From 8892ad207079046cd4c060d8f0fff3deead8acb7 Mon Sep 17 00:00:00 2001 From: Majkel Skopniarz <44535764+mblzk@users.noreply.github.com> Date: Wed, 18 Jun 2025 01:00:50 +0200 Subject: [PATCH 1/4] Create write.yml Added a write.exe abuse to execute arbitrary binary through registry values --- yml/OSBinaries/write.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 yml/OSBinaries/write.yml diff --git a/yml/OSBinaries/write.yml b/yml/OSBinaries/write.yml new file mode 100644 index 00000000..a2441ffc --- /dev/null +++ b/yml/OSBinaries/write.yml 
@@ -0,0 +1,29 @@ +--- +Name: write.exe +Description: Wrapper binary for launching wordpad. Historically it was used to launch Microsoft Write, a very basic word processor from pre-2000 era. Currently it's left as a compatibility stub after Windows 95 onwards +Author: Michal Belzak +Created: 2025-06-17 +Commands: + - Command: write.exe + Description: Executes a binary provided in default value of (HKCU|HKLM):\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe. + Usecase: This might be utilized to confuse detection solutions that rely on parent-child relationships (process will be spawned as a child to the write.exe). HKCU is checked first, allowing for user exploitation. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows + Tags: + - Execute: EXE +Full_Path: + - Path: C:\Windows\write.exe + - Path: C:\Windows\System32\write.exe + - Path: C:\Windows\SysWOW64\write.exe +Detection: + - IOC: Changes to HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe + - IOC: Changes to HKLM:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml +Resources: + - Link: https://gist.github.com/mblzk/b8c5ff7c2bd0fb2b385cc2fdd119874b + - Link: https://learn.microsoft.com/en-us/windows/win32/shell/app-registration + - Link: https://en.wikipedia.org/wiki/Microsoft_Write +Acknowledgement: + - Person: Michal Belzak From 478d552633dbfe2ff761a3410173a6be90909379 Mon Sep 17 00:00:00 2001 From: Majkel Skopniarz <44535764+mblzk@users.noreply.github.com> Date: Wed, 18 Jun 2025 16:18:31 +0200 Subject: [PATCH 2/4] Update write.yml updated with providing arguments through registry and execution of remote binaries through UNC paths --- yml/OSBinaries/write.yml | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) 
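Review bot: the Detection block in the PATCH 1/4 hunk covers only the two App Paths registry values plus a registry-set Sigma rule, yet the Usecase is specifically about confusing parent-child detection; add a process-creation IOC for write.exe spawning a child image other than wordpad.exe (the only child it should ever create), because the registry value can be set long before execution and is invisible to process-only telemetry, while the parent-child relation is the artefact that exists at execution time. Two smaller points: the unquoted Description `Executes a binary provided in default value of (HKCU|HKLM):\Software\...` parses only because it never contains colon-space, so quote it now rather than after a later edit breaks it; and the Acknowledgement entry repeats Author without a handle, whereas other LOLBAS entries carry `Handle: '@...'` next to Person.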
diff --git a/yml/OSBinaries/write.yml b/yml/OSBinaries/write.yml index a2441ffc..5640c27e 100644 --- a/yml/OSBinaries/write.yml +++ b/yml/OSBinaries/write.yml 
@@ -1,29 +1,47 @@ --- Name: write.exe -Description: Wrapper binary for launching wordpad. Historically it was used to launch Microsoft Write, a very basic word processor from pre-2000 era. Currently it's left as a compatibility stub after Windows 95 onwards +Description: Wrapper binary for launching wordpad. Historically it was used to launch Microsoft Write, a very basic word processor from pre-2000 era. Currently it's left as a compatibility stub after Windows 95 onwards. Author: Michal Belzak Created: 2025-06-17 Commands: - Command: write.exe Description: Executes a binary provided in default value of (HKCU|HKLM):\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe. - Usecase: This might be utilized to confuse detection solutions that rely on parent-child relationships (process will be spawned as a child to the write.exe). HKCU is checked first, allowing for user exploitation. + Usecase: Execute binary through legitimate proxy. This might be utilized to confuse detection solutions that rely on parent-child relationships. Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows Tags: - Execute: EXE + - Command: write.exe + Description: It is possible to provide arguments by modifying HKCU:\Software\Classes\exefile\shell\open\command to include the following value: `"%1" ` + Usecase: Execute binary through legitimate proxy. This might be utilized to confuse detection solutions that rely on parent-child relationships. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows + Tags: + - Execute: EXE + - Execute: CMD + - Command: write.exe + Description: It is possible to execute remote binaries when using UNC path instead. This will display security prompt and fail in non-interactive environments. To offset for that, one needs to control a custom domain, be able to set A DNS record in it and register this record in `HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\`. 
For details, refer to Resources. + Usecase: Execute remote binary. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows + Tags: + - Execute: Remote Full_Path: - Path: C:\Windows\write.exe - Path: C:\Windows\System32\write.exe - Path: C:\Windows\SysWOW64\write.exe Detection: - IOC: Changes to HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe - - IOC: Changes to HKLM:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe + - IOC: Changes to HKCU:\Software\Classes\exefile\shell\open\command + - IOC: (related to UNC prompt bypass) Changes to HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml Resources: - Link: https://gist.github.com/mblzk/b8c5ff7c2bd0fb2b385cc2fdd119874b - - Link: https://learn.microsoft.com/en-us/windows/win32/shell/app-registration - - Link: https://en.wikipedia.org/wiki/Microsoft_Write Acknowledgement: - Person: Michal Belzak From 51a6410c4b48108adf55b6c4044cdafd4a5b01b9 Mon Sep 17 00:00:00 2001 From: Majkel Skopniarz <44535764+mblzk@users.noreply.github.com> Date: Wed, 18 Jun 2025 16:26:50 +0200 Subject: [PATCH 3/4] Update write.yml added quotes around problematic lines --- yml/OSBinaries/write.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/yml/OSBinaries/write.yml b/yml/OSBinaries/write.yml index 5640c27e..f0daced1 100644 --- a/yml/OSBinaries/write.yml +++ b/yml/OSBinaries/write.yml 
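Review bot: the second command's Description in the PATCH 2/4 hunk is an unquoted plain scalar containing `value: ` (colon followed by a space) in `... to include the following value: `"%1" ``; YAML rejects that as a mapping indicator inside a plain scalar, so the file will not load until the string is quoted. On content: that command rewrites HKCU:\Software\Classes\exefile\shell\open\command, which is the open handler for every .exe the shell launches for that user and is not specific to write.exe; the Usecase should say so, the Description should show the full value to set rather than only the `"%1"` fragment, and T1546.001 (Change Default File Association) fits that command better than T1218. The hunk also drops the HKLM App Paths IOC even though the first Description still names (HKCU|HKLM), and removes the Microsoft app-registration link that backs the lookup-order claim, leaving a personal gist as the only reference; keep both.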
@@ -1,11 +1,11 @@ --- Name: write.exe -Description: Wrapper binary for launching wordpad. Historically it was used to launch Microsoft Write, a very basic word processor from pre-2000 era. Currently it's left as a compatibility stub after Windows 95 onwards. +Description: "Wrapper binary for launching wordpad. Historically it was used to launch Microsoft Write, a very basic word processor from pre-2000 era. Currently it's left as a compatibility stub after Windows 95 onwards." Author: Michal Belzak Created: 2025-06-17 Commands: - Command: write.exe - Description: Executes a binary provided in default value of (HKCU|HKLM):\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe. + Description: "Executes a binary provided in default value of (HKCU|HKLM):\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe." Usecase: Execute binary through legitimate proxy. This might be utilized to confuse detection solutions that rely on parent-child relationships. Category: Execute Privileges: User @@ -14,7 +14,7 @@ Commands: Tags: - Execute: EXE - Command: write.exe - Description: It is possible to provide arguments by modifying HKCU:\Software\Classes\exefile\shell\open\command to include the following value: `"%1" ` + Description: "It is possible to provide arguments by modifying HKCU:\Software\Classes\exefile\shell\open\command to include the following value: `'%1' `" Usecase: Execute binary through legitimate proxy. This might be utilized to confuse detection solutions that rely on parent-child relationships. Category: Execute Privileges: User 
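Review bot: switching these scalars to double quotes in PATCH 3/4 breaks parsing rather than fixing it: in a YAML double-quoted string a backslash starts an escape sequence, and `\S` in `"...(HKCU|HKLM):\Software\Microsoft..."` (hunk 2 here, and the `HKCU:\Software\...ZoneMap\Domains\` path in the third hunk) is not a recognised escape, so the loader reports an unknown escape character. Use single quotes, in which backslashes are literal, or double every backslash. Hunk 2 also changes the registry value example from `"%1"` to `'%1'`; the double quotes around %1 are part of the value being described, not YAML syntax, so this documents a different value from the one PATCH 2/4 introduced.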
@@ -24,7 +24,7 @@ Commands: - Execute: EXE - Execute: CMD - Command: write.exe - Description: It is possible to execute remote binaries when using UNC path instead. This will display security prompt and fail in non-interactive environments. To offset for that, one needs to control a custom domain, be able to set A DNS record in it and register this record in `HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\`. For details, refer to Resources. + Description: "It is possible to execute remote binaries when using UNC path instead. This will display security prompt and fail in non-interactive environments. To offset for that, one needs to control a custom domain, be able to set A DNS record in it and register this record in `HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\`. For details on bypass, refer to Resources." Usecase: Execute remote binary. Category: Execute Privileges: User From c455bf461358fd57f9b8117dce35435b4937608f Mon Sep 17 00:00:00 2001 From: Majkel Skopniarz <44535764+mblzk@users.noreply.github.com> Date: Wed, 18 Jun 2025 16:30:25 +0200 Subject: [PATCH 4/4] Update write.yml apparently single quotes are better --- yml/OSBinaries/write.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/yml/OSBinaries/write.yml b/yml/OSBinaries/write.yml index f0daced1..ae5f50a9 100644 --- a/yml/OSBinaries/write.yml +++ b/yml/OSBinaries/write.yml 
@@ -1,11 +1,11 @@ --- Name: write.exe -Description: "Wrapper binary for launching wordpad. Historically it was used to launch Microsoft Write, a very basic word processor from pre-2000 era. Currently it's left as a compatibility stub after Windows 95 onwards." +Description: 'Wrapper binary for launching wordpad. Historically it was used to launch Microsoft Write, a very basic word processor from pre-2000 era. Currently its left as a compatibility stub after Windows 95 onwards.' Author: Michal Belzak Created: 2025-06-17 Commands: - Command: write.exe - Description: "Executes a binary provided in default value of (HKCU|HKLM):\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe." + Description: 'Executes a binary provided in default value of (HKCU|HKLM):\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe.' Usecase: Execute binary through legitimate proxy. This might be utilized to confuse detection solutions that rely on parent-child relationships. Category: Execute Privileges: User @@ -14,7 +14,7 @@ Commands: Tags: - Execute: EXE - Command: write.exe - Description: "It is possible to provide arguments by modifying HKCU:\Software\Classes\exefile\shell\open\command to include the following value: `'%1' `" + Description: 'It is possible to provide arguments by modifying HKCU:\Software\Classes\exefile\shell\open\command to include the following value: "%1" ' Usecase: Execute binary through legitimate proxy. This might be utilized to confuse detection solutions that rely on parent-child relationships. Category: Execute Privileges: User 
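Review bot: hunk 1 of PATCH 4/4 drops the apostrophe from `it's` (`Currently its left as a compatibility stub`) to avoid a quote inside a single-quoted scalar, which trades a parse problem for a grammar error; YAML escapes an apostrophe in a single-quoted string by doubling it, so `'...Currently it''s left as a compatibility stub...'` keeps the original wording. In hunk 2 the scalar now ends with `"%1" '`, a trailing space inside the quotes that survives into the parsed string; either drop it or state explicitly that the documented registry value ends in a space.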
@@ -24,7 +24,7 @@ Commands: - Execute: EXE - Execute: CMD - Command: write.exe - Description: "It is possible to execute remote binaries when using UNC path instead. This will display security prompt and fail in non-interactive environments. To offset for that, one needs to control a custom domain, be able to set A DNS record in it and register this record in `HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\`. For details on bypass, refer to Resources." + Description: 'It is possible to execute remote binaries when using UNC path instead. This will display security prompt and fail in non-interactive environments. To offset for that, one needs to control a custom domain, be able to set A DNS record in it and register this record in `HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\`. For details on bypass, refer to Resources.' Usecase: Execute remote binary. Category: Execute Privileges: User 
@@ -33,13 +33,13 @@ Commands: Tags: - Execute: Remote Full_Path: - - Path: C:\Windows\write.exe - - Path: C:\Windows\System32\write.exe - - Path: C:\Windows\SysWOW64\write.exe + - Path: 'C:\Windows\write.exe' + - Path: 'C:\Windows\System32\write.exe' + - Path: 'C:\Windows\SysWOW64\write.exe' Detection: - - IOC: Changes to HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe - - IOC: Changes to HKCU:\Software\Classes\exefile\shell\open\command - - IOC: (related to UNC prompt bypass) Changes to HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ + - IOC: 'Changes to HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe' + - IOC: 'Changes to HKCU:\Software\Classes\exefile\shell\open\command' + - IOC: '(related to UNC prompt bypass) Changes to HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\' - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml Resources: - Link: https://gist.github.com/mblzk/b8c5ff7c2bd0fb2b385cc2fdd119874b
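Review bot: the quoting in hunk 4 is correct (single quotes keep the backslashes in the paths and registry keys literal, and the closing `Domains\'` is fine because `\` is not an escape there), but the single Sigma link this hunk leaves in place (registry_set_persistence_app_paths) covers only the App Paths IOC, not the exefile\shell\open\command or ZoneMap\Domains IOCs added in PATCH 2/4; either link rules for those two keys or note that they are uncovered. Since three of the four commits are YAML quoting fixes, also add a load check before pushing, e.g. `python -c "import yaml; yaml.safe_load(open('yml/OSBinaries/write.yml'))"`, so the next quoting change is verified locally.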