Commit 9218c41

1 parent 369f1ab commit 9218c41

2 files changed

+52
-0
lines changed

_lolbas/Binaries/Eudcedit.md

Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
---
2+
Name: Eudcedit.exe
3+
Description: Private Character Editor Windows Utility
4+
Author: Matan Bahar
5+
Created: 2025-08-07
6+
Commands:
7+
- Command: eudcedit
8+
Description: Once executed, the Private Charecter Editor will be opened - click OK, then click File -> Font Links. In the next window choose the option "Link with Selected Fonts" and click on Save As, then in the opened enter the command you want to execute.
9+
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
10+
Category: UAC Bypass
11+
Privileges: Administrator
12+
MitreID: T1548.002
13+
OperatingSystem: Windows 10, Windows 11
14+
Tags:
15+
- Execute: CMD
16+
- Application: GUI
17+
Full_Path:
18+
- Path: c:\windows\system32\eudcedit.exe
19+
- Path: c:\windows\syswow64\eudcedit.exe
20+
Detection:
21+
- IOC: Processes spawned by eudcedit.exe.
22+
Resources:
23+
- Link: https://medium.com/@matanb707/windows-fonts-exploitation-in-2025-bypassing-uac-with-eudcedit-915599705639
24+
Acknowledgement:
25+
- Person: Matan Bahar
26+
Handle: '@Bl4ckShad3'
27+
---
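
Review bot: The Description on line 8 misspells "Character" as "Charecter", and "then in the opened enter the command you want to execute" is missing its noun, so a reader cannot tell which window or field receives the command; please name it explicitly. The single IOC on line 21, "Processes spawned by eudcedit.exe.", would also be more useful to defenders if it stated what the Usecase already says, namely that the child process runs at high integrity without a UAC prompt.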

_lolbas/Binaries/Reset.md

Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
---
2+
Name: Reset.exe
3+
Description: Remote Desktop Services Reset Utility
4+
Author: Matan Bahar
5+
Created: 2025-07-31
6+
Commands:
7+
- Command: reset.exe session
8+
Description: Once executed, `reset.exe` will execute `rwinsta.exe` in the same folder. Thus, if `reset.exe` is copied to a folder and an arbitrary executable is renamed to `rwinsta.exe`, `reset.exe` will spawn it.
9+
Usecase: Execute an arbitrary executable via trusted system executable.
10+
Category: Execute
11+
Privileges: User
12+
MitreID: T1218
13+
OperatingSystem: Windows 10, Windows 11
14+
Tags:
15+
- Execute: EXE
16+
- Requires: Rename
17+
Full_Path:
18+
- Path: c:\windows\system32\reset.exe
19+
- Path: c:\windows\syswow64\reset.exe
20+
Detection:
21+
- IOC: reset.exe being executed and executes rwinsta.exe outside of its normal path of c:\windows\system32\ or c:\windows\syswow64\
22+
Acknowledgement:
23+
- Person: Matan Bahar
24+
Handle: '@Bl4ckShad3'
25+
---
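
Review bot: The IOC on line 21 is ambiguous about which binary is outside its normal path: "reset.exe being executed and executes rwinsta.exe outside of its normal path" can be read as applying to reset.exe, to rwinsta.exe, or to both. Since the Description on line 8 has both files sitting in the same non-system folder, consider splitting this into two IOC entries, one for reset.exe running from outside c:\windows\system32\ or c:\windows\syswow64\ and one for rwinsta.exe spawned by reset.exe from outside those paths. This entry also has no Resources block, unlike Eudcedit.md in the same commit; add a reference if one exists.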
