mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-11-03 18:19:25 +01:00
ADD reset.exe (#454)
Co-authored-by: Wietze <wietze@users.noreply.github.com>
This commit is contained in:
Black Shade
GitHub
26
yml/OSBinaries/Eudcedit.yml
Normal file
26
yml/OSBinaries/Eudcedit.yml
Normal file
@@ -0,0 +1,26 @@
|
||||
---
|
||||
Name: Eudcedit.exe
|
||||
Description: Private Character Editor Windows Utility
|
||||
Author: Matan Bahar
|
||||
Created: 2025-08-07
|
||||
Commands:
|
||||
- Command: eudcedit
|
||||
Description: Once executed, the Private Charecter Editor will be opened - click OK, then click File -> Font Links. In the next window choose the option "Link with Selected Fonts" and click on Save As, then in the opened enter the command you want to execute.
|
||||
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
|
||||
Category: UAC Bypass
|
||||
Privileges: Administrator
|
||||
MitreID: T1548.002
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: CMD
|
||||
- Application: GUI
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\eudcedit.exe
|
||||
- Path: c:\windows\syswow64\eudcedit.exe
|
||||
Detection:
|
||||
- IOC: Processes spawned by eudcedit.exe.
|
||||
Resources:
|
||||
- Link: https://medium.com/@matanb707/windows-fonts-exploitation-in-2025-bypassing-uac-with-eudcedit-915599705639
|
||||
Acknowledgement:
|
||||
- Person: Matan Bahar
|
||||
Handle: '@Bl4ckShad3'
|
||||
24
yml/OSBinaries/Reset.yml
Normal file
24
yml/OSBinaries/Reset.yml
Normal file
@@ -0,0 +1,24 @@
|
||||
---
|
||||
Name: Reset.exe
|
||||
Description: Remote Desktop Services Reset Utility
|
||||
Author: Matan Bahar
|
||||
Created: 2025-07-31
|
||||
Commands:
|
||||
- Command: reset.exe session
|
||||
Description: Once executed, `reset.exe` will execute `rwinsta.exe` in the same folder. Thus, if `reset.exe` is copied to a folder and an arbitrary executable is renamed to `rwinsta.exe`, `reset.exe` will spawn it.
|
||||
Usecase: Execute an arbitrary executable via trusted system executable.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Requires: Rename
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\reset.exe
|
||||
- Path: c:\windows\syswow64\reset.exe
|
||||
Detection:
|
||||
- IOC: reset.exe being executed and executes rwinsta.exe outside of its normal path of c:\windows\system32\ or c:\windows\syswow64\
|
||||
Acknowledgement:
|
||||
- Person: Matan Bahar
|
||||
Handle: '@Bl4ckShad3'
|
||||
Reference in New Issue
Block a user