Updating entries that have been confirmed to be working on Windows 11 (21H2)

yml/OSScripts/CL_LoadAssembly.yml

@@ -4,13 +4,13 @@ Description: PowerShell Diagnostic Script
 Author: Jimmy (@bohops)
 Created: 2021-09-26
 Commands:
-  - Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()'
+  - Command: 'powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()'
     Description: Proxy execute Managed DLL with PowerShell
     Usecase: Execute proxied payload with Microsoft signed binary
     Category: Execute
     Privileges: User
     MitreID: T1216
-    OperatingSystem: Windows 10 21H1 (likely other versions as well)
+    OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
 Full_Path:
   - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
 Code_Sample:

yml/OSScripts/Manage-bde.yml

@@ -10,14 +10,14 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1216
-    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
   - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf
     Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file.
     Usecase: Proxy execution from script
     Category: Execute
     Privileges: User
     MitreID: T1216
-    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Full_Path:
   - Path: C:\Windows\System32\manage-bde.wsf
 Code_Sample:

yml/OSScripts/UtilityFunctions.yml

@@ -10,7 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1216
-    OperatingSystem: Windows 10 21H1 (likely other versions as well)
+    OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
 Full_Path:
   - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
 Code_Sample:

yml/OSScripts/Winrm.yml

@@ -10,21 +10,21 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1216
-    OperatingSystem: Windows 10
+    OperatingSystem: Windows 10, Windows 11
   - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985   \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'
     Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol
     Usecase: Proxy execution
     Category: Execute
     Privileges: User
     MitreID: T1216
-    OperatingSystem: Windows 10
+    OperatingSystem: Windows 10, Windows 11
   - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
     Description: Bypass AWL solutions by copying and executing cscript.exe and malicious XSL documents from attacker controlled location
     Usecase: Execute aribtrary, unsigned code via XSL script
     Category: AWL Bypass
     Privileges: User
     MitreID: T1216
-    OperatingSystem: Windows 10
+    OperatingSystem: Windows 10, Windows 11
 Full_Path:
   - Path: C:\Windows\System32\winrm.vbs
   - Path: C:\Windows\SysWOW64\winrm.vbs

yml/OSScripts/pester.yml

@@ -10,7 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1216
-    OperatingSystem: Windows 10
+    OperatingSystem: Windows 10, Windows 11
 Full_Path:
   - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
   - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat