Added method for AgentExecutor

yml/OtherMSBinaries/agentexecutor.yml

@@ -0,0 +1,34 @@
+---
+Name: AgentExecutor.exe
+Description: Intune Management Extension included on Intune Managed Devices
+Author: 'Eleftherios Panos'
+Created: '23/07/2020'
+Commands:
+  - Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\Windows\SysWOW64\WindowsPowerShell\v1.0" 0 1
+    Description: Spawns powershell.exe and executes a provided powershell script with ExecutionPolicy Bypass argument
+    Usecase: Execute unsigned powershell scripts
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows 10
+  - Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1
+    Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully
+    Usecase: Execute a provided EXE
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows 10
+Full_Path:
+  - Path: C:\Program Files (x86)\Microsoft Intune Management Extension
+Code_Sample: 
+  - Code:
+Detection: 
+  - IOC:
+Resources:
+  - Link: 
+Acknowledgement:
+  - Person: Eleftherios Panos
+    Handle: @lefterispan
+---