From c3586a105d75688c24105c96ea4a2adb4f9e6c29 Mon Sep 17 00:00:00 2001 From: Eron Clarke <64993805+havoc3-3@users.noreply.github.com> Date: Tue, 24 Sep 2024 10:17:14 -0500 Subject: [PATCH 1/6] Add ComputerDefaults --- yml/OSBinaries/ComputerDefaults.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 yml/OSBinaries/ComputerDefaults.yml diff --git a/yml/OSBinaries/ComputerDefaults.yml b/yml/OSBinaries/ComputerDefaults.yml new file mode 100644 index 00000000..6c6b3271 --- /dev/null +++ b/yml/OSBinaries/ComputerDefaults.yml @@ -0,0 +1,29 @@ +--- +Name: ComputerDefaults.exe +Description: ComputerDefaults.exe is a Windows system utility for managing default applications for tasks like web browsing, emailing, and media playback. +Aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality, + - Alias: # but for example, is built for different architecture. +Author: Eron Clarke +Created: 2024-09-24 # YYYY-MM-DD (date the person created this file) +Commands: + - Command: .\ComputerDefaults.exe + Description: Upon execution, ComputerDefaults.exe checks the registry value at HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command, and if this key is created or modified by an attacker, it can force the binary to execute an arbitrary command. + Usecase: Used to execute a binary or script and bypass application whitelisting + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 10, Windows 11 + Tags: + - Key1: Execute # Optional field for one or more tags +Full_Path: + - Path: C:\Windows\System32\ComputerDefaults.exe + - Path: C:\Windows\SysWOW64\ComputerDefaults.exe +Detection: + - IOC: Event ID 10 + - IOC: A binary or script spawned as a child process of ComputerDefaults.exe + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml +Resources: + - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b +Acknowledgement: + - Person: Eron Clarke + Handle: \ No newline at end of file From 797c53d95a1eaffa7828753623159cd33a032e37 Mon Sep 17 00:00:00 2001 From: Eron Clarke <64993805+havoc3-3@users.noreply.github.com> Date: Tue, 24 Sep 2024 10:40:46 -0500 Subject: [PATCH 2/6] Update ComputerDefaults.yml --- yml/OSBinaries/ComputerDefaults.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/yml/OSBinaries/ComputerDefaults.yml b/yml/OSBinaries/ComputerDefaults.yml index 6c6b3271..5833604c 100644 --- a/yml/OSBinaries/ComputerDefaults.yml +++ b/yml/OSBinaries/ComputerDefaults.yml @@ -26,4 +26,3 @@ Resources: - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b Acknowledgement: - Person: Eron Clarke - Handle: \ No newline at end of file From ead0f598da7ff7079140d8fbc638d5c831c26235 Mon Sep 17 00:00:00 2001 From: Wietze Date: Wed, 25 Sep 2024 23:19:51 +0100 Subject: [PATCH 3/6] Update ComputerDefaults.yml --- yml/OSBinaries/ComputerDefaults.yml | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/yml/OSBinaries/ComputerDefaults.yml b/yml/OSBinaries/ComputerDefaults.yml index 5833604c..216093ec 100644 --- a/yml/OSBinaries/ComputerDefaults.yml +++ b/yml/OSBinaries/ComputerDefaults.yml @@ -1,26 +1,23 @@ --- Name: ComputerDefaults.exe Description: ComputerDefaults.exe is a Windows system utility for managing default applications for tasks like web browsing, emailing, and media playback. -Aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality, - - Alias: # but for example, is built for different architecture. Author: Eron Clarke -Created: 2024-09-24 # YYYY-MM-DD (date the person created this file) +Created: 2024-09-24 Commands: - - Command: .\ComputerDefaults.exe - Description: Upon execution, ComputerDefaults.exe checks the registry value at HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command, and if this key is created or modified by an attacker, it can force the binary to execute an arbitrary command. - Usecase: Used to execute a binary or script and bypass application whitelisting - Category: Execute + - Command: ComputerDefaults.exe + Description: Upon execution, ComputerDefaults.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set. + Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. + Category: UAC bypass Privileges: User - MitreID: T1218 + MitreID: T1548.002 OperatingSystem: Windows 10, Windows 11 - Tags: - - Key1: Execute # Optional field for one or more tags Full_Path: - Path: C:\Windows\System32\ComputerDefaults.exe - Path: C:\Windows\SysWOW64\ComputerDefaults.exe Detection: - IOC: Event ID 10 - IOC: A binary or script spawned as a child process of ComputerDefaults.exe + - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml Resources: - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b From d506b2f5fbdcc0978c5c3f7530cedb6faed9d515 Mon Sep 17 00:00:00 2001 From: Wietze Date: Wed, 25 Sep 2024 23:21:55 +0100 Subject: [PATCH 4/6] Update ComputerDefaults.yml --- yml/OSBinaries/ComputerDefaults.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/ComputerDefaults.yml b/yml/OSBinaries/ComputerDefaults.yml index 216093ec..0b1098b9 100644 --- a/yml/OSBinaries/ComputerDefaults.yml +++ b/yml/OSBinaries/ComputerDefaults.yml @@ -7,7 +7,7 @@ Commands: - Command: ComputerDefaults.exe Description: Upon execution, ComputerDefaults.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set. Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. - Category: UAC bypass + Category: UAC Bypass Privileges: User MitreID: T1548.002 OperatingSystem: Windows 10, Windows 11 From d733b6e130e82ae3f10b1be807f956fb686cb27e Mon Sep 17 00:00:00 2001 From: Eron Clarke <64993805+havoc3-3@users.noreply.github.com> Date: Thu, 26 Sep 2024 16:31:47 -0500 Subject: [PATCH 5/6] Add files via upload --- yml/OSBinaries/fodhelper.yml | 24 ++++++++++++++++++++++++ yml/OSBinaries/regedit.yml | 25 +++++++++++++++++++++++++ yml/OSBinaries/slui.yml | 24 ++++++++++++++++++++++++ 3 files changed, 73 insertions(+) create mode 100644 yml/OSBinaries/fodhelper.yml create mode 100644 yml/OSBinaries/regedit.yml create mode 100644 yml/OSBinaries/slui.yml diff --git a/yml/OSBinaries/fodhelper.yml b/yml/OSBinaries/fodhelper.yml new file mode 100644 index 00000000..7696435d --- /dev/null +++ b/yml/OSBinaries/fodhelper.yml @@ -0,0 +1,24 @@ +--- +Name: fodhelper.exe +Description: fodhelper.exe is a Windows system utility used for managing optional features and components. +Author: Eron Clarke +Created: 2024-09-26 +Commands: + - Command: fodhelper.exe + Description: Upon execution, fodhelper.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set. + Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. + Category: UAC Bypass + Privileges: User + MitreID: T1548.002 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Windows\System32\fodhelper.exe +Detection: + - IOC: Event ID 10 + - IOC: A binary or script spawned as a child process of fodhelper.exe + - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml +Resources: + - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b +Acknowledgement: + - Person: Eron Clarke diff --git a/yml/OSBinaries/regedit.yml b/yml/OSBinaries/regedit.yml new file mode 100644 index 00000000..005b9eee --- /dev/null +++ b/yml/OSBinaries/regedit.yml @@ -0,0 +1,25 @@ +--- +Name: regedit.exe +Description: regedit (Registry Editor) is a built-in Windows utility that allows users to view, edit, and manage the Windows Registry. +Author: Eron Clarke +Created: 2024-09-26 +Commands: + - Command: regedit.exe + Description: Upon execution, regedit.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set. + Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. + Category: UAC Bypass + Privileges: User + MitreID: T1548.002 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Windows\System32\regedit.exe + - Path: C:\Windows\SysWOW64\regedit.exe +Detection: + - IOC: Event ID 10 + - IOC: A binary or script spawned as a child process of regedit.exe + - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml +Resources: + - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b +Acknowledgement: + - Person: Eron Clarke diff --git a/yml/OSBinaries/slui.yml b/yml/OSBinaries/slui.yml new file mode 100644 index 00000000..785a6b2e --- /dev/null +++ b/yml/OSBinaries/slui.yml @@ -0,0 +1,24 @@ +--- +Name: slui.exe +Description: slui.exe (Software Licensing User Interface) is a system file in Windows responsible for managing the activation of the operating system. +Author: Eron Clarke +Created: 2024-09-26 +Commands: + - Command: slui.exe + Description: Upon execution, slui.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set. + Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. + Category: UAC Bypass + Privileges: User + MitreID: T1548.002 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Windows\System32\slui.exe +Detection: + - IOC: Event ID 10 + - IOC: A binary or script spawned as a child process of slui.exe + - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml +Resources: + - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b +Acknowledgement: + - Person: Eron Clarke From e03a37fdcd8f9df7b9ccbdde0829c555b9383d33 Mon Sep 17 00:00:00 2001 From: Eron Clarke <64993805+havoc3-3@users.noreply.github.com> Date: Thu, 26 Sep 2024 16:48:38 -0500 Subject: [PATCH 6/6] Rename regedit.yml to regedit_2.yml --- yml/OSBinaries/{regedit.yml => regedit_2.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename yml/OSBinaries/{regedit.yml => regedit_2.yml} (100%) diff --git a/yml/OSBinaries/regedit.yml b/yml/OSBinaries/regedit_2.yml similarity index 100% rename from yml/OSBinaries/regedit.yml rename to yml/OSBinaries/regedit_2.yml