LOLBAS/yml/OSBinaries/SystemSettingsAdminFlow.yml

---
Name: SystemSettingsAdminFlow.exe
Description: SystemSettingsAdminFlows.exe is responsible for the administrator privileges that are required for opening/editing/removing files.
Author: 'Jason Phang Vern-Onn'
Created: 2025-01-19
Commands:
  - Command: C:\Windows\System32\SystemSettingsFlowAdmin.exe Defender DisableEnhancedNotifications 1
  - Command: C:\Windows\System32\SystemSettingsFlowAdmin.exe Defender SubmitSamplesConsent 0
  - Command: C:\Windows\System32\SystemSettingsFlowAdmin.exe Defender SpynetReporting 0
  - Command: C:\Windows\System32\SystemSettingsFlowAdmin.exe Defender RTP 1
    Description: SystemSettingsFlowAdmin.exe can be abused to modify Windows Defender settings, such as disabling enhanced notifications, submission consent, and real-time protection.
    Usecase: Attackers can exploit this binary to disable critical Windows Defender settings and bypass security measures, enabling malware execution.
    Category: Execute
    Privileges: Administrator
    MitreID: T1562.001
    OperatingSystem: Windows 10 1803, Windows 10 1703
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Windows\System32\SystemSettingsFlowAdmin.exe
  - Path: C:\Windows\Syswow64\SystemSettingsFlowAdmin.exe
Detection:
  - IOC: Microsoft-Windows-Windows Defender/Operational Event Log Event ID 5007 for changes
  - IOC: SystemSettingsFlowAdmin.exe spawned with parent image not SystemSettings.exe
  - Sigma: https://gist.githubusercontent.com/ald3n5/b1a3f4138b1a1624f7e183a3d0859d17/raw/29e6f67fa3920a39cb4c4bc5226f21a6057fa5ad/susp_adminflows_tampering_defender.yml
Resources:
  - Link: https://www.huntress.com/blog/lolbin-to-inc-ransomware
  - Link: https://www.huntress.com/blog/its-not-safe-to-pay-safepay
Acknowledgement:
  - Person: Alden Schmidt
  - Person: Matt Anderson
fixing again linter 2025-01-19 11:06:55 +01:00			`---`
adding new lolbin 2025-01-19 10:25:51 +01:00			`Name: SystemSettingsAdminFlow.exe`
did linter fixing 2025-01-19 11:03:08 +01:00			`Description: SystemSettingsAdminFlows.exe is responsible for the administrator privileges that are required for opening/editing/removing files.`
adding new lolbin 2025-01-19 10:25:51 +01:00			`Author: 'Jason Phang Vern-Onn'`
			`Created: 2025-01-19`
			`Commands:`
			`- Command: C:\Windows\System32\SystemSettingsFlowAdmin.exe Defender DisableEnhancedNotifications 1`
added fixes 2025-01-19 10:54:46 +01:00			`- Command: C:\Windows\System32\SystemSettingsFlowAdmin.exe Defender SubmitSamplesConsent 0`
adding new lolbin 2025-01-19 10:25:51 +01:00			`- Command: C:\Windows\System32\SystemSettingsFlowAdmin.exe Defender SpynetReporting 0`
added fixes 2025-01-19 10:54:46 +01:00			`- Command: C:\Windows\System32\SystemSettingsFlowAdmin.exe Defender RTP 1`
did linter fixing 2025-01-19 11:03:08 +01:00			`Description: SystemSettingsFlowAdmin.exe can be abused to modify Windows Defender settings, such as disabling enhanced notifications, submission consent, and real-time protection.`
adding new lolbin 2025-01-19 10:25:51 +01:00			`Usecase: Attackers can exploit this binary to disable critical Windows Defender settings and bypass security measures, enabling malware execution.`
			`Category: Execute`
			`Privileges: Administrator`
did linter fixing 2025-01-19 11:03:08 +01:00			`MitreID: T1562.001`
adding new lolbin 2025-01-19 10:25:51 +01:00			`OperatingSystem: Windows 10 1803, Windows 10 1703`
			`Tags:`
fixing again linter 2025-01-19 11:06:55 +01:00			`- Execute: EXE`
adding new lolbin 2025-01-19 10:25:51 +01:00			`Full_Path:`
			`- Path: C:\Windows\System32\SystemSettingsFlowAdmin.exe`
			`- Path: C:\Windows\Syswow64\SystemSettingsFlowAdmin.exe`
			`Detection:`
fix formatting 2025-01-19 11:13:34 +01:00			`- IOC: Microsoft-Windows-Windows Defender/Operational Event Log Event ID 5007 for changes`
added fixes 2025-01-19 10:54:46 +01:00			`- IOC: SystemSettingsFlowAdmin.exe spawned with parent image not SystemSettings.exe`
adding new lolbin 2025-01-19 10:25:51 +01:00			`- Sigma: https://gist.githubusercontent.com/ald3n5/b1a3f4138b1a1624f7e183a3d0859d17/raw/29e6f67fa3920a39cb4c4bc5226f21a6057fa5ad/susp_adminflows_tampering_defender.yml`
			`Resources:`
			`- Link: https://www.huntress.com/blog/lolbin-to-inc-ransomware`
did linter fixing 2025-01-19 11:03:08 +01:00			`- Link: https://www.huntress.com/blog/its-not-safe-to-pay-safepay`
adding new lolbin 2025-01-19 10:25:51 +01:00			`Acknowledgement:`
did linter fixing 2025-01-19 11:03:08 +01:00			`- Person: Alden Schmidt`
fixing again linter 2025-01-19 11:06:55 +01:00			`- Person: Matt Anderson`