diff --git a/_lolbas/Binaries/Microsoft.Workflow.Compiler.md b/_lolbas/Binaries/Microsoft.Workflow.Compiler.md index ab37eeb..78b076f 100644 --- a/_lolbas/Binaries/Microsoft.Workflow.Compiler.md +++ b/_lolbas/Binaries/Microsoft.Workflow.Compiler.md @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows 10S, Windows 11 Tags: - Execute: VB.Net - - Execute: CSharp + - Execute: Csharp - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Usecase: Compile and run code diff --git a/_lolbas/Binaries/MpCmdRun.md b/_lolbas/Binaries/MpCmdRun.md index 10b5fa4..4c1e590 100644 --- a/_lolbas/Binaries/MpCmdRun.md +++ b/_lolbas/Binaries/MpCmdRun.md @@ -29,6 +29,9 @@ Full_Path: - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe + - Path: C:\Program Files\Windows Defender\MpCmdRun.exe + - Path: C:\Program Files (x86)\Windows Defender\MpCmdRun.exe + - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23110.3-0\X86\MpCmdRun.exe Code_Sample: - Code: Detection: diff --git a/_lolbas/Binaries/OneDriveStandaloneUpdater.md b/_lolbas/Binaries/OneDriveStandaloneUpdater.md index 063c84f..d1d3c10 100644 --- a/_lolbas/Binaries/OneDriveStandaloneUpdater.md +++ b/_lolbas/Binaries/OneDriveStandaloneUpdater.md 
@@ -13,6 +13,8 @@ Commands: OperatingSystem: Windows 10 Full_Path: - Path: 'C:\Users\\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe' + - Path: C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe + - Path: C:\Program Files (x86)\Microsoft OneDrive\OneDriveStandaloneUpdater.exe Detection: - IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL - IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files diff --git a/_lolbas/Binaries/Wuauclt.md b/_lolbas/Binaries/Wuauclt.md index f0ef5a7..66a9f31 100644 --- a/_lolbas/Binaries/Wuauclt.md +++ b/_lolbas/Binaries/Wuauclt.md @@ -15,6 +15,7 @@ Commands: - Execute: DLL Full_Path: - Path: C:\Windows\System32\wuauclt.exe + - Path: C:\Windows\UUS\amd64\wuauclt.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml diff --git a/_lolbas/Binaries/msedgewebview2.md b/_lolbas/Binaries/msedgewebview2.md index 776be27..5ecb857 100644 --- a/_lolbas/Binaries/msedgewebview2.md +++ b/_lolbas/Binaries/msedgewebview2.md @@ -42,6 +42,7 @@ Commands: - Execute: CMD Full_Path: - Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe + - Path: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.70\msedgewebview2.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml - IOC: 'msedgewebview2.exe spawned with any of the following: --gpu-launcher, --utility-cmd-prefix, --renderer-cmd-prefix, --browser-subprocess-path' 
diff --git a/_lolbas/OtherMSBinaries/OpenConsole.md b/_lolbas/OtherMSBinaries/OpenConsole.md index 9dd7fb3..2aed19d 100644 --- a/_lolbas/OtherMSBinaries/OpenConsole.md +++ b/_lolbas/OtherMSBinaries/OpenConsole.md @@ -17,6 +17,7 @@ Full_Path: - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os86\OpenConsole.exe - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe + - Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.18.10301.0_x64__8wekyb3d8bbwe\OpenConsole.exe Detection: - IOC: OpenConsole.exe spawning unexpected processes - Sigma: https://github.com/SigmaHQ/sigma/blob/9e0ef7251b075f15e7abafbbec16d3230c5fa477/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml
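Review bot (Microsoft.Workflow.Compiler.md hunk): the only change is the tag casing from `CSharp` to `Csharp`; please confirm `Csharp` is the spelling the site's tag index uses, because a tag that differs only in case renders as a separate tag in the filter instead of merging with the other C# entries. Since this hunk touches the file anyway, two small inconsistencies in the shown context are worth fixing in the same change: the command uses `tests.txt` while the Description refers to `test.txt`, and "a XOML file" should read "an XOML file".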
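Review bot (MpCmdRun.md hunk): the two Program Files entries are the useful additions because they are version-stable, whereas `Platform\4.18.23110.3-0\X86\MpCmdRun.exe` follows the pattern of the three existing version-pinned lines and will be outdated at the next platform update. Consider listing the Platform directory once with the version (and architecture) segment marked as variable instead of appending a line per release. Also check that the Detection entries that follow this hunk do not key solely on the `ProgramData\...\Platform` path, since the binary now has documented locations under Program Files as well.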
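Review bot (OneDriveStandaloneUpdater.md hunk): the existing context entry `'C:\Users\\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'` looks mangled; the user-name segment between `Users\` and `\AppData` is missing and the doubled backslash suggests a placeholder was dropped, so it should be repaired while this list is being edited. The two new paths are unquoted while the existing one is single-quoted; pick one YAML quoting style for the list. Because the new entries document a per-machine install under Program Files, it would help to confirm whether the IOC pointing at `%localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log` still applies to that install type or whether a second log location should be listed.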
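Review bot (Wuauclt.md hunk): the new `C:\Windows\UUS\amd64\wuauclt.exe` entry covers only the amd64 layout; if the UUS directory also exists for other architectures, either list them or mark the architecture segment as variable. The two Sigma references are pinned to commit 683b63f8...; please verify that their image filters also match the UUS path, otherwise the Detection section does not cover the location this hunk adds.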
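Review bot (msedgewebview2.md hunk): the added path pins a specific build (`131.0.2903.70`) just as the existing one pins `114.0.1823.43`; the information that actually matters to the reader is the different parent directory (`Microsoft\EdgeWebView\Application\` versus `Microsoft\Edge\Application\`), so consider marking the version segment as variable rather than adding one line per release.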
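Review bot (OpenConsole.md hunk): the WindowsApps entry embeds the package full name (`Microsoft.WindowsTerminal_1.18.10301.0_x64__8wekyb3d8bbwe`), which carries both the Terminal version and the architecture and changes with every store update; as with the WebView entry in this PR, state that those segments vary. The referenced Sigma rule is pinned to commit 9e0ef725...; verify it is not restricted to the Visual Studio paths already listed, otherwise the linked rule does not detect the new location.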