Adding app-ctrl bypass bins and a few lolscripts

yml/OtherMSBinaries/Wfc.yml

@@ -0,0 +1,28 @@
+---
+Name: Wfc.exe
+Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+  - Command: wfc.exe c:\path\to\test.xoml
+    Description: Execute arbitrary C# code embedded in a XOML file.
+    Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+Full_Path:
+  - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
+Code_Sample: 
+  - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+Detection: 
+  - IOC: Sysmon Event ID 1 - Process Creation
+Resources:
+  - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+Acknowledgement:
+  - Person: Matt Graeber
+    Handle: '@mattifestation'
+  - Person: Jimmy
+    Handle: '@bohops'
+---