From c3586a105d75688c24105c96ea4a2adb4f9e6c29 Mon Sep 17 00:00:00 2001
From: Eron Clarke <64993805+havoc3-3@users.noreply.github.com>
Date: Tue, 24 Sep 2024 10:17:14 -0500
Subject: [PATCH 1/9] Add ComputerDefaults
---
 yml/OSBinaries/ComputerDefaults.yml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 yml/OSBinaries/ComputerDefaults.yml
diff --git a/yml/OSBinaries/ComputerDefaults.yml b/yml/OSBinaries/ComputerDefaults.yml
new file mode 100644
index 000000000..6c6b32711
--- /dev/null
+++ b/yml/OSBinaries/ComputerDefaults.yml
@@ -0,0 +1,29 @@
+---
+Name: ComputerDefaults.exe
+Description: ComputerDefaults.exe is a Windows system utility for managing default applications for tasks like web browsing, emailing, and media playback.
+Aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality,
+ - Alias: # but for example, is built for different architecture.
+Author: Eron Clarke
+Created: 2024-09-24 # YYYY-MM-DD (date the person created this file)
+Commands:
+ - Command: .\ComputerDefaults.exe
+ Description: Upon execution, ComputerDefaults.exe checks the registry value at HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command, and if this key is created or modified by an attacker, it can force the binary to execute an arbitrary command.
+ Usecase: Used to execute a binary or script and bypass application whitelisting
+ Category: Execute
+ Privileges: User
+ MitreID: T1218
+ OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Key1: Execute # Optional field for one or more tags
+Full_Path:
+ - Path: C:\Windows\System32\ComputerDefaults.exe
+ - Path: C:\Windows\SysWOW64\ComputerDefaults.exe
+Detection:
+ - IOC: Event ID 10
+ - IOC: A binary or script spawned as a child process of ComputerDefaults.exe
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
+Resources:
+ - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
+Acknowledgement:
+ - Person: Eron Clarke
+ Handle:
\ No newline at end of file
From 797c53d95a1eaffa7828753623159cd33a032e37 Mon Sep 17 00:00:00 2001
From: Eron Clarke <64993805+havoc3-3@users.noreply.github.com>
Date: Tue, 24 Sep 2024 10:40:46 -0500
Subject: [PATCH 2/9] Update ComputerDefaults.yml
---
 yml/OSBinaries/ComputerDefaults.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/yml/OSBinaries/ComputerDefaults.yml b/yml/OSBinaries/ComputerDefaults.yml
index 6c6b32711..5833604c0 100644
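Review bot: `- IOC: Event ID 10` under Detection names no log source, and if Sysmon is the intended source, ID 10 is ProcessAccess, which matches neither signal this entry describes (a child process of the binary, or a write to the ms-settings key), so a reader cannot act on it as written. Consider replacing it with the event that fits the registry trigger, e.g. `- IOC: Sysmon Event ID 13 (registry value set) on HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command`, or dropping it in favour of the linked Sigma rule. The same line is copied into fodhelper.yml, regedit.yml and slui.yml in patch 5/9; patch 7/9 removes it from fodhelper.yml and slui.yml but leaves it in ComputerDefaults.yml, so the series ends in an inconsistent state. The template leftovers on the Aliases, Created and Tags lines and the empty `Handle:` are cleaned up by later patches in this series and are not raised here.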
--- a/yml/OSBinaries/ComputerDefaults.yml
+++ b/yml/OSBinaries/ComputerDefaults.yml
@@ -26,4 +26,3 @@ Resources:
 - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
 Acknowledgement:
 - Person: Eron Clarke
- Handle:
\ No newline at end of file
From ead0f598da7ff7079140d8fbc638d5c831c26235 Mon Sep 17 00:00:00 2001
From: Wietze
Date: Wed, 25 Sep 2024 23:19:51 +0100
Subject: [PATCH 3/9] Update ComputerDefaults.yml
---
 yml/OSBinaries/ComputerDefaults.yml | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/yml/OSBinaries/ComputerDefaults.yml b/yml/OSBinaries/ComputerDefaults.yml
index 5833604c0..216093ecd 100644
--- a/yml/OSBinaries/ComputerDefaults.yml
+++ b/yml/OSBinaries/ComputerDefaults.yml
@@ -1,26 +1,23 @@
 ---
 Name: ComputerDefaults.exe
 Description: ComputerDefaults.exe is a Windows system utility for managing default applications for tasks like web browsing, emailing, and media playback.
-Aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality,
- - Alias: # but for example, is built for different architecture.
 Author: Eron Clarke
-Created: 2024-09-24 # YYYY-MM-DD (date the person created this file)
+Created: 2024-09-24
 Commands:
- - Command: .\ComputerDefaults.exe
- Description: Upon execution, ComputerDefaults.exe checks the registry value at HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command, and if this key is created or modified by an attacker, it can force the binary to execute an arbitrary command.
- Usecase: Used to execute a binary or script and bypass application whitelisting
- Category: Execute
+ - Command: ComputerDefaults.exe
+ Description: Upon execution, ComputerDefaults.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
+ Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
+ Category: UAC bypass
 Privileges: User
- MitreID: T1218
+ MitreID: T1548.002
 OperatingSystem: Windows 10, Windows 11
- Tags:
- - Key1: Execute # Optional field for one or more tags
 Full_Path:
 - Path: C:\Windows\System32\ComputerDefaults.exe
 - Path: C:\Windows\SysWOW64\ComputerDefaults.exe
 Detection:
 - IOC: Event ID 10
 - IOC: A binary or script spawned as a child process of ComputerDefaults.exe
+ - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command
 - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
 Resources:
 - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
From d506b2f5fbdcc0978c5c3f7530cedb6faed9d515 Mon Sep 17 00:00:00 2001
From: Wietze
Date: Wed, 25 Sep 2024 23:21:55 +0100
Subject: [PATCH 4/9] Update ComputerDefaults.yml
---
 yml/OSBinaries/ComputerDefaults.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yml/OSBinaries/ComputerDefaults.yml b/yml/OSBinaries/ComputerDefaults.yml
index 216093ecd..0b1098b9b 100644
--- a/yml/OSBinaries/ComputerDefaults.yml
+++ b/yml/OSBinaries/ComputerDefaults.yml
@@ -7,7 +7,7 @@ Commands:
 - Command: ComputerDefaults.exe
 Description: Upon execution, ComputerDefaults.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
 Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
- Category: UAC bypass
+ Category: UAC Bypass
 Privileges: User
 MitreID: T1548.002
 OperatingSystem: Windows 10, Windows 11
From d733b6e130e82ae3f10b1be807f956fb686cb27e Mon Sep 17 00:00:00 2001
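Review bot: `Privileges: User` next to the new Usecase `Execute a binary or script as a high-integrity process without a UAC prompt.` understates a precondition: an auto-elevation bypass of this kind only yields a high-integrity process when the calling account is a member of the local Administrators group (running under its filtered, medium-integrity token) and UAC is not set to 'Always notify'; for a standard user the process is not auto-elevated. Suggest stating that in the Usecase, e.g. `Usecase: Execute a binary or script as a high-integrity process without a UAC prompt (requires an account in the local Administrators group with default UAC settings).` Separately, the only Sigma reference here is a process_creation rule while the IOC added in this hunk is a registry change; the registry rule linked from the other entries in this series, `rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml`, could be listed here as well if its selection covers the ms-settings key.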
From: Eron Clarke <64993805+havoc3-3@users.noreply.github.com>
Date: Thu, 26 Sep 2024 16:31:47 -0500
Subject: [PATCH 5/9] Add files via upload
---
 yml/OSBinaries/fodhelper.yml | 24 ++++++++++++++++++++++++
 yml/OSBinaries/regedit.yml | 25 +++++++++++++++++++++++++
 yml/OSBinaries/slui.yml | 24 ++++++++++++++++++++++++
 3 files changed, 73 insertions(+)
 create mode 100644 yml/OSBinaries/fodhelper.yml
 create mode 100644 yml/OSBinaries/regedit.yml
 create mode 100644 yml/OSBinaries/slui.yml
diff --git a/yml/OSBinaries/fodhelper.yml b/yml/OSBinaries/fodhelper.yml
new file mode 100644
index 000000000..7696435d1
--- /dev/null
+++ b/yml/OSBinaries/fodhelper.yml
@@ -0,0 +1,24 @@
+---
+Name: fodhelper.exe
+Description: fodhelper.exe is a Windows system utility used for managing optional features and components.
+Author: Eron Clarke
+Created: 2024-09-26
+Commands:
+ - Command: fodhelper.exe
+ Description: Upon execution, fodhelper.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
+ Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
+ Category: UAC Bypass
+ Privileges: User
+ MitreID: T1548.002
+ OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: C:\Windows\System32\fodhelper.exe
+Detection:
+ - IOC: Event ID 10
+ - IOC: A binary or script spawned as a child process of fodhelper.exe
+ - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+Resources:
+ - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
+Acknowledgement:
+ - Person: Eron Clarke
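Review bot: The IOC `Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command` could be stronger for defenders: on a default install the `exefile` ProgID lives under HKLM\Software\Classes, and the key is normally absent under HKCU, so the creation of `HKEY_CURRENT_USER\Software\Classes\exefile` at all (Sysmon Event ID 12, key created) is a high-signal event on its own, separate from the later value-set event. Suggest adding it as its own line, e.g. `- IOC: Creation of the key HKEY_CURRENT_USER\Software\Classes\exefile (normally absent under HKCU)`. The Detection block is duplicated verbatim in regedit.yml and slui.yml in this patch, so the same addition applies to both of those hunks.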
diff --git a/yml/OSBinaries/regedit.yml b/yml/OSBinaries/regedit.yml
new file mode 100644
index 000000000..005b9eee9
--- /dev/null
+++ b/yml/OSBinaries/regedit.yml
@@ -0,0 +1,25 @@
+---
+Name: regedit.exe
+Description: regedit (Registry Editor) is a built-in Windows utility that allows users to view, edit, and manage the Windows Registry.
+Author: Eron Clarke
+Created: 2024-09-26
+Commands:
+ - Command: regedit.exe
+ Description: Upon execution, regedit.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
+ Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
+ Category: UAC Bypass
+ Privileges: User
+ MitreID: T1548.002
+ OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: C:\Windows\System32\regedit.exe
+ - Path: C:\Windows\SysWOW64\regedit.exe
+Detection:
+ - IOC: Event ID 10
+ - IOC: A binary or script spawned as a child process of regedit.exe
+ - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+Resources:
+ - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
+Acknowledgement:
+ - Person: Eron Clarke
diff --git a/yml/OSBinaries/slui.yml b/yml/OSBinaries/slui.yml
new file mode 100644
index 000000000..785a6b2e4
--- /dev/null
+++ b/yml/OSBinaries/slui.yml
@@ -0,0 +1,24 @@
+---
+Name: slui.exe
+Description: slui.exe (Software Licensing User Interface) is a system file in Windows responsible for managing the activation of the operating system.
+Author: Eron Clarke
+Created: 2024-09-26
+Commands:
+ - Command: slui.exe
+ Description: Upon execution, slui.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
+ Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
+ Category: UAC Bypass
+ Privileges: User
+ MitreID: T1548.002
+ OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: C:\Windows\System32\slui.exe
+Detection:
+ - IOC: Event ID 10
+ - IOC: A binary or script spawned as a child process of slui.exe
+ - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+Resources:
+ - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
+Acknowledgement:
+ - Person: Eron Clarke
From e03a37fdcd8f9df7b9ccbdde0829c555b9383d33 Mon Sep 17 00:00:00 2001
From: Eron Clarke <64993805+havoc3-3@users.noreply.github.com>
Date: Thu, 26 Sep 2024 16:48:38 -0500
Subject: [PATCH 6/9] Rename regedit.yml to regedit_2.yml
---
 yml/OSBinaries/{regedit.yml => regedit_2.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename yml/OSBinaries/{regedit.yml => regedit_2.yml} (100%)
diff --git a/yml/OSBinaries/regedit.yml b/yml/OSBinaries/regedit_2.yml
similarity index 100%
rename from yml/OSBinaries/regedit.yml
rename to yml/OSBinaries/regedit_2.yml
From 5aaef7295018aae920e6cdf23f4ac0ec6b25bce3 Mon Sep 17 00:00:00 2001
From: Wietze
Date: Mon, 16 Mar 2026 12:59:26 +0000
Subject: [PATCH 7/9] Changes
---
 yml/OSBinaries/ComputerDefaults.yml | 4 +++-
 yml/OSBinaries/Regedit.yml | 10 ++++++++++
 yml/OSBinaries/fodhelper.yml | 5 +++--
 yml/OSBinaries/regedit_2.yml | 25 -------------------------
 yml/OSBinaries/slui.yml | 5 +++--
 5 files changed, 19 insertions(+), 30 deletions(-)
 delete mode 100644 yml/OSBinaries/regedit_2.yml
diff --git a/yml/OSBinaries/ComputerDefaults.yml b/yml/OSBinaries/ComputerDefaults.yml
index 0b1098b9b..9933049ee 100644
--- a/yml/OSBinaries/ComputerDefaults.yml
+++ b/yml/OSBinaries/ComputerDefaults.yml
@@ -5,12 +5,14 @@ Author: Eron Clarke
 Created: 2024-09-24
 Commands:
 - Command: ComputerDefaults.exe
- Description: Upon execution, ComputerDefaults.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
+ Description: Upon execution, `ComputerDefaults` checks two registry values at `HKCU\Software\Classes\ms-settings\Shell\open\command`; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
 Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
 Category: UAC Bypass
 Privileges: User
 MitreID: T1548.002
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Requires: Registry Change
 Full_Path:
 - Path: C:\Windows\System32\ComputerDefaults.exe
 - Path: C:\Windows\SysWOW64\ComputerDefaults.exe
diff --git a/yml/OSBinaries/Regedit.yml b/yml/OSBinaries/Regedit.yml
index d55399d47..40305db5c 100644
--- a/yml/OSBinaries/Regedit.yml
+++ b/yml/OSBinaries/Regedit.yml
@@ -18,6 +18,15 @@ Commands:
 Privileges: User
 MitreID: T1564.004
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ - Command: regedit.exe
+ Description: Upon execution, `regedit` checks two registry values at `HKCU\Software\Classes\exefile\Shell\open\command`; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
+ Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
+ Category: UAC Bypass
+ Privileges: User
+ MitreID: T1548.002
+ OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Requires: Registry Change
 Full_Path:
 - Path: C:\Windows\regedit.exe
 Detection:
@@ -26,6 +35,7 @@ Detection:
 - IOC: regedit.exe should normally not be executed by end-users
 Resources:
 - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+ - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
 Acknowledgement:
 - Person: Oddvar Moe
 Handle: '@oddvarmoe'
diff --git a/yml/OSBinaries/fodhelper.yml b/yml/OSBinaries/fodhelper.yml
index 7696435d1..3265143a1 100644
--- a/yml/OSBinaries/fodhelper.yml
+++ b/yml/OSBinaries/fodhelper.yml
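Review bot: The new `regedit.exe` Command entry describes a registry-triggered bypass, but Regedit.yml's Detection section (second hunk, shown only as context) receives neither the `- IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command` line nor the `registry_event_shell_open_keys_manipulation.yml` Sigma link that fodhelper.yml and slui.yml carry, even though the regedit_2.yml this commit deletes had both. Since the commit folds regedit_2.yml into Regedit.yml, those two Detection lines should be carried over too; as it stands the only IOC left for this technique here is the generic `regedit.exe should normally not be executed by end-users`. The deleted file also listed `C:\Windows\System32\regedit.exe` and `C:\Windows\SysWOW64\regedit.exe` under Full_Path, which Regedit.yml (only `C:\Windows\regedit.exe`) does not; worth carrying across as well so path-based detections cover all three copies.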
@@ -5,16 +5,17 @@ Author: Eron Clarke
 Created: 2024-09-26
 Commands:
 - Command: fodhelper.exe
- Description: Upon execution, fodhelper.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
+ Description: Upon execution, `fodhelper` checks two registry values at `HKCU\Software\Classes\exefile\Shell\open\command`; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
 Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
 Category: UAC Bypass
 Privileges: User
 MitreID: T1548.002
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Requires: Registry Change
 Full_Path:
 - Path: C:\Windows\System32\fodhelper.exe
 Detection:
- - IOC: Event ID 10
 - IOC: A binary or script spawned as a child process of fodhelper.exe
 - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command
 - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
diff --git a/yml/OSBinaries/regedit_2.yml b/yml/OSBinaries/regedit_2.yml
deleted file mode 100644
index 005b9eee9..000000000
--- a/yml/OSBinaries/regedit_2.yml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-Name: regedit.exe
-Description: regedit (Registry Editor) is a built-in Windows utility that allows users to view, edit, and manage the Windows Registry.
-Author: Eron Clarke
-Created: 2024-09-26
-Commands:
- - Command: regedit.exe
- Description: Upon execution, regedit.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
- Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
- Category: UAC Bypass
- Privileges: User
- MitreID: T1548.002
- OperatingSystem: Windows 10, Windows 11
-Full_Path:
- - Path: C:\Windows\System32\regedit.exe
- - Path: C:\Windows\SysWOW64\regedit.exe
-Detection:
- - IOC: Event ID 10
- - IOC: A binary or script spawned as a child process of regedit.exe
- - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command
- - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
-Resources:
- - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
-Acknowledgement:
- - Person: Eron Clarke
diff --git a/yml/OSBinaries/slui.yml b/yml/OSBinaries/slui.yml
index 785a6b2e4..c8d2ecb2f 100644
--- a/yml/OSBinaries/slui.yml
+++ b/yml/OSBinaries/slui.yml
@@ -5,16 +5,17 @@ Author: Eron Clarke
 Created: 2024-09-26
 Commands:
 - Command: slui.exe
- Description: Upon execution, slui.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
+ Description: Upon execution, `slui` checks two registry values at `HKCU\Software\Classes\exefile\Shell\open\command`; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
 Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
 Category: UAC Bypass
 Privileges: User
 MitreID: T1548.002
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Requires: Registry Change
 Full_Path:
 - Path: C:\Windows\System32\slui.exe
 Detection:
- - IOC: Event ID 10
 - IOC: A binary or script spawned as a child process of slui.exe
 - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command
 - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
From 0597c4577625459153a09f7b1f7e3613eaf9eff1 Mon Sep 17 00:00:00 2001
From: Wietze
Date: Mon, 16 Mar 2026 13:02:58 +0000
Subject: [PATCH 8/9] indentation
---
 yml/OSBinaries/Regedit.yml | 2 +-
 yml/OSBinaries/fodhelper.yml | 2 +-
 yml/OSBinaries/slui.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/yml/OSBinaries/Regedit.yml b/yml/OSBinaries/Regedit.yml
index 40305db5c..04b19ca3a 100644
--- a/yml/OSBinaries/Regedit.yml
+++ b/yml/OSBinaries/Regedit.yml
@@ -26,7 +26,7 @@ Commands:
 MitreID: T1548.002
 OperatingSystem: Windows 10, Windows 11
 Tags:
- - Requires: Registry Change
+ - Requires: Registry Change
 Full_Path:
 - Path: C:\Windows\regedit.exe
 Detection:
diff --git a/yml/OSBinaries/fodhelper.yml b/yml/OSBinaries/fodhelper.yml
index 3265143a1..c3f455545 100644
--- a/yml/OSBinaries/fodhelper.yml
+++ b/yml/OSBinaries/fodhelper.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1548.002
 OperatingSystem: Windows 10, Windows 11
 Tags:
- - Requires: Registry Change
+ - Requires: Registry Change
 Full_Path:
 - Path: C:\Windows\System32\fodhelper.exe
 Detection:
diff --git a/yml/OSBinaries/slui.yml b/yml/OSBinaries/slui.yml
index c8d2ecb2f..4b83239cb 100644
--- a/yml/OSBinaries/slui.yml
+++ b/yml/OSBinaries/slui.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1548.002
 OperatingSystem: Windows 10, Windows 11
 Tags:
- - Requires: Registry Change
+ - Requires: Registry Change
 Full_Path:
 - Path: C:\Windows\System32\slui.exe
 Detection:
From 2f58ea25d21844a347e66ee17af58e302e10f789 Mon Sep 17 00:00:00 2001
From: Wietze
Date: Mon, 16 Mar 2026 13:15:34 +0000
Subject: [PATCH 9/9] Adding CMD execution tag
---
 yml/OSBinaries/ComputerDefaults.yml | 3 ++-
 yml/OSBinaries/Regedit.yml | 1 +
 yml/OSBinaries/fodhelper.yml | 1 +
 yml/OSBinaries/slui.yml | 1 +
 4 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/yml/OSBinaries/ComputerDefaults.yml b/yml/OSBinaries/ComputerDefaults.yml
index 9933049ee..dd14dcd01 100644
--- a/yml/OSBinaries/ComputerDefaults.yml
+++ b/yml/OSBinaries/ComputerDefaults.yml
@@ -12,7 +12,8 @@ Commands:
 MitreID: T1548.002
 OperatingSystem: Windows 10, Windows 11
 Tags:
- - Requires: Registry Change
+ - Execute: CMD
+ - Requires: Registry Change
 Full_Path:
 - Path: C:\Windows\System32\ComputerDefaults.exe
 - Path: C:\Windows\SysWOW64\ComputerDefaults.exe
diff --git a/yml/OSBinaries/Regedit.yml b/yml/OSBinaries/Regedit.yml
index 04b19ca3a..3845c847c 100644
--- a/yml/OSBinaries/Regedit.yml
+++ b/yml/OSBinaries/Regedit.yml
@@ -26,6 +26,7 @@ Commands:
 MitreID: T1548.002
 OperatingSystem: Windows 10, Windows 11
 Tags:
+ - Execute: CMD
 - Requires: Registry Change
 Full_Path:
 - Path: C:\Windows\regedit.exe
diff --git a/yml/OSBinaries/fodhelper.yml b/yml/OSBinaries/fodhelper.yml
index c3f455545..4a8f55d21 100644
--- a/yml/OSBinaries/fodhelper.yml
+++ b/yml/OSBinaries/fodhelper.yml
@@ -12,6 +12,7 @@ Commands:
 MitreID: T1548.002
 OperatingSystem: Windows 10, Windows 11
 Tags:
+ - Execute: CMD
 - Requires: Registry Change
 Full_Path:
 - Path: C:\Windows\System32\fodhelper.exe
diff --git a/yml/OSBinaries/slui.yml b/yml/OSBinaries/slui.yml
index 4b83239cb..7fe5e411a 100644
--- a/yml/OSBinaries/slui.yml
+++ b/yml/OSBinaries/slui.yml
@@ -12,6 +12,7 @@ Commands:
 MitreID: T1548.002
 OperatingSystem: Windows 10, Windows 11
 Tags:
+ - Execute: CMD
 - Requires: Registry Change
 Full_Path:
 - Path: C:\Windows\System32\slui.exe