The tool copies NTFS EAs (extended attributes) from one file to another. If an EA name starts with $..., the copy is renamed to start with #... instead. This makes it possible to manipulate the AppLocker cache, effectively leading to a whitelisting bypass.
If you want to test it on your own, you can use the published VHDX file:
- Create whitelisting rules that allow only Microsoft-signed applications to run
- Attach the VHDX
- Observe my app (a harmless "hello world") running despite the configured whitelisting
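As an added defender-side example (not the tool above, and not code from its author): a parser for the FILE_FULL_EA_INFORMATION records that ntdll's NtQueryEaFile fills in when a file's NTFS EAs are read, which then flags EA names starting with #, the prefix the copied EAs carry. The sample buffer is constructed inline; obtaining the buffer from a live file on Windows is assumed to be done separately.

```python
import struct

def parse_ea_records(buf: bytes) -> list[tuple[str, bytes]]:
    """Walk a chain of FILE_FULL_EA_INFORMATION records (the layout NtQueryEaFile
    fills in): ULONG NextEntryOffset, UCHAR Flags, UCHAR EaNameLength,
    USHORT EaValueLength, then the NUL-terminated name and the raw value."""
    records, off = [], 0
    while off + 8 <= len(buf):
        nxt, _flags, nlen, vlen = struct.unpack_from("<IBBH", buf, off)
        name_start = off + 8
        value_start = name_start + nlen + 1          # skip the NUL after the name
        if value_start + vlen > len(buf):            # truncated record: stop, do not guess
            break
        name = buf[name_start:name_start + nlen].decode("ascii", "replace")
        records.append((name, buf[value_start:value_start + vlen]))
        if nxt < 8:                                  # 0 marks the last entry; smaller is malformed
            break
        off += nxt
    return records

def renamed_ea_names(records) -> list[str]:
    """EA names beginning with '#': what the copy tool leaves in place of '$...' names."""
    return [name for name, _ in records if name.startswith("#")]

def constructed_ea_buffer(entries) -> bytes:
    """Test input only: encode (name, value) pairs in the same record layout,
    each entry padded to a ULONG (4-byte) boundary as the structure requires."""
    chunks = []
    for i, (name, value) in enumerate(entries):
        body = struct.pack("<BBH", 0, len(name), len(value)) + name.encode("ascii") + b"\0" + value
        body += b"\0" * ((-(4 + len(body))) % 4)
        next_off = 0 if i == len(entries) - 1 else 4 + len(body)
        chunks.append(struct.pack("<I", next_off) + body)
    return b"".join(chunks)

# Constructed sample (names are made up): one original '$...' EA, its '#...' copy, an unrelated EA.
SAMPLE_EAS = [("$SAMPLE.ORIGINAL", b"\x01\x02\x03"),
              ("#SAMPLE.ORIGINAL", b"\x01\x02\x03"),
              ("PLAIN", b"")]

if __name__ == "__main__":
    parsed = parse_ea_records(constructed_ea_buffer(SAMPLE_EAS))
    for name, value in parsed:
        print(f"{name:20s} {len(value)} byte(s)")
    print("renamed EA names:", renamed_ea_names(parsed))
```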