From 6d07c2dee1ec4339c0eae49f96cc8b54ead38bd3 Mon Sep 17 00:00:00 2001 From: idabian <139040851+idabian@users.noreply.github.com> Date: Wed, 10 Sep 2025 21:08:49 +0300 Subject: [PATCH] Add RDS Binaries (#453) Co-authored-by: Wietze --- yml/OSBinaries/Change.yml | 24 ++++++++++++++++++++++++ yml/OSBinaries/Query.yml | 24 ++++++++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 yml/OSBinaries/Change.yml create mode 100644 yml/OSBinaries/Query.yml diff --git a/yml/OSBinaries/Change.yml b/yml/OSBinaries/Change.yml new file mode 100644 index 0000000..dde871e --- /dev/null +++ b/yml/OSBinaries/Change.yml @@ -0,0 +1,24 @@ +--- +Name: Change.exe +Description: Remote Desktop Services MultiUser Change Utility +Author: 'Idan Lerman' +Created: 2025-07-31 +Commands: + - Command: change.exe user + Description: Once executed, `change.exe` will execute `chgusr.exe` in the same folder. Thus, if `change.exe` is copied to a folder and an arbitrary executable is renamed to `chgusr.exe`, `change.exe` will spawn it. Instead of `user`, it is also possible to use `port` or `logon` as command-line option. + Usecase: Execute an arbitrary executable via trusted system executable. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE + - Requires: Rename +Full_Path: + - Path: c:\windows\system32\change.exe + - Path: c:\windows\syswow64\change.exe +Detection: + - IOC: change.exe being executed and executes a child process outside of its normal path of c:\windows\system32\ or c:\windows\syswow64\ +Acknowledgement: + - Person: Idan Lerman + Handle: '@IdanLerman' diff --git a/yml/OSBinaries/Query.yml b/yml/OSBinaries/Query.yml new file mode 100644 index 0000000..c257847 --- /dev/null +++ b/yml/OSBinaries/Query.yml 
@@ -0,0 +1,24 @@ +--- +Name: Query.exe +Description: Remote Desktop Services MultiUser Query Utility +Author: Idan Lerman +Created: 2025-07-31 +Commands: + - Command: query.exe user + Description: Once executed, `query.exe` will execute `quser.exe` in the same folder. Thus, if `query.exe` is copied to a folder and an arbitrary executable is renamed to `quser.exe`, `query.exe` will spawn it. Instead of `user`, it is also possible to use `session`, `termsession` or `process` as command-line option. + Usecase: Execute an arbitrary executable via trusted system executable. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE + - Requires: Rename +Full_Path: + - Path: c:\windows\system32\query.exe + - Path: c:\windows\syswow64\query.exe +Detection: + - IOC: query.exe being executed and executes a child process outside of its normal path of c:\windows\system32\ or c:\windows\syswow64\ +Acknowledgement: + - Person: Idan Lerman + Handle: '@IdanLerman'
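Review bot: The Detection IOC in the Change.yml hunk only covers where the child process runs from, but the Description itself states that the technique depends on `change.exe` first being copied out of `c:\windows\system32\` or `c:\windows\syswow64\`, so `change.exe` executing from any other location is an equally strong indicator and deserves its own `- IOC:` entry alongside the existing one. The existing IOC also reads awkwardly ("change.exe being executed and executes a child process"); consider `change.exe spawning a child process whose image is located outside of c:\windows\system32\ or c:\windows\syswow64\`. Minor style point: `Author: 'Idan Lerman'` is quoted in this file but unquoted in Query.yml; pick one style for both.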
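Review bot: The Query.yml hunk has the same Detection gap as Change.yml: the IOC only flags the child process path, while the Description relies on `query.exe` being copied to another folder, so add a second `- IOC:` for `query.exe` executing from outside `c:\windows\system32\` or `c:\windows\syswow64\`, and reword the existing one to `query.exe spawning a child process whose image is located outside of c:\windows\system32\ or c:\windows\syswow64\`. Also, in the Description, please verify the `termsession` option against the binary's own usage text (`query /?`) before merging, since the Change.yml entry lists its options exactly as the binary spells them and this file should match.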