From bb814f80fd6085bf0340d11f466a33020a9f021b Mon Sep 17 00:00:00 2001
From: Chris Spehn <chris.spehn@mandiant.com>
Date: Thu, 3 Sep 2020 08:25:51 -0600
Subject: [PATCH] Add AddInProcess32

---
 yml/OSBinaries/AddInProcess32.yaml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 yml/OSBinaries/AddInProcess32.yaml

diff --git a/yml/OSBinaries/AddInProcess32.yaml b/yml/OSBinaries/AddInProcess32.yaml
new file mode 100644
index 0000000..5f6743f
--- /dev/null
+++ b/yml/OSBinaries/AddInProcess32.yaml
@@ -0,0 +1,30 @@
+---
+Name: AddInProcess32.exe 
+Description: Used to compile and execute code
+Author: 'Chris Spehn'
+Created: '2020-09-03'
+Commands:
+  - Command: AddInProcess32.exe /guid:32a91b0f-30cd-4c75-be79-ccbd6345de11 /pid:XXXX
+    Description: Execute a .NET assembly
+    Usecase: Code execution
+    Category: AWL bypass
+    Privileges: User
+    MitreID: T1127
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
+    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+  - Path: C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe
+  - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe
+  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
+  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
+Code_Sample: 
+- Code:
+Detection:
+ - IOC: AddInProcess32.exe should not normally be executed on workstations
+Resources:
+  - Link: https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html
+  - Link: https://github.com/tyranid/DeviceGuardBypasses
+Acknowledgement:
+  - Person: James Forshaw
+    Handle: 'https://twitter.com/tiraniddo'
+---