Adding Execute tags to most LOLBas (#405)

yml/OSScripts/CL_LoadAssembly.yml

@@ -12,7 +12,7 @@ Commands:
     MitreID: T1216
     OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
     Tags:
-      - Execute: DLL
+      - Execute: DLL (.NET)
 Full_Path:
   - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
 Code_Sample:

yml/OSScripts/CL_mutexverifiers.yml

@@ -11,6 +11,8 @@ Commands:
     Privileges: User
     MitreID: T1216
     OperatingSystem: Windows 10
+    Tags:
+      - Execute: PowerShell
 Full_Path:
   - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
   - Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1

yml/OSScripts/Cl_invocation.yml

@@ -11,6 +11,8 @@ Commands:
     Privileges: User
     MitreID: T1216
     OperatingSystem: Windows 10
+    Tags:
+      - Execute: CMD
 Full_Path:
   - Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
   - Path: C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1

yml/OSScripts/Launch-VsDevShell.yml

@@ -11,6 +11,8 @@ Commands:
     Privileges: User
     MitreID: T1216
     OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
   - Command: 'powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsInstallationPath "/../../../../../; calc.exe ;"'
     Description: Execute binaries and commands from the context of the signed script using the "VsInstallationPath" flag.
     Usecase: Proxy execution
@@ -18,6 +20,8 @@ Commands:
     Privileges: User
     MitreID: T1216
     OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
 Full_Path:
   - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools\Launch-VsDevShell.ps1
   - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\Launch-VsDevShell.ps1

yml/OSScripts/Manage-bde.yml

@@ -11,6 +11,8 @@ Commands:
     Privileges: User
     MitreID: T1216
     OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
   - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf
     Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file.
     Usecase: Proxy execution from script
@@ -18,6 +20,8 @@ Commands:
     Privileges: User
     MitreID: T1216
     OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
 Full_Path:
   - Path: C:\Windows\System32\manage-bde.wsf
 Code_Sample:

yml/OSScripts/Pubprn.yml

@@ -11,6 +11,8 @@ Commands:
     Privileges: User
     MitreID: T1216.001
     OperatingSystem: Windows 10
+    Tags:
+      - Execute: SCT
 Full_Path:
   - Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
   - Path: C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs

yml/OSScripts/Syncappvpublishingserver.yml

@@ -11,6 +11,8 @@ Commands:
     Privileges: User
     MitreID: T1216.002
     OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: PowerShell
 Full_Path:
   - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
 Detection:

yml/OSScripts/UtilityFunctions.yml

@@ -12,7 +12,7 @@ Commands:
     MitreID: T1216
     OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
     Tags:
-      - Execute: DLL
+      - Execute: DLL (.NET)
 Full_Path:
   - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
 Code_Sample:

yml/OSScripts/Winrm.yml

@@ -11,6 +11,9 @@ Commands:
     Privileges: User
     MitreID: T1216
     OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: CMD
+      - Execute: Remote
   - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'
     Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol
     Usecase: Proxy execution
@@ -18,6 +21,9 @@ Commands:
     Privileges: Admin
     MitreID: T1216
     OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: CMD
+      - Execute: Remote
   - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
     Description: Bypass AWL solutions by copying cscript.exe to an attacker-controlled location; creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs via the relocated cscript.exe.
     Usecase: Execute arbitrary, unsigned code via XSL script
@@ -25,6 +31,8 @@ Commands:
     Privileges: User
     MitreID: T1220
     OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: XSL
 Full_Path:
   - Path: C:\Windows\System32\winrm.vbs
   - Path: C:\Windows\SysWOW64\winrm.vbs

yml/OSScripts/pester.yml

@@ -11,6 +11,8 @@ Commands:
     Privileges: User
     MitreID: T1216
     OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
   - Command: Pester.bat ;calc.exe
     Description: Execute code using Pester. Example here executes calc.exe
     Usecase: Proxy execution
@@ -18,13 +20,8 @@ Commands:
     Privileges: User
     MitreID: T1216
     OperatingSystem: Windows 10, Windows 11
-  - Command: Pester.bat ;calc.exe
-    Description: Execute code using Pester. Example here executes calc.exe
-    Usecase: Proxy execution
-    Category: Execute
-    Privileges: User
-    MitreID: T1216
-    OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
 Full_Path:
   - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\<version>\bin\Pester.bat
 Code_Sample: