Updated module descriptions (#790)

* Added annotations to module yamls

* First batch of C# module descriptions updated

* a few more

* a few more

* Fixed misspellings and formatting

* fixed accidental formatting of code block in yamls

* reverted the C# yamls formatting changes

* additional fixes

* Improved descriptions for clipboard_monitor and screenshot modules to be LLM-friendly

* Update PersistAutorun.yaml

* cleaned up formatting mistakes

* updated SA bofs

* updated more bof descriptions

* Updated descriptions for ps lateral modules

* Updated descriptions for management modules

* updated module descriptions

* complete powershell/collection

* update powrshell situational awareness modules

* updated powershell privesc

* updated mimikatz modules

* update powrshell exploitation modules

* updated powershell management modules

* update mailraider modules

* updated powershell persistence modules

* fixed formatting

* reverted yaml changes

* reverted lint and test yaml

* added new line to lint-and-test

* Updated module descriptions

* fixed invoke-downloadfile.yaml

* fixed formated string mistakes

* run yamlfmt

---------

Co-authored-by: hubbl3 <Jake,Krasnov@bc-security.org>
Co-authored-by: Paul Olushile <paul.olushile@redseersecurity.com>
Co-authored-by: Vince Rose <vrose04@gmail.com>

Author: 4 people

empire/server/modules/bof/injection/SpawnProcess.yaml

@@ -3,9 +3,10 @@ authors:
   - name: Anthony Rose
     handle: '@Cx01N'
     link: https://twitter.com/Cx01N_
-description: Spawns a new sacrificial process in a suspended state. Non-Microsoft
-  signed binaries are blocked.
-software: ''
+description: |
+  Beacon Object File (BOF) that creates a sacrificial process in a suspended state for
+  process injection techniques. Spawns a Microsoft-signed binary (default: calc.exe) as a child of
+  a specified parent process (default: explorer.exe) to establish a legitimate process tree.
 tactics: [TA0002]
 techniques: [T1134.004, T1106]
 background: false

empire/server/modules/bof/nanodump.yaml

@@ -3,7 +3,12 @@ authors:
   - name: Anthony Rose
     handle: '@Cx01N'
     link: https://twitter.com/Cx01N_
-description: A flexible tool that creates a minidump of the LSASS process.
+description: Beacon Object File (BOF) that creates a minidump of the LSASS process
+  using various evasion techniques to bypass security monitoring. Supports multiple
+  dumping methods including handle duplication, process forking, snapshot creation,
+  and seclogon handle leaking. Can generate both valid and invalid signature dumps,
+  with options for chunked writing and various privilege escalation techniques to
+  access LSASS memory while avoiding detection.
 software: ''
 tactics: [TA0006]
 techniques: [T1003.001]

empire/server/modules/bof/secinject.yaml

@@ -3,7 +3,10 @@ authors:
   - name: Anthony Rose
     handle: '@Cx01N'
     link: https://twitter.com/Cx01N_
-description: Section Mapping Process Injection (secinject)
+description: Beacon Object File (BOF) that performs section mapping process injection
+  by allocating memory in a target process and mapping PE sections directly into
+  the remote process memory space. This technique avoids traditional process injection
+  APIs by manually copying section data and applying proper memory protection flags.
 software: ''
 tactics: [TA0004]
 techniques: [T1055]

empire/server/modules/bof/situational_awareness/adcs_enum.yaml

@@ -3,7 +3,11 @@ authors:
   - name: Anthony Rose
     handle: '@Cx01N'
     link: https://twitter.com/Cx01N_
-description: Enumerate CAs and templates in the AD using Win32 functions.
+description: |
+  Enumerates Active Directory Certificate Services (AD CS) information
+  using native Win32 API calls to identify enterprise Certificate Authorities (CAs)
+  and their certificate templates. Serves as an alternative to COM-based enumeration
+  by invoking low-level Windows API functions directly.
 software: ''
 tactics: [TA0043, TA0007]
 techniques: [T1590.001, T1590.003, T1482, T1106]

empire/server/modules/bof/situational_awareness/adcs_enum_com.yaml

@@ -1,9 +1,12 @@
-name: adcs_enum
+name: adcs_enum_com
 authors:
   - name: Anthony Rose
     handle: '@Cx01N'
     link: https://twitter.com/Cx01N_
-description: Enumerate CAs and templates in the AD using ICertConfig COM object.
+description: |
+  Enumerates the Active Directory Certificate Services (AD CS) configuration
+  in the current domain using the ICertConfig COM interface. Outputs all enterprise
+  Certificate Authorities (CAs) and their published certificate templates.
 software: ''
 tactics: [TA0043, TA0007]
 techniques: [T1590.001, T1590.003, T1482, T1559.001]

empire/server/modules/bof/situational_awareness/adcs_enum_com2.yaml

@@ -3,8 +3,11 @@ authors:
   - name: Anthony Rose
     handle: '@Cx01N'
     link: https://twitter.com/Cx01N_
-description: Enumerate CAs and templates in the AD using IX509PolicyServerListManager
-  COM object.
+description: |
+  Enumerates enterprise Certificate Authorities (CAs) and their certificate
+  templates in Active Directory using the IX509PolicyServerListManager COM interface.
+  Unlike the ICertConfig-based variant, this method uses a more modern COM interface
+  associated with AD CS policy management.
 software: ''
 tactics: [TA0043, TA0007]
 techniques: [T1590.001, T1590.003, T1482, T1559.001]

empire/server/modules/bof/situational_awareness/adv_audit_policies.yaml

@@ -3,7 +3,10 @@ authors:
   - name: Anthony Rose
     handle: '@Cx01N'
     link: https://twitter.com/Cx01N_
-description: Retrieve advanced security audit policies.
+description: |
+  Retrieves advanced security audit policy settings from the target system
+  using native Windows APIs. Useful for identifying which event types are being
+  logged, including process creation, logon events, and privilege use.
 software: ''
 tactics: [TA0007, TA0043]
 techniques: [T1615, T1592.002, T1012]

empire/server/modules/bof/situational_awareness/arp.yaml

@@ -3,7 +3,10 @@ authors:
   - name: Anthony Rose
     handle: '@Cx01N'
     link: https://twitter.com/Cx01N_
-description: List ARP table.
+description: |
+  Lists the local Address Resolution Protocol (ARP) table to reveal IP-to-MAC
+  address mappings. Useful for identifying other hosts on the same subnet and gathering
+  network reconnaissance data.
 software: ''
 tactics: [TA0007]
 techniques: [T1016, T1018, T1106]

empire/server/modules/bof/situational_awareness/cacls.yaml

@@ -3,8 +3,10 @@ authors:
   - name: Anthony Rose
     handle: '@Cx01N'
     link: https://twitter.com/Cx01N_
-description: Display access control lists on specificed files. If a folder enumerates
-  recursively
+description: |
+  Displays access control lists (ACLs) for a specified file or directory.
+  If a folder is provided, permissions are enumerated recursively to identify access
+  rights across all nested items.
 software: ''
 tactics: [TA0007]
 techniques: [T1083, T1106]

empire/server/modules/bof/situational_awareness/driversigs.yaml

@@ -3,8 +3,10 @@ authors:
   - name: Anthony Rose
     handle: '@Cx01N'
     link: https://twitter.com/Cx01N_
-description: Enumerate installed services Imagepaths to check the signing cert against
-  known AV/EDR vendors.
+description: |
+  Enumerates installed service image paths and checks their code signing
+  certificates against known AV and EDR vendors. Useful for detecting security
+  products and assessing defensive tooling present on the host.
 software: ''
 tactics: [TA0007, TA0009]
 techniques: [T1005, T1518.001, T1652]