Adding app-ctrl bypass bins and a few lolscripts

yml/OtherMSBinaries/Fsi.yml

@@ -0,0 +1,38 @@
+---
+Name: Fsi.exe
+Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+  - Command: fsi.exe c:\path\to\test.fsscript
+    Description: Execute F# code via script file
+    Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1059
+    MitreLink: https://attack.mitre.org/techniques/T1059/
+    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+  - Command: fsi.exe
+    Description: Execute F# code via interactive command line 
+    Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1059
+    MitreLink: https://attack.mitre.org/techniques/T1059/
+    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+Full_Path:
+  - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
+Code_Sample: 
+  - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
+Detection: 
+  - IOC: Sysmon Event ID 1 - Process Creation
+Resources:
+  - Link: https://twitter.com/NickTyrer/status/904273264385589248
+  - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+Acknowledgement:
+  - Person: Nick Tyrer 
+    Handle: '@NickTyrer'
+  - Person: Jimmy
+    Handle: '@bohops'
+---

yml/OtherMSBinaries/FsiAnyCpu.yml

@@ -0,0 +1,36 @@
+---
+Name: FsiAnyCpu.exe
+Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+  - Command: fsianycpu.exe c:\path\to\test.fsscript
+    Description: Execute F# code via script file
+    Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1059
+    MitreLink: https://attack.mitre.org/techniques/T1059/
+    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+  - Command: fsianycpu.exe
+    Description: Execute F# code via interactive command line 
+    Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1059
+    MitreLink: https://attack.mitre.org/techniques/T1059/
+    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+Full_Path:
+  - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
+Code_Sample: 
+  - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
+Detection: 
+  - IOC: Sysmon Event ID 1 - Process Creation
+Resources:
+  - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+Acknowledgement:
+  - Person: Nick Tyrer 
+    Handle: '@NickTyrer'
+  - Person: Jimmy
+    Handle: '@bohops'
+---

yml/OtherMSBinaries/VisualUiaVerifyNative.yml

@@ -0,0 +1,31 @@
+---
+Name: VisualUiaVerifyNative.exe
+Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+  - Command: VisualUiaVerifyNative.exe
+    Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing.
+    Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+Full_Path:
+  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
+  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
+  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
+Code_Sample: 
+  - Code: 
+Detection: 
+  - IOC: Sysmon Event ID 1 - Process Creation
+Resources:
+  - Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
+  - Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
+Acknowledgement:
+  - Person: Lee Christensen
+    Handle: '@tifkin'
+  - Person: Jimmy
+    Handle: '@bohops'
+---

yml/OtherMSBinaries/Wfc.yml

@@ -0,0 +1,28 @@
+---
+Name: Wfc.exe
+Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+  - Command: wfc.exe c:\path\to\test.xoml
+    Description: Execute arbitrary C# code embedded in a XOML file.
+    Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+Full_Path:
+  - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
+Code_Sample: 
+  - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+Detection: 
+  - IOC: Sysmon Event ID 1 - Process Creation
+Resources:
+  - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+Acknowledgement:
+  - Person: Matt Graeber
+    Handle: '@mattifestation'
+  - Person: Jimmy
+    Handle: '@bohops'
+---