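LOLBAS (Living Off The Land Binaries, Scripts and Libraries)

Each entry below lists, in order: the file name, the functions documented for it (with tags in parentheses; "AWL bypass" means application whitelisting bypass), its category (Binaries, Libraries, OtherMSBinaries or Scripts), and the MITRE ATT&CK technique IDs mapped to those functions.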

AddinUtil.exe

Execute (.NetObjects)

Binaries

T1218

AppInstaller.exe

Download (INetCache)

Binaries

T1105

Aspnet_Compiler.exe

AWL bypass

Binaries

T1127

At.exe

Execute (CMD)

Binaries

T1053.002

Atbroker.exe

Execute (EXE)

Binaries

T1218

Bash.exe

Execute (CMD)

AWL bypass (CMD)

Binaries

T1202

T1218

Bitsadmin.exe

Alternate data streams

Download

Copy

Execute

Binaries

T1564.004

T1105

T1218

CertOC.exe

Execute (DLL)

Download

Binaries

T1218

T1105

CertReq.exe

Download

Upload

Binaries

T1105

Certutil.exe

Download (GUI)

Alternate data streams

Encode

Decode

Binaries

T1105

T1564.004

T1027.013

T1140

Change.exe

Execute (EXE, Rename)

Binaries

T1218

Cipher.exe

Tamper

Binaries

T1485

Cmd.exe

Alternate data streams

Download

Upload

Binaries

T1564.004

T1059.003

T1105

T1048.003

Cmdkey.exe

Credentials

Binaries

T1078

cmdl32.exe

Download

Binaries

T1105

Cmstp.exe

Execute (INF)

AWL bypass (INF, Remote)

Binaries

T1218.003

Colorcpl.exe

Copy

Binaries

T1036.005

ComputerDefaults.exe

UAC bypass

Binaries

T1548.002

ConfigSecurityPolicy.exe

Upload

Download (INetCache)

Binaries

T1567

T1105

Conhost.exe

Execute (CMD)

Binaries

T1202

Control.exe

Alternate data streams (DLL)

Execute (DLL)

Binaries

T1218.002

Csc.exe

Compile

Binaries

T1127

Cscript.exe

Alternate data streams (WSH)

Binaries

T1564.004

CustomShellHost.exe

Execute (EXE)

Binaries

T1218

DataSvcUtil.exe

Upload

Binaries

T1567

Desktopimgdownldr.exe

Download

Binaries

T1105

DeviceCredentialDeployment.exe

Conceal

Binaries

T1564

Dfsvc.exe

AWL bypass (ClickOnce, Remote)

Binaries

T1127.002

Diantz.exe

Alternate data streams (Compression)

Download (Compression)

Execute (Compression)

Binaries

T1564.004

T1105

T1036

Diskshadow.exe

Dump (CMD)

Execute (CMD)

Binaries

T1003.003

T1202

Dnscmd.exe

Execute (DLL, Remote)

Binaries

T1543.003

Esentutl.exe

Copy

Alternate data streams

Download

Binaries

T1105

T1564.004

T1003.003

Eudcedit.exe

UAC bypass (CMD, GUI)

Binaries

T1548.002

Eventvwr.exe

UAC bypass (GUI, EXE, .NetObjects)

Binaries

T1548.002

Expand.exe

Download

Copy

Alternate data streams

Binaries

T1105

T1564.004

Explorer.exe

Execute (EXE)

Binaries

T1202

Extexport.exe

Execute (DLL)

Binaries

T1218

Extrac32.exe

Alternate data streams (Compression)

Download

Copy

Binaries

T1564.004

T1105

Findstr.exe

Alternate data streams

Credentials

Download

Binaries

T1564.004

T1552.001

T1105

Finger.exe

Download

Binaries

T1105

fltMC.exe

Tamper

Binaries

T1562.001

Forfiles.exe

Execute (EXE)

Alternate data streams (EXE)

Binaries

T1202

T1564.004

Fsutil.exe

Tamper

Execute (EXE)

Binaries

T1485

T1218

Ftp.exe

Execute (CMD)

Download

Binaries

T1202

T1105

Gpscript.exe

Execute (CMD)

Binaries

T1218

Hh.exe

Download (EXE, GUI)

Execute (EXE, GUI, CMD, CHM, Remote)

Binaries

T1105

T1218.001

IMEWDBLD.exe

Download (INetCache)

Binaries

T1105

Ie4uinit.exe

Execute (INF)

Binaries

T1218

iediagcmd.exe

Execute (EXE)

Binaries

T1218

Ieexec.exe

Download (Remote, EXE (.NET))

Execute (Remote, EXE (.NET))

Binaries

T1105

T1218

Ilasm.exe

Compile

Binaries

T1127

Infdefaultinstall.exe

Execute (INF)

Binaries

T1218

Installutil.exe

AWL bypass (DLL (.NET), EXE (.NET))

Execute (DLL (.NET), EXE (.NET))

Download (INetCache)

Binaries

T1218.004

T1105

iscsicpl.exe

UAC bypass (DLL, CMD, GUI)

Binaries

T1548.002

Jsc.exe

Compile (JScript)

Binaries

T1127

Ldifde.exe

Download

Binaries

T1105

Makecab.exe

Alternate data streams (Compression)

Download (Compression)

Execute (Compression)

Binaries

T1564.004

T1105

T1036

Mavinject.exe

Execute (DLL)

Alternate data streams (DLL)

Binaries

T1218.013

T1564.004

Microsoft.Workflow.Compiler.exe

Execute (VB.Net, Csharp, XOML)

AWL bypass (XOML)

Binaries

T1127

Mmc.exe

Execute (COM)

UAC bypass (DLL)

Download (GUI)

Binaries

T1218.014

MpCmdRun.exe

Download

Alternate data streams

Binaries

T1105

T1564.004

Msbuild.exe

AWL bypass (CSharp)

Execute (CSharp, DLL, XSL, CMD)

Binaries

T1127.001

T1036

Msconfig.exe

Execute (CMD)

Binaries

T1218

Msdt.exe

Execute (GUI, MSI)

AWL bypass (GUI, MSI, CMD)

Binaries

T1218

T1202

Msedge.exe

Download

Execute (CMD)

Binaries

T1105

T1218.015

Mshta.exe

Execute (HTA, Remote, VBScript, JScript)

Alternate data streams (HTA)

Download (INetCache)

Binaries

T1218.005

T1105

Msiexec.exe

Execute (MSI, Remote, DLL, MST)

Binaries

T1218.007

Netsh.exe

Execute (DLL)

Binaries

T1546.007

Ngen.exe

Download (INetCache)

Binaries

T1105

Odbcconf.exe

Execute (DLL)

Binaries

T1218.008

OfflineScannerShell.exe

Execute (DLL)

Binaries

T1218

OneDriveStandaloneUpdater.exe

Download

Binaries

T1105

Pcalua.exe

Execute (EXE, DLL, Remote)

Binaries

T1202

Pcwrun.exe

Execute (EXE)

Binaries

T1218

T1202

Pktmon.exe

Reconnaissance

Binaries

T1040

Pnputil.exe

Execute (INF)

Binaries

T1547

Presentationhost.exe

Execute (XBAP)

Download (INetCache)

Binaries

T1218

T1105

Print.exe

Alternate data streams

Copy

Binaries

T1564.004

T1105

PrintBrm.exe

Download (Compression)

Alternate data streams (Compression)

Binaries

T1105

T1564.004

Provlaunch.exe

Execute (CMD)

Binaries

T1218

Psr.exe

Reconnaissance

Binaries

T1113

Query.exe

Execute (EXE, Rename)

Binaries

T1218

Rasautou.exe

Execute (DLL)

Binaries

T1218

rdrleakdiag.exe

Dump

Binaries

T1003

T1003.001

Reg.exe

Alternate data streams

Credentials

Binaries

T1564.004

T1003.002

Regasm.exe

AWL bypass (DLL (.NET))

Execute (DLL (.NET))

Binaries

T1218.009

Regedit.exe

Alternate data streams

Binaries

T1564.004

Regini.exe

Alternate data streams

Binaries

T1564.004

Register-cimprovider.exe

Execute (DLL)

Binaries

T1218

Regsvcs.exe

Execute (DLL (.NET))

AWL bypass (DLL (.NET))

Binaries

T1218.009

Regsvr32.exe

AWL bypass (SCT, Remote)

Execute (SCT, Remote, DLL)

Binaries

T1218.010

Replace.exe

Copy

Download

Binaries

T1105

Reset.exe

Execute (EXE, Rename)

Binaries

T1218

Rpcping.exe

Credentials

Binaries

T1003

T1187

Rundll32.exe

Execute (DLL, Remote, JScript, COM)

Alternate data streams (DLL)

Binaries

T1218.011

T1564.004

Runexehelper.exe

Execute (EXE)

Binaries

T1218

Runonce.exe

Execute (CMD)

Binaries

T1218

Runscripthelper.exe

Execute (PowerShell)

Binaries

T1218

Sc.exe

Alternate data streams (EXE)

Binaries

T1564.004

Schtasks.exe

Execute (CMD)

Binaries

T1053.005

Scriptrunner.exe

Execute (EXE, Remote, CMD)

Binaries

T1202

T1218

Setres.exe

Execute (EXE)

Binaries

T1218

SettingSyncHost.exe

Execute (EXE, CMD)

Binaries

T1218

Sftp.exe

Execute (CMD)

Binaries

T1202

ssh.exe

Execute (CMD)

Binaries

T1202

Stordiag.exe

Execute (EXE)

Binaries

T1218

SyncAppvPublishingServer.exe

Execute (PowerShell)

Binaries

T1218

Tar.exe

Alternate data streams (Compression)

Copy (Compression)

Binaries

T1564.004

T1105

Ttdinject.exe

Execute (EXE)

Binaries

T1127

Tttracer.exe

Execute (EXE)

Dump

Binaries

T1127

T1003

Unregmp2.exe

Execute (EXE)

Binaries

T1202

vbc.exe

Compile

Binaries

T1127

Verclsid.exe

Execute (COM)

Binaries

T1218.012

Wab.exe

Execute (DLL)

Binaries

T1218

wbadmin.exe

Dump

Binaries

T1003.003

wbemtest.exe

Execute (GUI, CMD)

Binaries

T1047

winget.exe

Execute (Remote, EXE)

Download

AWL bypass

Binaries

T1105

Wlrmdr.exe

Execute (EXE)

Binaries

T1202

Wmic.exe

Alternate data streams (EXE)

Execute (CMD, Remote, XSL)

Copy

Binaries

T1564.004

T1218

T1105

WorkFolders.exe

Execute (EXE)

Binaries

T1218

Wscript.exe

Alternate data streams (WSH)

Binaries

T1564.004

Wsreset.exe

UAC bypass

Binaries

T1548.002

wuauclt.exe

Execute (DLL)

Binaries

T1218

Xwizard.exe

Execute (COM)

Download (INetCache)

Binaries

T1218

T1105

msedge_proxy.exe

Download

Execute (CMD)

Binaries

T1105

T1218.015

msedgewebview2.exe

Execute (EXE, CMD)

Binaries

T1218.015

wt.exe

Execute (CMD)

Binaries

T1202

Advpack.dll

AWL bypass (INF)

Execute (DLL, EXE, CMD)

Libraries

T1218.011

Desk.cpl

Execute (EXE, Remote)

Libraries

T1218.011

Dfshim.dll

AWL bypass (ClickOnce, Remote)

Libraries

T1127.002

Ieadvpack.dll

AWL bypass (INF)

Execute (DLL, EXE, CMD)

Libraries

T1218.011

Ieframe.dll

Execute (URL)

Libraries

T1218.011

Mshtml.dll

Execute (HTA)

Libraries

T1218.011

Pcwutl.dll

Execute (EXE)

Libraries

T1218.011

PhotoViewer.dll

Download (INetCache)

Libraries

T1105

Scrobj.dll

Download (INetCache)

Libraries

T1105

Setupapi.dll

AWL bypass (INF)

Execute (INF)

Libraries

T1218.011

Shdocvw.dll

Execute (URL)

Libraries

T1218.011

Shell32.dll

Execute (DLL, EXE, CMD)

Libraries

T1218.011

Shimgvw.dll

Download (INetCache)

Libraries

T1105

Syssetup.dll

AWL bypass (INF)

Execute (INF)

Libraries

T1218.011

Url.dll

Execute (HTA, URL, EXE)

Libraries

T1218.011

Zipfldr.dll

Execute (EXE)

Libraries

T1218.011

Comsvcs.dll

Dump

Libraries

T1003.001

AccCheckConsole.exe

Execute (DLL (.NET))

AWL bypass (DLL (.NET))

OtherMSBinaries

T1218

adplus.exe

Dump

Execute (CMD, EXE)

OtherMSBinaries

T1003.001

T1127

AgentExecutor.exe

Execute (PowerShell, EXE)

OtherMSBinaries

T1218

AppLauncher.exe

Execute (EXE)

OtherMSBinaries

T1127

AppCert.exe

Execute (EXE, MSI)

OtherMSBinaries

T1127

T1218.007

Appvlp.exe

Execute (CMD, EXE)

OtherMSBinaries

T1218

Bcp.exe

Download

OtherMSBinaries

T1105

Bginfo.exe

Execute (WSH, Remote)

AWL bypass (WSH, Remote)

OtherMSBinaries

T1218

Cdb.exe

Execute (Shellcode, CMD)

OtherMSBinaries

T1127

coregen.exe

Execute (DLL)

AWL bypass (DLL)

OtherMSBinaries

T1055

T1218

Createdump.exe

Dump

OtherMSBinaries

T1003

csi.exe

Execute (CSharp)

OtherMSBinaries

T1127

DefaultPack.EXE

Execute (CMD)

OtherMSBinaries

T1218

Devinit.exe

Execute (MSI, Remote)

OtherMSBinaries

T1218.007

Devtoolslauncher.exe

Execute (CMD)

OtherMSBinaries

T1127

dnx.exe

Execute (CSharp)

OtherMSBinaries

T1127

Dotnet.exe

AWL bypass (DLL (.NET), CSharp)

Execute (DLL (.NET), FSharp)

OtherMSBinaries

T1218

T1059

dsdbutil.exe

Dump

OtherMSBinaries

T1003.003

dtutil.exe

Copy

OtherMSBinaries

T1105

Dump64.exe

Dump

OtherMSBinaries

T1003.001

DumpMinitool.exe

Dump

OtherMSBinaries

T1003.001

Dxcap.exe

Execute (EXE)

OtherMSBinaries

T1127

ECMangen.exe

Download (INetCache)

OtherMSBinaries

T1105

Excel.exe

Download (INetCache)

OtherMSBinaries

T1105

Fsi.exe

AWL bypass (FSharp)

OtherMSBinaries

T1059

FsiAnyCpu.exe

AWL bypass (FSharp)

OtherMSBinaries

T1059

IntelliTrace.exe

Execute (EXE)

OtherMSBinaries

T1127

Mftrace.exe

Execute (EXE)

OtherMSBinaries

T1127

Microsoft.NodejsTools.PressAnyKey.exe

Execute (EXE)

OtherMSBinaries

T1127

Mpiexec.exe

Execute (CMD)

OtherMSBinaries

T1127

MSAccess.exe

Download (INetCache)

OtherMSBinaries

T1105

Msdeploy.exe

Execute (CMD)

AWL bypass (CMD)

Copy

OtherMSBinaries

T1218

T1105

MsoHtmEd.exe

Download (INetCache)

OtherMSBinaries

T1105

Mspub.exe

Download (INetCache)

OtherMSBinaries

T1105

msxsl.exe

Execute (XSL, Remote)

AWL bypass (XSL, Remote)

Download

Alternate data streams

OtherMSBinaries

T1220

T1105

T1564

ntdsutil.exe

Dump

OtherMSBinaries

T1003.003

Ntsd.exe

Execute (CMD)

OtherMSBinaries

T1127

OpenConsole.exe

Execute (EXE)

OtherMSBinaries

T1202

Pixtool.exe

Execute (EXE)

OtherMSBinaries

T1127

Powerpnt.exe

Download (INetCache)

OtherMSBinaries

T1105

Procdump.exe

Execute (DLL)

OtherMSBinaries

T1202

ProtocolHandler.exe

Download

OtherMSBinaries

T1105

rcsi.exe

Execute (CSharp)

AWL bypass (CSharp)

OtherMSBinaries

T1127

Remote.exe

AWL bypass (EXE)

Execute (EXE, Remote)

OtherMSBinaries

T1127

Sqldumper.exe

Dump

OtherMSBinaries

T1003

T1003.001

Sqlps.exe

Execute (PowerShell)

OtherMSBinaries

T1218

SQLToolsPS.exe

Execute (PowerShell)

OtherMSBinaries

T1218

Squirrel.exe

Download

AWL bypass (Nuget, Remote)

Execute (Nuget, Remote)

OtherMSBinaries

T1218

te.exe

Execute (WSH, DLL, Custom Format)

OtherMSBinaries

T1127

Teams.exe

Execute (Node.JS, CMD)

OtherMSBinaries

T1218.015

TestWindowRemoteAgent.exe

Upload

OtherMSBinaries

T1048

Tracker.exe

Execute (DLL)

AWL bypass (DLL)

OtherMSBinaries

T1127

Update.exe

Download

AWL bypass (Nuget, Remote, CMD)

Execute (Nuget, Remote, CMD, EXE)

OtherMSBinaries

T1218

T1547

T1070

VSDiagnostics.exe

Execute (EXE, CMD)

OtherMSBinaries

T1127

VSIISExeLauncher.exe

Execute (EXE)

OtherMSBinaries

T1218

Visio.exe

Download (INetCache)

OtherMSBinaries

T1105

VisualUiaVerifyNative.exe

AWL bypass (.NetObjects)

OtherMSBinaries

T1218

VSLaunchBrowser.exe

Download (INetCache)

Execute (EXE, Remote)

OtherMSBinaries

T1105

T1127

Vshadow.exe

Execute (EXE)

OtherMSBinaries

T1202

vsjitdebugger.exe

Execute (EXE)

OtherMSBinaries

T1127

WFMFormat.exe

Execute (EXE, .NET Framework 3.5)

OtherMSBinaries

T1127

Wfc.exe

AWL bypass (XOML)

OtherMSBinaries

T1127

WinDbg.exe

Execute (CMD)

OtherMSBinaries

T1127

WinProj.exe

Download (INetCache)

OtherMSBinaries

T1105

Winword.exe

Download (INetCache)

OtherMSBinaries

T1105

Wsl.exe

Execute (EXE, CMD)

Download

OtherMSBinaries

T1202

T1105

T1218

XBootMgr.exe

Execute (EXE)

OtherMSBinaries

T1202

XBootMgrSleep.exe

Execute (EXE)

OtherMSBinaries

T1202

devtunnel.exe

Download

OtherMSBinaries

T1105

vsls-agent.exe

Execute (DLL)

OtherMSBinaries

T1218

vstest.console.exe

AWL bypass (DLL)

OtherMSBinaries

T1127

winfile.exe

Execute (EXE)

OtherMSBinaries

T1202

xsd.exe

Download (INetCache)

OtherMSBinaries

T1105

CL_LoadAssembly.ps1

Execute (DLL (.NET))

Scripts

T1216

CL_Mutexverifiers.ps1

Execute (PowerShell)

Scripts

T1216

CL_Invocation.ps1

Execute (CMD)

Scripts

T1216

Launch-VsDevShell.ps1

Execute (EXE)

Scripts

T1216

Manage-bde.wsf

Execute (EXE)

Scripts

T1216

Pubprn.vbs

Execute (SCT)

Scripts

T1216.001

Syncappvpublishingserver.vbs

Execute (PowerShell)

Scripts

T1216.002

UtilityFunctions.ps1

Execute (DLL (.NET))

Scripts

T1216

winrm.vbs

Execute (CMD, Remote)

AWL bypass (XSL)

Scripts

T1216

T1220

Pester.bat

Execute (EXE)

Scripts

T1216