Daily Archives: November 17, 2017

3 posts

Background: It’s been difficult to determine exactly who found “mshta.exe” and when they found it. I sent out a tweet asking about this. It can be seen below. Lesley is certainly right, it’s been awesome for bypassing application whitelisting if it isn’t blocked. Hopefully someone chimes in and tells us […]

Background: Casey Smith (@subTee) discovered a Microsoft binary called “msbuild.exe”. He wrote a blog on Tuesday, September 13, 2016 titled “Bypassing Application Whitelisting using MSBuild.exe – Device Guard Example and Mitigations”. His blog is no longer available; however, you can access it via archive.org here. Proof of Concept: You can also download […]

Background: Casey Smith (@subTee) discovered a native Microsoft binary called “regsvr32.exe”, aka “squiblydoo”. He wrote a blog on Tuesday, April 19, 2016 titled “Bypass Application Whitelisting Script Protections – Regsvr32.exe & COM Scriptlets (.sct files)”. The blog post is quoted below. His blog is no longer available; however, you can access […]