From 93471ba38969d9f4418ad7ec5dc61625d609fc70 Mon Sep 17 00:00:00 2001 From: Liran Ravich <61919718+Liran017@users.noreply.github.com> Date: Mon, 5 Jan 2026 11:42:59 +0200 Subject: [PATCH 1/7] Added UevAppMonitor.yml --- yml/OSBinaries/UevAppMonitor.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 yml/OSBinaries/UevAppMonitor.yml diff --git a/yml/OSBinaries/UevAppMonitor.yml b/yml/OSBinaries/UevAppMonitor.yml new file mode 100644 index 00000000..7433e962 --- /dev/null +++ b/yml/OSBinaries/UevAppMonitor.yml @@ -0,0 +1,21 @@ +--- +Name: UevAppMonitor.exe +Description: Microsoft User Experience Virtualization (UE-V) App Monitor +Author: Liran Ravich +Created: 2026-01-05 +Commands: + - Command: UevAppMonitor.exe + Description: By using a custom config file (UevAppMonitor.exe.config), a malicious DLL can be loaded and the `` flag can be set to false to prevent auditing. + Usecase: Snapshoting of Active Directory NTDS.dit database + Category: Execute + Privileges: User + MitreID: T1574.001, T1562.002 + OperatingSystem: Windows 11, Windows 10, Windows Server +Full_Path: + - Path: C:\Windows\System32\UevAppMonitor.exe +Detection: + - IOC: Unusual modification to UevAppMonitor.exe.config + - IOC: UevAppMonitor.exe executed from unusual path + - IOC: UevAppMonitor.exe executed by unusual parent process (commonly spawned by `svchost.exe -k netsvcs -p -s Schedule`) +Resources: + - Link: https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/ From 74e21b01f470a3cffd659a53023cc15a8d2bafda Mon Sep 17 00:00:00 2001 From: Liran Ravich <61919718+Liran017@users.noreply.github.com> Date: Mon, 5 Jan 2026 11:48:08 +0200 Subject: [PATCH 2/7] Format MitreID and add new resource link --- yml/OSBinaries/UevAppMonitor.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/yml/OSBinaries/UevAppMonitor.yml b/yml/OSBinaries/UevAppMonitor.yml index 7433e962..a00b16d7 100644 
--- a/yml/OSBinaries/UevAppMonitor.yml +++ b/yml/OSBinaries/UevAppMonitor.yml @@ -9,7 +9,9 @@ Commands: Usecase: Snapshoting of Active Directory NTDS.dit database Category: Execute Privileges: User - MitreID: T1574.001, T1562.002 + MitreID: + - T1574.001 + - T1562.002 OperatingSystem: Windows 11, Windows 10, Windows Server Full_Path: - Path: C:\Windows\System32\UevAppMonitor.exe @@ -19,3 +21,4 @@ Detection: - IOC: UevAppMonitor.exe executed by unusual parent process (commonly spawned by `svchost.exe -k netsvcs -p -s Schedule`) Resources: - Link: https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/ + - Link: https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/runtime/etwenable-element From 6ecdec097915488f2af1ad2de8591df5725993b5 Mon Sep 17 00:00:00 2001 From: Liran Ravich <61919718+Liran017@users.noreply.github.com> Date: Mon, 5 Jan 2026 11:49:38 +0200 Subject: [PATCH 3/7] Update UevAppMonitor.yml From 7b4999d6581795f2ff35100b91ba2e982f78d045 Mon Sep 17 00:00:00 2001 From: Liran Ravich <61919718+Liran017@users.noreply.github.com> Date: Mon, 5 Jan 2026 11:49:56 +0200 Subject: [PATCH 4/7] Fix indentation for MitreID in UevAppMonitor.yml --- yml/OSBinaries/UevAppMonitor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/UevAppMonitor.yml b/yml/OSBinaries/UevAppMonitor.yml index a00b16d7..bb9d2f5a 100644 --- a/yml/OSBinaries/UevAppMonitor.yml +++ b/yml/OSBinaries/UevAppMonitor.yml @@ -9,7 +9,7 @@ Commands: Usecase: Snapshoting of Active Directory NTDS.dit database Category: Execute Privileges: User - MitreID: + MitreID: - T1574.001 - T1562.002 OperatingSystem: Windows 11, Windows 10, Windows Server From 13394db72b9be5ce5be83ab1884d1c6f4bffc700 Mon Sep 17 00:00:00 2001 
From: Liran Ravich <61919718+Liran017@users.noreply.github.com> Date: Mon, 5 Jan 2026 11:52:17 +0200 Subject: [PATCH 5/7] Refactor MitreID format and update links in YAML --- yml/OSBinaries/UevAppMonitor.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/yml/OSBinaries/UevAppMonitor.yml b/yml/OSBinaries/UevAppMonitor.yml index bb9d2f5a..6d592908 100644 --- a/yml/OSBinaries/UevAppMonitor.yml +++ b/yml/OSBinaries/UevAppMonitor.yml @@ -9,9 +9,7 @@ Commands: Usecase: Snapshoting of Active Directory NTDS.dit database Category: Execute Privileges: User - MitreID: - - T1574.001 - - T1562.002 + MitreID: [T1574.001, T1562.002] OperatingSystem: Windows 11, Windows 10, Windows Server Full_Path: - Path: C:\Windows\System32\UevAppMonitor.exe From a96a93ecee2f24830e9d75cec025d0e853879384 Mon Sep 17 00:00:00 2001 From: Liran Ravich <61919718+Liran017@users.noreply.github.com> Date: Mon, 5 Jan 2026 11:53:17 +0200 Subject: [PATCH 6/7] Fix MitreID formatting in UevAppMonitor.yml --- yml/OSBinaries/UevAppMonitor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/UevAppMonitor.yml b/yml/OSBinaries/UevAppMonitor.yml index 6d592908..39ce69c4 100644 --- a/yml/OSBinaries/UevAppMonitor.yml +++ b/yml/OSBinaries/UevAppMonitor.yml @@ -9,7 +9,7 @@ Commands: Usecase: Snapshoting of Active Directory NTDS.dit database Category: Execute Privileges: User - MitreID: [T1574.001, T1562.002] + MitreID: T1574.001, T1562.002 OperatingSystem: Windows 11, Windows 10, Windows Server Full_Path: - Path: C:\Windows\System32\UevAppMonitor.exe From 20f9aae7a125137b9badeba50c0e3f1ce6d3869e Mon Sep 17 00:00:00 2001 From: Liran Ravich <61919718+Liran017@users.noreply.github.com> Date: Mon, 5 Jan 2026 12:49:30 +0200 Subject: [PATCH 7/7] Update UevAppMonitor.yml --- yml/OSBinaries/UevAppMonitor.yml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) 
diff --git a/yml/OSBinaries/UevAppMonitor.yml b/yml/OSBinaries/UevAppMonitor.yml index 39ce69c4..5b56f2b1 100644 --- a/yml/OSBinaries/UevAppMonitor.yml +++ b/yml/OSBinaries/UevAppMonitor.yml @@ -5,11 +5,18 @@ Author: Liran Ravich Created: 2026-01-05 Commands: - Command: UevAppMonitor.exe - Description: By using a custom config file (UevAppMonitor.exe.config), a malicious DLL can be loaded and the `` flag can be set to false to prevent auditing. - Usecase: Snapshoting of Active Directory NTDS.dit database + Description: By using a custom config file (UevAppMonitor.exe.config), a malicious DLL can be loaded + Usecase: Execute a malicious DLL Category: Execute Privileges: User - MitreID: T1574.001, T1562.002 + MitreID: T1574.001 + OperatingSystem: Windows 11, Windows 10, Windows Server + - Command: UevAppMonitor.exe + Description: The `` flag can be set to false to prevent auditing + Usecase: Preventing event tracing when executing the process + Category: Execute + Privileges: User + MitreID: T1562.002 OperatingSystem: Windows 11, Windows 10, Windows Server Full_Path: - Path: C:\Windows\System32\UevAppMonitor.exe
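Review bot: the Description in the PATCH 1 hunk contains an empty code span ("the `` flag can be set to false"), so the reader cannot tell which config element is meant; spell the element name out. In the same hunk the Usecase "Snapshoting of Active Directory NTDS.dit database" (also misspelt, "Snapshotting") describes neither behaviour in the Description (DLL loading via UevAppMonitor.exe.config, and disabling auditing), so it should be replaced with the use the Description actually covers. MitreID is a comma-separated scalar here; confirm that is the form the repository's YAML schema expects before the series keeps reformatting it.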
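Review bot: the resource added in the PATCH 2 hunk points at the .NET etwEnable runtime element documentation, which is evidently the element that the Description's empty backticks were meant to name; name it in the Description so the text and the link agree and a defender can search for the exact setting. The hunk also converts MitreID into a YAML block list; pick one representation and leave it, since the field is the same two technique IDs either way.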
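Review bot: the MitreID field is rewritten in the PATCH 2, 4, 5 and 6 hunks (comma string, block list, indentation fix, flow list, back to the comma string) and ends at exactly the value PATCH 1 introduced, while PATCH 3 carries no diff at all; squash the series to a single commit and keep whichever form the project's schema validates. In the PATCH 4 hunk the "- MitreID:" and "+ MitreID:" lines are visually identical, so the change is trailing whitespace; that is better caught by a YAML linter in CI than by a manual commit.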
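Review bot: splitting the entry into two Commands in the PATCH 7 hunk fixes the mismatched Usecase, but the second entry still reads "The `` flag can be set to false" with the element name missing, and the first Description lost its terminating period. The second entry covers suppression of event tracing (T1562.002), which is defense evasion rather than execution, yet is filed under Category: Execute; if the project's category list includes a tampering category, that is the better fit. Both entries keep Command as the bare "UevAppMonitor.exe" even though the behaviour is driven entirely by UevAppMonitor.exe.config beside the binary; stating that in the Description ties the entry to the existing "Unusual modification to UevAppMonitor.exe.config" IOC so a detection engineer knows the config file, not the command line, is what to monitor.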