Persistent VSTO

Hey all,

Lately I’ve been playing around with Visual Studio Tools for Office (VSTO) as a persistent foothold.  VSTOs are Microsoft Office add-ins that can enhance the user’s experience or automate tasks.  Enabled add-ins are run every time the target Office application is started, a perfect persistence point.  VSTOs can be written in C# or VB, and if done correctly, do not require administrative privileges to install.

Because of this event driven nature and the non-admin installation, I think VSTOs could be a decent addition to a phishing installation package.  I’ve put together a proof of concept which can be found at

What This is Not

A complete installation package.  This persistent VSTO would need to be included in some sort of a larger installation package.  Fortunately, I plan on posting about this at a later date.

How to Defend

Sysinternals Autoruns checks for Office add-ins; however, unless I’m missing something, it only displays the HKLM\Software\Microsoft\Office\**Office App**\Addins.  Personally, I would target HKU instead (non-admin) which is not tracked by Autoruns.

Continue reading “Persistent VSTO”

Hey all,

This really isn’t much of a post; instead, I wanted to show some love for which a friend recently introduced me to.  I just started to work my way through some of the challenges and I think it’s very well done.

I suspect that the reason you might be here is to get an invite code.  Out of respect for the rules, I’m not going to do a walkthrough.  Instead, I’m going to give two hints: javascript and  If you’re really stumped, drop me a line and we can work through it together.

Good luck!

UAC Bypass with Token Duplication

Hey all,

We all know that UAC is not a security boundary.  That being said, it can be super annoying, and sometimes difficult, when you just want to spawn a window-less high integrity session so you can continue with funtimes.

Recently I came across the technique described on Tyranid’s Lair to bypass UAC, but I could only find Powershell implementations like UAC-TokenMagic and Invoke-TokenDuplication. So to take a different route, I put together a reflective DLL that uses this technique and an Aggressor script to make everything easy.

The DLL creates a duplicate token for wusa.exe, crafts a new restricted token, spawns an elevated hidden instance of cmd.exe, and proceeds to inject shellcode into cmd.exe via RTLCreateUserThread.  I’ve tested it on Windows 7, 10, 2008, and 2012 on both x64 and x86 architectures.