mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-11-04 02:29:34 +01:00
Conor Richard
GitHub
26
yml/OtherMSBinaries/DefaultPack.yml
Normal file
26
yml/OtherMSBinaries/DefaultPack.yml
Normal file
@@ -0,0 +1,26 @@
|
||||
---
|
||||
Name: DefaultPack.EXE
|
||||
Description: This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.
|
||||
Author: @checkymander
|
||||
Created: '2020-10-01'
|
||||
Commands:
|
||||
- Command: DefaultPack.EXE /C:"process.exe args"
|
||||
Description: Use DefaultPack.EXE to execute arbitrary binaries, with added argument support.
|
||||
Usecase: Can be used to execute stagers, binaries, and other malicious commands.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft\DefaultPack\
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: DefaultPack.EXE spawned an unknown process
|
||||
Resources:
|
||||
- Link: https://twitter.com/checkymander/status/1311509470275604480.
|
||||
Acknowledgement:
|
||||
- Person: checkymander
|
||||
Handle: @checkymander
|
||||
---
|
||||
Reference in New Issue
Block a user