public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-01-27 14:01:04 +01:00
Code Issues Projects Releases Wiki Activity
feat/add_missing_WDAC_bypasses
LOLBAS/yml/OSBinaries/AddInProcess.yaml
Chris Spehn 5ee2298759 Add AddinProcess
2020-09-03 07:47:43 -06:00

31 lines
1.1 KiB
YAML
Raw Permalink Blame History

---
Name: AddInProcess.exe
Description: Used to compile and execute code
Author: 'Chris Spehn'
Created: '2020-09-03'
Commands:
- Command: AddInProcess.exe /guid:32a91b0f-30cd-4c75-be79-ccbd6345de11 /pid:XXXX
Description: Execute a .NET assembly
Usecase: Code execution
Category: AWL bypass
Privileges: User
MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
Code_Sample:
- Code:
Detection:
- IOC: AddInProcess.exe should not normally be executed on workstations
Resources:
- Link: https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html
- Link: https://github.com/tyranid/DeviceGuardBypasses
Acknowledgement:
- Person: James Forshaw
Handle: 'https://twitter.com/tiraniddo'
---
Reference in New Issue View Git Blame Copy Permalink