#dfir
4 posts
26 Mar 2018
[Source: blog.microsoft.com] Introduction Not long ago, I blogged about Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction. This tool was quite interesting because it was yet another utility to perform volume shadow copy operations, and it had a few other features that could potentially support other offensive use cases. […]
10 Mar 2018
Introduction Two weeks ago, I blogged about several “pass-thru” techniques that leveraged the use of INF files (‘.inf’) to “fetch and execute” remote script component files (‘.sct’). In general, instances of these methods could potentially be abused to bypass application whitelisting (AWL) policies (e.g. Default AppLocker policies), deter host-based security products, and achieve ‘hidden’ persistence. […]
10 Feb 2018
Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction
Bohops
What is Vshadow? Vshadow (vshadow.exe) is a command line utility for managing volume shadow copies. This tool is included within the Windows SDK and is signed by Microsoft (more on this later). Vshadow has a lot of functionality, including the ability to execute scripts and invoke commands in support of volume shadow snapshot […]
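The excerpt above describes vshadow.exe as a Microsoft-signed SDK binary that can create snapshots and execute commands or scripts in the process, which is exactly the combination a responder wants to hunt for. The following is an added triage example, not code from the bohops post: it runs a few #dfir-style checks over constructed process-creation records (field names modelled on Sysmon Event ID 1, not captured telemetry) and flags vshadow.exe invocations that use the tool's `-exec=` (run a command after snapshot creation), `-script=` (write a SETVAR script) and `-p` (persistent snapshot) options, vshadow.exe running outside the Windows SDK install path, and any command that reads ntds.dit through a shadow copy device path. The SDK path marker is an assumption to adjust per environment.

```python
"""Triage process-creation records for vshadow.exe abuse patterns (added example)."""
import ntpath
import re

# Constructed sample records in the shape of Sysmon Event ID 1 fields.
# These are illustrative only, not real captured events.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64\vshadow.exe",
     "cmdline": r'"vshadow.exe" -q', "user": "CORP\\backupsvc"},
    {"image": r"C:\Users\Public\vshadow.exe",
     "cmdline": r"vshadow.exe -nw -exec=C:\Users\Public\stage.cmd C:", "user": "CORP\\jdoe"},
    {"image": r"C:\Windows\Temp\vshadow.exe",
     "cmdline": r"vshadow.exe -p -script=C:\Windows\Temp\vars.cmd C:", "user": "CORP\\jdoe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dit",
     "user": "CORP\\jdoe"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe", "user": "CORP\\jdoe"},
]

# Assumption: the SDK ships vshadow.exe under a "Windows Kits" directory; tune for your fleet.
EXPECTED_DIR_MARKER = "\\windows kits\\"


def split_args(cmdline):
    """Minimal Windows-style tokenizer: a double-quoted run is one argument."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze(event):
    """Return a list of human-readable findings for one process-creation record."""
    findings = []
    image = event["image"]
    base = ntpath.basename(image).lower()
    args = [a.lower() for a in split_args(event["cmdline"])]
    cmd_l = event["cmdline"].lower()

    if base == "vshadow.exe":
        # A copy dropped outside the SDK directory is the usual "bring your own signed binary" pattern.
        if EXPECTED_DIR_MARKER not in image.lower():
            findings.append("vshadow.exe outside the Windows SDK install path")
        for a in args:
            if a.startswith("-exec="):
                findings.append(f"vshadow -exec runs {a[len('-exec='):]} under a Microsoft-signed parent")
            elif a.startswith("-script="):
                findings.append(f"vshadow -script writes SETVAR script {a[len('-script='):]}")
            elif a == "-p":
                findings.append("persistent shadow copy requested (-p); snapshot outlives the process")

    # Reading the AD database out of a snapshot works from any process, so check every record.
    if "harddiskvolumeshadowcopy" in cmd_l and "ntds.dit" in cmd_l:
        findings.append("ntds.dit read from a shadow copy device path")
    return findings


def triage(events):
    """Return (index, findings) pairs for every record that produced at least one finding."""
    return [(i, f) for i, e in enumerate(events) if (f := analyze(e))]


if __name__ == "__main__":
    for idx, found in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['cmdline']}")
        for line in found:
            print(f"    - {line}")
```

The legitimate backup-service query (`-q` from the SDK path) produces no finding, while the three staged records are each flagged for a different reason, which is the point: the binary's signature says nothing about intent, so the detection has to key on where it runs from and which options it is given. On a live host, pair the command-line review with a listing of persistent snapshots (`vssadmin list shadows`), since a `-p` snapshot remains available to an attacker long after the creating process has exited.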
31 Jan 2018
Introduction Visual Studio Tools for Office (VSTO) “is a set of development tools available in the form of a Visual Studio add-in (project templates) and a runtime that allows Microsoft Office 2003 and later versions of Office applications to host the .NET Framework Common Language Runtime (CLR) to expose their functionality via .NET” (Wikipedia). For […]