I think you're confused about whitelisting. I think you're doing this: Step 1. Find a "built-in" that lets you do what you want. Step 2. ??? Step 3. Arbitrary code execution.
Spell it out for me: I want to run wmic.exe on your computer and you have whitelisting installed, what do I do next? Let's imagine you're a regular user who can be easily tricked into running any attachment, downloading and running files, etc.
Use wmic to turn off application whitelisting (almost all of them are registry entries; in the worst case, set the service to disabled at boot). Then proceed as usual.
That's a good Step 3, but first you need to get to the point where you can run wmic.exe (the Step 2). That's the bit I'm lost on.
Office macro
I see, so to bypass whitelisting, you just need to bypass whitelisting then you can bypass the whitelisting?
This stuff isn't theoretical, I see Office macros that use wmic (etc) to bypass application whitelisting all the time :) quite often they're targeting high security orgs. cc @subTee
When you've got to the point that you can run office macros, you've already defeated whitelisting. You need to get to that point first.
I don't disagree. The slight problem: here's how to run Office macros at almost every organisation: email them to a user.
Very true, if only they used whitelisting! 
Right, the missing key point here: you can whitelist certs and sign macros with those certs. Disable running unsigned macros. Whitelisting now protects you against drive by macros.
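The mitigation in the last reply (block unsigned macros so the "email a macro to a user" path fails), as an added audit script that is not part of the thread and not Microsoft's tooling. It reads the Office Trust Center macro setting per application; the registry paths and value meanings are Microsoft's documented VBAWarnings setting, while the Office version "16.0" and the app list are assumptions.

```powershell
# Added audit example (not from the thread): report whether each Office app
# is configured to block unsigned VBA macros. Paths and value meanings are
# Microsoft's documented Trust Center registry settings; the version "16.0"
# is an assumption for Office 2016/2019/365 and can be changed below.
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint', 'Outlook', 'Access'

# VBAWarnings: 1 = enable all macros, 2 = disable with notification,
# 3 = disable all except digitally signed, 4 = disable all without notification
$meaning = @{
    1 = 'Enable all (UNSAFE)'
    2 = 'Disable with notification (user can click Enable)'
    3 = 'Disable except digitally signed'
    4 = 'Disable all'
}

function Get-MacroSetting {
    param([string]$App)
    # A Group Policy value takes precedence over the user's Trust Center choice
    $paths = @(
        "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security",
        "HKCU:\Software\Microsoft\Office\$officeVersion\$App\Security"
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -ne $v) { return [pscustomobject]@{ Source = $p; Value = [int]$v } }
    }
    # Office's default when no value is present is 2 (disable with notification)
    return [pscustomobject]@{ Source = '(default)'; Value = 2 }
}

foreach ($app in $apps) {
    $s = Get-MacroSetting -App $app
    # 3 or 4 blocks an emailed unsigned macro outright; 1 or 2 leaves it to the user
    $status = if ($s.Value -ge 3) { 'OK ' } else { 'FIX' }
    '{0} {1,-10} VBAWarnings={2} ({3}) from {4}' -f $status, $app, $s.Value, $meaning[$s.Value], $s.Source
}
```

The script only reports the macro policy; the certificate side of the reply (which signing certs are trusted) lives in the Trusted Publishers store and is not checked here.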