This blogpost is about a minor discovery I made regarding a writeable file inside the Windows folder that is present on Lenovo machines. Initially when I found it I thought it was only a handful of…| Oddvar Moe's Blog
While I was prepping for a session a while back I made a little special discovery about AppLocker. Turns out that the files that AppLocker uses under C:\Windows\System32\AppLocker can be used in many cases to bypass a Default AppLocker ruleset. When a machine is deployed and the first user logs in, that user will … (Post: "A small discovery about AppLocker")
I thought it would be useful to have a blog post about two different techniques you can use to bypass AppLocker if you are an admin on a host that has AppLocker enabled. The first technique that uses the GUI was briefly discussed in a tweet I posted a while back: https://twitter.com/Oddvarmoe/status/996147947975962624. My goal with this … (Post: "Bypassing AppLocker as an admin")
TL;DR: Done as a normal user without admin privs. Change %TEMP%/%TMP% to point to a location that allows execution of scripts defined by AppLocker. Start PowerShell with the new environment variables that you set for %TEMP%/%TMP% and profit! Background: This blogpost covers a technique I discovered when digging further into AppLocker to bypass PowerShell Constrained … (Post: "%Temp%orary Constrained Language mode in AppLocker")
This is just a quick blogpost about a thing I forgot to write about a long time ago. One issue with AppLocker is that when someone gets admin access on a box they can create local AppLocker rules that will be combined with the Group Policy AppLocker rules. This is explained in this tweet here: https://twitter.com/Oddvarmoe/status/996147947975962624 … (Post: "AppLocker – Making sure that local rules are removed")
A thing I see a lot is that AppLocker is used to “protect” servers and prevent admins from doing certain things. In this post I want to go over what sort of security this gives so that everyone can see the pros and cons. A thing to remember is that an administrator has all the rights … (Post: "AppLocker for admins – Does it work?")