From f2fa2ef9890257b088909ffb4caff6b37f8a9453 Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Wed, 25 Mar 2020 10:26:59 +0100 Subject: [PATCH] Added additional example to wsl.exe --- yml/OtherMSBinaries/Wsl.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/yml/OtherMSBinaries/Wsl.yml b/yml/OtherMSBinaries/Wsl.yml index 0922afc..257ec57 100644 --- a/yml/OtherMSBinaries/Wsl.yml +++ b/yml/OtherMSBinaries/Wsl.yml @@ -20,6 +20,14 @@ Commands: MitreID: T1202 MitreLink: https://attack.mitre.org/techniques/T1202 OperatingSystem: Windows 10, Windows 19 Server + - Command: wsl.exe --exec bash -c 'cat file' + Description: Cats /etc/shadow file as root + Usecase: Performs execution of arbitrary Linux commands. + Category: Execute + Privileges: User + MitreID: T1202 + MitreLink: https://attack.mitre.org/techniques/T1202 + OperatingSystem: Windows 10, Windows 19 Server Full_Path: - Path: C:\Windows\System32\wsl.exe Code_Sample: @@ -33,4 +41,6 @@ Acknowledgement: Handle: '@aionescu' - Person: Matt Handle: '@NotoriousRebel1' + - Person: Asif Matadar + Handle: '@d1r4c' ---
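Review bot: In the new `- Command:` entry of the first hunk, the Description does not match the command. `wsl.exe --exec bash -c 'cat file'` reads a placeholder `file`, while the Description says "Cats /etc/shadow file as root". Either name the path in the command or make the Description generic, and state the condition under which the read runs as root, since the entry lists `Privileges: User` and nothing in the command line elevates. The Usecase ("Performs execution of arbitrary Linux commands.") is also broader than the Description, so the two should be worded to describe the same thing. Finally, `OperatingSystem: Windows 10, Windows 19 Server` copies the wording of the existing entry in the context lines above; it presumably means Windows Server 2019 and is worth correcting in both entries.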
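Review bot: The second hunk adds `Person: Asif Matadar` / `Handle: '@d1r4c'` to the Acknowledgement list, but the patch adds no reference that ties this credit to the new command. If the example is based on that person's published work, add the link to the entry so readers can check the command and its stated behaviour against the source. The commit subject mentions only the added example, so the new credit should be noted there as well.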