From 1587eeaf6ce1f08bc3d945eb0392257c14dcd488 Mon Sep 17 00:00:00 2001 From: Grzegorz Tworek Date: Wed, 26 Oct 2022 12:15:13 +0200 Subject: [PATCH] Create Setres.yml (#262) Co-authored-by: Wietze --- yml/OSBinaries/Setres.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 yml/OSBinaries/Setres.yml diff --git a/yml/OSBinaries/Setres.yml b/yml/OSBinaries/Setres.yml new file mode 100644 index 0000000..1f51d47 --- /dev/null +++ b/yml/OSBinaries/Setres.yml @@ -0,0 +1,24 @@ +--- +Name: Setres.exe +Description: Configures display settings +Author: Grzegorz Tworek +Created: 2022-10-21 +Commands: + - Command: setres.exe -w 800 -h 600 + Description: Sets the resolution and then launches 'choice' command from the working directory. + Usecase: Executes arbitrary code + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022 +Full_Path: + - Path: c:\windows\system32\setres.exe +Detection: + - IOC: Unusual location for choice.exe file + - IOC: Process created from choice.com binary + - IOC: Existence of choice.cmd file +Resources: + - Link: https://twitter.com/0gtweet/status/1583356502340870144 +Acknowledgement: + - Person: Grzegorz Tworek + Handle: '@0gtweet'
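Review bot: The Detection block lists IOCs for choice.exe, choice.com and choice.cmd, but the Command Description only says setres launches the 'choice' command "from the working directory", so a reader cannot tell why three file extensions are relevant; consider stating in the Description that the lookup resolves against the current working directory with the usual .com/.exe/.cmd extension search, which is what the three IOCs imply. Related, the IOC list is entirely file-based (unusual location, file existence); adding a process-based IOC such as "setres.exe spawning a child process whose image is not under c:\windows\system32" would give defenders something to match in process-creation telemetry rather than only on disk. Minor: the Usecase line "Executes arbitrary code" could be tightened to "Executes code in the context of the calling user" to match the stated Privileges of User.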