1 file changed: +28 -0 lines changed
1+ ---
2+ Name : write.exe
3+ Description : ' Windows Write'
4+ Author : Michal Belzak
5+ Created : 2025-06-17
6+ Commands :
7+ - Command : write.exe
8+ Description : ' Executes a binary provided in default value of `HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe`.'
9+ Usecase : Execute binary through legitimate proxy. This might be utilized to confuse detection solutions that rely on parent-child relationships.
10+ Category : Execute
11+ Privileges : User
12+ MitreID : T1218
13+ OperatingSystem : Windows 10, Windows 11 (before 24H2)
14+ Tags :
15+ - Execute : EXE
16+ - Requires : Registry Change
17+ Full_Path :
18+ - Path : ' C:\Windows\write.exe'
19+ - Path : ' C:\Windows\System32\write.exe'
20+ - Path : ' C:\Windows\SysWOW64\write.exe'
21+ Detection :
22+ - IOC : ' Changes to HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe'
23+ - Sigma : https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml
24+ Resources :
25+ - Link : https://gist.github.com/mblzk/b8c5ff7c2bd0fb2b385cc2fdd119874b
26+ Acknowledgement :
27+ - Person : Michal Belzak
28+ ---
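Review bot: the App Paths key is written in two different notations in this file: line 8 uses `HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe` while the IOC on line 22 uses the PowerShell drive form `HKCU:\Software\...`; pick one (the plain form is what most detection engineers will paste into a search) so the IOC string and the description match. Several quoted values also carry a leading space inside the quotes (' Windows Write', ' Executes a binary ...', ' C:\Windows\write.exe'); YAML keeps that space as part of the value, so if it is really in the file rather than a rendering artifact it should be removed. On detection, the only IOC is the registry change, and the Sigma rule on line 23 is, going by its name, a registry-set rule for App Paths; since the key can be modified long before the binary is launched, consider adding a process-based IOC alongside it, e.g. `write.exe` starting a child process that is not `wordpad.exe`, which follows directly from the behaviour described on line 8. Finally, the OperatingSystem field on line 13 says "before 24H2" without the description or resources explaining what changed in 24H2; a short note in the Description would save readers from having to test it themselves.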