LOLBAS
- Windows">Windows
- Linux">Linux

LOLBAS

Windows

Binary

FileName	Functions	ATT&CK® Techniques
AppInstaller.exe	- Download	- T1105:Ingress Tool Transfer
Aspnet_Compiler.exe	- AWL bypass	- T1127:Trusted Developer Utilities Proxy Execution
At.exe	- Execute	- T1053.002:At
Atbroker.exe	- Execute	- T1218:System Binary Proxy Execution
Bash.exe	- Execute - AWL bypass	- T1202:Indirect Command Execution
Bitsadmin.exe	- Alternate data streams - Download - Copy - Execute	- T1564.004:NTFS File Attributes - T1105:Ingress Tool Transfer - T1218:System Binary Proxy Execution
CertOC.exe	- Execute - Download	- T1218:System Binary Proxy Execution - T1105:Ingress Tool Transfer
CertReq.exe	- Download - Upload	- T1105:Ingress Tool Transfer
Certutil.exe	- Download - Alternate data streams - Encode - Decode	- T1105:Ingress Tool Transfer - T1564.004:NTFS File Attributes - T1027:Obfuscated Files or Information - T1140:Deobfuscate/Decode Files or Information
Cmd.exe	- Alternate data streams	- T1059.003:Windows Command Shell
Cmdkey.exe	- Credentials	- T1078:Valid Accounts
cmdl32.exe	- Download	- T1105:Ingress Tool Transfer
Cmstp.exe	- Execute - AWL bypass	- T1218.003:CMSTP
ConfigSecurityPolicy.exe	- Upload	- T1567:Exfiltration Over Web Service
Conhost.exe	- Execute	- T1202:Indirect Command Execution
Control.exe	- Alternate data streams	- T1218.002:Control Panel
Csc.exe	- Compile	- T1127:Trusted Developer Utilities Proxy Execution
Cscript.exe	- Alternate data streams	- T1564.004:NTFS File Attributes
CustomShellHost.exe	- Execute	- T1218:System Binary Proxy Execution
DataSvcUtil.exe	- Upload	- T1567:Exfiltration Over Web Service
Desktopimgdownldr.exe	- Download	- T1105:Ingress Tool Transfer
DeviceCredentialDeployment.exe		- T1564:Hide Artifacts
Dfsvc.exe	- AWL bypass	- T1127:Trusted Developer Utilities Proxy Execution
Diantz.exe	- Alternate data streams - Download	T1564.004:NTFS File Attributes - T1105:Ingress Tool Transfer
Diskshadow.exe	- Dump - Execute	T1003.003:NTDS - T1202:Indirect Command Execution
Dnscmd.exe	- Execute	- T1543.003:Windows Service
Esentutl.exe	- Copy - Alternate data streams - Download	T1105:Ingress Tool Transfer - T1564.004:NTFS File Attributes - T1003.003:NTDS
Eventvwr.exe	- UAC bypass	- T1548.002:Bypass User Account Control
Expand.exe	- Download - Copy - Alternate data streams	T1105:Ingress Tool Transfer - T1564.004:NTFS File Attributes
Explorer.exe	- Execute	- T1202:Indirect Command Execution
Extexport.exe	- Execute	- T1218:System Binary Proxy Execution
Extrac32.exe	- Alternate data streams - Download - Copy	T1564.004:NTFS File Attributes - T1105:Ingress Tool Transfer
Findstr.exe	- Alternate data streams - Credentials - Download	T1564.004:NTFS File Attributes - T1552.001:Credentials In Files - T1105:Ingress Tool Transfer
Finger.exe	- Download	- T1105:Ingress Tool Transfer
fltMC.exe	- Alternate data streams	- T1562.001:Disable or Modify Tools
Forfiles.exe	- Execute - Alternate data streams	T1202:Indirect Command Execution - T1564.004:NTFS File Attributes
Ftp.exe	- Execute - Download	T1202:Indirect Command Execution - T1105:Ingress Tool Transfer
GfxDownloadWrapper.exe	- Download	- T1105:Ingress Tool Transfer
Gpscript.exe	- Execute	- T1218:System Binary Proxy Execution
Hh.exe	- Download - Execute	T1105:Ingress Tool Transfer - T1218.001:Compiled HTML File
IMEWDBLD.exe	- Download	- T1105:Ingress Tool Transfer
Ie4uinit.exe	- Execute	- T1218:System Binary Proxy Execution
Ieexec.exe	- Download - Execute	T1105:Ingress Tool Transfer - T1218:System Binary Proxy Execution
Ilasm.exe	- Compile	- T1127:Trusted Developer Utilities Proxy Execution
Infdefaultinstall.exe	- Execute	- T1218:System Binary Proxy Execution
Installutil.exe	- AWL bypass - Execute	- T1218.004:InstallUtil
Jsc.exe	- Compile	- T1127:Trusted Developer Utilities Proxy Execution
Ldifde.exe	- Download	- T1105:Ingress Tool Transfer
Makecab.exe	- Alternate data streams - Download	T1564.004:NTFS File Attributes - T1105:Ingress Tool Transfer
Mavinject.exe	- Execute - Alternate data streams	T1218.013:Mavinject - T1564.004:NTFS File Attributes
Microsoft.Workflow.Compiler.exe	- Execute - AWL bypass	- T1127:Trusted Developer Utilities Proxy Execution
Mmc.exe	- Execute - UAC bypass	- T1218.014:MMC
MpCmdRun.exe	- Download - Alternate data streams	T1105:Ingress Tool Transfer - T1564.004:NTFS File Attributes
Msbuild.exe	- AWL bypass - Execute	- T1127.001:MSBuild
Msconfig.exe	- Execute	- T1218:System Binary Proxy Execution
Msdt.exe	- Execute - AWL bypass	- T1218:System Binary Proxy Execution
Mshta.exe	- Execute - Alternate data streams	- T1218.005:Mshta
Msiexec.exe	- Execute	- T1218.007:Msiexec
Netsh.exe	- Execute	- T1546.007:Netsh Helper DLL
Odbcconf.exe	- Execute	- T1218.008:Odbcconf
OfflineScannerShell.exe	- Execute	- T1218:System Binary Proxy Execution
OneDriveStandaloneUpdater.exe	- Download	- T1105:Ingress Tool Transfer
Pcalua.exe	- Execute	- T1202:Indirect Command Execution
Pcwrun.exe	- Execute	- T1218:System Binary Proxy Execution
Pktmon.exe	- Reconnaissance	- T1040:Network Sniffing
Pnputil.exe	- Execute	- T1547:Boot or Logon Autostart Execution
Presentationhost.exe	- Execute	- T1218:System Binary Proxy Execution
Print.exe	- Alternate data streams - Copy	T1564.004:NTFS File Attributes - T1105:Ingress Tool Transfer
PrintBrm.exe	- Download - Alternate data streams	T1105:Ingress Tool Transfer - T1564.004:NTFS File Attributes
Psr.exe	- Reconnaissance	- T1113:Screen Capture
Rasautou.exe	- Execute	- T1218:System Binary Proxy Execution
rdrleakdiag.exe	- Dump	T1003:OS Credential Dumping - T1003.001:LSASS Memory
Reg.exe	- Alternate data streams - Credentials	T1564.004:NTFS File Attributes - T1003.002:Security Account Manager
Regasm.exe	- AWL bypass - Execute	- T1218.009:Regsvcs/Regasm
Regedit.exe	- Alternate data streams	- T1564.004:NTFS File Attributes
Regini.exe	- Alternate data streams	- T1564.004:NTFS File Attributes
Register-cimprovider.exe	- Execute	- T1218:System Binary Proxy Execution
Regsvcs.exe	- Execute - AWL bypass	- T1218.009:Regsvcs/Regasm
Regsvr32.exe	- AWL bypass - Execute	- T1218.010:Regsvr32
Replace.exe	- Copy - Download	- T1105:Ingress Tool Transfer
Rpcping.exe	- Credentials	T1003:OS Credential Dumping - T1187:Forced Authentication
Rundll32.exe	- Execute - Alternate data streams	- T1218.011:Rundll32 - T1564.004:NTFS File Attributes
Runonce.exe	- Execute	- T1218:System Binary Proxy Execution
Runscripthelper.exe	- Execute	- T1218:System Binary Proxy Execution
Sc.exe	- Alternate data streams	- T1564.004:NTFS File Attributes
Schtasks.exe	- Execute	- T1053.005:Scheduled Task
Scriptrunner.exe	- Execute	T1202:Indirect Command Execution - T1218:System Binary Proxy Execution
SettingSyncHost.exe	- Execute	- T1218:System Binary Proxy Execution
ssh.exe	- Execute - AWL bypass	T1202:Indirect Command Execution - T1218:System Binary Proxy Execution
Stordiag.exe	- Execute	- T1218:System Binary Proxy Execution
SyncAppvPublishingServer.exe	- Execute	- T1218:System Binary Proxy Execution
Ttdinject.exe	- Execute	- T1127:Trusted Developer Utilities Proxy Execution
Tttracer.exe	- Execute - Dump	T1127:Trusted Developer Utilities Proxy Execution - T1003:OS Credential Dumping
Unregmp2.exe	- Execute	- T1202:Indirect Command Execution
vbc.exe	- Compile	- T1127:Trusted Developer Utilities Proxy Execution
Verclsid.exe	- Execute	- T1218.012:Verclsid
Wab.exe	- Execute	- T1218:System Binary Proxy Execution
Wlrmdr.exe	- Execute	- T1202:Indirect Command Execution
Wmic.exe	- Alternate data streams - Execute	- T1564.004:NTFS File Attributes - T1218:System Binary Proxy Execution
WorkFolders.exe	- Execute	- T1218:System Binary Proxy Execution
Wscript.exe	- Alternate data streams	- T1564.004:NTFS File Attributes
Wsreset.exe	- UAC bypass	- T1548.002:Bypass User Account Control
wuauclt.exe	- Execute	- T1218:System Binary Proxy Execution
Xwizard.exe	- Execute - Download	- T1218:System Binary Proxy Execution - T1105:Ingress Tool Transfer
fsutil.exe		- T1485:Data Destruction

Library

FileName	Functions	ATT&CK® Techniques
Advpack.dll	- AWL bypass - Execute	- T1218.011:Rundll32
Desk.cpl	- Execute	- T1218.011:Rundll32
Dfshim.dll	- AWL bypass	- T1127:Trusted Developer Utilities Proxy Execution
Ieadvpack.dll	- AWL bypass - Execute	- T1218.011:Rundll32
Ieframe.dll	- Execute	- T1218.011:Rundll32
Mshtml.dll	- Execute	- T1218.011:Rundll32
Pcwutl.dll	- Execute	- T1218.011:Rundll32
Setupapi.dll	- AWL bypass - Execute	- T1218.011:Rundll32
Shdocvw.dll	- Execute	- T1218.011:Rundll32
Shell32.dll	- Execute	- T1218.011:Rundll32
Syssetup.dll	- AWL bypass - Execute	- T1218.011:Rundll32
Url.dll	- Execute	- T1218.011:Rundll32
Zipfldr.dll	- Execute	- T1218.011:Rundll32
Comsvcs.dll	- Dump	- T1003.001:LSASS Memory

OtherMSBinary

FileName	Functions	ATT&CK® Techniques
AccCheckConsole.exe	- Execute - AWL bypass	- T1218:System Binary Proxy Execution
adplus.exe	- Dump	- T1003.001:LSASS Memory
AgentExecutor.exe	- Execute	- T1218:System Binary Proxy Execution
Appvlp.exe	- Execute	- T1218:System Binary Proxy Execution
Bginfo.exe	- Execute - AWL bypass	- T1218:System Binary Proxy Execution
Cdb.exe	- Execute	- T1127:Trusted Developer Utilities Proxy Execution
coregen.exe	- Execute - AWL bypass	- T1055:Process Injection - T1218:System Binary Proxy Execution
csi.exe	- Execute	- T1127:Trusted Developer Utilities Proxy Execution
DefaultPack.EXE	- Execute	- T1218:System Binary Proxy Execution
Devtoolslauncher.exe	- Execute	- T1127:Trusted Developer Utilities Proxy Execution
dnx.exe	- Execute	- T1127:Trusted Developer Utilities Proxy Execution
Dotnet.exe	- AWL bypass - Execute	- T1218:System Binary Proxy Execution
Dump64.exe	- Dump	- T1003.001:LSASS Memory
Dxcap.exe	- Execute	- T1127:Trusted Developer Utilities Proxy Execution
Excel.exe	- Download	- T1105:Ingress Tool Transfer
Fsi.exe	- AWL bypass	- T1059:Command and Scripting Interpreter
FsiAnyCpu.exe	- AWL bypass	- T1059:Command and Scripting Interpreter
Mftrace.exe	- Execute	- T1127:Trusted Developer Utilities Proxy Execution
Msdeploy.exe	- Execute - AWL bypass	- T1218:System Binary Proxy Execution
msxsl.exe	- Execute - AWL bypass	- T1218:System Binary Proxy Execution
ntdsutil.exe	- Dump	- T1003.003:NTDS
Powerpnt.exe	- Download	- T1105:Ingress Tool Transfer
Procdump.exe	- Execute	- T1202:Indirect Command Execution
rcsi.exe	- Execute - AWL bypass	- T1127:Trusted Developer Utilities Proxy Execution
Remote.exe	- AWL bypass - Execute	- T1127:Trusted Developer Utilities Proxy Execution
Sqldumper.exe	- Dump	- T1003:OS Credential Dumping - T1003.001:LSASS Memory
Sqlps.exe	- Execute	- T1218:System Binary Proxy Execution
SQLToolsPS.exe	- Execute	- T1218:System Binary Proxy Execution
Squirrel.exe	- Download - AWL bypass - Execute	- T1218:System Binary Proxy Execution
te.exe	- Execute	- T1127:Trusted Developer Utilities Proxy Execution
Tracker.exe	- Execute - AWL bypass	- T1127:Trusted Developer Utilities Proxy Execution
Update.exe	- Download - AWL bypass - Execute	- T1218:System Binary Proxy Execution - T1547:Boot or Logon Autostart Execution - T1070:Indicator Removal on Host
VSIISExeLauncher.exe	- Execute	- T1218:System Binary Proxy Execution
VisualUiaVerifyNative.exe	- AWL bypass	- T1218:System Binary Proxy Execution
vsjitdebugger.exe	- Execute	- T1127:Trusted Developer Utilities Proxy Execution
Wfc.exe	- AWL bypass	- T1127:Trusted Developer Utilities Proxy Execution
Winword.exe	- Download	- T1105:Ingress Tool Transfer
Wsl.exe	- Execute - Download	- T1202:Indirect Command Execution

Script

FileName	Functions	ATT&CK® Techniques
CL_LoadAssembly.ps1	- Execute	- T1216:System Script Proxy Execution
CL_Mutexverifiers.ps1	- Execute	- T1216:System Script Proxy Execution
CL_Invocation.ps1	- Execute	- T1216:System Script Proxy Execution
Manage-bde.wsf	- Execute	- T1216:System Script Proxy Execution
Pubprn.vbs	- Execute	- T1216.001:PubPrn
Syncappvpublishingserver.vbs	- Execute	- T1216:System Script Proxy Execution
UtilityFunctions.ps1	- Execute	- T1216:System Script Proxy Execution
winrm.vbs	- Execute - AWL bypass	- T1216:System Script Proxy Execution
Pester.bat	- Execute	- T1216:System Script Proxy Execution

LOLBAS

LOLBAS

Windows

Binary

Library

OtherMSBinary

Script

Linux