ADS – Oddvar Moe's Blog

A small discovery about AppLocker

Posted on 29 May 2019 by Oddvar Moe [MVP]

While I was prepping for a session a while back I made a a little special discovery about AppLocker. Turns out that the files that AppLocker uses under C:\Windows\System32\AppLocker can be used in many cases to bypass a Default AppLocker ruleset. When a machine is deployed and the first user logs in, that user will … Continue reading A small discovery about AppLocker →

Putting data in Alternate data streams and how to execute it – part 2

Posted on 11 Apr 2018 by Oddvar Moe [MVP]

I wrote a blogpost a while back about Alternate data streams that you can find here: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ After I wrote that post I have made some new discoveries that I wanted to share around Alternate data streams. As you probably already know if you read some of my stuff is that I am a big fan … Continue reading Putting data in Alternate data streams and how to execute it – part 2 →

Putting data in Alternate data streams and how to execute it

Posted on 14 Jan 201829 Aug 2018 by Oddvar Moe [MVP]

Part 2 of this research can be found here: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ I always had a fascination about ADS (Alternate data streams) and using it as part of a persistence. My first meeting with this as a persistence technique was when Matt Nelson aka @Enigma0x3 wrote a blogpost about using it: https://enigma0x3.net/2015/03/05/using-alternate-data-streams-to-persist-on-a-compromised-machine/ Quite recently I have started to play … Continue reading Putting data in Alternate data streams and how to execute it →