Add SystemSettingsAdminFlow.exe as a LOLBin #420

Status: Open. Wants to merge 6 commits into base: master
28 changes: 28 additions & 0 deletions yml/OSBinaries/SystemSettingsAdminFlow.yml
@@ -0,0 +1,28 @@
---
Name: SystemSettingsAdminFlow.exe
Description: SystemSettingsAdminFlows.exe is responsible for the administrator privileges that are required for opening/editing/removing files.
Author: 'Jason Phang Vern-Onn'
Created: 2025-01-19
Commands:
- Command: C:\Windows\System32\SystemSettingsFlowAdmin.exe Defender RTP 1
Description: SystemSettingsFlowAdmin.exe can be abused to modify Windows Defender settings, such as disabling enhanced notifications, submission consent, and real-time protection.
Usecase: Attackers can exploit this binary to disable critical Windows Defender settings and bypass security measures, enabling malware execution.
Category: Execute
Privileges: Administrator
MitreID: T1562.001
OperatingSystem: Windows 10 1803, Windows 10 1703
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Windows\System32\SystemSettingsFlowAdmin.exe
- Path: C:\Windows\Syswow64\SystemSettingsFlowAdmin.exe
Detection:
- IOC: Microsoft-Windows-Windows Defender/Operational Event Log Event ID 5007 for changes
- IOC: SystemSettingsFlowAdmin.exe spawned with parent image not SystemSettings.exe
- Sigma: https://gist.githubusercontent.com/ald3n5/b1a3f4138b1a1624f7e183a3d0859d17/raw/29e6f67fa3920a39cb4c4bc5226f21a6057fa5ad/susp_adminflows_tampering_defender.yml
Resources:
- Link: https://www.huntress.com/blog/lolbin-to-inc-ransomware
- Link: https://www.huntress.com/blog/its-not-safe-to-pay-safepay
Acknowledgement:
- Person: Alden Schmidt
- Person: Matt Anderson
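Review bot: the binary is spelled three different ways in this one file, so the entry, its paths and its detections do not agree on which image they describe: `Name: SystemSettingsAdminFlow.exe`, the Description says `SystemSettingsAdminFlows.exe`, and every Command, Full_Path and Detection line uses `SystemSettingsFlowAdmin.exe` (the YAML filename, SystemSettingsAdminFlow.yml, is a fourth variant of the same name). Check the actual image name on disk under System32, then use that one spelling for Name, Description, the Command, both Full_Path entries, the parent-process IOC and the filename; with the current mismatch the IOC "SystemSettingsFlowAdmin.exe spawned with parent image not SystemSettings.exe" and the linked Sigma rule would match on a name that is not the one the entry claims exists. While verifying the path, also confirm that a 32-bit copy really is present at `C:\Windows\Syswow64\...` before listing it, and consider listing the OperatingSystem values in ascending order (1703 before 1803) to match the rest of the collection.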