choice.exe

File Path: C:\windows\system32\choice.exe
Description: Offers the user a choice

Hashes

Type	Hash
MD5	`5078D50A9D570C72E95D4CD689F28879`
SHA1	`64BD5EF35ABF5E808A913664243918DBF7CF6368`
SHA256	`A0AC4AD10A633E0FEAB5D674818043FE2EAB7814FDB6BE67F0CE84CDBAD46A6B`
SHA384	`296FFECCC6196428A1D492A89C8461D4FD3EDEB2B9B4D1CF157269B02314D070FEF06F0DB386651AFFCD41AD7B45BACE`
SHA512	`59B338F13BB8D634DA04D46540139F2A0B451A675F4BBEA65EDD8D690C80072C9CE5E322863D12ABD2FF053CA4E6EFDF34C368D2CA9D0EF33E79CA1808B1F3B7`
SSDEEP	`768:YrfGlB2JS5YQDvL/HyHegHUaquMHFFxYqLHv4T0FhoN5NxLWnd:YrfYB0mYQ7LfyRay2PBoZxynd`

Signature

Status: The file C:\windows\system32\choice.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
Serial: ``
Thumbprint: ``
Issuer:
Subject:

File Metadata

Original Filename: choice.exe.mui
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
Product Version: 6.3.9600.16384
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of choice.exe being misused. While choice.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	edr_command_execution_by_office_applications.yml	`#useful_information: Add more office applications to the rule logic of choice`	DRL 1.0
sigma	file_event_win_script_creation_by_office_using_file_ext.yml	`description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.`	DRL 1.0
sigma	file_event_win_script_creation_by_office_using_file_ext.yml	`#useful_information: Please add more file extensions to the logic of your choice.`	DRL 1.0
sigma	proc_creation_win_lolbins_by_office_applications.yml	`#useful_information: add more LOLBins to the rules logic of your choice.`	DRL 1.0
sigma	proc_creation_win_lolbins_with_wmiprvse_parent_process.yml	`#useful_information: add more LOLBins to the rules logic of your choice.`	DRL 1.0
sigma	proc_creation_win_office_applications_spawning_wmi_commandline.yml	`#useful_information: Add more office applications to the rule logic of choice`	DRL 1.0
sigma	proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml	`#useful_information: add more LOLBins to the rules logic of your choice.`	DRL 1.0
sigma	proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml	`#useful_information: add more LOLBins to the rules logic of your choice.`	DRL 1.0
sigma	proc_creation_win_office_spawning_wmi_commandline.yml	`#useful_information: Add more office applications to the rule logic of choice`	DRL 1.0
sigma	registry_event_wab_dllpath_reg_change.yml	`title: Execution DLL of Choice Using WAB.EXE`	DRL 1.0
sigma	file_event_executable_and_script_creation_by_office_using_file_ext.yml	`description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.`	DRL 1.0
sigma	file_event_executable_and_script_creation_by_office_using_file_ext.yml	`#useful_information: Please add more file extensions and magic bytes to the logic of your choice.`	DRL 1.0
LOLBAS	Wab.yml	`Description: Change HKLM\Software\Microsoft\WAB\DLLPath and execute DLL of choice`
atomic-red-team	index.md	- Atomic Test #3: Maldoc choice flags command execution [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #3: Maldoc choice flags command execution [windows]	MIT License. © 2018 Red Canary
atomic-red-team	T1204.002.md	- Atomic Test #3 - Maldoc choice flags command execution	MIT License. © 2018 Red Canary
atomic-red-team	T1204.002.md	## Atomic Test #3 - Maldoc choice flags command execution	MIT License. © 2018 Red Canary
atomic-red-team	T1204.002.md	$macrocode = “ a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`”, vbNormalFocus)”	MIT License. © 2018 Red Canary
signature-base	apt_eqgrp_apr17.yar	$x5 = “If one choice fails, you may want to try another.” fullword ascii	CC BY-NC 4.0
signature-base	apt_eqgrp_apr17.yar	$x1 = “[-] Error: Exploit choice not supported for target OS!!” fullword ascii	CC BY-NC 4.0
signature-base	gen_mal_backnet.yar	$s6 = “/C choice /C Y /N /D Y /T 4 & Del” wide	CC BY-NC 4.0
signature-base	gen_webshells.yar	// a good choice is a string with good atom quality = ideally 4 unusual characters next to each other	CC BY-NC 4.0
signature-base	thor-hacktools.yar	$s1 = “if not "%Choice%"=="" set Choice=%Choice:~0,1%” ascii	CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

choice

Prompts the user to select one item from a list of single-character choices in a batch program, and then returns the index of the selected choice. If used without parameters, choice displays the default choices Y and N.

Syntax

choice [/c [<choice1><choice2><â€¦>]] [/n] [/cs] [/t <timeout> /d <choice>] [/m <text>]

Parameters

Parameter	Description
/c `<choice1><choice2><â€¦>`	Specifies the list of choices to be created. Valid choices include a-z, A-Z, 0-9, and extended ASCII characters (128-254). The default list is YN, which is displayed as `[Y,N]?`.
/n	Hides the list of choices, although the choices are still enabled and the message text (if specified by /m) is still displayed.
/cs	Specifies that the choices are case-sensitive. By default, the choices are not case-sensitive.
/t `<timeout>`	Specifies the number of seconds to pause before using the default choice specified by /d. Acceptable values are from 0 to 9999. If /t is set to 0, choice does not pause before returning the default choice.
/d `<choice>`	Specifies the default choice to use after waiting the number of seconds specified by /t. The default choice must be in the list of choices specified by /c.
/m `<text>`	Specifies a message to display before the list of choices. If /m is not specified, only the choice prompt is displayed.
/?	Displays help at the command prompt.

Remarks

The ERRORLEVEL environment variable is set to the index of the key that the user selects from the list of choices. The first choice in the list returns a value of 1, the second a value of 2, and so on. If the user presses a key that is not a valid choice, choice sounds a warning beep.
If choice detects an error condition, it returns an ERRORLEVEL value of 255. If the user presses CTRL+BREAK or CTRL+C, choice returns an ERRORLEVEL value of 0.

[!NOTE] When you use ERRORLEVEL values in a batch program, you must list them in decreasing order.

Examples

To present the choices Y, N, and C, type the following line in a batch file:

choice /c ync

The following prompt appears when the batch file runs the choice command:

[Y,N,C]?

To hide the choices Y, N, and C, but display the text Yes, No, or Continue, type the following line in a batch file:

choice /c ync /n /m "Yes, No, or Continue?"

[!NOTE] If you use the /n parameter, but do not use /m, the user is not prompted when choice is waiting for input.

To show both the text and the options used in the previous examples, type the following line in a batch file:

choice /c ync /m "Yes, No, or Continue"

To set a time limit of five seconds and specify N as the default value, type the following line in a batch file:

choice /c ync /t 5 /d n

[!NOTE] In this example, if the user doesn’t press a key within five seconds, choice selects N by default and returns an error value of 2. Otherwise, choice returns the value corresponding to the user’s choice.

Additional References

Command-Line Syntax Key