2020-07-23 12:58:30 +02:00
|
|
|
---
|
|
|
|
|
Name: AgentExecutor.exe
|
|
|
|
|
Description: Intune Management Extension included on Intune Managed Devices
|
|
|
|
|
Author: 'Eleftherios Panos'
|
2021-01-10 16:04:52 +01:00
|
|
|
Created: 2020-07-23
|
2020-07-23 12:58:30 +02:00
|
|
|
Commands:
|
|
|
|
|
- Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\Windows\SysWOW64\WindowsPowerShell\v1.0" 0 1
|
|
|
|
|
Description: Spawns powershell.exe and executes a provided powershell script with ExecutionPolicy Bypass argument
|
|
|
|
|
Usecase: Execute unsigned powershell scripts
|
|
|
|
|
Category: Execute
|
|
|
|
|
Privileges: User
|
|
|
|
|
MitreID: T1218
|
|
|
|
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
|
|
|
|
OperatingSystem: Windows 10
|
|
|
|
|
- Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1
|
|
|
|
|
Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully
|
|
|
|
|
Usecase: Execute a provided EXE
|
|
|
|
|
Category: Execute
|
|
|
|
|
Privileges: User
|
|
|
|
|
MitreID: T1218
|
|
|
|
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
|
|
|
|
OperatingSystem: Windows 10
|
|
|
|
|
Full_Path:
|
|
|
|
|
- Path: C:\Program Files (x86)\Microsoft Intune Management Extension
|
2021-01-10 16:04:52 +01:00
|
|
|
Code_Sample:
|
2020-07-23 12:58:30 +02:00
|
|
|
- Code:
|
2021-01-10 16:04:52 +01:00
|
|
|
Detection:
|
2020-07-23 12:58:30 +02:00
|
|
|
- IOC:
|
|
|
|
|
Resources:
|
2021-01-10 16:04:52 +01:00
|
|
|
- Link:
|
2020-07-23 12:58:30 +02:00
|
|
|
Acknowledgement:
|
|
|
|
|
- Person: Eleftherios Panos
|
2020-08-24 09:48:07 +02:00
|
|
|
Handle: '@lefterispan'
|
2020-08-24 09:42:07 +02:00
|
|
|
---
|
