From aba953858120ca8cda0413aa4d9c7169774db4b9 Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Wed, 12 Dec 2018 12:50:27 +0100 Subject: [PATCH] minor changes to Eventvwr --- yml/OSBinaries/Eventvwr.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml index 353a6d0..235cb88 100644 --- a/yml/OSBinaries/Eventvwr.yml +++ b/yml/OSBinaries/Eventvwr.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1088 MitreLink: https://attack.mitre.org/wiki/Technique/T1088 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 -Full Path: +Full_Path: - Path: C:\Windows\System32\eventvwr.exe - Path: C:\Windows\SysWOW64\eventvwr.exe Code Sample: @@ -22,6 +22,7 @@ Detection: - IOC: Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command Resources: - Link: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ + - Link: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1 Acknowledgement: - Person: Matt Nelson Handle: '@enigma0x3'
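Review bot: the `Full Path` to `Full_Path` rename in the first hunk introduces a mixed key convention in the same block, since the neighbouring `Code Sample:` key still carries a space while `MitreID`, `MitreLink` and `OperatingSystem` use no separator at all. If the underscore form is what the YAML consumer expects, the same change should be applied to `Code Sample` in this patch and the commit message should say so, because "minor changes" gives a reviewer no way to tell a schema fix from a typo.

Review bot: the new resource in the second hunk, `https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1`, points at the `master` branch rather than a pinned commit, so the link silently changes meaning or breaks if the script is edited, moved or deleted; prefer a permalink with the commit hash in place of `master`. Since this resource is a working proof of concept rather than a write-up, it would also help readers of the Detection section if the entry noted that the `HKCU\Software\Classes\mscfile\shell\open\command` IOC is the registry footprint left by this exact script.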