.. /Change.exe

Star

Paths:

• c:\windows\system32\change.exe
• c:\windows\syswow64\change.exe

Acknowledgements:

• Idan Lerman (@IdanLerman)

Detections:

• IOC: change.exe being executed and executes a child process outside of its normal path of c:\windows\system32\ or c:\windows\syswow64\

Execute

1. Once executed, `change.exe` will execute `chgusr.exe` in the same folder. Thus, if `change.exe` is copied to a folder and an arbitrary executable is renamed to `chgusr.exe`, `change.exe` will spawn it. Instead of `user`, it is also possible to use `port` or `logon` as command-line option.

   change.exe user

   Use case

   Execute an arbitrary executable via trusted system executable.

   Privileges required

   User

   Operating systems

   Windows 10, Windows 11

   ATT&CK® technique

   T1218

   Tags

   Execute: EXE

   Requires: Rename