Unprivileged User Persistence with Zoom

*** UPDATE: It looks like the most recent version of Zoom has fixed the issue of loading an unsigned DllSafeCheck.dll. This persistence technique no longer works. Thank you to @LadhaAleem for bringing this to my attention. See the Patching Zoom.exe section for details on how this can be bypassed. Zoom has been in security news…

DLL Side-loading and Zero-width Spaces

My previous post discussed using appverif.exe and DLL side-loading to execute a payload on a system. The advantage of using a legitimate Microsoft signed binary such as appverif.exe to load and execute your DLL was to bypass anti-virus and application whitelisting. One drawback to this technique is that you are executing appverif.exe outside of its…

Unconstrained Delegation

One of the weaknesses that I configured in my lab environment was “Unconstrained Delegation.” Systems in an Active Directory (AD) environment can be configured for unconstrained delegation. This means that a system can “delegate”, or impersonate users that authenticate to it. Normally, when a user authenticates to a service running on a system, the user…