public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-01-12 23:11:40 +01:00
Code Issues Projects Releases Wiki Activity

Added plain explorer execution

Browse Source
This commit is contained in:
bohops 2020-07-03 15:03:07 -04:00 committed by GitHub
parent 92f020b885
commit 343a0e2478
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
yml/OSBinaries/Explorer.yml
View File

@ -12,6 +12,14 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: explorer.exe C:\Windows\System32\notepad.exe
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10 (Tested)
Full_Path:
- Path: C:\Windows\explorer.exe
- Path: C:\Windows\SysWOW64\explorer.exe
@ -21,7 +29,11 @@ Detection:
- IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this.
Resources:
- Link: https://twitter.com/CyberRaiju/status/1273597319322058752?s=20
- Link: https://twitter.com/bohops/status/1276356245541335048
- Link: https://twitter.com/bohops/status/986984122563391488
Acknowledgement:
- Person: Jai Minton
Handle: '@CyberRaiju'
- Person: Jimmy
Handle: '@bohops'
---