From 8892ad207079046cd4c060d8f0fff3deead8acb7 Mon Sep 17 00:00:00 2001 From: Majkel Skopniarz <44535764+mblzk@users.noreply.github.com> Date: Wed, 18 Jun 2025 01:00:50 +0200 Subject: [PATCH 1/6] Create write.yml Added a write.exe abuse to execute arbitrary binary through registry values --- yml/OSBinaries/write.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 yml/OSBinaries/write.yml diff --git a/yml/OSBinaries/write.yml b/yml/OSBinaries/write.yml new file mode 100644 index 000000000..a2441ffc0 --- /dev/null +++ b/yml/OSBinaries/write.yml 
@@ -0,0 +1,29 @@ +--- +Name: write.exe +Description: Wrapper binary for launching wordpad. Historically it was used to launch Microsoft Write, a very basic word processor from pre-2000 era. Currently it's left as a compatibility stub after Windows 95 onwards +Author: Michal Belzak +Created: 2025-06-17 +Commands: + - Command: write.exe + Description: Executes a binary provided in default value of (HKCU|HKLM):\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe. + Usecase: This might be utilized to confuse detection solutions that rely on parent-child relationships (process will be spawned as a child to the write.exe). HKCU is checked first, allowing for user exploitation. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows + Tags: + - Execute: EXE +Full_Path: + - Path: C:\Windows\write.exe + - Path: C:\Windows\System32\write.exe + - Path: C:\Windows\SysWOW64\write.exe +Detection: + - IOC: Changes to HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe + - IOC: Changes to HKLM:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml +Resources: + - Link: https://gist.github.com/mblzk/b8c5ff7c2bd0fb2b385cc2fdd119874b + - Link: https://learn.microsoft.com/en-us/windows/win32/shell/app-registration + - Link: https://en.wikipedia.org/wiki/Microsoft_Write +Acknowledgement: + - Person: Michal Belzak From 478d552633dbfe2ff761a3410173a6be90909379 Mon Sep 17 00:00:00 2001 From: Majkel Skopniarz <44535764+mblzk@users.noreply.github.com> Date: Wed, 18 Jun 2025 16:18:31 +0200 Subject: [PATCH 2/6] Update write.yml updated with providing arguments through registry and execution of remote binaries through UNC paths --- yml/OSBinaries/write.yml | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) 
diff --git a/yml/OSBinaries/write.yml b/yml/OSBinaries/write.yml index a2441ffc0..5640c27e5 100644 --- a/yml/OSBinaries/write.yml +++ b/yml/OSBinaries/write.yml 
@@ -1,29 +1,47 @@ --- Name: write.exe -Description: Wrapper binary for launching wordpad. Historically it was used to launch Microsoft Write, a very basic word processor from pre-2000 era. Currently it's left as a compatibility stub after Windows 95 onwards +Description: Wrapper binary for launching wordpad. Historically it was used to launch Microsoft Write, a very basic word processor from pre-2000 era. Currently it's left as a compatibility stub after Windows 95 onwards. Author: Michal Belzak Created: 2025-06-17 Commands: - Command: write.exe Description: Executes a binary provided in default value of (HKCU|HKLM):\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe. - Usecase: This might be utilized to confuse detection solutions that rely on parent-child relationships (process will be spawned as a child to the write.exe). HKCU is checked first, allowing for user exploitation. + Usecase: Execute binary through legitimate proxy. This might be utilized to confuse detection solutions that rely on parent-child relationships. Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows Tags: - Execute: EXE + - Command: write.exe + Description: It is possible to provide arguments by modifying HKCU:\Software\Classes\exefile\shell\open\command to include the following value: `"%1" ` + Usecase: Execute binary through legitimate proxy. This might be utilized to confuse detection solutions that rely on parent-child relationships. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows + Tags: + - Execute: EXE + - Execute: CMD + - Command: write.exe + Description: It is possible to execute remote binaries when using UNC path instead. This will display security prompt and fail in non-interactive environments. To offset for that, one needs to control a custom domain, be able to set A DNS record in it and register this record in `HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\`. 
For details, refer to Resources. + Usecase: Execute remote binary. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows + Tags: + - Execute: Remote Full_Path: - Path: C:\Windows\write.exe - Path: C:\Windows\System32\write.exe - Path: C:\Windows\SysWOW64\write.exe Detection: - IOC: Changes to HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe - - IOC: Changes to HKLM:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe + - IOC: Changes to HKCU:\Software\Classes\exefile\shell\open\command + - IOC: (related to UNC prompt bypass) Changes to HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml Resources: - Link: https://gist.github.com/mblzk/b8c5ff7c2bd0fb2b385cc2fdd119874b - - Link: https://learn.microsoft.com/en-us/windows/win32/shell/app-registration - - Link: https://en.wikipedia.org/wiki/Microsoft_Write Acknowledgement: - Person: Michal Belzak From 51a6410c4b48108adf55b6c4044cdafd4a5b01b9 Mon Sep 17 00:00:00 2001 From: Majkel Skopniarz <44535764+mblzk@users.noreply.github.com> Date: Wed, 18 Jun 2025 16:26:50 +0200 Subject: [PATCH 3/6] Update write.yml added quotes around problematic lines --- yml/OSBinaries/write.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/yml/OSBinaries/write.yml b/yml/OSBinaries/write.yml index 5640c27e5..f0daced10 100644 --- a/yml/OSBinaries/write.yml +++ b/yml/OSBinaries/write.yml 
@@ -1,11 +1,11 @@ --- Name: write.exe -Description: Wrapper binary for launching wordpad. Historically it was used to launch Microsoft Write, a very basic word processor from pre-2000 era. Currently it's left as a compatibility stub after Windows 95 onwards. +Description: "Wrapper binary for launching wordpad. Historically it was used to launch Microsoft Write, a very basic word processor from pre-2000 era. Currently it's left as a compatibility stub after Windows 95 onwards." Author: Michal Belzak Created: 2025-06-17 Commands: - Command: write.exe - Description: Executes a binary provided in default value of (HKCU|HKLM):\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe. + Description: "Executes a binary provided in default value of (HKCU|HKLM):\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe." Usecase: Execute binary through legitimate proxy. This might be utilized to confuse detection solutions that rely on parent-child relationships. Category: Execute Privileges: User @@ -14,7 +14,7 @@ Commands: Tags: - Execute: EXE - Command: write.exe - Description: It is possible to provide arguments by modifying HKCU:\Software\Classes\exefile\shell\open\command to include the following value: `"%1" ` + Description: "It is possible to provide arguments by modifying HKCU:\Software\Classes\exefile\shell\open\command to include the following value: `'%1' `" Usecase: Execute binary through legitimate proxy. This might be utilized to confuse detection solutions that rely on parent-child relationships. Category: Execute Privileges: User 
@@ -24,7 +24,7 @@ Commands: - Execute: EXE - Execute: CMD - Command: write.exe - Description: It is possible to execute remote binaries when using UNC path instead. This will display security prompt and fail in non-interactive environments. To offset for that, one needs to control a custom domain, be able to set A DNS record in it and register this record in `HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\`. For details, refer to Resources. + Description: "It is possible to execute remote binaries when using UNC path instead. This will display security prompt and fail in non-interactive environments. To offset for that, one needs to control a custom domain, be able to set A DNS record in it and register this record in `HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\`. For details on bypass, refer to Resources." Usecase: Execute remote binary. Category: Execute Privileges: User From c455bf461358fd57f9b8117dce35435b4937608f Mon Sep 17 00:00:00 2001 From: Majkel Skopniarz <44535764+mblzk@users.noreply.github.com> Date: Wed, 18 Jun 2025 16:30:25 +0200 Subject: [PATCH 4/6] Update write.yml apparently single quotes are better --- yml/OSBinaries/write.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/yml/OSBinaries/write.yml b/yml/OSBinaries/write.yml index f0daced10..ae5f50a98 100644 --- a/yml/OSBinaries/write.yml +++ b/yml/OSBinaries/write.yml 
@@ -1,11 +1,11 @@ --- Name: write.exe -Description: "Wrapper binary for launching wordpad. Historically it was used to launch Microsoft Write, a very basic word processor from pre-2000 era. Currently it's left as a compatibility stub after Windows 95 onwards." +Description: 'Wrapper binary for launching wordpad. Historically it was used to launch Microsoft Write, a very basic word processor from pre-2000 era. Currently its left as a compatibility stub after Windows 95 onwards.' Author: Michal Belzak Created: 2025-06-17 Commands: - Command: write.exe - Description: "Executes a binary provided in default value of (HKCU|HKLM):\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe." + Description: 'Executes a binary provided in default value of (HKCU|HKLM):\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe.' Usecase: Execute binary through legitimate proxy. This might be utilized to confuse detection solutions that rely on parent-child relationships. Category: Execute Privileges: User @@ -14,7 +14,7 @@ Commands: Tags: - Execute: EXE - Command: write.exe - Description: "It is possible to provide arguments by modifying HKCU:\Software\Classes\exefile\shell\open\command to include the following value: `'%1' `" + Description: 'It is possible to provide arguments by modifying HKCU:\Software\Classes\exefile\shell\open\command to include the following value: "%1" ' Usecase: Execute binary through legitimate proxy. This might be utilized to confuse detection solutions that rely on parent-child relationships. Category: Execute Privileges: User 
@@ -24,7 +24,7 @@ Commands: - Execute: EXE - Execute: CMD - Command: write.exe - Description: "It is possible to execute remote binaries when using UNC path instead. This will display security prompt and fail in non-interactive environments. To offset for that, one needs to control a custom domain, be able to set A DNS record in it and register this record in `HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\`. For details on bypass, refer to Resources." + Description: 'It is possible to execute remote binaries when using UNC path instead. This will display security prompt and fail in non-interactive environments. To offset for that, one needs to control a custom domain, be able to set A DNS record in it and register this record in `HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\`. For details on bypass, refer to Resources.' Usecase: Execute remote binary. Category: Execute Privileges: User 
@@ -33,13 +33,13 @@ Commands: Tags: - Execute: Remote Full_Path: - - Path: C:\Windows\write.exe - - Path: C:\Windows\System32\write.exe - - Path: C:\Windows\SysWOW64\write.exe + - Path: 'C:\Windows\write.exe' + - Path: 'C:\Windows\System32\write.exe' + - Path: 'C:\Windows\SysWOW64\write.exe' Detection: - - IOC: Changes to HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe - - IOC: Changes to HKCU:\Software\Classes\exefile\shell\open\command - - IOC: (related to UNC prompt bypass) Changes to HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ + - IOC: 'Changes to HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe' + - IOC: 'Changes to HKCU:\Software\Classes\exefile\shell\open\command' + - IOC: '(related to UNC prompt bypass) Changes to HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\' - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml Resources: - Link: https://gist.github.com/mblzk/b8c5ff7c2bd0fb2b385cc2fdd119874b From 8fc50235067b9716c4e54fb04669af3156c80fa9 Mon Sep 17 00:00:00 2001 From: Wietze Date: Mon, 16 Mar 2026 13:16:58 +0000 Subject: [PATCH 5/6] Cleaned up write.yml --- yml/OSBinaries/write.yml | 28 ++++------------------------ 1 file changed, 4 insertions(+), 24 deletions(-) diff --git a/yml/OSBinaries/write.yml b/yml/OSBinaries/write.yml index ae5f50a98..883353f62 100644 --- a/yml/OSBinaries/write.yml +++ b/yml/OSBinaries/write.yml 
@@ -1,45 +1,25 @@ --- Name: write.exe -Description: 'Wrapper binary for launching wordpad. Historically it was used to launch Microsoft Write, a very basic word processor from pre-2000 era. Currently its left as a compatibility stub after Windows 95 onwards.' +Description: 'Windows Write' Author: Michal Belzak Created: 2025-06-17 Commands: - Command: write.exe - Description: 'Executes a binary provided in default value of (HKCU|HKLM):\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe.' + Description: 'Executes a binary provided in default value of `(HKCU|HKLM)\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe`.' Usecase: Execute binary through legitimate proxy. This might be utilized to confuse detection solutions that rely on parent-child relationships. Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 (before 24H2) Tags: - Execute: EXE - - Command: write.exe - Description: 'It is possible to provide arguments by modifying HKCU:\Software\Classes\exefile\shell\open\command to include the following value: "%1" ' - Usecase: Execute binary through legitimate proxy. This might be utilized to confuse detection solutions that rely on parent-child relationships. - Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows - Tags: - - Execute: EXE - - Execute: CMD - - Command: write.exe - Description: 'It is possible to execute remote binaries when using UNC path instead. This will display security prompt and fail in non-interactive environments. To offset for that, one needs to control a custom domain, be able to set A DNS record in it and register this record in `HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\`. For details on bypass, refer to Resources.' - Usecase: Execute remote binary. 
- Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows - Tags: - - Execute: Remote + - Requires: Registry Change Full_Path: - Path: 'C:\Windows\write.exe' - Path: 'C:\Windows\System32\write.exe' - Path: 'C:\Windows\SysWOW64\write.exe' Detection: - IOC: 'Changes to HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe' - - IOC: 'Changes to HKCU:\Software\Classes\exefile\shell\open\command' - - IOC: '(related to UNC prompt bypass) Changes to HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\' - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml Resources: - Link: https://gist.github.com/mblzk/b8c5ff7c2bd0fb2b385cc2fdd119874b From 3e6f52d26ee1947a9c8db598af1b177aa558148a Mon Sep 17 00:00:00 2001 From: Wietze Date: Mon, 16 Mar 2026 13:18:27 +0000 Subject: [PATCH 6/6] HKCU only --- yml/OSBinaries/write.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/write.yml b/yml/OSBinaries/write.yml index 883353f62..f31c757be 100644 --- a/yml/OSBinaries/write.yml +++ b/yml/OSBinaries/write.yml @@ -5,7 +5,7 @@ Author: Michal Belzak Created: 2025-06-17 Commands: - Command: write.exe - Description: 'Executes a binary provided in default value of `(HKCU|HKLM)\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe`.' + Description: 'Executes a binary provided in default value of `HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe`.' Usecase: Execute binary through legitimate proxy. This might be utilized to confuse detection solutions that rely on parent-child relationships. Category: Execute Privileges: User
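Review bot: the Detection block in the PATCH 1/6 hunk (the one creating write.yml) lists only the two App Paths registry IOCs and the App Paths Sigma rule, yet the Usecase line in the same hunk states that the payload "will be spawned as a child to the write.exe"; a process-creation detection (write.exe as the parent of a child image other than wordpad.exe) would catch the execution even when the registry change happened earlier or was made on a different host, so it belongs next to the Sigma link. Separately, the Description is a three-sentence paragraph; PATCH 5/6 later cuts it to 'Windows Write', and starting with the short form would have saved that cleanup.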
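Review bot: the second Command entry added in the PATCH 2/6 hunk is not valid YAML as written: the plain scalar `Description: It is possible to provide arguments by modifying HKCU:\Software\Classes\exefile\shell\open\command to include the following value: `"%1" `` contains a colon followed by a space (after "value"), which a YAML parser treats as a nested mapping key, and the line ends in a trailing space. Quote the whole scalar (PATCH 4/6 settles on single quotes) and strip the trailing space. In the same hunk the `- IOC: Changes to HKLM:\...\App Paths\wordpad.exe` line is removed while the first Description still reads `(HKCU|HKLM)`, so the entry documents a path its Detection block no longer covers; keep the IOC or narrow the Description (PATCH 6/6 eventually does the latter). The learn.microsoft.com App Registration link is also dropped although it is the reference for the App Paths lookup the first command depends on; it is worth keeping.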
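Review bot: the double-quoted scalars introduced in the PATCH 3/6 hunks are still invalid YAML: inside double quotes a backslash starts an escape sequence, so `"Executes a binary provided in default value of (HKCU|HKLM):\Software\Microsoft\..."` fails at `\S` and the exefile line fails at `\S` and `\C`. Single quotes (which PATCH 4/6 switches to) or doubled backslashes fix this. The second hunk also rewrites the documented registry value from `"%1"` to `'%1'` to avoid the quoting clash; that changes the technical content of the entry rather than its YAML form, and PATCH 4/6 has to put `"%1"` back. Quoting problems should be solved in the YAML layer, never by altering the value being documented.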
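Review bot: the first PATCH 4/6 hunk introduces a typo while re-quoting the Description: "Currently its left as a compatibility stub" should read "it's left". It becomes moot once PATCH 5/6 replaces the Description, but a pure re-quote should not change the text.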
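Review bot: the `OperatingSystem: Windows 10, Windows 11 (before 24H2)` change in the PATCH 5/6 hunk asserts a version cut-off with no supporting reference; after this hunk the Resources list holds only the author's gist, so add the source for the 24H2 behaviour change (or a short note on what was tested and where) so defenders can tell whether the entry still applies to updated hosts. Removing the exefile\shell\open\command and ZoneMap IOCs together with the commands they belonged to is consistent, and the linked Sigma rule still targets App Paths persistence, so detection coverage for the single remaining command holds. The retained Description still says `(HKCU|HKLM)` even though the HKLM IOC was already dropped in PATCH 2/6; PATCH 6/6 resolves that mismatch.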
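Review bot: narrowing the Description to `HKCU\Software\...\App Paths\wordpad.exe` in the PATCH 6/6 hunk brings it in line with the single remaining IOC and with `Privileges: User`. The reason a user-writable hive is enough was stated in the original PATCH 1/6 Usecase ("HKCU is checked first") and was lost in PATCH 2/6; restoring that one clause in the Usecase would tell a reader why no elevation is needed and why HKCU is the hive to monitor.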