LOLBAS

Windows

Binary

FileName Functions ATT&CK® Techniques
AppInstaller.exe
- Download

- T1105:Ingress Tool Transfer
Aspnet_Compiler.exe
- AWL bypass

- T1127:Trusted Developer Utilities Proxy Execution
At.exe
- Execute

- T1053.002:At
Atbroker.exe
- Execute

- T1218:System Binary Proxy Execution
Bash.exe
- Execute
- AWL bypass

- T1202:Indirect Command Execution
Bitsadmin.exe
- Alternate data streams
- Download
- Copy
- Execute

- T1564.004:NTFS File Attributes
- T1105:Ingress Tool Transfer
- T1218:System Binary Proxy Execution
CertOC.exe
- Execute
- Download

- T1218:System Binary Proxy Execution
- T1105:Ingress Tool Transfer
CertReq.exe
- Download
- Upload

- T1105:Ingress Tool Transfer
Certutil.exe
- Download
- Alternate data streams
- Encode
- Decode

- T1105:Ingress Tool Transfer
- T1564.004:NTFS File Attributes
- T1027:Obfuscated Files or Information
- T1140:Deobfuscate/Decode Files or Information
Cmd.exe
- Alternate data streams

- T1059.003:Windows Command Shell
Cmdkey.exe
- Credentials

- T1078:Valid Accounts
cmdl32.exe
- Download

- T1105:Ingress Tool Transfer
Cmstp.exe
- Execute
- AWL bypass

- T1218.003:CMSTP
ConfigSecurityPolicy.exe
- Upload

- T1567:Exfiltration Over Web Service
Conhost.exe
- Execute

- T1202:Indirect Command Execution
Control.exe
- Alternate data streams

- T1218.002:Control Panel
Csc.exe
- Compile

- T1127:Trusted Developer Utilities Proxy Execution
Cscript.exe
- Alternate data streams

- T1564.004:NTFS File Attributes
CustomShellHost.exe
- Execute

- T1218:System Binary Proxy Execution
DataSvcUtil.exe
- Upload

- T1567:Exfiltration Over Web Service
Desktopimgdownldr.exe
- Download

- T1105:Ingress Tool Transfer
DeviceCredentialDeployment.exe

- T1564:Hide Artifacts
Dfsvc.exe
- AWL bypass

- T1127:Trusted Developer Utilities Proxy Execution
Diantz.exe
- Alternate data streams
- Download

- T1564.004:NTFS File Attributes
- T1105:Ingress Tool Transfer
Diskshadow.exe
- Dump
- Execute

- T1003.003:NTDS
- T1202:Indirect Command Execution
Dnscmd.exe
- Execute

- T1543.003:Windows Service
Esentutl.exe
- Copy
- Alternate data streams
- Download

- T1105:Ingress Tool Transfer
- T1564.004:NTFS File Attributes
- T1003.003:NTDS
Eventvwr.exe
- UAC bypass

- T1548.002:Bypass User Account Control
Expand.exe
- Download
- Copy
- Alternate data streams

- T1105:Ingress Tool Transfer
- T1564.004:NTFS File Attributes
Explorer.exe
- Execute

- T1202:Indirect Command Execution
Extexport.exe
- Execute

- T1218:System Binary Proxy Execution
Extrac32.exe
- Alternate data streams
- Download
- Copy

- T1564.004:NTFS File Attributes
- T1105:Ingress Tool Transfer
Findstr.exe
- Alternate data streams
- Credentials
- Download

- T1564.004:NTFS File Attributes
- T1552.001:Credentials In Files
- T1105:Ingress Tool Transfer
Finger.exe
- Download

- T1105:Ingress Tool Transfer
fltMC.exe
- Alternate data streams

- T1562.001:Disable or Modify Tools
Forfiles.exe
- Execute
- Alternate data streams

- T1202:Indirect Command Execution
- T1564.004:NTFS File Attributes
Ftp.exe
- Execute
- Download

- T1202:Indirect Command Execution
- T1105:Ingress Tool Transfer
GfxDownloadWrapper.exe
- Download

- T1105:Ingress Tool Transfer
Gpscript.exe
- Execute

- T1218:System Binary Proxy Execution
Hh.exe
- Download
- Execute

- T1105:Ingress Tool Transfer
- T1218.001:Compiled HTML File
IMEWDBLD.exe
- Download

- T1105:Ingress Tool Transfer
Ie4uinit.exe
- Execute

- T1218:System Binary Proxy Execution
Ieexec.exe
- Download
- Execute

- T1105:Ingress Tool Transfer
- T1218:System Binary Proxy Execution
Ilasm.exe
- Compile

- T1127:Trusted Developer Utilities Proxy Execution
Infdefaultinstall.exe
- Execute

- T1218:System Binary Proxy Execution
Installutil.exe
- AWL bypass
- Execute

- T1218.004:InstallUtil
Jsc.exe
- Compile

- T1127:Trusted Developer Utilities Proxy Execution
Ldifde.exe
- Download

- T1105:Ingress Tool Transfer
Makecab.exe
- Alternate data streams
- Download

- T1564.004:NTFS File Attributes
- T1105:Ingress Tool Transfer
Mavinject.exe
- Execute
- Alternate data streams

- T1218.013:Mavinject
- T1564.004:NTFS File Attributes
Microsoft.Workflow.Compiler.exe
- Execute
- AWL bypass

- T1127:Trusted Developer Utilities Proxy Execution
Mmc.exe
- Execute
- UAC bypass

- T1218.014:MMC
MpCmdRun.exe
- Download
- Alternate data streams

- T1105:Ingress Tool Transfer
- T1564.004:NTFS File Attributes
Msbuild.exe
- AWL bypass
- Execute

- T1127.001:MSBuild
Msconfig.exe
- Execute

- T1218:System Binary Proxy Execution
Msdt.exe
- Execute
- AWL bypass

- T1218:System Binary Proxy Execution
Mshta.exe
- Execute
- Alternate data streams

- T1218.005:Mshta
Msiexec.exe
- Execute

- T1218.007:Msiexec
Netsh.exe
- Execute

- T1546.007:Netsh Helper DLL
Odbcconf.exe
- Execute

- T1218.008:Odbcconf
OfflineScannerShell.exe
- Execute

- T1218:System Binary Proxy Execution
OneDriveStandaloneUpdater.exe
- Download

- T1105:Ingress Tool Transfer
Pcalua.exe
- Execute

- T1202:Indirect Command Execution
Pcwrun.exe
- Execute

- T1218:System Binary Proxy Execution
Pktmon.exe
- Reconnaissance

- T1040:Network Sniffing
Pnputil.exe
- Execute

- T1547:Boot or Logon Autostart Execution
Presentationhost.exe
- Execute

- T1218:System Binary Proxy Execution
Print.exe
- Alternate data streams
- Copy

- T1564.004:NTFS File Attributes
- T1105:Ingress Tool Transfer
PrintBrm.exe
- Download
- Alternate data streams

- T1105:Ingress Tool Transfer
- T1564.004:NTFS File Attributes
Psr.exe
- Reconnaissance

- T1113:Screen Capture
Rasautou.exe
- Execute

- T1218:System Binary Proxy Execution
rdrleakdiag.exe
- Dump

- T1003:OS Credential Dumping
- T1003.001:LSASS Memory
Reg.exe
- Alternate data streams
- Credentials

- T1564.004:NTFS File Attributes
- T1003.002:Security Account Manager
Regasm.exe
- AWL bypass
- Execute

- T1218.009:Regsvcs/Regasm
Regedit.exe
- Alternate data streams

- T1564.004:NTFS File Attributes
Regini.exe
- Alternate data streams

- T1564.004:NTFS File Attributes
Register-cimprovider.exe
- Execute

- T1218:System Binary Proxy Execution
Regsvcs.exe
- Execute
- AWL bypass

- T1218.009:Regsvcs/Regasm
Regsvr32.exe
- AWL bypass
- Execute

- T1218.010:Regsvr32
Replace.exe
- Copy
- Download

- T1105:Ingress Tool Transfer
Rpcping.exe
- Credentials

- T1003:OS Credential Dumping
- T1187:Forced Authentication
Rundll32.exe
- Execute
- Alternate data streams

- T1218.011:Rundll32
- T1564.004:NTFS File Attributes
Runonce.exe
- Execute

- T1218:System Binary Proxy Execution
Runscripthelper.exe
- Execute

- T1218:System Binary Proxy Execution
Sc.exe
- Alternate data streams

- T1564.004:NTFS File Attributes
Schtasks.exe
- Execute

- T1053.005:Scheduled Task
Scriptrunner.exe
- Execute

- T1202:Indirect Command Execution
- T1218:System Binary Proxy Execution
SettingSyncHost.exe
- Execute

- T1218:System Binary Proxy Execution
ssh.exe
- Execute
- AWL bypass

- T1202:Indirect Command Execution
- T1218:System Binary Proxy Execution
Stordiag.exe
- Execute

- T1218:System Binary Proxy Execution
SyncAppvPublishingServer.exe
- Execute

- T1218:System Binary Proxy Execution
Ttdinject.exe
- Execute

- T1127:Trusted Developer Utilities Proxy Execution
Tttracer.exe
- Execute
- Dump

- T1127:Trusted Developer Utilities Proxy Execution
- T1003:OS Credential Dumping
Unregmp2.exe
- Execute

- T1202:Indirect Command Execution
vbc.exe
- Compile

- T1127:Trusted Developer Utilities Proxy Execution
Verclsid.exe
- Execute

- T1218.012:Verclsid
Wab.exe
- Execute

- T1218:System Binary Proxy Execution
Wlrmdr.exe
- Execute

- T1202:Indirect Command Execution
Wmic.exe
- Alternate data streams
- Execute

- T1564.004:NTFS File Attributes
- T1218:System Binary Proxy Execution
WorkFolders.exe
- Execute

- T1218:System Binary Proxy Execution
Wscript.exe
- Alternate data streams

- T1564.004:NTFS File Attributes
Wsreset.exe
- UAC bypass

- T1548.002:Bypass User Account Control
wuauclt.exe
- Execute

- T1218:System Binary Proxy Execution
Xwizard.exe
- Execute
- Download

- T1218:System Binary Proxy Execution
- T1105:Ingress Tool Transfer
fsutil.exe

- T1485:Data Destruction

Library

FileName Functions ATT&CK® Techniques
Advpack.dll
- AWL bypass
- Execute

- T1218.011:Rundll32
Desk.cpl
- Execute

- T1218.011:Rundll32
Dfshim.dll
- AWL bypass

- T1127:Trusted Developer Utilities Proxy Execution
Ieadvpack.dll
- AWL bypass
- Execute

- T1218.011:Rundll32
Ieframe.dll
- Execute

- T1218.011:Rundll32
Mshtml.dll
- Execute

- T1218.011:Rundll32
Pcwutl.dll
- Execute

- T1218.011:Rundll32
Setupapi.dll
- AWL bypass
- Execute

- T1218.011:Rundll32
Shdocvw.dll
- Execute

- T1218.011:Rundll32
Shell32.dll
- Execute

- T1218.011:Rundll32
Syssetup.dll
- AWL bypass
- Execute

- T1218.011:Rundll32
Url.dll
- Execute

- T1218.011:Rundll32
Zipfldr.dll
- Execute

- T1218.011:Rundll32
Comsvcs.dll
- Dump

- T1003.001:LSASS Memory

OtherMSBinary

FileName Functions ATT&CK® Techniques
AccCheckConsole.exe
- Execute
- AWL bypass

- T1218:System Binary Proxy Execution
adplus.exe
- Dump

- T1003.001:LSASS Memory
AgentExecutor.exe
- Execute

- T1218:System Binary Proxy Execution
Appvlp.exe
- Execute

- T1218:System Binary Proxy Execution
Bginfo.exe
- Execute
- AWL bypass

- T1218:System Binary Proxy Execution
Cdb.exe
- Execute

- T1127:Trusted Developer Utilities Proxy Execution
coregen.exe
- Execute
- AWL bypass

- T1055:Process Injection
- T1218:System Binary Proxy Execution
csi.exe
- Execute

- T1127:Trusted Developer Utilities Proxy Execution
DefaultPack.EXE
- Execute

- T1218:System Binary Proxy Execution
Devtoolslauncher.exe
- Execute

- T1127:Trusted Developer Utilities Proxy Execution
dnx.exe
- Execute

- T1127:Trusted Developer Utilities Proxy Execution
Dotnet.exe
- AWL bypass
- Execute

- T1218:System Binary Proxy Execution
Dump64.exe
- Dump

- T1003.001:LSASS Memory
Dxcap.exe
- Execute

- T1127:Trusted Developer Utilities Proxy Execution
Excel.exe
- Download

- T1105:Ingress Tool Transfer
Fsi.exe
- AWL bypass

- T1059:Command and Scripting Interpreter
FsiAnyCpu.exe
- AWL bypass

- T1059:Command and Scripting Interpreter
Mftrace.exe
- Execute

- T1127:Trusted Developer Utilities Proxy Execution
Msdeploy.exe
- Execute
- AWL bypass

- T1218:System Binary Proxy Execution
msxsl.exe
- Execute
- AWL bypass

- T1218:System Binary Proxy Execution
ntdsutil.exe
- Dump

- T1003.003:NTDS
Powerpnt.exe
- Download

- T1105:Ingress Tool Transfer
Procdump.exe
- Execute

- T1202:Indirect Command Execution
rcsi.exe
- Execute
- AWL bypass

- T1127:Trusted Developer Utilities Proxy Execution
Remote.exe
- AWL bypass
- Execute

- T1127:Trusted Developer Utilities Proxy Execution
Sqldumper.exe
- Dump

- T1003:OS Credential Dumping
- T1003.001:LSASS Memory
Sqlps.exe
- Execute

- T1218:System Binary Proxy Execution
SQLToolsPS.exe
- Execute

- T1218:System Binary Proxy Execution
Squirrel.exe
- Download
- AWL bypass
- Execute

- T1218:System Binary Proxy Execution
te.exe
- Execute

- T1127:Trusted Developer Utilities Proxy Execution
Tracker.exe
- Execute
- AWL bypass

- T1127:Trusted Developer Utilities Proxy Execution
Update.exe
- Download
- AWL bypass
- Execute

- T1218:System Binary Proxy Execution
- T1547:Boot or Logon Autostart Execution
- T1070:Indicator Removal on Host
VSIISExeLauncher.exe
- Execute

- T1218:System Binary Proxy Execution
VisualUiaVerifyNative.exe
- AWL bypass

- T1218:System Binary Proxy Execution
vsjitdebugger.exe
- Execute

- T1127:Trusted Developer Utilities Proxy Execution
Wfc.exe
- AWL bypass

- T1127:Trusted Developer Utilities Proxy Execution
Winword.exe
- Download

- T1105:Ingress Tool Transfer
Wsl.exe
- Execute
- Download

- T1202:Indirect Command Execution

Script

FileName Functions ATT&CK® Techniques
CL_LoadAssembly.ps1
- Execute

- T1216:System Script Proxy Execution
CL_Mutexverifiers.ps1
- Execute

- T1216:System Script Proxy Execution
CL_Invocation.ps1
- Execute

- T1216:System Script Proxy Execution
Manage-bde.wsf
- Execute

- T1216:System Script Proxy Execution
Pubprn.vbs
- Execute

- T1216.001:PubPrn
Syncappvpublishingserver.vbs
- Execute

- T1216:System Script Proxy Execution
UtilityFunctions.ps1
- Execute

- T1216:System Script Proxy Execution
winrm.vbs
- Execute
- AWL bypass

- T1216:System Script Proxy Execution
Pester.bat
- Execute

- T1216:System Script Proxy Execution

Linux