mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 01:45:21 +00:00
25 lines
934 B
YAML
25 lines
934 B
YAML
title: Using AppVLP To Circumvent ASR File Path Rule
|
|
id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
|
|
status: experimental
|
|
description: 'Application Virtualization Utility is included with Microsoft Office.We are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder or to mark a file as a system file'
|
|
author: Sreeman
|
|
date: 2020/03/13
|
|
modified: 2021/06/11
|
|
tags:
|
|
- attack.t1218
|
|
- attack.defense_evasion
|
|
- attack.execution
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
detection:
|
|
selection:
|
|
CommandLine|re: '(?i).*appvlp.exe.*(cmd.exe|powershell.exe).*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf)'
|
|
condition: selection
|
|
falsepositives:
|
|
- unknown
|
|
fields:
|
|
- ParentProcess
|
|
- CommandLine
|
|
- ParentCommandLine
|
|
level: medium |