From f20158d73480d927db4f29fccb32f178b1b6561d Mon Sep 17 00:00:00 2001 From: tbaker57 Date: Sun, 16 Feb 2025 00:33:23 +1000 Subject: [PATCH] Create WFMFormat.yml (#413) Co-authored-by: Wietze --- yml/OtherMSBinaries/WFMFormat.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 yml/OtherMSBinaries/WFMFormat.yml diff --git a/yml/OtherMSBinaries/WFMFormat.yml b/yml/OtherMSBinaries/WFMFormat.yml new file mode 100644 index 0000000..b3c0f1e --- /dev/null +++ b/yml/OtherMSBinaries/WFMFormat.yml @@ -0,0 +1,25 @@ +--- +Name: WFMFormat.exe +Description: Command-line tool used for pretty-print a dump file generated by Message Farm Analyzer tool. +Author: Tim Baker +Created: 2024-12-05 +Commands: + - Command: WFMFormat.exe + Description: Executes the file `tracerpt.exe` in the same folder as `WFMFormat.exe`. If the file `dumpfile.txt` (any content) exists in the current working directory, no arguments are required. Note that `WFMFormat.exe` requires .NET Framework 3.5. + Usecase: Proxy execution of binary + Category: Execute + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE + - Requires: .NET Framework 3.5 +Full_Path: + - Path: C:\there\is\no\default\installation\path\WFMFormat.exe +Detection: + - IOC: Child process from WFMFormat.exe + - IOC: tracerpt.exe processes located anywhere other than c:\windows\system32 +Resources: + - Link: https://www.microsoft.com/en-us/download/details.aspx?id=103244 +Acknowledgement: + - Person: Tim Baker (https://www.dotsec.com)
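Review bot: The top-level `Description` has a grammar slip ("used for pretty-print a dump file generated by Message Farm Analyzer tool") and should read "used to pretty-print a dump file generated by the Message Farm Analyzer tool". The command `Description` also says no arguments are required only "if the file `dumpfile.txt` (any content) exists in the current working directory", which implies an argument form for the other case, but the `Command` field gives only the bare `WFMFormat.exe`; either document the argument that points it at a dump file or reword the sentence so the entry does not hint at an undocumented invocation. Under `Detection`, since the described behaviour is executing a `tracerpt.exe` placed in the same folder as `WFMFormat.exe`, consider adding a file-based IOC alongside the two process IOCs, e.g. "IOC: tracerpt.exe present in the same directory as WFMFormat.exe", so the entry covers staging as well as execution.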