public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-01-24 20:42:09 +01:00
Code Issues Projects Releases Wiki Activity

Add AddInProcess32

Browse Source
This commit is contained in:
Chris Spehn 2020-09-03 08:25:51 -06:00
parent 5ee2298759
commit bb814f80fd
1 changed files with 30 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
yml/OSBinaries/AddInProcess32.yaml Normal file
View File

@ -0,0 +1,30 @@
---
Name: AddInProcess32.exe
Description: Used to compile and execute code
Author: 'Chris Spehn'
Created: '2020-09-03'
Commands:
- Command: AddInProcess32.exe /guid:32a91b0f-30cd-4c75-be79-ccbd6345de11 /pid:XXXX
Description: Execute a .NET assembly
Usecase: Code execution
Category: AWL bypass
Privileges: User
MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Code_Sample:
- Code:
Detection:
- IOC: AddInProcess32.exe should not normally be executed on workstations
Resources:
- Link: https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html
- Link: https://github.com/tyranid/DeviceGuardBypasses
Acknowledgement:
- Person: James Forshaw
Handle: 'https://twitter.com/tiraniddo'
---