From 4860585fb763ea8ba6e58b27014c9af1fa0ab54d Mon Sep 17 00:00:00 2001 From: Wietze Date: Sun, 14 Nov 2021 23:26:39 +0000 Subject: [PATCH] Adding CustomShellHost.exe LOLBAS --- yml/OSBinaries/CustomShellHost.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 yml/OSBinaries/CustomShellHost.yml diff --git a/yml/OSBinaries/CustomShellHost.yml b/yml/OSBinaries/CustomShellHost.yml new file mode 100644 index 0000000..d40fff8 --- /dev/null +++ b/yml/OSBinaries/CustomShellHost.yml @@ -0,0 +1,24 @@ +--- +Name: CustomShellHost.exe +Description: A host process that is used by custom shells when using Windows in Kiosk mode. +Author: 'Wietze Beukema' +Created: 2021-11-14 +Commands: + - Command: CustomShellHost.exe + Description: Executes explorer.exe (with command-line argument /NoShellRegistrationCheck) if present in the current working folder. + Usecase: Can be used to evade defensive counter-measures + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Windows\System32\CustomShellHost.exe +Detection: + - IOC: CustomShellHost.exe is unlikely to run on normal workstations +Resources: + - Link: https://twitter.com/YoSignals/status/1381353520088113154 + - Link: https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher +Acknowledgement: + - Person: John Carroll + Handle: '@YoSignals' +---
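Review bot: the `Detection` entry ("CustomShellHost.exe is unlikely to run on normal workstations") is weaker than the behaviour the `Description` field itself documents, and it will false-positive on the kiosk deployments the entry says are the binary's legitimate use. Since the Commands description states that explorer.exe is loaded from the current working folder, consider adding an IOC that keys on that, for example `- IOC: CustomShellHost.exe spawning explorer.exe whose image path is not %SystemRoot%\explorer.exe` and `- IOC: CustomShellHost.exe started with a working directory outside C:\Windows\System32`, and qualify the existing IOC with the Shell Launcher / Kiosk-mode context so analysts know when the process is expected. Minor: the Commands description should mention that the `/NoShellRegistrationCheck` argument is passed to explorer.exe by CustomShellHost.exe, not supplied on the CustomShellHost.exe command line shown in `Command:`.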