From ff0155f599e2d8ce8d338ddddc8130f1aa45ec0c Mon Sep 17 00:00:00 2001 From: NotoriousRebel Date: Fri, 28 Jun 2019 09:20:56 -0400 Subject: [PATCH] Moved Wsl.yml location to OtherMSBinaries and added another example for possible usecases. --- yml/{OSBinaries => OtherMSBinaries}/Wsl.yml | 8 ++++++++ 1 file changed, 8 insertions(+) rename yml/{OSBinaries => OtherMSBinaries}/Wsl.yml (67%) diff --git a/yml/OSBinaries/Wsl.yml b/yml/OtherMSBinaries/Wsl.yml similarity index 67% rename from yml/OSBinaries/Wsl.yml rename to yml/OtherMSBinaries/Wsl.yml index 4f8880e..68afc82 100644 --- a/yml/OSBinaries/Wsl.yml +++ b/yml/OtherMSBinaries/Wsl.yml @@ -12,6 +12,14 @@ Commands: MitreID: T1202 MitreLink: https://attack.mitre.org/techniques/T1202 OperatingSystem: Windows 10, Windows 19 Server + - Command: wsl.exe -u root -e cat /etc/shadow + Description: Cats /etc/shadow file as root + Usecase: Performs execution of arbitrary Linux commands as root without need for password. + Category: Execute + Privileges: User + MitreID: T1202 + MitreLink: https://attack.mitre.org/techniques/T1202 + OperatingSystem: Windows 10, Windows 19 Server Full_Path: - Path: C:\Windows\System32\wsl.exe Code_Sample:
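Review bot: In the added `wsl.exe -u root -e cat /etc/shadow` entry, `OperatingSystem: Windows 10, Windows 19 Server` repeats the value from the existing entry above it, and "Windows 19 Server" is not a product name. Suggest `Windows 10, Windows Server 2019` in both entries so that consumers filtering on this field match correctly. The `Description` ("Cats /etc/shadow file as root") only restates the command, so it could instead say that the command runs as the distribution's root user with no password prompt, which is the point the `Usecase` line makes and the behaviour a detection rule on `wsl.exe -u root` would key on. Separately, the file is renamed from `yml/OSBinaries` to `yml/OtherMSBinaries` while `Full_Path` still lists `C:\Windows\System32\wsl.exe`. The commit message should say why a binary under System32 belongs in the other category.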