mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-01-02 18:17:09 +01:00
28 lines
1.1 KiB
YAML
28 lines
1.1 KiB
YAML
---
|
|
Name: DefaultPack.EXE
|
|
Description: This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.
|
|
Author: '@checkymander'
|
|
Created: 2020-10-01
|
|
Commands:
|
|
- Command: DefaultPack.EXE /C:"process.exe args"
|
|
Description: Use DefaultPack.EXE to execute arbitrary binaries, with added argument support.
|
|
Usecase: Can be used to execute stagers, binaries, and other malicious commands.
|
|
Category: Execute
|
|
Privileges: User
|
|
MitreID: T1218
|
|
OperatingSystem: Windows
|
|
Tags:
|
|
- Execute: EXE
|
|
Full_Path:
|
|
- Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe
|
|
Code_Sample:
|
|
- Code:
|
|
Detection:
|
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml
|
|
- IOC: DefaultPack.EXE spawned an unknown process
|
|
Resources:
|
|
- Link: https://twitter.com/checkymander/status/1311509470275604480.
|
|
Acknowledgement:
|
|
- Person: checkymander
|
|
Handle: '@checkymander'
|