Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files

yml/OSLibraries/Advpack.yml

@@ -1,7 +1,7 @@
 ---
 Name: Advpack.dll
 Description: Utility for installing software and drivers with rundll32.exe
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,

yml/OSLibraries/Ieadvpack.yml

@@ -1,7 +1,7 @@
 ---
 Name: Ieadvpack.dll
 Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
@@ -49,7 +49,7 @@ Code Sample:
   - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf
   - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct
 Detection:
-  - IOC: ''
+  - IOC:
 Resources:
   - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
   - Link: https://twitter.com/pabraeken/status/991695411902599168

yml/OSLibraries/Ieframe.yml

@@ -1,13 +1,13 @@
 ---
 Name: Ieaframe.dll
 Description: Internet Browser DLL for translating HTML code.
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
     Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
     UseCase: Load an executable payload by calling a .url file with or without quotes.  The .url file extension can be renamed.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -18,7 +18,7 @@ Full Path:
 Code Sample:
   - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
 Detection:
-  - IOC: ''
+  - IOC:
 Resources:
   - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
   - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/

yml/OSLibraries/Mshtml.yml

@@ -1,13 +1,13 @@
 ---
 Name: Mshtml.dll
 Description: Microsoft HTML Viewer
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"
     Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box).
     UseCase: Launch an HTA application.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -16,9 +16,9 @@ Full Path:
   - Path: c:\windows\system32\mshtml.dll
   - Path: c:\windows\syswow64\mshtml.dll
 Code Sample:
-  - Code: ''
+  - Code:
 Detection:
-  - IOC: ''
+  - IOC:
 Resources:
   - Link: https://twitter.com/pabraeken/status/998567549670477824
   - Link: https://windows10dll.nirsoft.net/mshtml_dll.html

yml/OSLibraries/Pcwutl.yml

@@ -1,13 +1,13 @@
 ---
 Name: Pcwutl.dll
 Description: Microsoft HTML Viewer
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe
     Description: Launch executable by calling the LaunchApplication function.
     UseCase: Launch an executable.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -16,7 +16,7 @@ Full Path:
   - Path: c:\windows\system32\pcwutl.dll
   - Path: c:\windows\syswow64\pcwutl.dll
 Code Sample:
-  - Code: ''
+  - Code:
 Detection:
   - IOC:
 Resources:

yml/OSLibraries/Setupapi.yml

@@ -1,7 +1,7 @@
 ---
 Name: Setupapi.dll
 Description: Windows Setup Application Programming Interface
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf

yml/OSLibraries/Shdocvw.yml

@@ -1,13 +1,13 @@
 ---
 Name: Shdocvw.dll
 Description: Shell Doc Object and Control Library.
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
     Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
     UseCase: Load an executable payload by calling a .url file with or without quotes.  The .url file extension can be renamed.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -18,7 +18,7 @@ Full Path:
 Code Sample:
   - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
 Detection:
-  - IOC: ''
+  - IOC:
 Resources:
     - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
     - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/

yml/OSLibraries/Shell32.yml

@@ -1,13 +1,13 @@
 ---
 Name: Shell32.dll
 Description: Windows Shell Common Dll
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll
     Description: Launch a DLL payload by calling the Control_RunDLL function.
     UseCase: Load a DLL payload.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -15,14 +15,14 @@ Commands:
   - Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
     Description: Launch an executable by calling the ShellExec_RunDLL function.
     UseCase: Run an executable payload.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
   - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"
     Description: Launch command line by calling the ShellExec_RunDLL function.
     UseCase: Run an executable payload.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -30,9 +30,9 @@ Full Path:
   - Path: c:\windows\system32\shell32.dll
   - Path: c:\windows\syswow64\shell32.dll
 Code Sample:
-  - Code: ''
+  - Code:
 Detection:
-  - IOC: ''
+  - IOC:
 Resources:
   - Link: https://twitter.com/Hexacorn/status/885258886428725250
   - Link: https://twitter.com/pabraeken/status/991768766898941953

yml/OSLibraries/Syssetup.yml

@@ -1,7 +1,7 @@
 ---
 Name: Syssetup.dll
 Description: Windows NT System Setup
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf

yml/OSLibraries/Url.yml

@@ -1,13 +1,13 @@
 ---
 Name: Url.dll
 Description: Internet Shortcut Shell Extension DLL.
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
     Description: Launch a HTML application payload by calling OpenURL.
     UseCase: Invoke an HTML Application via mshta.exe (Default Handler).
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -15,7 +15,7 @@ Commands:
   - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url"
     Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
     UseCase: Load an executable payload by calling a .url file with or without quotes.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -23,7 +23,7 @@ Commands:
   - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
     Description: Launch an executable by calling OpenURL.
     UseCase: Load an executable payload by specifying the file protocol handler (obfuscated).
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -31,7 +31,7 @@ Commands:
   - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe
     Description: Launch an executable by calling FileProtocolHandler.
     UseCase: Launch an executable.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -39,7 +39,7 @@ Commands:
   - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
     Description: Launch an executable by calling FileProtocolHandler.
     UseCase: Load an executable payload by specifying the file protocol handler (obfuscated).
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -47,7 +47,7 @@ Commands:
   - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
     Description: Launch a HTML application payload by calling FileProtocolHandler.
     UseCase: Invoke an HTML Application via mshta.exe (Default Handler).
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -56,9 +56,9 @@ Full Path:
   - Path: c:\windows\system32\url.dll
   - Path: c:\windows\syswow64\url.dll
 Code Sample:
-  - Code: ''
+  - Code:
 Detection:
-  - IOC: ''
+  - IOC:
 Resources:
   - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
   - Link: https://twitter.com/DissectMalware/status/995348436353470465

yml/OSLibraries/Zipfldr.yml

@@ -1,13 +1,13 @@
 ---
 Name: Zipfldr.dll
 Description: Compressed Folder library
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe
     Description: Launch an executable payload by calling RouteTheCall.
     UseCase: Launch an executable.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -15,7 +15,7 @@ Commands:
   - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
     Description: Launch an executable payload by calling RouteTheCall (obfuscated).
     UseCase: Launch an executable.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -24,9 +24,9 @@ Full Path:
   - Path: c:\windows\system32\zipfldr.dll
   - Path: c:\windows\syswow64\zipfldr.dll
 Code Sample:
-  - Code: ''
+  - Code:
 Detection:
-  - IOC: ''
+  - IOC:
 Resources:
   - Link: https://twitter.com/moriarty_meng/status/977848311603380224
   - Link: https://twitter.com/bohops/status/997896811904929792