Endpoint Security Bypass
Denylists don't work - too easy to bypass
Methodology
- create payload exe
- disassemble
- xor X, X → always 0
- reassemble
- bypass!
Tools
Whitelisting - AppLocker
- Allow by directory
- Not Downloads, Desktop, or Temporary Internet Files
- Allow by publisher certificate
- AppLocker does this (Local Security Policy → Application Control Policies)
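Added example (not from the original notes): an AppLocker EXE rule set built the way the bullets above describe, allowing fixed program directories by path and one vendor by publisher certificate, with Downloads, Desktop and Temporary Internet Files left out so they fall through to the default deny. The rule GUIDs and the vendor name are constructed placeholders; the cmdlets are the standard AppLocker module ones.

```powershell
# Added example, not from the original notes.  Rule Ids and the publisher string
# are constructed placeholders; replace them with values from your own estate.
# Path rules cover only locations a standard user cannot write to; nothing under
# the user profile (Downloads, Desktop, Temporary Internet Files) is listed.

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Allow Windows"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <!-- user-writable spots under %WINDIR% are excluded so the path rule cannot be abused -->
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <!-- publisher rule: any product, any version, signed by this (placeholder) vendor -->
    <FilePublisherRule Id="33333333-3333-3333-3333-333333333333" Name="Allow example vendor"
                       Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE VENDOR, L=ANYTOWN, S=STATE, C=US"
                                ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-allowlist.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry-run the policy against a few paths before touching the live policy.
# Expected: Program Files binary -> Allowed (path rule); profile paths -> Denied (no rule).
$probes = @(
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",
    "$env:USERPROFILE\Downloads\example.exe",
    "$env:USERPROFILE\Desktop\example.exe"
) | Where-Object { Test-Path $_ }

if ($probes) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probes -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Apply in audit mode first: Event ID 8003 in the AppLocker "EXE and DLL" log lists
# what would have been blocked.  Switch EnforcementMode to "Enabled" once that log is
# clean.  The Application Identity service must be running for AppLocker to act.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Audit mode is the important part: rolling straight to enforcement on a directory-only allowlist usually breaks a line-of-business tool installed somewhere odd, and the 8003 events tell you which publisher or path rule to add before flipping to Enabled.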
Password Controls
- Spray users with a common password, e.g. <season><year>
- Bounce the spray through AWS/Azure to avoid IP-based blocks
- CredKing, fireprox, CredSniper, DomainPasswordSpray
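Added example (not from the original notes), from the detection side of the spraying bullets above: a spray shows up in Windows failed-logon events (4625) as a few attempts against many distinct accounts in a short window, and bouncing it through cloud IPs changes the source address but not that shape. The events below are constructed stand-ins for `Get-WinEvent` output; the thresholds and the `Find-PasswordSpray` function name are assumptions.

```powershell
# Added example, not from the original notes.  Detection logic for a password
# spray over 4625 (failed logon) events.  The sample events are constructed;
# swap Get-SampleEvents for the Get-WinEvent call shown in its comment.

$window        = [TimeSpan]::FromMinutes(30)
$minAccounts   = 5   # distinct accounts in one window before it counts as a spray
$maxPerAccount = 2   # sprays stay below lockout, so tries per account are few

function Get-SampleEvents {
    # Constructed stand-in for:
    # Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-1) }
    $t0 = Get-Date '2024-01-15T09:00:00'
    $rows = @()
    # spray: one attempt per account, rotating across three source addresses
    # (TEST-NET ranges, not real hosts) the way a cloud-bounced spray would
    $sources  = '203.0.113.10', '203.0.113.11', '198.51.100.7'
    $accounts = 'alice', 'bob', 'carol', 'dave', 'erin', 'frank', 'grace', 'heidi'
    for ($i = 0; $i -lt $accounts.Count; $i++) {
        $rows += [pscustomobject]@{
            TimeCreated    = $t0.AddMinutes($i * 2)
            TargetUserName = $accounts[$i]
            IpAddress      = $sources[$i % $sources.Count]
            Status         = '0xC000006D'   # unknown user name or bad password
        }
    }
    # benign noise two hours later: one user mistyping their password three times
    1..3 | ForEach-Object {
        $rows += [pscustomobject]@{
            TimeCreated    = $t0.AddHours(2).AddSeconds($_ * 20)
            TargetUserName = 'ivan'
            IpAddress      = '10.0.0.25'
            Status         = '0xC000006D'
        }
    }
    return $rows
}

function Find-PasswordSpray {
    param([object[]]$Events)
    $sorted    = $Events | Sort-Object TimeCreated
    $hits      = @()
    $skipUntil = [datetime]::MinValue
    foreach ($start in $sorted) {
        # windows inside an already-reported one would just repeat the finding
        if ($start.TimeCreated -lt $skipUntil) { continue }
        $end      = $start.TimeCreated + $window
        $inWindow = $sorted | Where-Object { $_.TimeCreated -ge $start.TimeCreated -and $_.TimeCreated -lt $end }
        $byUser   = $inWindow | Group-Object TargetUserName
        $perAccountMax = ($byUser | Measure-Object -Property Count -Maximum).Maximum
        # many accounts, each touched only a couple of times, regardless of source IP
        if ($byUser.Count -ge $minAccounts -and $perAccountMax -le $maxPerAccount) {
            $hits += [pscustomobject]@{
                WindowStart = $start.TimeCreated
                Accounts    = $byUser.Count
                Attempts    = $inWindow.Count
                Sources     = ($inWindow.IpAddress | Sort-Object -Unique) -join ', '
            }
            $skipUntil = $end
        }
    }
    return $hits
}

# On the constructed data this reports one window: 8 accounts, 8 attempts, 3 sources.
# The single user failing three times is not reported (one account, above the per-account cap).
Find-PasswordSpray -Events (Get-SampleEvents) | Format-List
```

Grouping by account rather than by source IP is the point: a per-IP lockout or per-IP counter is exactly what the cloud bounce defeats, while the count of distinct accounts failing in one window is unaffected by how many exit addresses the attacker rotates through. On a domain controller the same logic applies to 4771 and 4776, which is where the failures land when the spray targets Kerberos or NTLM directly.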
Network Security Monitoring / Egress Traffic Analysis