Adjustments

2018-04-18 17:24:56 +02:00 · 2018-04-18 17:24:56 +02:00 · cde3fc7f7f
parent 88a2f34899
commit cde3fc7f7f
6 changed files with 97 additions and 3 deletions
--- a/LOLBins.md
+++ b/LOLBins.md
@ -8,6 +8,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
 [Atbroker.exe](OSBinaries/Atbroker.md)    
 [Cmstp.exe](OSBinaries/Cmstp.md)     
 [Control.exe](OSBinaries/Control.md)     
+[Dfsvc.exe](OSBinaries/Dfsvc.md)     
 [Forfiles.exe](OSBinaries/Forfiles.md)    
 [Ieexec.exe](OSBinaries/Ieexec.md)     
 [Ie4unit.exe](OSBinaries/Ie4unit.md)     
--- a/LOLScripts.md
+++ b/LOLScripts.md
@ -5,6 +5,8 @@ If you are missing from the acknowledgement, please let me know (I did not forge

 # OS SCRIPTS

-[Cl_invocation.ps1](OSScripts/Cl_invocation.md)    
-[Pubprn.vbs](OSScripts/Pubprn.md)    
-[Slmgr.vbs](OSScripts/Slmgr.md)    
+[Cl_invocation.ps1](OSScripts/Cl_invocation.md)         
+[Manage-bde.vbs](OSScripts/Manage-bde.md)     
+[Slmgr.vbs](OSScripts/Slmgr.md)      
+[Pubprn.vbs](OSScripts/Pubprn.md)     
+[Winrm.vbs](OSScripts/Winrm.md)      
--- a/OSBinaries/Dfsvc.md
+++ b/OSBinaries/Dfsvc.md
@ -0,0 +1,30 @@
+## Dfsvc.exe
+
+* Functions: Execute
+
+```
+Missing Example
+```
+
+Acknowledgements:
+* Casey Smith - @subtee
+
+Code sample:
+* 
+
+Resources:
+* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
+
+Full path:
+```
+C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe     
+C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe    
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe    
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe    
+```
+
+Notes:
+
+
+
+ 
--- a/OSScripts/Manage-bde.md
+++ b/OSScripts/Manage-bde.md
@ -0,0 +1,29 @@
+## Manage-bde.wsf
+
+* Functions: Execute
+
+```
+set comspec=C:\windows\system32\calc.exe   
+cscript C:\windows\system32\manage-bde.wsf    
+```
+
+Acknowledgements:
+* Jimmy - @bophops
+
+Code sample:
+* 
+
+Resources:
+* https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
+* https://twitter.com/bohops/status/980659399495741441
+
+Full path:
+```
+c:\windows\system32\manage-bde.wsf
+```
+
+Notes:
+
+
+
+ 
--- a/OSScripts/Pubprn.md
+++ b/OSScripts/Pubprn.md
@ -15,6 +15,7 @@ Code sample:
 Resources:
 * https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
 * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+* https://github.com/enigma0x3/windows-operating-system-archaeology

 Full path:
 ```
--- a/OSScripts/Winrm.md
+++ b/OSScripts/Winrm.md
@ -0,0 +1,31 @@
+## Winrm.vbs
+
+* Functions: Execute
+
+```
+winrm quickconfig
+```
+
+Acknowledgements:
+* Matt Nelson - @enigma0x3
+* Casey Smith - @subtee
+
+Code sample:
+* Missing Code sample 
+
+Resources:
+* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology    
+* https://www.youtube.com/watch?v=3gz1QmiMhss    
+* https://github.com/enigma0x3/windows-operating-system-archaeology
+
+Full path:
+```
+C:\windows\system32\winrm.vbs
+C:\windows\SysWOW64\winrm.vbs
+```
+
+Notes:
+Some specific details about the binary file.
+
+
+