public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-02-05 18:12:17 +01:00
Code Issues Projects Releases Wiki Activity

did linter fixing

Browse Source
This commit is contained in:
JasonPhang98 2025-01-19 18:03:08 +08:00
parent c44c70d55b
commit 89105ae243
1 changed files with 7 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
yml/OSBinaries/SystemSettingsAdminFlow.yml
View File

@ -1,6 +1,5 @@
---
Name: SystemSettingsAdminFlow.exe Name: SystemSettingsAdminFlow.exe
Description: SystemSettingsAdminFlows.exe is responsible for the administrator privileges that are required for opening /editing/ removing files. Description: SystemSettingsAdminFlows.exe is responsible for the administrator privileges that are required for opening/editing/removing files.
Author: 'Jason Phang Vern-Onn' Author: 'Jason Phang Vern-Onn'
Created: 2025-01-19 Created: 2025-01-19
Commands: Commands:
@ -8,20 +7,20 @@ Commands:
- Command: C:\Windows\System32\SystemSettingsFlowAdmin.exe Defender SubmitSamplesConsent 0 - Command: C:\Windows\System32\SystemSettingsFlowAdmin.exe Defender SubmitSamplesConsent 0
- Command: C:\Windows\System32\SystemSettingsFlowAdmin.exe Defender SpynetReporting 0 - Command: C:\Windows\System32\SystemSettingsFlowAdmin.exe Defender SpynetReporting 0
- Command: C:\Windows\System32\SystemSettingsFlowAdmin.exe Defender RTP 1 - Command: C:\Windows\System32\SystemSettingsFlowAdmin.exe Defender RTP 1
Description: SystemSettingsFlowAdmin.exe can be abused to modify Windows Defender settings, such as disabling enhanced notifications, submission consent, and real-time protection. This allows execution of potentially malicious software without detection. Description: SystemSettingsFlowAdmin.exe can be abused to modify Windows Defender settings, such as disabling enhanced notifications, submission consent, and real-time protection.
Usecase: Attackers can exploit this binary to disable critical Windows Defender settings and bypass security measures, enabling malware execution. Usecase: Attackers can exploit this binary to disable critical Windows Defender settings and bypass security measures, enabling malware execution.
Category: Execute Category: Execute
Privileges: Administrator Privileges: Administrator
MitreID: T1562.001 MitreID: T1562.001
OperatingSystem: Windows 10 1803, Windows 10 1703 OperatingSystem: Windows 10 1803, Windows 10 1703
Tags: Tags:
- Execute: EXE - Execute
- Tamper - Tamper
Full_Path: Full_Path:
- Path: C:\Windows\System32\SystemSettingsFlowAdmin.exe - Path: C:\Windows\System32\SystemSettingsFlowAdmin.exe
- Path: C:\Windows\Syswow64\SystemSettingsFlowAdmin.exe - Path: C:\Windows\Syswow64\SystemSettingsFlowAdmin.exe
Detection: Detection:
- IOC: Microsoft-Windows-Windows Defender/Operational Event Log Event ID 5007 for changes - IOC: Microsoft-Windows-Windows Defender/Operational Event Log Event ID 5007 for changes.
- IOC: SystemSettingsFlowAdmin.exe spawned with parent image not SystemSettings.exe - IOC: SystemSettingsFlowAdmin.exe spawned with parent image not SystemSettings.exe
- Sigma: https://gist.githubusercontent.com/ald3n5/b1a3f4138b1a1624f7e183a3d0859d17/raw/29e6f67fa3920a39cb4c4bc5226f21a6057fa5ad/susp_adminflows_tampering_defender.yml - Sigma: https://gist.githubusercontent.com/ald3n5/b1a3f4138b1a1624f7e183a3d0859d17/raw/29e6f67fa3920a39cb4c4bc5226f21a6057fa5ad/susp_adminflows_tampering_defender.yml
Resources: Resources: