mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-26 14:59:03 +01:00
26 lines
886 B
YAML
26 lines
886 B
YAML
---
|
|
Name: Msdt.exe
|
|
Description: Execute
|
|
Author: ''
|
|
Created: '2018-05-25'
|
|
Categories: []
|
|
Commands:
|
|
- Command: Open .diagcab package
|
|
Description: ''
|
|
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml
|
|
/skip TRUE
|
|
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
|
|
Full Path:
|
|
- 'C:\Windows\System32\Msdt.exe '
|
|
- 'C:\Windows\SysWOW64\Msdt.exe '
|
|
Code Sample: []
|
|
Detection: []
|
|
Resources:
|
|
- https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
|
|
- https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
|
- https://twitter.com/harr0ey/status/991338229952598016
|
|
Notes: |
|
|
Thanks to:
|
|
See the Payloads folder for an example PCW8E57.xml file.
|
|
|