Skip to content
Open
Show file tree
Hide file tree
Changes from 8 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion yml/OSBinaries/ComputerDefaults.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,14 @@
Created: 2024-09-24
Commands:
- Command: ComputerDefaults.exe
Description: Upon execution, ComputerDefaults.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
Description: Upon execution, `ComputerDefaults` checks two registry values at `HKCU\Software\Classes\ms-settings\Shell\open\command`; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
Category: UAC Bypass
Privileges: User
MitreID: T1548.002
OperatingSystem: Windows 10, Windows 11
Tags:
- Requires: Registry Change

Check failure on line 15 in yml/OSBinaries/ComputerDefaults.yml

View workflow job for this annotation

GitHub Actions / lintFiles

15:5 [indentation] wrong indentation: expected 6 but found 4
Full_Path:
- Path: C:\Windows\System32\ComputerDefaults.exe
- Path: C:\Windows\SysWOW64\ComputerDefaults.exe
Expand Down
10 changes: 10 additions & 0 deletions yml/OSBinaries/Regedit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,15 @@
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: regedit.exe
Description: Upon execution, `regedit` checks two registry values at `HKCU\Software\Classes\exefile\Shell\open\command`; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
Category: UAC Bypass
Privileges: User
MitreID: T1548.002
OperatingSystem: Windows 10, Windows 11
Tags:
- Requires: Registry Change

Check failure on line 29 in yml/OSBinaries/Regedit.yml

View workflow job for this annotation

GitHub Actions / lintFiles

29:5 [indentation] wrong indentation: expected 6 but found 4
Full_Path:
- Path: C:\Windows\regedit.exe
Detection:
Expand All @@ -26,6 +35,7 @@
- IOC: regedit.exe should normally not be executed by end-users
Resources:
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
- Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
25 changes: 25 additions & 0 deletions yml/OSBinaries/fodhelper.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
---
Name: fodhelper.exe
Description: fodhelper.exe is a Windows system utility used for managing optional features and components.
Author: Eron Clarke
Created: 2024-09-26
Commands:
- Command: fodhelper.exe
Description: Upon execution, `fodhelper` checks two registry values at `HKCU\Software\Classes\exefile\Shell\open\command`; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
Category: UAC Bypass
Privileges: User
MitreID: T1548.002
OperatingSystem: Windows 10, Windows 11
Tags:
- Requires: Registry Change

Check failure on line 15 in yml/OSBinaries/fodhelper.yml

View workflow job for this annotation

GitHub Actions / lintFiles

15:5 [indentation] wrong indentation: expected 6 but found 4
Full_Path:
- Path: C:\Windows\System32\fodhelper.exe
Detection:
- IOC: A binary or script spawned as a child process of fodhelper.exe
- IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
Resources:
- Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
Acknowledgement:
- Person: Eron Clarke
25 changes: 25 additions & 0 deletions yml/OSBinaries/slui.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
---
Name: slui.exe
Description: slui.exe (Software Licensing User Interface) is a system file in Windows responsible for managing the activation of the operating system.
Author: Eron Clarke
Created: 2024-09-26
Commands:
- Command: slui.exe
Description: Upon execution, `slui` checks two registry values at `HKCU\Software\Classes\exefile\Shell\open\command`; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
Category: UAC Bypass
Privileges: User
MitreID: T1548.002
OperatingSystem: Windows 10, Windows 11
Tags:
- Requires: Registry Change

Check failure on line 15 in yml/OSBinaries/slui.yml

View workflow job for this annotation

GitHub Actions / lintFiles

15:5 [indentation] wrong indentation: expected 6 but found 4
Full_Path:
- Path: C:\Windows\System32\slui.exe
Detection:
- IOC: A binary or script spawned as a child process of slui.exe
- IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
Resources:
- Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
Acknowledgement:
- Person: Eron Clarke
Loading