From 57b348fb0377a9bb9e279071621d8a81ec967444 Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Wed, 12 Dec 2018 12:34:59 +0100 Subject: [PATCH] Added AWL Bypass to msdeploy --- yml/OtherMSBinaries/Msdeploy.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/Msdeploy.yml b/yml/OtherMSBinaries/Msdeploy.yml index dd8e2ac..dabf992 100644 --- a/yml/OtherMSBinaries/Msdeploy.yml +++ b/yml/OtherMSBinaries/Msdeploy.yml @@ -11,7 +11,15 @@ Commands: Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 - OperatingSystem: Windows + OperatingSystem: Windows server + - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat" + Description: Launch calc.bat via msdeploy.exe. + Usecase: Local execution of batch file using msdeploy.exe. + Category: AWL bypass + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows server Full_Path: - Path: C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe Code_Sample: @@ -20,6 +28,7 @@ Detection: - IOC: Resources: - Link: https://twitter.com/pabraeken/status/995837734379032576 + - Link: https://twitter.com/pabraeken/status/999090532839313408 Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken'
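Review bot: In the first hunk of yml/OtherMSBinaries/Msdeploy.yml, the existing entry's `OperatingSystem: Windows` is changed to `Windows server`, which the subject "Added AWL Bypass to msdeploy" does not cover. Mention it in the commit message or move it to its own commit, and consider `Windows Server` for consistent capitalization in both entries. In the new entry, Description and Usecase only say that calc.bat is launched. Add a clause saying why this is filed under `Category: AWL bypass`, so it is distinguishable from the entry above it. Also settle on one casing for `-source:RunCommand` and `-dest:runCommand`.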
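Review bot: In the second hunk, the context lines still show `Detection:` with an empty `- IOC:` although the patch adds a second command to the file. Fill it in with something a defender can match on from the command added here, for example msdeploy.exe command lines that combine `-verb:sync` with `-source:RunCommand` and `-dest:runCommand=`. The added Resources link sits correctly next to the existing one and needs no change.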