That's a good Step 3, but first you need to get to the point where you can run wmic.exe (the Step 2). That's the bit I'm lost on.
Office macro
Replying to @GossiTheDog @da_667 and
I see, so to bypass whitelisting, you just need to bypass whitelisting then you can bypass the whitelisting?
This stuff isn't theoretical, I see Office macros that use wmic (etc) to bypass application whitelisting all the time :) quite often they're targeting high security orgs. cc @subTee
Replying to @GossiTheDog @da_667 and
When you've got to the point that you can run office macros, you've already defeated whitelisting. You need to get to that point first.
I don't disagree. The slight problem, here's how to run Office macros at almost every organisation: email them to a user.
Replying to @GossiTheDog @taviso and
Organisations that immature aren’t going to be able to implement whitelisting in the first place. This argument is going around in circles.
Oh, there's major UK banks like that. Alphabet have Chronicle (aka VirusTotal), which is a ~100tb a month database of macros which bypass app whitelisting and bad .exes.
Replying to @GossiTheDog @taviso and
Tavis’ point is that if you’re able to email macros to a user and have them execute them, your target isn’t using whitelisting.
I don't think it was - it was more by letting users execute macros (and so code) you've already lost a degree of control (correct me if I'm wrong @taviso)
No, Mark was right, macros can be whitelisted just like anything else. If you're allowing arbitrary macros, then you're not whitelisting.
Ah! There isn't a macro whitelisting feature in Office, not to get all technical. You can whitelist folder locations though, or rely on digital signatures (but then you just get a public CA to sign your doc).
Replying to @GossiTheDog @markeldo and
I don't follow, what you've just described is a whitelisting feature, right?