Applying update LOLBAS-Project/LOLBAS@e62749f

Author: github-actions[bot]

_lolbas/Binaries/Microsoft.Workflow.Compiler.md

@@ -13,7 +13,7 @@ Commands:
     OperatingSystem: Windows 10S, Windows 11
     Tags:
       - Execute: VB.Net
-      - Execute: CSharp
+      - Execute: Csharp
   - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
     Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
     Usecase: Compile and run code

_lolbas/Binaries/MpCmdRun.md

@@ -29,6 +29,9 @@ Full_Path:
   - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe
   - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe
   - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe
+  - Path: C:\Program Files\Windows Defender\MpCmdRun.exe
+  - Path: C:\Program Files (x86)\Windows Defender\MpCmdRun.exe
+  - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23110.3-0\X86\MpCmdRun.exe
 Code_Sample:
   - Code:
 Detection:

_lolbas/Binaries/OneDriveStandaloneUpdater.md

@@ -13,6 +13,8 @@ Commands:
     OperatingSystem: Windows 10
 Full_Path:
   - Path: 'C:\Users\<username>\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
+  - Path: C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe
+  - Path: C:\Program Files (x86)\Microsoft OneDrive\OneDriveStandaloneUpdater.exe
 Detection:
   - IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL
   - IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files

_lolbas/Binaries/Wuauclt.md

@@ -15,6 +15,7 @@ Commands:
       - Execute: DLL
 Full_Path:
   - Path: C:\Windows\System32\wuauclt.exe
+  - Path: C:\Windows\UUS\amd64\wuauclt.exe
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
   - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml

_lolbas/Binaries/msedgewebview2.md

@@ -42,6 +42,7 @@ Commands:
       - Execute: CMD
 Full_Path:
   - Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe
+  - Path: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.70\msedgewebview2.exe
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml
   - IOC: 'msedgewebview2.exe spawned with any of the following: --gpu-launcher, --utility-cmd-prefix, --renderer-cmd-prefix, --browser-subprocess-path'

_lolbas/OtherMSBinaries/OpenConsole.md

@@ -17,6 +17,7 @@ Full_Path:
   - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
   - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os86\OpenConsole.exe
   - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
+  - Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.18.10301.0_x64__8wekyb3d8bbwe\OpenConsole.exe
 Detection:
   - IOC: OpenConsole.exe spawning unexpected processes
   - Sigma: https://github.com/SigmaHQ/sigma/blob/9e0ef7251b075f15e7abafbbec16d3230c5fa477/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml