Changed to latest template

yml/OSLibraries/Syssetup.yml

@@ -1,24 +1,42 @@
----
-Name: Syssetup.dll
-Description: Execute
-Author: ''
-Created: '2018-05-25'
-Categories: []
-Commands:
-  - Command: rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\calc.INF
-    Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
-  - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\\test\\shady.inf
-    Description: Remote fetch and execute a COM Scriptlet by calling an information file directive.
-Full Path:
-  - c:\windows\system32\Syssetup.dll
-  - c:\windows\sysWOW64\Syssetup.dll
-Code Sample:
-  - https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
-  - https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
-  - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
-Detection: []
-Resources:
-  - https://twitter.com/pabraeken/status/994392481927258113
-  - https://twitter.com/harr0ey/status/975350238184697857
-  - https://twitter.com/bohops/status/975549525938135040
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Execute), Matt harr0ey - @harr0ey (Execute), Jimmy - @bohops (COM Scriptlet)
+---
+Name: Syssetup.dll
+Description: Windows NT System Setup
+Author: ''
+Created: '2018-05-25'
+Commands:
+  - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf
+    Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
+    Usecase: Run local or remote script(let) code through INF file specification (Note: May pop an error window).
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1085
+    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
+    OperatingSystem: Windows
+  - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
+    Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
+    Usecase: Load an executable payload.
+    Category: Execution
+    Privileges: User
+    MitreID: T1085
+    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
+    OperatingSystem: Windows
+Full Path:
+  - path: c:\windows\system32\syssetup.dll
+  - path: c:\windows\syswow64\syssetup.dll
+Code Sample:
+  - https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
+  - https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
+  - https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415
+Detection: []
+Resources:
+  - resource: https://twitter.com/pabraeken/status/994392481927258113
+  - resource: https://twitter.com/harr0ey/status/975350238184697857
+  - resource: https://twitter.com/bohops/status/975549525938135040
+  - resource: https://windows10dll.nirsoft.net/syssetup_dll.html
+Acknowledgment:
+  - Person: Pierre-Alexandre Braeken (Execute)
+    Handle: '@pabraeken'
+  - Person: Matt harr0ey (Execute)
+    Handle: '@harr0ey'
+  - Person: Jimmy (Scriptlet)
+    Handle: '@bohops'