diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml
index 99a96a3..3f1ad49 100644
--- a/yml/OSLibraries/Advpack.yml
+++ b/yml/OSLibraries/Advpack.yml
@@ -23,7 +23,7 @@ Commands:
 - Command: rundll32.exe advpack.dll,RegisterOCX test.dll
 Description: Launch a DLL payload by calling the RegisterOCX function.
 UseCase: Load a DLL payload.
- Category: Execution
+ Category: Execute
 Privileges: User
 MitreID: T1085
 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -31,14 +31,14 @@ Commands:
 - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
 Description: Launch an executable by calling the RegisterOCX function.
 UseCase: Run an executable payload.
- Category: Execution
+ Category: Execute
 Privileges: User
 MitreID: T1085
 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
 - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
 Description: Launch command line by calling the RegisterOCX function.
 UseCase: Run an executable payload.
- Category: Execution
+ Category: Execute
 Privileges: User
 MitreID: T1085
 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -55,7 +55,7 @@ Resources:
 - Link: https://twitter.com/ItsReallyNick/status/967859147977850880
 - Link: https://twitter.com/bohops/status/974497123101179904
 - Link: https://twitter.com/moriarty_meng/status/977848311603380224
-Acknowledgment:
+Acknowledegment:
 - Person: Jimmy (LaunchINFSection)
 Handle: '@bohops'
 - Person: Fabrizio (RegisterOCX - DLL)
diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml
index 317beac..b9c6770 100644
--- a/yml/OSLibraries/Ieadvpack.yml
+++ b/yml/OSLibraries/Ieadvpack.yml
@@ -23,7 +23,7 @@ Commands:
 - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
 Description: Launch a DLL payload by calling the RegisterOCX function.
 UseCase: Load a DLL payload.
- Category: Execution
+ Category: Execute
 Privileges: User
 MitreID: T1085
 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
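Review bot: The added key on the `+Acknowledegment:` line in the `@@ -55,7 +55,7 @@` hunk is misspelled, so Advpack.yml ends up with a different key from the `Acknowledgement:` this same commit writes into the other nine files (Ieadvpack.yml, Ieframe.yml, Mshtml.yml, Pcwutl.yml, Setupapi.yml, Shdocvw.yml, Shell32.yml, Url.yml, Zipfldr.yml). YAML keys are exact-match strings, so any consumer or schema that reads `Acknowledgement` will silently drop Advpack's credits rather than error out; the line should be `+Acknowledgement:`. The context lines of the two hunks above show the same kind of drift already present in this file: `MItreLink:` where Setupapi.yml and Syssetup.yml use `MitreLink:`, which is pre-existing but would be worth folding into this rename pass if the rest of the corpus uses `MitreLink`. Presumably whatever tooling keys on `Category`/`Acknowledgement` is updated alongside this rename; that is not visible here and is worth confirming.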
@@ -31,14 +31,14 @@ Commands:
 - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
 Description: Launch an executable by calling the RegisterOCX function.
 UseCase: Run an executable payload.
- Category: Execution
+ Category: Execute
 Privileges: User
 MitreID: T1085
 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
 - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
 Description: Launch command line by calling the RegisterOCX function.
 UseCase: Run an executable payload.
- Category: Execution
+ Category: Execute
 Privileges: User
 MitreID: T1085
 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -54,7 +54,7 @@ Resources:
 - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
 - Link: https://twitter.com/pabraeken/status/991695411902599168
 - Link: https://twitter.com/0rbz_/status/974472392012689408
-Acknowledgment:
+Acknowledgement:
 - Person: Jimmy (LaunchINFSection)
 Handle: '@bohops'
 - Person: Fabrizio (RegisterOCX - DLL)
diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml
index d30ea52..3ecd88a 100644
--- a/yml/OSLibraries/Ieframe.yml
+++ b/yml/OSLibraries/Ieframe.yml
@@ -24,9 +24,10 @@ Resources:
 - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
 - Link: https://twitter.com/bohops/status/997690405092290561
 - Link: https://windows10dll.nirsoft.net/ieframe_dll.html
-Acknowledgment:
+Acknowledgement:
 - Person: Jimmy
 Handle: '@bohops'
 - Person: Adam
 Handle: '@hexacorn'
 ---
+
diff --git a/yml/OSLibraries/Mshtml.yml b/yml/OSLibraries/Mshtml.yml
index a61b70b..705a934 100644
--- a/yml/OSLibraries/Mshtml.yml
+++ b/yml/OSLibraries/Mshtml.yml
@@ -22,7 +22,7 @@ Detection:
 Resources:
 - Link: https://twitter.com/pabraeken/status/998567549670477824
 - Link: https://windows10dll.nirsoft.net/mshtml_dll.html
-Acknowledgment:
+Acknowledgement:
 - Person: Pierre-Alexandre Braeken
 Handle: '@pabraeken'
 ---
diff --git a/yml/OSLibraries/Pcwutl.yml b/yml/OSLibraries/Pcwutl.yml
index a1329eb..2cf63bd 100644
--- a/yml/OSLibraries/Pcwutl.yml
+++ b/yml/OSLibraries/Pcwutl.yml
@@ -22,6 +22,6 @@ Detection:
 Resources:
 - Link: https://twitter.com/harr0ey/status/989617817849876488
 - Link: https://windows10dll.nirsoft.net/pcwutl_dll.html
-Acknowledgment:
+Acknowledgement:
 - Person: Matt harr0ey
 Handle: '@harr0ey'
diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml
index 90939ed..558f779 100644
--- a/yml/OSLibraries/Setupapi.yml
+++ b/yml/OSLibraries/Setupapi.yml
@@ -15,7 +15,7 @@ Commands:
 - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
 Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
 UseCase: Load an executable payload.
- Category: Execution
+ Category: Execute
 Privileges: User
 MitreID: T1085
 MitreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -34,7 +34,7 @@ Resources:
 - Link: https://github.com/huntresslabs/evading-autoruns
 - Link: https://twitter.com/pabraeken/status/994742106852941825
 - Link: https://windows10dll.nirsoft.net/setupapi_dll.html
-Acknowledgment:
+Acknowledgement:
 - Person: Kyle Hanslovan (COM Scriptlet)
 Handle: '@KyleHanslovan'
 - Person: Huntress Labs (COM Scriptlet)
diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml
index 16226fd..d375231 100644
--- a/yml/OSLibraries/Shdocvw.yml
+++ b/yml/OSLibraries/Shdocvw.yml
@@ -24,7 +24,7 @@ Resources:
 - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
 - Link: https://twitter.com/bohops/status/997690405092290561
 - Link: https://windows10dll.nirsoft.net/shdocvw_dll.html
-Acknowledgment:
+Acknowledgement:
 - Person: Adam
 Handle: '@hexacorn'
 - Person: Jimmy
diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml
index 81f469d..ead3084 100644
--- a/yml/OSLibraries/Shell32.yml
+++ b/yml/OSLibraries/Shell32.yml
@@ -39,7 +39,7 @@ Resources:
 - Link: https://twitter.com/mattifestation/status/776574940128485376
 - Link: https://twitter.com/KyleHanslovan/status/905189665120149506
 - Link: https://windows10dll.nirsoft.net/shell32_dll.html
-Acknowledgment:
+Acknowledgement:
 - Person: Adam (Control_RunDLL)
 Handle: '@hexacorn'
 - Person: Pierre-Alexandre Braeken (ShellExec_RunDLL)
diff --git a/yml/OSLibraries/Syssetup.yml b/yml/OSLibraries/Syssetup.yml
index a021e4a..862b33e 100644
--- a/yml/OSLibraries/Syssetup.yml
+++ b/yml/OSLibraries/Syssetup.yml
@@ -15,7 +15,7 @@ Commands:
 - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
 Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
 UseCase: Load an executable payload.
- Category: Execution
+ Category: Execute
 Privileges: User
 MitreID: T1085
 MitreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -34,7 +34,7 @@ Resources:
 - Link: https://twitter.com/harr0ey/status/975350238184697857
 - Link: https://twitter.com/bohops/status/975549525938135040
 - Link: https://windows10dll.nirsoft.net/syssetup_dll.html
-Acknowledgment:
+Acknowledgement:
 - Person: Pierre-Alexandre Braeken (Execute)
 Handle: '@pabraeken'
 - Person: Matt harr0ey (Execute)
diff --git a/yml/OSLibraries/Url.yml b/yml/OSLibraries/Url.yml
index 4aac63e..39309e7 100644
--- a/yml/OSLibraries/Url.yml
+++ b/yml/OSLibraries/Url.yml
@@ -66,7 +66,7 @@ Resources:
 - Link: https://twitter.com/yeyint_mth/status/997355558070927360
 - Link: https://twitter.com/Hexacorn/status/974063407321223168
 - Link: https://windows10dll.nirsoft.net/url_dll.html
-Acknowledgment:
+Acknowledgement:
 - Person: Adam (OpenURL)
 Handle: '@hexacorn'
 - Person: Jimmy (OpenURL)
diff --git a/yml/OSLibraries/Zipfldr.yml b/yml/OSLibraries/Zipfldr.yml
index 1fc3bc7..b080f4c 100644
--- a/yml/OSLibraries/Zipfldr.yml
+++ b/yml/OSLibraries/Zipfldr.yml
@@ -31,7 +31,7 @@ Resources:
 - Link: https://twitter.com/moriarty_meng/status/977848311603380224
 - Link: https://twitter.com/bohops/status/997896811904929792
 - Link: https://windows10dll.nirsoft.net/zipfldr_dll.html
-Acknowledgment:
+Acknowledgement:
 - Person: Moriarty (Execution)
 Handle: '@moriarty_meng'
 - Person: r0lan (Obfuscation)