mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-07-27 04:32:24 +02:00
Wietze
GitHub
@@ -1,10 +1,10 @@
|
||||
---
|
||||
Name: DefaultPack.EXE
|
||||
Description: This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.
|
||||
Description: This binary can be downloaded along side multiple software downloads on the Microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.
|
||||
Author: '@checkymander'
|
||||
Created: 2020-10-01
|
||||
Commands:
|
||||
- Command: DefaultPack.EXE /C:"process.exe args"
|
||||
- Command: DefaultPack.EXE /C:"{CMD}"
|
||||
Description: Use DefaultPack.EXE to execute arbitrary binaries, with added argument support.
|
||||
Usecase: Can be used to execute stagers, binaries, and other malicious commands.
|
||||
Category: Execute
|
||||
@@ -15,8 +15,6 @@ Commands:
|
||||
- Execute: CMD
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml
|
||||
- IOC: DefaultPack.EXE spawned an unknown process
|
||||
|
||||
Reference in New Issue
Block a user