2018-04-18 13:41:44 +00:00
|
|
|
## PresentationHost.exe
|
|
|
|
|
|
|
|
|
|
* Functions: Execute
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
Presentationhost.exe C:\temp\Evil.xbap
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Acknowledgements:
|
2018-04-18 21:12:38 +00:00
|
|
|
* Casey Smith - @subtee
|
|
|
|
|
|
|
|
|
|
Code sample:
|
|
|
|
|
*
|
|
|
|
|
|
|
|
|
|
Resources:
|
|
|
|
|
* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
|
|
|
|
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
|
|
|
|
|
|
|
|
|
Full path:
|
|
|
|
|
```
|
|
|
|
|
c:\windows\system32\PresentationHost.exe
|
|
|
|
|
c:\windows\sysWOW64\PresentationHost.exe
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Notes:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
