diff --git a/yml/OSBinaries/DeviceCredentialDeployment.yml b/yml/OSBinaries/DeviceCredentialDeployment.yml new file mode 100644 index 0000000..195f3d2 --- /dev/null +++ b/yml/OSBinaries/DeviceCredentialDeployment.yml @@ -0,0 +1,22 @@ +--- +Name: DeviceCredentialDeployment.exe +Description: Device Credential Deployment +Author: 'Elliot Killick' +Created: '2021-08-16' +Commands: + - Command: DeviceCredentialDeployment + Description: Grab the console window handle and set it to hidden + Usecase: Can be used to stealthily run a console application (e.g. cmd.exe) in the background + Category: Hide window + Privileges: User + MitreID: T1564 + MitreLink: https://attack.mitre.org/techniques/T1564/003/ + OperatingSystem: Windows 10 +Full_Path: + - Path: C:\Windows\System32\DeviceCredentialDeployment.exe +Detection: + - IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation +Acknowledgement: + - Person: Elliot Killick + Handle: '@elliotkillick' +---
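Review bot: the MitreID and MitreLink in the Commands entry disagree: MitreLink points at the sub-technique page https://attack.mitre.org/techniques/T1564/003/ (Hide Artifacts: Hidden Window) while MitreID gives only the parent T1564. Change the ID to `MitreID: T1564.003` so the two fields describe the same technique, and consider expanding Description beyond the binary's display name to say what the binary does (the Command's Description already covers this: it grabs the console window handle and hides it). The Detection IOC is a reasonable start, but it would help defenders to also state the observable, e.g. process creation of C:\Windows\System32\DeviceCredentialDeployment.exe on a workstation, especially when it is a child of an unexpected parent such as cmd.exe or a script host.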