACME
• DLL hijacking
• autoElevate
• Elevated COM interface
• SDCLT - Backup command
• Fodhelper - Manage Optional Features
• Process or DLL injection into binaries signed with the Windows Publisher certificate
• Windows Update Standalone Installer (wusa.exe)
• etc.
23. AppLocker
• Application whitelisting
• Covers executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers
• Windows 7 and later
• Configured on a single computer with secpol.msc, or through Group Policy Management (gpmc.msc)
24. AppLocker File Types
• Executable files: regular .exe and .com applications (cmd.exe, ipconfig.exe, etc.)
• Windows Installer files (.msi, .msp, .mst), typically used to install new software on the machine
• Script files with the following extensions: .ps1, .vbs, .vba, .cmd and .js
• Packaged apps installed through the Microsoft Store
• DLL files (.dll and .ocx, in the Advanced tab)
26. Bypass AppLocker
• Find exception paths
• "C:\Windows\Tasks"
• "C:\Windows\tracing"
• Load a file from memory (PowerSploit framework)
• $ByteArray = [System.IO.File]::ReadAllBytes("C:\users\richard\desktop\mimikatz.exe")
• Invoke-Expression (Get-Content .\Invoke-ReflectivePEInjection.ps1 | Out-String)
• Invoke-ReflectivePEInjection -PEBytes $ByteArray
• Obfuscate the exe so its hash no longer matches a hash rule
• PowerShell without powershell.exe (Casey Smith; PowerShell Empire)
• Registry key manipulation
• Run a PE file by using a Microsoft-signed tool
• C:\Windows\System32\rundll32.exe
• C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe (installs and uninstalls applications via the command prompt)
• C:\Windows\System32\regsvr32.exe (installs and uninstalls DLL files)
• C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (used to build products in environments where Visual Studio is not installed)
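Slides 23 and 24 describe what AppLocker covers and where it is configured; slide 26 lists the two exception paths and the four Microsoft-signed tools that a default policy tends to let through. As an added example, not part of the original slides, the following PowerShell script checks an effective AppLocker policy against exactly those items: it summarises the enforcement mode of each rule collection, asks AppLocker how it would decide for the four listed binaries when run by Everyone, and reports whether a blanket %WINDIR%\* allow rule excludes the two listed folders or is paired with a Deny rule for them. It uses the built-in AppLocker cmdlets (Get-AppLockerPolicy and Test-AppLockerPolicy) and assumes a Windows host where they are available and a policy is applied; the folder and binary paths are the ones on the slides.

```powershell
# Added example (not from the original slides): audit the effective AppLocker
# policy against the tools and paths named on slides 23-26. Assumes Windows with
# the AppLocker cmdlets available and an effective policy to read.

# Microsoft-signed binaries from slide 26 that can load or run other code.
$Lolbins = @(
    "$env:windir\System32\rundll32.exe",
    "$env:windir\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe",
    "$env:windir\System32\regsvr32.exe",
    "$env:windir\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
)
# Folders from slide 26 (written in AppLocker path-rule notation) that sit under
# %WINDIR% and are therefore covered by the default "%WINDIR%\*" allow rule.
$WritableFolders = @('%WINDIR%\Tasks\*', '%WINDIR%\tracing\*')

function Get-EnforcementSummary {
    # One row per rule collection (Exe, Msi, Script, Appx, Dll) with its mode.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        [pscustomobject]@{
            Collection      = $rc.Type
            EnforcementMode = $rc.EnforcementMode   # NotConfigured, AuditOnly or Enabled
            RuleCount       = @($rc.ChildNodes).Count
        }
    }
}

function Test-LolbinDecisions {
    # Ask AppLocker what it would decide for "Everyone" on each listed binary.
    # "Allowed" with a default rule as MatchingRule means the tool is not restricted.
    $present = $Lolbins | Where-Object { Test-Path $_ }
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $present -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-WindirAllowRuleGaps {
    # For every Exe path rule that allows %WINDIR%\*, report whether each listed
    # folder is either excluded from the rule or covered by a separate Deny rule.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $allowRules = $policy.SelectNodes("//RuleCollection[@Type='Exe']/FilePathRule[@Action='Allow']")
    $denyPaths  = @($policy.SelectNodes("//RuleCollection[@Type='Exe']/FilePathRule[@Action='Deny']/Conditions/FilePathCondition") |
                    ForEach-Object { $_.Path })
    foreach ($rule in $allowRules) {
        if ($rule.Conditions.FilePathCondition.Path -ne '%WINDIR%\*') { continue }
        $excluded = @($rule.SelectNodes('Exceptions/FilePathCondition') | ForEach-Object { $_.Path })
        foreach ($folder in $WritableFolders) {
            [pscustomobject]@{
                Rule      = $rule.Name
                Folder    = $folder
                Excluded  = ($excluded -contains $folder)
                DenyRule  = ($denyPaths -contains $folder)
                Covered   = ($excluded -contains $folder) -or ($denyPaths -contains $folder)
            }
        }
    }
}

# Usage: run all three checks and print them as tables.
Get-EnforcementSummary  | Format-Table -AutoSize
Test-LolbinDecisions    | Format-Table -AutoSize
Get-WindirAllowRuleGaps | Format-Table -AutoSize
```

A row with Covered = False in the last table means the folder inherits the blanket allow; the usual fix is to add it as an exception to that rule or to add a matching Deny path rule, and to move the Exe collection to Enabled once the AuditOnly event log shows no false positives.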
28. Protecting against malware
• People: security awareness training
• Process: restrict program installation and usage with policy, updates, backups, governance, intelligence, an incident response plan, and more => security team
• Technology: tools that support the team and the processes
• Backup
• Antivirus
• Anti-ransomware
• Endpoint detection