wtfbins
WTF are these binaries doing?! A list of benign applications that mimic malicious behavior.
* **Contributor Name:** Thurein Oo * **Application/Executable:** draw.io.exe * **WTF Behavior Description:** draw.io.exe uses attrib.exe to hide the file .dtmp using the command `attrib +h filename.dtmp`. * **Link to Documentation of...
* **Contributor Name:** Thurein Oo * **Application/Executable:** EndpointBasecamp.exe, RiskIndexCollector.exe * **WTF Behavior Description:** Trend Micro EndpointBasecamp.exe drops RiskIndexCollector.exe which invokes wmic to get a list of Hotfixes/Patches using the command `wmic...
* **Contributor Name:** @ImLordOfTheRing * **Application/Executable:** Adobe Update service spawning process RuntimeCustomHook.exe * **WTF Behavior Description:** During the update process it appears that Adobe accesses and modifies windows\system32\restore\MachineGuid.txt which may trigger detections...
* **Contributor Name:** 59e5aaf4 * **Application/Executable:** SecurityHealthService.exe * **WTF Behavior Description:** Sets HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to 0 (= insecure = might raise EDR alerts ahem ahem) just before setting it (back?) to...
* **Huseyin EKSI:** * **DameWare Mini Control.exe:** * **This little guy might look like scanning or making connections to different IPs in your network (which creates more alerts), add to your...
* **Contributor Name:** no2aq * **Application/Executable:** Cisco AnyConnect * **WTF Behavior Description:** If an end user runs Diagnostics from the Cisco AnyConnect agent, this will run WHOAMI as System. *...
Hey, not a submission for a new WTFBin but a suggestion for an improvement: how about adding a field (list) to the JSON model for paths that the WTFBin is...
* **Contributor Name:** Taggart * **Application/Executable:** Greenbone OpenVAS Vulnerability scanner * **WTF Behavior Description:** When connecting to Windows hosts, OpenVAS will run `impacket-wmiexec` against the host. The resulting events look...
* **Contributor Name:** * **Application/Executable:** * **WTF Behavior Description:** * **Link to Documentation of Behavior:** * **Please provide any images for additional evidence.**
* **Contributor Name:** Alexandros Pappas * **Application/Executable:** Update.exe * **WTF Behavior Description:** 'LOLBIN created a PowerShell script file Prevent' generated by XDR BIOC detected on host XXXX involving user XXXX\XXXX...