Endpoint Security Bypass

Denylists don't work - too easy to bypass

Methodology

1. create payload exe
2. disassemble
3. xor X, X → always 0
4. reassemble
5. bypass!

Tools

• LOLBAS
• Magic Unicorn

Whitelisting - AppLocker

• Allow directories
  • Not Downloads, Desktop, Temp Internet Files
• Publisher certs
• AppLocker does this (Local Security Policy → Application Control Policies)

Password Controls

• Spray users with common password e.g. <season><year>
• Bounce spray through AWS/Azure to avoid IP blocks
  • CredKing, fireprox, CredSniper, DomainPasswordSpray

Network Security Monitoring / Egress Traffic Analysis