From 3710c1c9721428012c5ae01f93998f354a7c4195 Mon Sep 17 00:00:00 2001
From: Eleftherios Panos <e.panos@encodegroup.com>
Date: Thu, 23 Jul 2020 13:58:30 +0300
Subject: [PATCH] Added method for AgentExecutor

---
 yml/OtherMSBinaries/agentexecutor.yml | 34 +++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 yml/OtherMSBinaries/agentexecutor.yml

diff --git a/yml/OtherMSBinaries/agentexecutor.yml b/yml/OtherMSBinaries/agentexecutor.yml
new file mode 100644
index 0000000..79a19d4
--- /dev/null
+++ b/yml/OtherMSBinaries/agentexecutor.yml
@@ -0,0 +1,34 @@
+---
+Name: AgentExecutor.exe
+Description: Intune Management Extension included on Intune Managed Devices
+Author: 'Eleftherios Panos'
+Created: '23/07/2020'
+Commands:
+  - Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\Windows\SysWOW64\WindowsPowerShell\v1.0" 0 1
+    Description: Spawns powershell.exe and executes a provided powershell script with ExecutionPolicy Bypass argument
+    Usecase: Execute unsigned powershell scripts
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows 10
+  - Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1
+    Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully
+    Usecase: Execute a provided EXE
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows 10
+Full_Path:
+  - Path: C:\Program Files (x86)\Microsoft Intune Management Extension
+Code_Sample: 
+  - Code:
+Detection: 
+  - IOC:
+Resources:
+  - Link: 
+Acknowledgement:
+  - Person: Eleftherios Panos
+    Handle: @lefterispan
+---
\ No newline at end of file