This article is based mostly on the work of Grzegorz Tworek. I recently saw this tweet from Grzegorz (who, if you aren't following him, you really should be!) come across my timeline.

I had seen previous tweets referencing the AppLocker hash/signature cache and, having a CPD day, I thought I would take a closer look and see what did work and what didn't.

Having a look at the repository, there isn't a huge amount of material to go off (for someone new to it like me; once you get your head around it, it actually is everything you need to know). Probably fair to say that if it didn't work, that would be on me rather than the source material.

Let's start with NTFS EAs. Wikipedia helpfully tells us:

"Extended Attributes (EA) are file system features that enable users to associate computer files with metadata not interpreted by the filesystem, whereas regular attributes have a purpose strictly defined by the filesystem (such as permissions or records of creation and modification times)."

General documentation on EAs is actually quite sparse; the best resource I found giving an overview is the ever dependable SpecterOps. In short, EAs are like Alternate Data Streams (ADS) but with a data limit of ~65k on NTFS (the limit varies according to file system; that figure is from the Linux implementation of EAs).

So how does AppLocker use these EAs, and how do we abuse them to bypass it?

In my test environment I set up an AppLocker rule to allow a file with a certain hash. It is worth noting that this is a specific AppLocker hash, not a plain file hash.

[Image: Not the same hash]

Querying the EAs of the file using fsutil shows that the AppLocker hash is stored in a $-prefixed entry. From what I can gather from the tools that Grzegorz released, we can write EAs but we can't overwrite the $-prefixed entries. That is why his CopyEAs toolkit creates entries prefixed with a # and direct disk access is required to rename them.

So let's PoC this up and see what we can do. I created a 20MB VHD and mounted it as a test user.
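The checks described above, as an added PowerShell example (this is not code from the post or from Grzegorz Tworek's toolkit): it compares the hash AppLocker reports for a file with a plain SHA256 of the same bytes, dumps the file's EAs with fsutil, writes a #-prefixed EA of our own, and dumps them again. The file path and the EA name are placeholders I have chosen; the normalisation of HashDataString is an assumption about its format.

```powershell
# Added example, not code from the original post or from Grzegorz Tworek's
# tools. Run in an elevated PowerShell on Windows 10/11 with the AppLocker
# module available. The path is hypothetical (a PE copied onto the test VHD)
# and '#MyTest' is just an arbitrary, user-chosen EA name.
param(
    [string]$Path = 'V:\test\hello.exe'
)

Import-Module AppLocker

# 1. AppLocker's hash vs. a plain SHA256 of the file bytes.
#    Get-AppLockerFileInformation returns the hash AppLocker itself uses for
#    hash rules; Get-FileHash hashes the raw file. Assumption: HashDataString
#    is hex, possibly with a leading 0x, so normalise before comparing.
$fileInfo      = Get-AppLockerFileInformation -Path $Path
$appLockerHash = ($fileInfo.Hash.HashDataString -replace '^0x', '').ToUpper()
$plainSha256   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToUpper()

"AppLocker hash : $appLockerHash"
"SHA256 of file : $plainSha256"
if ($appLockerHash -ne $plainSha256) {
    'The two values differ: the AppLocker hash is not a flat hash of this file.'
}

# 2. Dump the file's extended attributes. After AppLocker has evaluated the
#    file, the cached hash information shows up here in a $-prefixed entry.
fsutil file queryEA $Path

# 3. Write an EA of our own. Ordinary names are writable from user mode;
#    the post notes that the $-prefixed entries are not.
fsutil file setEA $Path '#MyTest' 'hello'

# 4. Query again: '#MyTest' now appears alongside the existing entries.
fsutil file queryEA $Path
```

Run it against an .exe that AppLocker has already evaluated (for example after launching it once under the hash rule) so that step 2 has a cached entry to show; step 1 reproduces the "not the same hash" observation from the screenshot.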