.. /Query.exe

Star

Paths:

• c:\windows\system32\query.exe
• c:\windows\syswow64\query.exe

Acknowledgements:

• Idan Lerman (@IdanLerman)

Detections:

• IOC: query.exe being executed and executes a child process outside of its normal path of c:\windows\system32\ or c:\windows\syswow64\

Execute

1. Once executed, query.exe will execute quser.exe in the same folder. Thus, if query.exe is copied to a folder and an arbitrary executable is renamed to quser.exe, query.exe will spawn it. Instead of user, it is also possible to use session, termsession or process as command-line option.

   query.exe user

   Use case

   Execute an arbitrary executable via trusted system executable.

   Privileges required

   User

   Operating systems

   Windows 10, Windows 11

   ATT&CK® technique

   T1218

   Tags

   Execute: EXE

   Requires: Rename