From ec676cbd93d68d7383342bba4265907cdae21034 Mon Sep 17 00:00:00 2001 From: Grzegorz Tworek Date: Sat, 17 Dec 2022 18:30:30 +0100 Subject: [PATCH] Create Runexehelper.yml (#269) Co-authored-by: Wietze --- yml/OSBinaries/Runexehelper.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 yml/OSBinaries/Runexehelper.yml diff --git a/yml/OSBinaries/Runexehelper.yml b/yml/OSBinaries/Runexehelper.yml new file mode 100644 index 0000000..ddcdb6c --- /dev/null +++ b/yml/OSBinaries/Runexehelper.yml @@ -0,0 +1,23 @@ +--- +Name: Runexehelper.exe +Description: Launcher process +Author: Grzegorz Tworek +Created: 2022-12-13 +Commands: + - Command: runexehelper.exe c:\windows\system32\calc.exe + Description: 'Launches the specified exe. Prerequisites: (1) diagtrack_action_output environment variable must be set to an existing, writable folder; (2) runexewithargs_output.txt file cannot exist in the folder indicated by the variable.' + Usecase: Executes arbitrary code + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022 +Full_Path: + - Path: c:\windows\system32\runexehelper.exe +Detection: + - IOC: c:\windows\system32\runexehelper.exe is run + - IOC: Existence of runexewithargs_output.txt file +Resources: + - Link: https://twitter.com/0gtweet/status/1206692239839289344 +Acknowledgement: + - Person: Grzegorz Tworek + Handle: '@0gtweet'
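Review bot: the `Command` line does not show how to satisfy the two prerequisites that its own `Description` lists, so anyone who copies `runexehelper.exe c:\windows\system32\calc.exe` verbatim will get a failure; consider documenting the setup inline, e.g. `set diagtrack_action_output=C:\Users\Public` (any existing, writable folder) before the launch, and stating explicitly that a leftover `runexewithargs_output.txt` in that folder has to be deleted before each run. The `Description: Launcher process` field is also thinner than the rest of the entry; since the prerequisite turns on the `diagtrack_action_output` variable, saying that the binary belongs to the Windows diagnostics (DiagTrack) tooling would tell a defender what legitimate use looks like. On the detection side, `IOC: Existence of runexewithargs_output.txt file` should say where to look, namely the folder named by `diagtrack_action_output`, and a higher-signal IOC is `runexehelper.exe` being started by something other than the diagnostics components, or with `diagtrack_action_output` set in an interactive user session: with `Privileges: User` and `Category: Execute`, the parent process and the target executable are what separate abuse from normal use.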