CLRGuard - Let's Kick the Door Down. Part One

I really like this tool! Let me start with that. ;-) I really appreciate Joe Desimone (@dez_) and EndGame making this available open source. First, check this DerbyCon 2017 Talk out, it will help you have the necessary background. The code can be found here: I've had some time to experiment with this code the last few days. Let's look at the...

Thu Sep 28, 2017 03:10
dbghost.exe - Ghost And The Darkness

I found another Device Guard bypass recently. It was great to get to work with MSRC to get confirmation of the bypass, and to have them update the Device Guard configurations here: Device Guard Configuration. This is another example of a misplaced trust bypass. A trusted signed binary that can allow unapproved execution. I'll keep this post short...

Fri Sep 22, 2017 10:05
Demogorgon - A Stranger Things Inspired Tool, Coming Soon.

****** This tool is inspired by the show "Stranger Things". There are spoilers, so, if you want to watch the show, read no further. You were warned.  :-) ****** First some background.  If you haven't seen the show. In the show, an alternate reality, called the Upside Down is introduced.  Think of this as an overlay to the real world, same infrastructure...

Sun Sep 17, 2017 21:49
Banned File Execution via InstallUtil.exe Nov 11, 2014 12:58 AM

I was going through some of my old research today, and thought I might share the genesis of one of my older findings.  I thought maybe it would be helpful to share my thinking and motivation for some of the research I have done in the past. It was October 31, 2014.  We were running a Red Team exercise against our environment, it was the first engagement...

Sat Sep 2, 2017 14:52
msxsl.exe Working As Designed.

So, I recently was exploring XSL, and injection and came across several interesting references: "<msxsl:script> Element" and "XSLT Script Block Sample". The basic gist, and what I think is interesting is that you can host/execute scripts inside trusted signed binaries that ingest XML. So, here is an example, a tool called msxsl.exe. You can download...

Fri Aug 25, 2017 20:31
DEFCON 30 CFP: New Directions in Cryptanalysis, an Exploration of Disruptive Disclosure

I had some free time today, and started thinking about what would it be like to disclose a globally disruptive vulnerability. Where and how would you do that? I started thinking about what might this actually look like. So I chose the theme as a rogue cipher punk team that solves some critical equations. How would they get the word out. Safely? ...

Sat Jul 22, 2017 22:46
