public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-01-14 07:41:38 +01:00
Code Issues Projects Releases Wiki Activity

Update ComputerDefaults.yml

Browse Source
This commit is contained in:
Wietze 2024-09-25 23:19:51 +01:00 committed by GitHub
parent 797c53d95a
commit ead0f598da
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 7 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
yml/OSBinaries/ComputerDefaults.yml
View File

@ -1,26 +1,23 @@
---
Name: ComputerDefaults.exe
Description: ComputerDefaults.exe is a Windows system utility for managing default applications for tasks like web browsing, emailing, and media playback.
Aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality,
- Alias: # but for example, is built for different architecture.
Author: Eron Clarke
Created: 2024-09-24 # YYYY-MM-DD (date the person created this file)
Created: 2024-09-24
Commands:
- Command: .\ComputerDefaults.exe
Description: Upon execution, ComputerDefaults.exe checks the registry value at HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command, and if this key is created or modified by an attacker, it can force the binary to execute an arbitrary command.
Usecase: Used to execute a binary or script and bypass application whitelisting
Category: Execute
- Command: ComputerDefaults.exe
Description: Upon execution, ComputerDefaults.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
Category: UAC bypass
Privileges: User
MitreID: T1218
MitreID: T1548.002
OperatingSystem: Windows 10, Windows 11
Tags:
- Key1: Execute # Optional field for one or more tags
Full_Path:
- Path: C:\Windows\System32\ComputerDefaults.exe
- Path: C:\Windows\SysWOW64\ComputerDefaults.exe
Detection:
- IOC: Event ID 10
- IOC: A binary or script spawned as a child process of ComputerDefaults.exe
- IOC: Changes to HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
Resources:
- Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b