public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-10-22 16:49:11 +02:00
Code Issues Projects Releases Wiki Activity
master
LOLBAS/yml/OtherMSBinaries/AccCheckConsole.yml
Wietze ebbf08ec4d
Adding tags (closes #9, #318) (#362) 
* Adding various tags as a first iteration

* Adding quotes

* Adding 'Custom Format' properly

* Updating to key:value pairs

* Update template
2024-04-03 11:53:36 -04:00

42 lines
2.0 KiB
YAML
Raw Permalink Blame History

---
Name: AccCheckConsole.exe
Description: Verifies UI accessibility requirements
Author: 'bohops'
Created: 2022-01-02
Commands:
- Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
Usecase: Local execution of managed code from assembly DLL.
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: DLL
- Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
Usecase: Local execution of managed code to bypass AppLocker.
Category: AWL Bypass
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm\AccChecker\AccCheckConsole.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm64\AccChecker\AccCheckConsole.exe
Code_Sample:
- Code: https://docs.microsoft.com/en-us/windows/win32/winauto/custom-verification-routines
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
- IOC: Sysmon Event ID 1 - Process Creation
- Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
Resources:
- Link: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
- Link: https://twitter.com/bohops/status/1477717351017680899
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
Reference in New Issue View Git Blame Copy Permalink