Merge branch 'master' into feat/yamllinting

yml/LOLUtilz/OSBinaries/Explorer.yml

@@ -14,4 +14,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://twitter.com/bohops/status/986984122563391488
-Notes: Thanks to Jimmy - @bohops
+Acknowledgement:
+  - Person: Jimmy
+    Handle: '@bohops'

yml/LOLUtilz/OSBinaries/Netsh.yml

@@ -22,4 +22,6 @@ Resources:
   - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
   - https://attack.mitre.org/wiki/Technique/T1128
   - https://twitter.com/teemuluotio/status/990532938952527873
-Notes: ''
+Acknowledgement:
+  - Person: ''
+  - Handle: ''

yml/LOLUtilz/OSBinaries/Nltest.yml

@@ -2,8 +2,7 @@
 Name: Nltest.exe
 Description: Credentials
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
   - Command: nltest.exe /SERVER:192.168.1.10 /QUERY
     Description: ''
@@ -14,4 +13,6 @@ Detection: []
 Resources:
   - https://twitter.com/sysopfb/status/986799053668139009
   - https://ss64.com/nt/nltest.html
-Notes: Thanks to Sysopfb - @sysopfb
+Acknowledgement:
+  - Person: Sysopfb
+    Handle: '@sysopfb'

yml/LOLUtilz/OSBinaries/Openwith.yml

@@ -3,7 +3,6 @@ Name: Openwith.exe
 Description: Execute
 Author: ''
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: OpenWith.exe /c C:\test.hta
     Description: Opens the target file with the default application.
@@ -16,4 +15,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://twitter.com/harr0ey/status/991670870384021504
-Notes: Thanks to Matt harr0ey - @harr0ey
+Acknowledgement:
+  - Person: Matt harr0ey
+    Handle: '@harr0ey'

yml/LOLUtilz/OSBinaries/Powershell.yml

@@ -3,7 +3,6 @@ Name: Powershell.exe
 Description: Execute, Read ADS
 Author: ''
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: powershell -ep bypass - < c:\temp:ttt
     Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
@@ -14,4 +13,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://twitter.com/Moriarty_Meng/status/984380793383370752
-Notes: Thanks to Moriarty - @Moriarty_Meng
+Acknowledgement:
+  - Person: Moriarty
+    Handle: '@Moriarty_Meng'

yml/LOLUtilz/OSBinaries/Psr.yml

@@ -18,4 +18,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
-Notes: 'Thanks to '
+Acknowledgement:
+  - Person: ''
+  - Handle: ''

yml/LOLUtilz/OSBinaries/Robocopy.yml

@@ -2,7 +2,7 @@
 Name: Robocopy.exe
 Description: Copy
 Author: ''
-Created: '2018-05-25'
+Created: 2018-05-25
 Categories: []
 Commands:
   - Command: Robocopy.exe C:\SourceFolder C:\DestFolder
@@ -16,4 +16,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
-Notes: Thanks to Name of guy - @twitterhandle
+Acknowledgement:
+  - Person: ''
+  - Handle: ''

yml/LOLUtilz/OtherBinaries/AcroRd32.yml

@@ -2,8 +2,7 @@
 Name: AcroRd32.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
   - Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
     Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
@@ -13,4 +12,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://twitter.com/pabraeken/status/997997818362155008
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

yml/LOLUtilz/OtherBinaries/Gpup.yml

@@ -2,8 +2,7 @@
 Name: Gpup.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
   - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
     Description: Execute another command through gpup.exe (Notepad++ binary).
@@ -13,4 +12,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://twitter.com/pabraeken/status/997892519827558400
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

yml/LOLUtilz/OtherBinaries/Nlnotes.yml

@@ -2,8 +2,7 @@
 Name: Nlnotes.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
   - Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
     Description: Run PowerShell via LotusNotes.
@@ -14,4 +13,6 @@ Detection: []
 Resources:
   - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
   - https://twitter.com/HanseSecure/status/995578436059127808
-Notes: Thanks to Daniel Bohannon - @danielhbohannon
+Acknowledgement:
+  - Person: Daniel Bohannon
+    Handle: '@danielhbohannon'

yml/LOLUtilz/OtherBinaries/Notes.yml

@@ -2,8 +2,7 @@
 Name: Notes.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
   - Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
     Description: Run PowerShell via LotusNotes.
@@ -14,4 +13,6 @@ Detection: []
 Resources:
   - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
   - https://twitter.com/HanseSecure/status/995578436059127808
-Notes: Thanks to Daniel Bohannon - @danielhbohannon
+Acknowledgement:
+  - Person: Daniel Bohannon
+    Handle: '@danielhbohannon'

yml/LOLUtilz/OtherBinaries/Nvudisp.yml

@@ -2,8 +2,7 @@
 Name: Nvudisp.exe
 Description: Execute, Copy, Add registry, Create shortcut, kill process
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
   - Command: Nvudisp.exe System calc.exe
     Description: Execute calc.exe as a subprocess.
@@ -23,4 +22,7 @@ Code_Sample: []
 Detection: []
 Resources:
   - http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'
+

yml/LOLUtilz/OtherBinaries/Nvuhda6.yml

@@ -2,8 +2,7 @@
 Name: Nvuhda6.exe
 Description: Execute, Copy, Add registry, Create shortcut, kill process
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
   - Command: nvuhda6.exe System calc.exe
     Description: Execute calc.exe as a subprocess.
@@ -23,4 +22,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
-Notes: Thanks to Adam - @hexacorn
+Acknowledgement:
+  - Person: Adam
+    Handle: '@hexacorn'

yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml

@@ -2,8 +2,7 @@
 Name: ROCCAT_Swarm.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
   - Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
     Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
@@ -13,4 +12,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://twitter.com/pabraeken/status/994213164484001793
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

yml/LOLUtilz/OtherBinaries/Setup.yml

@@ -2,8 +2,7 @@
 Name: Setup.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
   - Command: Run Setup.exe
     Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
@@ -13,4 +12,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://twitter.com/pabraeken/status/994381620588236800
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

yml/LOLUtilz/OtherBinaries/Usbinst.yml

@@ -2,8 +2,7 @@
 Name: Usbinst.exe
 Description: Execute
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
   - Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
     Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
@@ -13,4 +12,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://twitter.com/pabraeken/status/993514357807108096
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml

@@ -2,8 +2,7 @@
 Name: VBoxDrvInst.exe
 Description: Persistence
 Author: ''
-Created: '2018-05-25'
-Categories: []
+Created: 2018-05-25
 Commands:
   - Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
     Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
@@ -13,4 +12,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://twitter.com/pabraeken/status/993497996179492864
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

yml/LOLUtilz/OtherBinaries/aswrundll.yml

@@ -1,7 +1,7 @@
 Name: aswrundll.exe
 Description: This process is used by AVAST antivirus to run and execute any modules
 Author: Eli Salem
-Created: 19\03\2019
+Created: '2019-03-19'
 Commands:
   - Command: '"C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll"'
     Description: Load and execute modules using aswrundll
@@ -17,4 +17,4 @@ Resources:
  - Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
 Acknowledgement:
   - Person: Eli Salem 
-    handle: https://www.linkedin.com/in/eli-salem-954728150
+    handle: 'https://www.linkedin.com/in/eli-salem-954728150'

yml/LOLUtilz/OtherMSBinaries/Winword.yml

@@ -2,7 +2,7 @@
 Name: winword.exe
 Description: Document editor included with Microsoft Office.
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: winword.exe /l dllfile.dll
     Description: Launch DLL payload.
@@ -10,7 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218
-    MItreLink: https://attack.mitre.org/wiki/Technique/T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
 Full_Path:
   - Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
@@ -26,4 +26,4 @@ Acknowledgement:
     Handle: '@@vysecurity'
   - Person: Adam (Internals)
     Handle: '@Hexacorn'
----
+---

yml/LOLUtilz/OtherScripts/Testxlst.yml

@@ -2,18 +2,18 @@
 Name: testxlst.js
 Description: Script included with Pywin32.
 Author: 'Oddvar Moe'
-Created: '2018-05-25'
+Created: 2018-05-25
 Commands:
   - Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
     Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
-    Categories: Execution
+    Category: Execution
     Privileges: User
     MitreID: T1064
     MitreLink: https://attack.mitre.org/wiki/Technique/T1064
     OperatingSystem: Windows
   - Command: wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
     Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
-    Categories: Execution
+    Category: Execution
     Privileges: User
     MitreID: T1064
     MitreLink: https://attack.mitre.org/wiki/Technique/T1064
@@ -25,4 +25,6 @@ Detection: []
 Resources:
   - https://twitter.com/bohops/status/993314069116485632
   - https://github.com/mhammond/pywin32
-Notes: Thanks to Jimmy - @bohops
+Acknowledgement:
+  - Person: Jimmy
+    Handle: '@bohops'