Hey all,

Lately I’ve been playing around with Visual Studio Tools for Office (VSTO) as a persistent foothold.  VSTOs are Microsoft Office add-ins that can enhance the user’s experience or automate tasks.  Enabled add-ins are run every time the target Office application is started, a perfect persistence point.  VSTOs can be written in C# or VB, and if done correctly, do not require administrative privileges to install.

Because of this event driven nature and the non-admin installation, I think VSTOs could be a decent addition to a phishing installation package.  I’ve put together a proof of concept which can be found at https://github.com/ThunderGunExpress/ThunderVSTO

What This is Not

A complete installation package.  This persistent VSTO would need to be included in some sort of a larger installation package.  Fortunately, I plan on posting about this at a later date.

How to Defend

• Restrict the user’s ability to install Outlook add-ins
• Don’t install software from untrusted sources
• Audit HKU and HKLM\Software\Microsoft\Office\**Office App**\Addins for new installations

Sysinternals Autoruns checks for Office add-ins; however, unless I’m missing something, it only displays the HKLM\Software\Microsoft\Office\**Office App**\Addins.  Personally, I would target HKU instead (non-admin) which is not tracked by Autoruns.

Continue reading “Persistent VSTO” →

Hey all,

This really isn’t much of a post; instead, I wanted to show some love for https://www.hackthebox.eu/ which a friend recently introduced me to.  I just started to work my way through some of the challenges and I think it’s very well done.

I suspect that the reason you might be here is to get an invite code.  Out of respect for the rules, I’m not going to do a walkthrough.  Instead, I’m going to give two hints: javascript and http://jsbeautifier.org/.  If you’re really stumped, drop me a line and we can work through it together.

Good luck!

Hey all,

We all know that UAC is not a security boundary.  That being said, it can be super annoying, and sometimes difficult, when you just want to spawn a window-less high integrity session so you can continue with funtimes.

Recently I came across the technique described on Tyranid’s Lair to bypass UAC, but I could only find Powershell implementations like UAC-TokenMagic and Invoke-TokenDuplication. So to take a different route, I put together a reflective DLL that uses this technique and an Aggressor script to make everything easy.

The DLL creates a duplicate token for wusa.exe, crafts a new restricted token, spawns an elevated hidden instance of cmd.exe, and proceeds to inject shellcode into cmd.exe via RTLCreateUserThread.  I’ve tested it on Windows 7, 10, 2008, and 2012 on both x64 and x86 architectures.

https://github.com/ThunderGunExpress/UAC-TokenDuplication