From a45d4ca25cf71578dab0ae9d5ccc827c30157f9f Mon Sep 17 00:00:00 2001 From: checkymander <26147220+checkymander@users.noreply.github.com> Date: Thu, 1 Oct 2020 22:37:00 -0400 Subject: [PATCH] Create DefaultPack.yml Added DefaultPack.EXE LOLBin --- yml/OtherMSBinaries/DefaultPack.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 yml/OtherMSBinaries/DefaultPack.yml diff --git a/yml/OtherMSBinaries/DefaultPack.yml b/yml/OtherMSBinaries/DefaultPack.yml new file mode 100644 index 0000000..acf7856 --- /dev/null +++ b/yml/OtherMSBinaries/DefaultPack.yml @@ -0,0 +1,26 @@ +--- +Name: DefaultPack.EXE +Description: This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider. +Author: @checkymander +Created: '2020-10-01' +Commands: + - Command: DefaultPack.EXE /C:"process.exe args" + Description: Use DefaultPack.EXE to execute arbitrary binaries, with added argument support. + Usecase: Can be used to execute stagers, binaries, and other malicious commands. + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows +Full_Path: + - Path: C:\Program Files (x86)\Microsoft\DefaultPack\ +Code_Sample: + - Code: +Detection: + - IOC: DefaultPack.EXE spawned an unknown process +Resources: + - Link: https://twitter.com/checkymander/status/1311509470275604480. +Acknowledgement: + - Person: checkymander + Handle: @checkymander +---
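Review bot: the lines `+Author: @checkymander` and `+  Handle: @checkymander` will not parse as YAML, because `@` is a reserved indicator that cannot start a plain scalar; quote both values, e.g. `Author: '@checkymander'`, or the file will fail the project's schema load. Two smaller points in the same hunk: `+Full_Path:` gives only the directory `C:\Program Files (x86)\Microsoft\DefaultPack\` rather than the full path to the binary, and the `+  - Link: https://twitter.com/checkymander/status/1311509470275604480.` value carries a trailing period that becomes part of the URL, so drop it. The `+Code_Sample:` entry has an empty `Code:` value and should either be filled in or omitted, and the `+  - IOC: DefaultPack.EXE spawned an unknown process` detection would be more actionable if it named the observable the entry itself documents, namely DefaultPack.EXE as parent process with a command line containing `/C:` and a child process that is not part of the installer flow.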