From 4860585fb763ea8ba6e58b27014c9af1fa0ab54d Mon Sep 17 00:00:00 2001
From: Wietze
Date: Sun, 14 Nov 2021 23:26:39 +0000
Subject: [PATCH 1/2] Adding CustomShellHost.exe LOLBAS

---
 yml/OSBinaries/CustomShellHost.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 yml/OSBinaries/CustomShellHost.yml

diff --git a/yml/OSBinaries/CustomShellHost.yml b/yml/OSBinaries/CustomShellHost.yml
new file mode 100644
index 0000000..d40fff8
--- /dev/null
+++ b/yml/OSBinaries/CustomShellHost.yml
@@ -0,0 +1,24 @@
+---
+Name: CustomShellHost.exe
+Description: A host process that is used by custom shells when using Windows in Kiosk mode.
+Author: 'Wietze Beukema'
+Created: 2021-11-14
+Commands:
+ - Command: CustomShellHost.exe Description: Executes explorer.exe (with command-line argument /NoShellRegistrationCheck) if present in the current working folder. Usecase: Can be used to evade defensive counter-measures Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: C:\Windows\System32\CustomShellHost.exe
+Detection:
+ - IOC: CustomShellHost.exe is unlikely to run on normal workstations
+Resources:
+ - Link: https://twitter.com/YoSignals/status/1381353520088113154
+ - Link: https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher
+Acknowledgement:
+ - Person: John Carroll Handle: '@YoSignals'
+---

From 05faad73b2732926bf320b612d2c55ae079e9068 Mon Sep 17 00:00:00 2001
From: Conor Richard
Date: Sat, 17 Sep 2022 21:32:13 -0400
Subject: [PATCH 2/2] Removing extra YAML record start "---"

---
 yml/OSBinaries/CustomShellHost.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/yml/OSBinaries/CustomShellHost.yml b/yml/OSBinaries/CustomShellHost.yml
index d40fff8..c9ae886 100644
--- a/yml/OSBinaries/CustomShellHost.yml
+++ b/yml/OSBinaries/CustomShellHost.yml
@@ -21,4 +21,3 @@ Resources:
 Acknowledgement:
 - Person: John Carroll
 Handle: '@YoSignals'
----
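Review bot: The Detection IOC in the first hunk (`CustomShellHost.exe is unlikely to run on normal workstations`) rests on rarity alone, while the Command Description already names the observable a detection can key on: CustomShellHost.exe launching an explorer.exe taken from its current working folder with `/NoShellRegistrationCheck`. A more actionable entry would be `- IOC: CustomShellHost.exe spawning explorer.exe from a path other than its normal Windows location, or CustomShellHost.exe started with a working directory other than System32`. The Description is also ambiguous about which file must be "present in the current working folder"; if explorer.exe is meant, `Executes explorer.exe from the current working folder (with command-line argument /NoShellRegistrationCheck) if one is present there` makes that explicit. The Usecase line could likewise say what is evaded, since the effect described is that a trusted signed host runs an attacker-placed binary.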