From ef8048344dae90151b17e2c50a7f869348cfebdb Mon Sep 17 00:00:00 2001
From: "mr.d0x"
Date: Sat, 27 May 2023 12:11:05 -0400
Subject: [PATCH] Update msedge.exe & add teams.exe
---
 yml/OSBinaries/Msedge.yml | 7 +++++++
 yml/OSBinaries/Teams.yml | 19 +++++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 yml/OSBinaries/Teams.yml
diff --git a/yml/OSBinaries/Msedge.yml b/yml/OSBinaries/Msedge.yml
index 4ec4118..1384bd5 100644
--- a/yml/OSBinaries/Msedge.yml
+++ b/yml/OSBinaries/Msedge.yml
@@ -18,6 +18,13 @@ Commands:
 Privileges: User
 MitreID: T1105
 OperatingSystem: Windows 10, Windows 11
+ - Command: msedge.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&" Description: Edge spawns cmd.exe as a child process of msedge.exe and executes the ping command Usecase: Executes a process under a trusted Microsoft signed binary Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 10, Windows 11
 Full_Path:
 - Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe
 - Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
diff --git a/yml/OSBinaries/Teams.yml b/yml/OSBinaries/Teams.yml
new file mode 100644
index 0000000..ff36f78
--- /dev/null
+++ b/yml/OSBinaries/Teams.yml
@@ -0,0 +1,19 @@
+---
+Name: Teams.exe
+Description: Microsoft Teams
+Author: mr.d0x
+Created: 2023-05-27
+Commands:
+ - Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&"
+ Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command Usecase: Executes a process under a trusted Microsoft signed binary Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: c:\Users\username\AppData\Local\Microsoft\Teams\current\Teams.exe
+Resources:
+Acknowledgement:
+ - Person: mr.d0x
+ Handle: '@mrd0x'
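Review bot: The new Msedge.yml command entry is byte-identical in its flags, Usecase, Category and MitreID to the entry added in Teams.yml in the same commit, yet neither file references the other, so a reader or detection engineer looking up one binary will not learn that the same `--disable-gpu-sandbox --gpu-launcher=` pair is documented for the other. Add a cross-reference in each file's `Resources:` (Msedge.yml's own `Resources:` section is outside this hunk, so I cannot tell whether it already has entries). The `Description` would also serve defenders better if it named the observable rather than only the example payload, e.g. `Description: Edge spawns cmd.exe as a child process of msedge.exe; the launcher value is passed on the msedge.exe command line` — the `ping google.com` text is just a placeholder command and the entry should say so.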
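Review bot: `Resources:` in the new Teams.yml is left empty, and the file carries no `Detection:` block, so the entry documents the behaviour without giving defenders a reference or an indicator to hunt on. At minimum add `Resources:` / `  - Link: <placeholder: writeup or vendor reference for the --gpu-launcher behaviour>` and, if this project's schema has the `Detection:` key I believe it does (the Msedge hunk does not show whether Msedge.yml uses one), an entry such as `Detection:` / `  - IOC: cmd.exe (or another interpreter) started as a child process of Teams.exe`. The `Full_Path` value `c:\Users\username\AppData\Local\Microsoft\Teams\current\Teams.exe` embeds a literal `username`; if other per-user entries in the repository use a placeholder convention, this one should follow it, and otherwise a short comment that `username` stands for the profile name would avoid readers treating it as an exact path.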