LOLBAS

Windows

Binary

| FileName | Functions | ATT&CK® Techniques |
| --- | --- | --- |
| AppInstaller.exe | Download | T1105:Ingress Tool Transfer |
| Aspnet_Compiler.exe | AWL bypass | T1127:Trusted Developer Utilities Proxy Execution |
| At.exe | Execute | T1053.002:At |
| Atbroker.exe | Execute | T1218:System Binary Proxy Execution |
| Bash.exe | Execute, AWL bypass | T1202:Indirect Command Execution |
| Bitsadmin.exe | Alternate data streams, Download, Copy, Execute | T1564.004:NTFS File Attributes, T1105:Ingress Tool Transfer, T1218:System Binary Proxy Execution |
| CertOC.exe | Execute, Download | T1218:System Binary Proxy Execution, T1105:Ingress Tool Transfer |
| CertReq.exe | Download, Upload | T1105:Ingress Tool Transfer |
| Certutil.exe | Download, Alternate data streams, Encode, Decode | T1105:Ingress Tool Transfer, T1564.004:NTFS File Attributes, T1027:Obfuscated Files or Information, T1140:Deobfuscate/Decode Files or Information |
| Cmd.exe | Alternate data streams | T1059.003:Windows Command Shell |
| Cmdkey.exe | Credentials | T1078:Valid Accounts |
| cmdl32.exe | Download | T1105:Ingress Tool Transfer |
| Cmstp.exe | Execute, AWL bypass | T1218.003:CMSTP |
| ConfigSecurityPolicy.exe | Upload | T1567:Exfiltration Over Web Service |
| Conhost.exe | Execute | T1202:Indirect Command Execution |
| Control.exe | Alternate data streams | T1218.002:Control Panel |
| Csc.exe | Compile | T1127:Trusted Developer Utilities Proxy Execution |
| Cscript.exe | Alternate data streams | T1564.004:NTFS File Attributes |
| CustomShellHost.exe | Execute | T1218:System Binary Proxy Execution |
| DataSvcUtil.exe | Upload | T1567:Exfiltration Over Web Service |
| Desktopimgdownldr.exe | Download | T1105:Ingress Tool Transfer |
| DeviceCredentialDeployment.exe | | T1564:Hide Artifacts |
| Dfsvc.exe | AWL bypass | T1127:Trusted Developer Utilities Proxy Execution |
| Diantz.exe | Alternate data streams, Download | T1564.004:NTFS File Attributes, T1105:Ingress Tool Transfer |
| Diskshadow.exe | Dump, Execute | T1003.003:NTDS, T1202:Indirect Command Execution |
| Dnscmd.exe | Execute | T1543.003:Windows Service |
| Esentutl.exe | Copy, Alternate data streams, Download | T1105:Ingress Tool Transfer, T1564.004:NTFS File Attributes, T1003.003:NTDS |
| Eventvwr.exe | UAC bypass | T1548.002:Bypass User Account Control |
| Expand.exe | Download, Copy, Alternate data streams | T1105:Ingress Tool Transfer, T1564.004:NTFS File Attributes |
| Explorer.exe | Execute | T1202:Indirect Command Execution |
| Extexport.exe | Execute | T1218:System Binary Proxy Execution |
| Extrac32.exe | Alternate data streams, Download, Copy | T1564.004:NTFS File Attributes, T1105:Ingress Tool Transfer |
| Findstr.exe | Alternate data streams, Credentials, Download | T1564.004:NTFS File Attributes, T1552.001:Credentials In Files, T1105:Ingress Tool Transfer |
| Finger.exe | Download | T1105:Ingress Tool Transfer |
| fltMC.exe | Alternate data streams | T1562.001:Disable or Modify Tools |
| Forfiles.exe | Execute, Alternate data streams | T1202:Indirect Command Execution, T1564.004:NTFS File Attributes |
| Ftp.exe | Execute, Download | T1202:Indirect Command Execution, T1105:Ingress Tool Transfer |
| GfxDownloadWrapper.exe | Download | T1105:Ingress Tool Transfer |
| Gpscript.exe | Execute | T1218:System Binary Proxy Execution |
| Hh.exe | Download, Execute | T1105:Ingress Tool Transfer, T1218.001:Compiled HTML File |
| IMEWDBLD.exe | Download | T1105:Ingress Tool Transfer |
| Ie4uinit.exe | Execute | T1218:System Binary Proxy Execution |
| Ieexec.exe | Download, Execute | T1105:Ingress Tool Transfer, T1218:System Binary Proxy Execution |
| Ilasm.exe | Compile | T1127:Trusted Developer Utilities Proxy Execution |
| Infdefaultinstall.exe | Execute | T1218:System Binary Proxy Execution |
| Installutil.exe | AWL bypass, Execute | T1218.004:InstallUtil |
| Jsc.exe | Compile | T1127:Trusted Developer Utilities Proxy Execution |
| Ldifde.exe | Download | T1105:Ingress Tool Transfer |
| Makecab.exe | Alternate data streams, Download | T1564.004:NTFS File Attributes, T1105:Ingress Tool Transfer |
| Mavinject.exe | Execute, Alternate data streams | T1218.013:Mavinject, T1564.004:NTFS File Attributes |
| Microsoft.Workflow.Compiler.exe | Execute, AWL bypass | T1127:Trusted Developer Utilities Proxy Execution |
| Mmc.exe | Execute, UAC bypass | T1218.014:MMC |
| MpCmdRun.exe | Download, Alternate data streams | T1105:Ingress Tool Transfer, T1564.004:NTFS File Attributes |
| Msbuild.exe | AWL bypass, Execute | T1127.001:MSBuild |
| Msconfig.exe | Execute | T1218:System Binary Proxy Execution |
| Msdt.exe | Execute, AWL bypass | T1218:System Binary Proxy Execution |
| Mshta.exe | Execute, Alternate data streams | T1218.005:Mshta |
| Msiexec.exe | Execute | T1218.007:Msiexec |
| Netsh.exe | Execute | T1546.007:Netsh Helper DLL |
| Odbcconf.exe | Execute | T1218.008:Odbcconf |
| OfflineScannerShell.exe | Execute | T1218:System Binary Proxy Execution |
| OneDriveStandaloneUpdater.exe | Download | T1105:Ingress Tool Transfer |
| Pcalua.exe | Execute | T1202:Indirect Command Execution |
| Pcwrun.exe | Execute | T1218:System Binary Proxy Execution |
| Pktmon.exe | Reconnaissance | T1040:Network Sniffing |
| Pnputil.exe | Execute | T1547:Boot or Logon Autostart Execution |
| Presentationhost.exe | Execute | T1218:System Binary Proxy Execution |
| Print.exe | Alternate data streams, Copy | T1564.004:NTFS File Attributes, T1105:Ingress Tool Transfer |
| PrintBrm.exe | Download, Alternate data streams | T1105:Ingress Tool Transfer, T1564.004:NTFS File Attributes |
| Psr.exe | Reconnaissance | T1113:Screen Capture |
| Rasautou.exe | Execute | T1218:System Binary Proxy Execution |
| rdrleakdiag.exe | Dump | T1003:OS Credential Dumping, T1003.001:LSASS Memory |
| Reg.exe | Alternate data streams, Credentials | T1564.004:NTFS File Attributes, T1003.002:Security Account Manager |
| Regasm.exe | AWL bypass, Execute | T1218.009:Regsvcs/Regasm |
| Regedit.exe | Alternate data streams | T1564.004:NTFS File Attributes |
| Regini.exe | Alternate data streams | T1564.004:NTFS File Attributes |
| Register-cimprovider.exe | Execute | T1218:System Binary Proxy Execution |
| Regsvcs.exe | Execute, AWL bypass | T1218.009:Regsvcs/Regasm |
| Regsvr32.exe | AWL bypass, Execute | T1218.010:Regsvr32 |
| Replace.exe | Copy, Download | T1105:Ingress Tool Transfer |
| Rpcping.exe | Credentials | T1003:OS Credential Dumping, T1187:Forced Authentication |
| Rundll32.exe | Execute, Alternate data streams | T1218.011:Rundll32, T1564.004:NTFS File Attributes |
| Runonce.exe | Execute | T1218:System Binary Proxy Execution |
| Runscripthelper.exe | Execute | T1218:System Binary Proxy Execution |
| Sc.exe | Alternate data streams | T1564.004:NTFS File Attributes |
| Schtasks.exe | Execute | T1053.005:Scheduled Task |
| Scriptrunner.exe | Execute | T1202:Indirect Command Execution, T1218:System Binary Proxy Execution |
| SettingSyncHost.exe | Execute | T1218:System Binary Proxy Execution |
| ssh.exe | Execute, AWL bypass | T1202:Indirect Command Execution, T1218:System Binary Proxy Execution |
| Stordiag.exe | Execute | T1218:System Binary Proxy Execution |
| SyncAppvPublishingServer.exe | Execute | T1218:System Binary Proxy Execution |
| Ttdinject.exe | Execute | T1127:Trusted Developer Utilities Proxy Execution |
| Tttracer.exe | Execute, Dump | T1127:Trusted Developer Utilities Proxy Execution, T1003:OS Credential Dumping |
| Unregmp2.exe | Execute | T1202:Indirect Command Execution |
| vbc.exe | Compile | T1127:Trusted Developer Utilities Proxy Execution |
| Verclsid.exe | Execute | T1218.012:Verclsid |
| Wab.exe | Execute | T1218:System Binary Proxy Execution |
| Wlrmdr.exe | Execute | T1202:Indirect Command Execution |
| Wmic.exe | Alternate data streams, Execute | T1564.004:NTFS File Attributes, T1218:System Binary Proxy Execution |
| WorkFolders.exe | Execute | T1218:System Binary Proxy Execution |
| Wscript.exe | Alternate data streams | T1564.004:NTFS File Attributes |
| Wsreset.exe | UAC bypass | T1548.002:Bypass User Account Control |
| wuauclt.exe | Execute | T1218:System Binary Proxy Execution |
| Xwizard.exe | Execute, Download | T1218:System Binary Proxy Execution, T1105:Ingress Tool Transfer |
| fsutil.exe | | T1485:Data Destruction |

Library

| FileName | Functions | ATT&CK® Techniques |
| --- | --- | --- |
| Advpack.dll | AWL bypass, Execute | T1218.011:Rundll32 |
| Desk.cpl | Execute | T1218.011:Rundll32 |
| Dfshim.dll | AWL bypass | T1127:Trusted Developer Utilities Proxy Execution |
| Ieadvpack.dll | AWL bypass, Execute | T1218.011:Rundll32 |
| Ieframe.dll | Execute | T1218.011:Rundll32 |
| Mshtml.dll | Execute | T1218.011:Rundll32 |
| Pcwutl.dll | Execute | T1218.011:Rundll32 |
| Setupapi.dll | AWL bypass, Execute | T1218.011:Rundll32 |
| Shdocvw.dll | Execute | T1218.011:Rundll32 |
| Shell32.dll | Execute | T1218.011:Rundll32 |
| Syssetup.dll | AWL bypass, Execute | T1218.011:Rundll32 |
| Url.dll | Execute | T1218.011:Rundll32 |
| Zipfldr.dll | Execute | T1218.011:Rundll32 |
| Comsvcs.dll | Dump | T1003.001:LSASS Memory |

OtherMSBinary

| FileName | Functions | ATT&CK® Techniques |
| --- | --- | --- |
| AccCheckConsole.exe | Execute, AWL bypass | T1218:System Binary Proxy Execution |
| adplus.exe | Dump | T1003.001:LSASS Memory |
| AgentExecutor.exe | Execute | T1218:System Binary Proxy Execution |
| Appvlp.exe | Execute | T1218:System Binary Proxy Execution |
| Bginfo.exe | Execute, AWL bypass | T1218:System Binary Proxy Execution |
| Cdb.exe | Execute | T1127:Trusted Developer Utilities Proxy Execution |
| coregen.exe | Execute, AWL bypass | T1055:Process Injection, T1218:System Binary Proxy Execution |
| csi.exe | Execute | T1127:Trusted Developer Utilities Proxy Execution |
| DefaultPack.EXE | Execute | T1218:System Binary Proxy Execution |
| Devtoolslauncher.exe | Execute | T1127:Trusted Developer Utilities Proxy Execution |
| dnx.exe | Execute | T1127:Trusted Developer Utilities Proxy Execution |
| Dotnet.exe | AWL bypass, Execute | T1218:System Binary Proxy Execution |
| Dump64.exe | Dump | T1003.001:LSASS Memory |
| Dxcap.exe | Execute | T1127:Trusted Developer Utilities Proxy Execution |
| Excel.exe | Download | T1105:Ingress Tool Transfer |
| Fsi.exe | AWL bypass | T1059:Command and Scripting Interpreter |
| FsiAnyCpu.exe | AWL bypass | T1059:Command and Scripting Interpreter |
| Mftrace.exe | Execute | T1127:Trusted Developer Utilities Proxy Execution |
| Msdeploy.exe | Execute, AWL bypass | T1218:System Binary Proxy Execution |
| msxsl.exe | Execute, AWL bypass | T1218:System Binary Proxy Execution |
| ntdsutil.exe | Dump | T1003.003:NTDS |
| Powerpnt.exe | Download | T1105:Ingress Tool Transfer |
| Procdump.exe | Execute | T1202:Indirect Command Execution |
| rcsi.exe | Execute, AWL bypass | T1127:Trusted Developer Utilities Proxy Execution |
| Remote.exe | AWL bypass, Execute | T1127:Trusted Developer Utilities Proxy Execution |
| Sqldumper.exe | Dump | T1003:OS Credential Dumping, T1003.001:LSASS Memory |
| Sqlps.exe | Execute | T1218:System Binary Proxy Execution |
| SQLToolsPS.exe | Execute | T1218:System Binary Proxy Execution |
| Squirrel.exe | Download, AWL bypass, Execute | T1218:System Binary Proxy Execution |
| te.exe | Execute | T1127:Trusted Developer Utilities Proxy Execution |
| Tracker.exe | Execute, AWL bypass | T1127:Trusted Developer Utilities Proxy Execution |
| Update.exe | Download, AWL bypass, Execute | T1218:System Binary Proxy Execution, T1547:Boot or Logon Autostart Execution, T1070:Indicator Removal on Host |
| VSIISExeLauncher.exe | Execute | T1218:System Binary Proxy Execution |
| VisualUiaVerifyNative.exe | AWL bypass | T1218:System Binary Proxy Execution |
| vsjitdebugger.exe | Execute | T1127:Trusted Developer Utilities Proxy Execution |
| Wfc.exe | AWL bypass | T1127:Trusted Developer Utilities Proxy Execution |
| Winword.exe | Download | T1105:Ingress Tool Transfer |
| Wsl.exe | Execute, Download | T1202:Indirect Command Execution |

Script

| FileName | Functions | ATT&CK® Techniques |
| --- | --- | --- |
| CL_LoadAssembly.ps1 | Execute | T1216:System Script Proxy Execution |
| CL_Mutexverifiers.ps1 | Execute | T1216:System Script Proxy Execution |
| CL_Invocation.ps1 | Execute | T1216:System Script Proxy Execution |
| Manage-bde.wsf | Execute | T1216:System Script Proxy Execution |
| Pubprn.vbs | Execute | T1216.001:PubPrn |
| Syncappvpublishingserver.vbs | Execute | T1216:System Script Proxy Execution |
| UtilityFunctions.ps1 | Execute | T1216:System Script Proxy Execution |
| winrm.vbs | Execute, AWL bypass | T1216:System Script Proxy Execution |
| Pester.bat | Execute | T1216:System Script Proxy Execution |

Linux