From 28227aa714032fdda79f37a933bf666cd6653ec7 Mon Sep 17 00:00:00 2001 From: karminang Date: Mon, 20 Apr 2026 00:32:13 +0800 Subject: [PATCH 01/12] Create setupupc.yml Contribute to lolbas project by submitting a new microsoft binary named setupugc.exe (Setup Unattend Generic Command Processor) which reads command entries from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ UnattendSettings\Setup-Unattend-Settings\RunSynchronous\\Path and executes them via CreateProcessW when invoked with a Windows setup pass argument (e.g. specialize). --- yml/OSBinaries/setupupc.yml | 52 +++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 yml/OSBinaries/setupupc.yml diff --git a/yml/OSBinaries/setupupc.yml b/yml/OSBinaries/setupupc.yml new file mode 100644 index 00000000..4cf44d57 --- /dev/null +++ b/yml/OSBinaries/setupupc.yml 
@@ -0,0 +1,52 @@ +--- +Name: setupugc.exe +Description: Setup Unattend Generic Command Processor used during Windows deployment +Author: Ang Kar Min +Created: 2026-04-20 +Commands: + - Command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\1" /v Path /d "{COMMAND}" /f && setupugc.exe specialize + Description: Write an arbitrary command to the UnattendSettings registry key and trigger execution via setupugc.exe. The command runs as a child process of setupugc.exe at the caller's integrity level. Only the Path value is required; Description and Order are optional. + Usecase: Execute arbitrary commands through a Microsoft-signed binary, proxy process parentage + Category: Execute + Privileges: Administrator + MitreID: T1218 + OperatingSystem: Windows 10, Windows 11, Windows Server 2025 + - Command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\1" /v Path /d "{COMMAND}" /f && setupugc.exe auditUser + Description: Same technique using the auditUser pass name instead of specialize. Both pass names trigger command execution; oobeSystem and auditSystem do not. + Usecase: Execute arbitrary commands through a Microsoft-signed binary + Category: Execute + Privileges: Administrator + MitreID: T1218 + OperatingSystem: Windows 10, Windows 11, Windows Server 2025 +Full_Path: + - Path: C:\Windows\System32\setupugc.exe +Detection: + - IOC: setupugc.exe spawning child processes outside of Windows Setup context. Legitimate parent is setuphost.exe or Windows setup infrastructure. + - IOC: Registry writes to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\ on a deployed system (post-OOBE). + - IOC: C:\Windows\Panther\commandexec\ directory or commandexec.*.spl spool files on a production system. 
+ - IOC: Registry value CommandExecInProgress (DWORD 0x1) under HKLM\...\UnattendSettings\Setup-Unattend-Settings-Status created by a non-setup process. + - Sigma: | + title: Suspicious setupugc.exe Child Process + status: experimental + description: Detects setupugc.exe spawning child processes outside of Windows Setup context. + logsource: + product: windows + category: process_creation + detection: + selection: + ParentImage|endswith: '\setupugc.exe' + filter_legitimate: + ParentParentImage|endswith: + - '\setuphost.exe' + - '\setup.exe' + condition: selection and not filter_legitimate + level: high + tags: + - attack.defense_evasion + - attack.execution + - attack.t1218 +Resources: + - Link: https://strontic.github.io/xcyclopedia/library/setupugc.exe-3CFE082E8656AD66B5B9FFEB28CF4EC3.html +Acknowledgement: + - Person: Ang Kar Min + Handle: karminang From 6930dbf7705bb25a1232427161475f98677e4fcf Mon Sep 17 00:00:00 2001 From: karminang Date: Sun, 19 Apr 2026 18:26:37 +0100 Subject: [PATCH 02/12] Update setupupc.yml --- yml/OSBinaries/setupupc.yml | 33 ++++++--------------------------- 1 file changed, 6 insertions(+), 27 deletions(-) diff --git a/yml/OSBinaries/setupupc.yml b/yml/OSBinaries/setupupc.yml index 4cf44d57..02623ebb 100644 --- a/yml/OSBinaries/setupupc.yml +++ b/yml/OSBinaries/setupupc.yml 
@@ -1,18 +1,17 @@ ---- Name: setupugc.exe Description: Setup Unattend Generic Command Processor used during Windows deployment Author: Ang Kar Min Created: 2026-04-20 Commands: - Command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\1" /v Path /d "{COMMAND}" /f && setupugc.exe specialize - Description: Write an arbitrary command to the UnattendSettings registry key and trigger execution via setupugc.exe. The command runs as a child process of setupugc.exe at the caller's integrity level. Only the Path value is required; Description and Order are optional. + Description: Write an arbitrary command to the UnattendSettings registry key and trigger execution via setupugc.exe. Usecase: Execute arbitrary commands through a Microsoft-signed binary, proxy process parentage Category: Execute Privileges: Administrator MitreID: T1218 OperatingSystem: Windows 10, Windows 11, Windows Server 2025 - Command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\1" /v Path /d "{COMMAND}" /f && setupugc.exe auditUser - Description: Same technique using the auditUser pass name instead of specialize. Both pass names trigger command execution; oobeSystem and auditSystem do not. + Description: Same technique using the auditUser pass name instead of specialize. Usecase: Execute arbitrary commands through a Microsoft-signed binary Category: Execute Privileges: Administrator 
@@ -21,32 +20,12 @@ Commands: Full_Path: - Path: C:\Windows\System32\setupugc.exe Detection: - - IOC: setupugc.exe spawning child processes outside of Windows Setup context. Legitimate parent is setuphost.exe or Windows setup infrastructure. - - IOC: Registry writes to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\ on a deployed system (post-OOBE). - - IOC: C:\Windows\Panther\commandexec\ directory or commandexec.*.spl spool files on a production system. + - IOC: setupugc.exe spawning child processes outside of Windows Setup context. Legitimate parents are setuphost.exe or setup.exe. + - IOC: Registry writes to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\ on a deployed system. + - IOC: Presence of C:\Windows\Panther\commandexec\ directory or commandexec.*.spl spool files on a production system. - IOC: Registry value CommandExecInProgress (DWORD 0x1) under HKLM\...\UnattendSettings\Setup-Unattend-Settings-Status created by a non-setup process. - - Sigma: | - title: Suspicious setupugc.exe Child Process - status: experimental - description: Detects setupugc.exe spawning child processes outside of Windows Setup context. - logsource: - product: windows - category: process_creation - detection: - selection: - ParentImage|endswith: '\setupugc.exe' - filter_legitimate: - ParentParentImage|endswith: - - '\setuphost.exe' - - '\setup.exe' - condition: selection and not filter_legitimate - level: high - tags: - - attack.defense_evasion - - attack.execution - - attack.t1218 Resources: - Link: https://strontic.github.io/xcyclopedia/library/setupugc.exe-3CFE082E8656AD66B5B9FFEB28CF4EC3.html Acknowledgement: - Person: Ang Kar Min - Handle: karminang + Handle: '@karminang' From b423d210c5f0758160cdcdafae004e77da0f7e51 Mon Sep 17 00:00:00 2001 
From: karminang Date: Sun, 19 Apr 2026 18:28:35 +0100 Subject: [PATCH 03/12] Update setupupc.yml --- yml/OSBinaries/setupupc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/setupupc.yml b/yml/OSBinaries/setupupc.yml index 02623ebb..0c896982 100644 --- a/yml/OSBinaries/setupupc.yml +++ b/yml/OSBinaries/setupupc.yml @@ -4,7 +4,7 @@ Author: Ang Kar Min Created: 2026-04-20 Commands: - Command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\1" /v Path /d "{COMMAND}" /f && setupugc.exe specialize - Description: Write an arbitrary command to the UnattendSettings registry key and trigger execution via setupugc.exe. + Description: Write an arbitrary command to the UnattendSettings registry key and trigger execution via setupugc.exe. The command runs as a child process of setupugc.exe at the caller's integrity level. Only the Path value is required; Description and Order are optional. Usecase: Execute arbitrary commands through a Microsoft-signed binary, proxy process parentage Category: Execute Privileges: Administrator From 5f82e08f67a7880099bf82176bf3ed15ef92cfa7 Mon Sep 17 00:00:00 2001 From: karminang Date: Sun, 19 Apr 2026 18:28:56 +0100 Subject: [PATCH 04/12] Update setupupc.yml --- yml/OSBinaries/setupupc.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/OSBinaries/setupupc.yml b/yml/OSBinaries/setupupc.yml index 0c896982..ccbf2b5b 100644 --- a/yml/OSBinaries/setupupc.yml +++ b/yml/OSBinaries/setupupc.yml @@ -1,3 +1,4 @@ +--- Name: setupugc.exe Description: Setup Unattend Generic Command Processor used during Windows deployment Author: Ang Kar Min From fbd6641d11a07d7cc01ff8f153e223c396e628d5 Mon Sep 17 00:00:00 2001 From: karminang Date: Sun, 19 Apr 2026 18:29:44 +0100 Subject: [PATCH 05/12] Update setupupc.yml From ec03cf664cc6ac720d6a634e01b770f800aea3cc Mon Sep 17 00:00:00 2001 
From: karminang Date: Mon, 20 Apr 2026 14:33:35 +0100 Subject: [PATCH 06/12] Create xpsrchvw.yml Contribute to the LOLBAS project by submitting a new Microsoft-signed binary: xpsrchvw.exe (Windows XPS Viewer). xpsrchvw.exe is vulnerable to DLL search order hijacking. When copied from C:\Windows\System32\ to a user-writable directory and executed, it resolves DLLs from its application directory before falling back to System32. Placing a malicious WINMM.dll in the same directory as the copied binary causes it to be loaded and executed under the context of the Microsoft-signed process, allowing an attacker to proxy code execution and mask process parentage. This technique requires only User-level privileges and abuses legitimate Windows DLL resolution behaviour (MITRE T1574.001). A proof-of-concept demonstrating DLL construction for this sideload is available at: https://github.com/karminang/poc/blob/main/x64-sideload-DLL-WINMM.py --- yml/OtherMSBinaries/xpsrchvw.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 yml/OtherMSBinaries/xpsrchvw.yml diff --git a/yml/OtherMSBinaries/xpsrchvw.yml b/yml/OtherMSBinaries/xpsrchvw.yml new file mode 100644 index 00000000..3d7849d4 --- /dev/null +++ b/yml/OtherMSBinaries/xpsrchvw.yml 
@@ -0,0 +1,25 @@ +--- +Name: xpsrchvw.exe +Description: Windows XPS Viewer, a Microsoft-signed binary for viewing XPS documents +Author: Ang Kar Min +Created: 2026-04-20 +Commands: + - Command: copy C:\Windows\System32\xpsrchvw.exe C:\Users\Public\xpsrchvw.exe && copy WINMM.dll C:\Users\Public\WINMM.dll && C:\Users\Public\xpsrchvw.exe + Description: Copy xpsrchvw.exe to a user-writable directory alongside a malicious WINMM.dll. When executed, the binary resolves DLLs from its application directory before System32, loading the attacker-controlled DLL under the context of the Microsoft-signed binary. + Usecase: Execute arbitrary code via DLL search order hijacking through a Microsoft-signed binary, proxy process parentage + Category: Execute + Privileges: User + MitreID: T1574.001 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Windows\System32\xpsrchvw.exe +Detection: + - IOC: xpsrchvw.exe executing from a non-standard path outside C:\Windows\System32\. + - IOC: xpsrchvw.exe loading WINMM.dll or other DLLs from its own application directory rather than System32. + - IOC: Child processes spawned by xpsrchvw.exe outside of normal XPS document viewing context. + - IOC: Presence of WINMM.dll or other hijackable DLL names in user-writable directories alongside a copy of xpsrchvw.exe. +Resources: + - Link: https://github.com/karminang/poc/blob/main/x64-sideload-DLL-WINMM.py +Acknowledgement: + - Person: Ang Kar Min + Handle: '@karminang' From 19585a9cfc221319cb5e180b7aa8709e0bb61692 Mon Sep 17 00:00:00 2001 From: Wietze Date: Mon, 15 Jun 2026 23:11:52 +0100 Subject: [PATCH 07/12] Delete yml/OtherMSBinaries/xpsrchvw.yml --- yml/OtherMSBinaries/xpsrchvw.yml | 25 ------------------------- 1 file changed, 25 deletions(-) delete mode 100644 yml/OtherMSBinaries/xpsrchvw.yml diff --git a/yml/OtherMSBinaries/xpsrchvw.yml b/yml/OtherMSBinaries/xpsrchvw.yml deleted file mode 100644 index 3d7849d4..00000000 --- a/yml/OtherMSBinaries/xpsrchvw.yml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -Name: xpsrchvw.exe -Description: Windows XPS Viewer, a Microsoft-signed binary for viewing XPS documents -Author: Ang Kar Min -Created: 2026-04-20 -Commands: - - Command: copy C:\Windows\System32\xpsrchvw.exe C:\Users\Public\xpsrchvw.exe && copy WINMM.dll C:\Users\Public\WINMM.dll && C:\Users\Public\xpsrchvw.exe - Description: Copy xpsrchvw.exe to a user-writable directory alongside a malicious WINMM.dll. When executed, the binary resolves DLLs from its application directory before System32, loading the attacker-controlled DLL under the context of the Microsoft-signed binary. - Usecase: Execute arbitrary code via DLL search order hijacking through a Microsoft-signed binary, proxy process parentage - Category: Execute - Privileges: User - MitreID: T1574.001 - OperatingSystem: Windows 10, Windows 11 -Full_Path: - - Path: C:\Windows\System32\xpsrchvw.exe -Detection: - - IOC: xpsrchvw.exe executing from a non-standard path outside C:\Windows\System32\. - - IOC: xpsrchvw.exe loading WINMM.dll or other DLLs from its own application directory rather than System32. - - IOC: Child processes spawned by xpsrchvw.exe outside of normal XPS document viewing context. - - IOC: Presence of WINMM.dll or other hijackable DLL names in user-writable directories alongside a copy of xpsrchvw.exe. -Resources: - - Link: https://github.com/karminang/poc/blob/main/x64-sideload-DLL-WINMM.py -Acknowledgement: - - Person: Ang Kar Min - Handle: '@karminang' From 4ccae933f9e09c64568a2175ad10ea3ba83f0127 Mon Sep 17 00:00:00 2001 From: Wietze Date: Mon, 15 Jun 2026 23:25:05 +0100 Subject: [PATCH 08/12] Refactor setupupc.yml commands for clarity Updated commands for setupugc.exe with detailed descriptions and use cases. --- yml/OSBinaries/setupupc.yml | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/yml/OSBinaries/setupupc.yml b/yml/OSBinaries/setupupc.yml index ccbf2b5b..2e51d348 100644 --- a/yml/OSBinaries/setupupc.yml 
+++ b/yml/OSBinaries/setupupc.yml 
@@ -4,27 +4,33 @@ Description: Setup Unattend Generic Command Processor used during Windows deploy Author: Ang Kar Min Created: 2026-04-20 Commands: - - Command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\1" /v Path /d "{COMMAND}" /f && setupugc.exe specialize - Description: Write an arbitrary command to the UnattendSettings registry key and trigger execution via setupugc.exe. The command runs as a child process of setupugc.exe at the caller's integrity level. Only the Path value is required; Description and Order are optional. - Usecase: Execute arbitrary commands through a Microsoft-signed binary, proxy process parentage + - Command: setupugc.exe specialize + Description: | + By first setting a command to a specific `Setup-Unattend-Settings` registry key, e.g.: + + ``` + reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\1" /v Path /d "{CMD}" /f + ``` + + Executing the following will cause it to execute the command. + Usecase: Execute binary through legitimate proxy Category: Execute Privileges: Administrator MitreID: T1218 OperatingSystem: Windows 10, Windows 11, Windows Server 2025 - - Command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\1" /v Path /d "{COMMAND}" /f && setupugc.exe auditUser - Description: Same technique using the auditUser pass name instead of specialize. - Usecase: Execute arbitrary commands through a Microsoft-signed binary + - Command: setupugc.exe auditUser + Description: Same technique as above, but using the `auditUser` command-line option. 
+ Usecase: Execute binary through legitimate proxy Category: Execute Privileges: Administrator MitreID: T1218 OperatingSystem: Windows 10, Windows 11, Windows Server 2025 Full_Path: - Path: C:\Windows\System32\setupugc.exe + - Path: C:\Windows\SysWOW64\setupugc.exe Detection: - - IOC: setupugc.exe spawning child processes outside of Windows Setup context. Legitimate parents are setuphost.exe or setup.exe. - - IOC: Registry writes to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\ on a deployed system. - - IOC: Presence of C:\Windows\Panther\commandexec\ directory or commandexec.*.spl spool files on a production system. - - IOC: Registry value CommandExecInProgress (DWORD 0x1) under HKLM\...\UnattendSettings\Setup-Unattend-Settings-Status created by a non-setup process. + - IOC: "`setupugc.exe` spawning child processes outside of Windows Setup context. Legitimate parents are `setuphost.exe` or `setup.exe`." + - IOC: Registry writes to `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\` on a deployed system. Resources: - Link: https://strontic.github.io/xcyclopedia/library/setupugc.exe-3CFE082E8656AD66B5B9FFEB28CF4EC3.html Acknowledgement: From 63b927e29b35b71fe05c49495f7b1d7252f3626e Mon Sep 17 00:00:00 2001 From: Wietze Date: Mon, 15 Jun 2026 23:29:35 +0100 Subject: [PATCH 09/12] Update setupupc.yml --- yml/OSBinaries/setupupc.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yml/OSBinaries/setupupc.yml b/yml/OSBinaries/setupupc.yml index 2e51d348..95ff5167 100644 --- a/yml/OSBinaries/setupupc.yml +++ b/yml/OSBinaries/setupupc.yml 
@@ -1,12 +1,12 @@ --- Name: setupugc.exe -Description: Setup Unattend Generic Command Processor used during Windows deployment +Description: Setup Unattend Generic Command Processor used during Windows deployment. Author: Ang Kar Min Created: 2026-04-20 Commands: - Command: setupugc.exe specialize - Description: | - By first setting a command to a specific `Setup-Unattend-Settings` registry key, e.g.: + Description: | + By first setting a command to a specific registry under `Setup-Unattend-Settings`, e.g. via: ``` reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\1" /v Path /d "{CMD}" /f From d5b882e15e44c33637297cc38d592f8609bb9f1b Mon Sep 17 00:00:00 2001 From: Wietze Date: Mon, 15 Jun 2026 23:33:23 +0100 Subject: [PATCH 10/12] Update setupupc.yml --- yml/OSBinaries/setupupc.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/yml/OSBinaries/setupupc.yml b/yml/OSBinaries/setupupc.yml index 95ff5167..3e7bff20 100644 --- a/yml/OSBinaries/setupupc.yml +++ b/yml/OSBinaries/setupupc.yml @@ -6,13 +6,7 @@ Created: 2026-04-20 Commands: - Command: setupugc.exe specialize Description: | - By first setting a command to a specific registry under `Setup-Unattend-Settings`, e.g. via: - - ``` - reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\1" /v Path /d "{CMD}" /f - ``` - - Executing the following will cause it to execute the command. + By first setting a command to a specific registry under `Setup-Unattend-Settings`, e.g. via: ```reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\1" /v Path /d "{CMD}" /f```, executing the following will cause it to execute the command. Usecase: Execute binary through legitimate proxy Category: Execute Privileges: Administrator From 4d87ec0bd32e398d5068a76dc0112093f725599c Mon Sep 17 00:00:00 2001 
From: Wietze Date: Mon, 15 Jun 2026 23:36:39 +0100 Subject: [PATCH 11/12] Refine command description in setupupc.yml Updated command description formatting for clarity. --- yml/OSBinaries/setupupc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/setupupc.yml b/yml/OSBinaries/setupupc.yml index 3e7bff20..8d43630e 100644 --- a/yml/OSBinaries/setupupc.yml +++ b/yml/OSBinaries/setupupc.yml @@ -6,7 +6,7 @@ Created: 2026-04-20 Commands: - Command: setupugc.exe specialize Description: | - By first setting a command to a specific registry under `Setup-Unattend-Settings`, e.g. via: ```reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\1" /v Path /d "{CMD}" /f```, executing the following will cause it to execute the command. + By first setting a command to a specific registry under `Setup-Unattend-Settings`, e.g. via: `reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\1" /v Path /d "{CMD}" /f`, executing the following will cause it to execute the command. Usecase: Execute binary through legitimate proxy Category: Execute Privileges: Administrator From 33815cce92e3b8e0aeef55e242bee56e4a574ab4 Mon Sep 17 00:00:00 2001 From: Wietze Date: Mon, 15 Jun 2026 23:38:17 +0100 Subject: [PATCH 12/12] Update setupupc.yml --- yml/OSBinaries/setupupc.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/OSBinaries/setupupc.yml b/yml/OSBinaries/setupupc.yml index 8d43630e..84ccf10c 100644 --- a/yml/OSBinaries/setupupc.yml +++ b/yml/OSBinaries/setupupc.yml @@ -12,6 +12,9 @@ Commands: Privileges: Administrator MitreID: T1218 OperatingSystem: Windows 10, Windows 11, Windows Server 2025 + Tags: + - Execute: CMD + - Requires: Registry Change - Command: setupugc.exe auditUser Description: Same technique as above, but using the `auditUser` command-line option. Usecase: Execute binary through legitimate proxy 
@@ -19,6 +22,9 @@ Commands: Privileges: Administrator MitreID: T1218 OperatingSystem: Windows 10, Windows 11, Windows Server 2025 + Tags: + - Execute: CMD + - Requires: Registry Change Full_Path: - Path: C:\Windows\System32\setupugc.exe - Path: C:\Windows\SysWOW64\setupugc.exe
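Review bot: The file is created as `yml/OSBinaries/setupupc.yml` (`create mode 100644 yml/OSBinaries/setupupc.yml`, patch 01/12) while the entry's `Name: setupugc.exe`, both `Command:` lines and `Full_Path:` all refer to `setupugc.exe`; rename the file to `setupugc.yml` so the filename matches the binary it documents. The typo is carried unchanged through every later patch in the series, including the maintainer's refactors, and the commit subjects repeat it ("Create setupupc.yml", "Update setupupc.yml").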
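Review bot: The inline Sigma rule under `Detection:` in hunk `@@ -0,0 +1,52 @@` of patch 01/12 builds its exclusion on `ParentParentImage|endswith:`, which is not a field in the standard Sigma `process_creation` taxonomy (Sysmon Event ID 1 and Windows 4688 record only the direct parent), so a backend that does not know the field either rejects the rule or never matches `filter_legitimate`, and `condition: selection and not filter_legitimate` collapses to `selection`, firing on every child of `setupugc.exe` during a genuine setup pass as well. Express the exclusion in fields the taxonomy provides, or drop `filter_legitimate` and scope the rule to deployed systems instead, which is what the second IOC line ("on a deployed system (post-OOBE)") already does for the registry write. The `Handle: karminang` line also lacks the `@` prefix that patch 02/12 later adds.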
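Review bot: Hunk `@@ -1,18 +1,17 @@` of patch 02/12 deletes the `---` YAML document marker together with the sentences "The command runs as a child process of setupugc.exe at the caller's integrity level. Only the Path value is required; Description and Order are optional." and "Both pass names trigger command execution; oobeSystem and auditSystem do not.", yet patch 03/12 restores the first description, patch 04/12 restores the `---`, and patch 05/12 ("Update setupupc.yml") carries no diff at all. Squash 02 through 05 into one commit containing only the change that actually survives (`Handle: '@karminang'`), and keep the `oobeSystem`/`auditSystem` negative result somewhere in the entry, since it tells a defender which pass-name command lines do not lead to execution and so need not be alerted on.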
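Review bot: Hunk `@@ -21,32 +20,12 @@` of patch 02/12 removes the entire Sigma rule rather than fixing it, leaving `Detection:` with free-text IOCs only, and the commit message "Update setupupc.yml" does not say why. If the rule was dropped because `ParentParentImage` is not a usable field, replace it with a rule on fields that are, or move it to a standalone Sigma file and reference it from `Detection:`; the registry IOC that survives this hunk (`Registry writes to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\ on a deployed system`) is the higher-fidelity signal anyway, since the entry itself requires Administrator to write under HKLM, and it is the natural subject for a `registry_set` rule.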
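Review bot: The `Command:` in hunk `@@ -0,0 +1,25 @@` of patch 06/12 (`copy WINMM.dll C:\Users\Public\WINMM.dll`) copies a `WINMM.dll` from the current directory, and nothing in the entry states which `WINMM` imports `xpsrchvw.exe` actually resolves, so a reader cannot confirm the second IOC (`xpsrchvw.exe loading WINMM.dll or other DLLs from its own application directory`) without running the linked PoC generator, which is also the only item under `Resources:`. The maintainer deletes the whole file in patch 07/12, so 06 and 07 cancel out and should both be dropped from the series rather than merged as a create-then-delete pair; if the entry is resubmitted elsewhere, the first IOC (`xpsrchvw.exe executing from a non-standard path outside C:\Windows\System32\`) is the one worth keeping, as it does not depend on the DLL name.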
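Review bot: Hunk `@@ -4,27 +4,33 @@` of patch 08/12 drops two IOCs (`C:\Windows\Panther\commandexec\` with its `commandexec.*.spl` spool files, and the `CommandExecInProgress` DWORD under `Setup-Unattend-Settings-Status`) without the commit message ("Refactor setupupc.yml commands for clarity") saying whether they were removed as unverified or as out of scope; if the submitter confirmed them they are the only file-system and status artefacts in the entry beyond the `RunSynchronous` write itself, so either keep them or record the reason for dropping them. The new `Description: |` block also reads "Executing the following will cause it to execute the command" while the `Command:` it refers to now sits above the description, so "the following" points at nothing; "running `setupugc.exe specialize` then causes it to execute the command" reads correctly in the rendered entry.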
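Review bot: "By first setting a command to a specific registry under `Setup-Unattend-Settings`" in hunk `@@ -1,12 +1,12 @@` of patch 09/12 is missing its noun; the `reg add` that follows writes the `Path` value of a `RunSynchronous\1` subkey, so "to the `Path` value of a `RunSynchronous` subkey under `Setup-Unattend-Settings`" is what the text means. The wording is copied unchanged into patches 10/12 and 11/12, so fix it once here.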
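Review bot: Hunk `@@ -6,13 +6,7 @@` of patch 10/12 collapses the block scalar into a single line and wraps the `reg add` example in inline triple backticks, which patch 11/12 immediately replaces with single backticks; squash 10 and 11 (and the indentation-only change in 09) into one commit so the history records the final wording rather than the intermediate formatting.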
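Review bot: The new `Tags:` in hunk `@@ -12,6 +12,9 @@` of patch 12/12 declare `Requires: Registry Change`, but the second entry's `Command:` is the bare `setupugc.exe auditUser` and its `Description:` only says "Same technique as above", so anyone reaching that entry on its own (the second hunk `@@ -19,6 +22,9 @@` marks it as requiring a registry change too) has no statement of which key must be written; repeat the `RunSynchronous\1` `Path` prerequisite in the `auditUser` description, or merge both pass names into one entry.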