From 3b1fd0ea8eeb7f215bf974f3a640f54918004283 Mon Sep 17 00:00:00 2001 From: Elliot Killick Date: Thu, 26 Aug 2021 13:35:15 -0400 Subject: [PATCH] Create SettingSyncHost.yml --- yml/OSBinaries/SettingSyncHost.yml | 35 ++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 yml/OSBinaries/SettingSyncHost.yml diff --git a/yml/OSBinaries/SettingSyncHost.yml b/yml/OSBinaries/SettingSyncHost.yml new file mode 100644 index 0000000..b67c9ce --- /dev/null +++ b/yml/OSBinaries/SettingSyncHost.yml 
@@ -0,0 +1,35 @@ +--- +Name: SettingSyncHost.exe +Description: Host Process for Setting Synchronization +Author: 'Elliot Killick' +Created: '2021-08-26' +Commands: + - Command: SettingSyncHost -LoadAndRunDiagScript anything + Description: Execute file specified in %COMSPEC% + Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218/ + OperatingSystem: Windows 8, Windows 8.1, Windows 10 + - Command: SettingSyncHost -LoadAndRunDiagScriptNoCab anything + Description: Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\Windows\System32. + Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism. Additionally, effectively act as a -WindowStyle Hidden option (as there is in PowerShell) for any arbitrary batch file. + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218/ + OperatingSystem: Windows 8, Windows 8.1, Windows 10 +Full_Path: + - Path: C:\Windows\System32\SettingSyncHost.exe + - Path: C:\Windows\SysWOW64\SettingSyncHost.exe +Detection: + - IOC: SettingSyncHost.exe should not be run on a normal workstation +Resources: + - Link: https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin/ +Acknowledgement: + - Person: Adam + Handle: '@hexacorn' + - Person: Elliot Killick + Handle: '@elliotkillick' +---
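Review bot: the single Detection entry ("SettingSyncHost.exe should not be run on a normal workstation") is too coarse to act on, since Full_Path shows the binary shipping in System32 and SysWOW64 on every listed OS; the two commands in the hunk give a much more specific signal, so suggest replacing or supplementing it with IOCs derived from them, e.g. `- IOC: SettingSyncHost.exe launched with -LoadAndRunDiagScript or -LoadAndRunDiagScriptNoCab on the command line` and `- IOC: SettingSyncHost.exe spawning a child process from %COMSPEC% (cmd.exe by default)`. The NoCab description also relies on the working directory being %TMP% and on files such as reg.bat/reg.exe being created there, so a third IOC covering creation of such files in %TMP% shortly before the launch would cover that variant. Minor style point on the second Usecase: "Additionally, effectively act as a -WindowStyle Hidden option" is a sentence fragment; consider "It also effectively acts as a -WindowStyle Hidden option (as exists in PowerShell) for any arbitrary batch file."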