.. / OfflineScannerShell.exe
Star

Execute

Windows Defender Offline Shell

Paths:

C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe

Acknowledgements:

Elliot Killick (@elliotkillick)

Detection:

Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
IOC: OfflineScannerShell.exe should not be run on a normal workstation

Execute

Execute mpclient.dll library in the current working directory

OfflineScannerShell

Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Privileges required: Administrator
OS: Windows 10
MITRE ATT&CK®: T1218

.. / OfflineScannerShell.exe Star

Execute

.. / OfflineScannerShell.exe
Star