LOLBAS/yml/OtherMSBinaries/Mftrace.yml

35 lines
1.2 KiB
YAML
Raw Normal View History

2018-06-09 00:15:06 +02:00
---
Name: Mftrace.exe
Description: Trace log generation tool for Media Foundation Tools.
Author: 'Oddvar Moe'
Created: 2018-05-25
2018-06-09 00:15:06 +02:00
Commands:
- Command: Mftrace.exe cmd.exe
Description: Launch cmd.exe as a subprocess of Mftrace.exe.
Usecase: Local execution of cmd.exe as a subprocess of Mftrace.exe.
Category: Execute
Privileges: User
MitreID: T1127
OperatingSystem: Windows
2018-06-09 00:15:06 +02:00
- Command: Mftrace.exe powershell.exe
Description: Launch cmd.exe as a subprocess of Mftrace.exe.
Usecase: Local execution of powershell.exe as a subprocess of Mftrace.exe.
Category: Execute
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
- Path: C:\Program Files (x86)\Windows Kits\10\bin\x86
- Path: C:\Program Files (x86)\Windows Kits\10\bin\x64
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml
2018-06-09 00:15:06 +02:00
Resources:
- Link: https://twitter.com/0rbz_/status/988911181422186496
Acknowledgement:
- Person: fabrizio
Handle: '@0rbz_'