{
	"id": "96961394-f951-4b69-8a0d-e01b00c1da64",
	"created_at": "2026-04-06T01:31:03.985875Z",
	"updated_at": "2026-04-10T03:20:24.667353Z",
	"deleted_at": null,
	"sha1_hash": "173d5cef23d4302dc2306c0c31b76dfe1775e9cc",
	"title": "LOLBAS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 450295,
	"plain_text": "LOLBAS\r\nArchived: 2026-04-06 00:47:26 UTC\r\nAddinUtil.exe\r\nExecute (.NetObjects)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nAppInstaller.exe\r\nDownload (INetCache)\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nAspnet_Compiler.exe\r\nAWL bypass\r\nBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nAt.exe\r\nExecute (CMD)\r\nBinaries\r\nT1053.002: At\r\nAtbroker.exe\r\nExecute (EXE)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nBash.exe\r\nExecute (CMD)\r\nAWL bypass (CMD)\r\nhttps://lolbas-project.github.io/\r\nPage 1 of 42\n\nBinaries\r\nT1202: Indirect Command Execution\r\nT1218: System Binary Proxy Execution\r\nBitsadmin.exe\r\nAlternate data streams\r\nDownload\r\nCopy\r\nExecute\r\nBinaries\r\nT1564.004: NTFS File Attributes\r\nT1105: Ingress Tool Transfer\r\nT1218: System Binary Proxy Execution\r\nCertOC.exe\r\nExecute (DLL)\r\nDownload\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nT1105: Ingress Tool Transfer\r\nCertReq.exe\r\nDownload\r\nUpload\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nCertutil.exe\r\nDownload (GUI)\r\nAlternate data streams\r\nhttps://lolbas-project.github.io/\r\nPage 2 of 42\n\nEncode\r\nDecode\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nT1564.004: NTFS File Attributes\r\nT1027.013: Encrypted/Encoded File\r\nT1140: Deobfuscate/Decode Files or Information\r\nChange.exe\r\nExecute (EXE, Rename)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nCipher.exe\r\nTamper\r\nBinaries\r\nT1485: Data Destruction\r\nT1562: Impair Defenses\r\nCmd.exe\r\nAlternate data streams\r\nDownload\r\nUpload\r\nBinaries\r\nT1564.004: NTFS File Attributes\r\nT1059.003: Windows Command Shell\r\nT1105: Ingress Tool Transfer\r\nT1048.003: Exfiltration Over Unencrypted Non-C2 Protocol\r\nCmdkey.exe\r\nhttps://lolbas-project.github.io/\r\nPage 3 of 42\n\nCredentials\r\nBinaries\r\nT1078: Valid Accounts\r\ncmdl32.exe\r\nDownload\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nCmstp.exe\r\nExecute (INF, DLL, Registry Change)\r\nAWL bypass (INF, Remote)\r\nBinaries\r\nT1218.003: CMSTP\r\nColorcpl.exe\r\nCopy\r\nBinaries\r\nT1036.005: Match Legitimate Resource Name or Location\r\nComputerDefaults.exe\r\nUAC bypass\r\nBinaries\r\nT1548.002: Bypass User Account Control\r\nConfigSecurityPolicy.exe\r\nUpload\r\nDownload (INetCache)\r\nBinaries\r\nT1567: Exfiltration Over Web Service\r\nT1105: Ingress Tool Transfer\r\nhttps://lolbas-project.github.io/\r\nPage 4 of 42\n\nConhost.exe\r\nExecute (CMD)\r\nBinaries\r\nT1202: Indirect Command Execution\r\nControl.exe\r\nAlternate data streams (DLL)\r\nExecute (DLL)\r\nBinaries\r\nT1218.002: Control Panel\r\nCsc.exe\r\nCompile\r\nBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nCscript.exe\r\nAlternate data streams (WSH)\r\nBinaries\r\nT1564.004: NTFS File Attributes\r\nCustomShellHost.exe\r\nExecute (EXE)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nDataSvcUtil.exe\r\nUpload\r\nBinaries\r\nT1567: Exfiltration Over Web Service\r\nDesktopimgdownldr.exe\r\nhttps://lolbas-project.github.io/\r\nPage 5 of 42\n\nDownload\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nDeviceCredentialDeployment.exe\r\nConceal\r\nBinaries\r\nT1564: Hide Artifacts\r\nDfsvc.exe\r\nAWL bypass (ClickOnce, Remote)\r\nBinaries\r\nT1127.002: ClickOnce\r\nDiantz.exe\r\nAlternate data streams (Compression)\r\nDownload (Compression)\r\nExecute (Compression)\r\nBinaries\r\nT1564.004: NTFS File Attributes\r\nT1105: Ingress Tool Transfer\r\nT1036: Masquerading\r\nDiskshadow.exe\r\nDump (CMD)\r\nExecute (CMD)\r\nBinaries\r\nT1003.003: NTDS\r\nT1202: Indirect Command Execution\r\nDnscmd.exe\r\nhttps://lolbas-project.github.io/\r\nPage 6 of 42\n\nExecute (DLL, Remote)\r\nBinaries\r\nT1543.003: Windows Service\r\nEsentutl.exe\r\nCopy\r\nAlternate data streams\r\nDownload\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nT1564.004: NTFS File Attributes\r\nT1003.003: NTDS\r\nEudcedit.exe\r\nUAC bypass (CMD, GUI)\r\nBinaries\r\nT1548.002: Bypass User Account Control\r\nEventvwr.exe\r\nUAC bypass (GUI, EXE, .NetObjects)\r\nBinaries\r\nT1548.002: Bypass User Account Control\r\nExpand.exe\r\nDownload\r\nCopy\r\nAlternate data streams\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nT1564.004: NTFS File Attributes\r\nhttps://lolbas-project.github.io/\r\nPage 7 of 42\n\nExplorer.exe\r\nExecute (EXE)\r\nBinaries\r\nT1202: Indirect Command Execution\r\nExtexport.exe\r\nExecute (DLL)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nExtrac32.exe\r\nAlternate data streams (Compression)\r\nDownload\r\nCopy\r\nBinaries\r\nT1564.004: NTFS File Attributes\r\nT1105: Ingress Tool Transfer\r\nFindstr.exe\r\nAlternate data streams\r\nCredentials\r\nDownload\r\nBinaries\r\nT1564.004: NTFS File Attributes\r\nT1552.001: Credentials In Files\r\nT1105: Ingress Tool Transfer\r\nFinger.exe\r\nDownload\r\nBinaries\r\nhttps://lolbas-project.github.io/\r\nPage 8 of 42\n\nT1105: Ingress Tool Transfer\r\nfltMC.exe\r\nTamper\r\nBinaries\r\nT1562.001: Disable or Modify Tools\r\nForfiles.exe\r\nExecute (EXE)\r\nAlternate data streams (EXE)\r\nBinaries\r\nT1202: Indirect Command Execution\r\nT1564.004: NTFS File Attributes\r\nFsutil.exe\r\nTamper\r\nExecute (EXE)\r\nBinaries\r\nT1485: Data Destruction\r\nT1218: System Binary Proxy Execution\r\nFtp.exe\r\nExecute (CMD)\r\nDownload\r\nBinaries\r\nT1202: Indirect Command Execution\r\nT1105: Ingress Tool Transfer\r\nGpscript.exe\r\nExecute (CMD)\r\nBinaries\r\nhttps://lolbas-project.github.io/\r\nPage 9 of 42\n\nT1218: System Binary Proxy Execution\r\nHh.exe\r\nDownload (EXE, GUI)\r\nExecute (EXE, GUI, CMD, CHM, Remote)\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nT1218.001: Compiled HTML File\r\nIMEWDBLD.exe\r\nDownload (INetCache)\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nIe4uinit.exe\r\nExecute (INF)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\niediagcmd.exe\r\nExecute (EXE)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nIeexec.exe\r\nDownload (Remote, EXE (.NET))\r\nExecute (Remote, EXE (.NET))\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nT1218: System Binary Proxy Execution\r\nIlasm.exe\r\nhttps://lolbas-project.github.io/\r\nPage 10 of 42\n\nCompile\r\nBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nInfdefaultinstall.exe\r\nExecute (INF)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nInstallutil.exe\r\nAWL bypass (DLL (.NET), EXE (.NET))\r\nExecute (DLL (.NET), EXE (.NET))\r\nDownload (INetCache)\r\nBinaries\r\nT1218.004: InstallUtil\r\nT1105: Ingress Tool Transfer\r\niscsicpl.exe\r\nUAC bypass (DLL, CMD, GUI)\r\nBinaries\r\nT1548.002: Bypass User Account Control\r\nJsc.exe\r\nCompile (JScript)\r\nBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nLdifde.exe\r\nDownload\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nhttps://lolbas-project.github.io/\r\nPage 11 of 42\n\nMakecab.exe\r\nAlternate data streams (Compression)\r\nDownload (Compression)\r\nExecute (Compression)\r\nBinaries\r\nT1564.004: NTFS File Attributes\r\nT1105: Ingress Tool Transfer\r\nT1036: Masquerading\r\nMavinject.exe\r\nExecute (DLL)\r\nAlternate data streams (DLL)\r\nBinaries\r\nT1218.013: Mavinject\r\nT1564.004: NTFS File Attributes\r\nMicrosoft.Workflow.Compiler.exe\r\nExecute (VB.Net, Csharp, XOML)\r\nAWL bypass (XOML)\r\nBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nMmc.exe\r\nExecute (COM)\r\nUAC bypass (DLL)\r\nDownload (GUI)\r\nBinaries\r\nT1218.014: MMC\r\nMpCmdRun.exe\r\nhttps://lolbas-project.github.io/\r\nPage 12 of 42\n\nDownload\r\nAlternate data streams\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nT1564.004: NTFS File Attributes\r\nMsbuild.exe\r\nAWL bypass (CSharp)\r\nExecute (CSharp, DLL, XSL, CMD)\r\nBinaries\r\nT1127.001: MSBuild\r\nT1036: Masquerading\r\nMsconfig.exe\r\nExecute (CMD)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nMsdt.exe\r\nExecute (GUI, MSI)\r\nAWL bypass (GUI, MSI, CMD)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nT1202: Indirect Command Execution\r\nMsedge.exe\r\nDownload\r\nExecute (CMD)\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nhttps://lolbas-project.github.io/\r\nPage 13 of 42\n\nT1218.015: Electron Applications\r\nMshta.exe\r\nExecute (HTA, Remote, VBScript, JScript)\r\nAlternate data streams (HTA)\r\nDownload (INetCache)\r\nBinaries\r\nT1218.005: Mshta\r\nT1105: Ingress Tool Transfer\r\nMsiexec.exe\r\nExecute (MSI, Remote, DLL, MST)\r\nBinaries\r\nT1218.007: Msiexec\r\nNetsh.exe\r\nExecute (DLL)\r\nBinaries\r\nT1546.007: Netsh Helper DLL\r\nNgen.exe\r\nDownload (INetCache)\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nOdbcconf.exe\r\nExecute (DLL)\r\nBinaries\r\nT1218.008: Odbcconf\r\nOfflineScannerShell.exe\r\nExecute (DLL)\r\nhttps://lolbas-project.github.io/\r\nPage 14 of 42\n\nBinaries\r\nT1218: System Binary Proxy Execution\r\nOneDriveStandaloneUpdater.exe\r\nDownload\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nPcalua.exe\r\nExecute (EXE, DLL, Remote)\r\nBinaries\r\nT1202: Indirect Command Execution\r\nPcwrun.exe\r\nExecute (EXE)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nT1202: Indirect Command Execution\r\nPktmon.exe\r\nReconnaissance\r\nBinaries\r\nT1040: Network Sniffing\r\nPnputil.exe\r\nExecute (INF)\r\nBinaries\r\nT1547: Boot or Logon Autostart Execution\r\nPresentationhost.exe\r\nExecute (XBAP)\r\nDownload (INetCache)\r\nhttps://lolbas-project.github.io/\r\nPage 15 of 42\n\nBinaries\r\nT1218: System Binary Proxy Execution\r\nT1105: Ingress Tool Transfer\r\nPrint.exe\r\nAlternate data streams\r\nCopy\r\nBinaries\r\nT1564.004: NTFS File Attributes\r\nT1105: Ingress Tool Transfer\r\nPrintBrm.exe\r\nDownload (Compression)\r\nAlternate data streams (Compression)\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nT1564.004: NTFS File Attributes\r\nProvlaunch.exe\r\nExecute (CMD)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nPsr.exe\r\nReconnaissance\r\nBinaries\r\nT1113: Screen Capture\r\nQuery.exe\r\nExecute (EXE, Rename)\r\nBinaries\r\nhttps://lolbas-project.github.io/\r\nPage 16 of 42\n\nT1218: System Binary Proxy Execution\r\nRasautou.exe\r\nExecute (DLL)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nrdrleakdiag.exe\r\nDump\r\nBinaries\r\nT1003: OS Credential Dumping\r\nT1003.001: LSASS Memory\r\nReg.exe\r\nAlternate data streams\r\nCredentials\r\nBinaries\r\nT1564.004: NTFS File Attributes\r\nT1003.002: Security Account Manager\r\nRegasm.exe\r\nAWL bypass (DLL (.NET))\r\nExecute (DLL (.NET))\r\nBinaries\r\nT1218.009: Regsvcs/Regasm\r\nRegedit.exe\r\nAlternate data streams\r\nBinaries\r\nT1564.004: NTFS File Attributes\r\nRegini.exe\r\nhttps://lolbas-project.github.io/\r\nPage 17 of 42\n\nAlternate data streams\r\nBinaries\r\nT1564.004: NTFS File Attributes\r\nRegister-cimprovider.exe\r\nExecute (DLL)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nRegsvcs.exe\r\nExecute (DLL (.NET))\r\nAWL bypass (DLL (.NET))\r\nBinaries\r\nT1218.009: Regsvcs/Regasm\r\nRegsvr32.exe\r\nAWL bypass (SCT, Remote)\r\nExecute (SCT, Remote, DLL)\r\nBinaries\r\nT1218.010: Regsvr32\r\nReplace.exe\r\nCopy\r\nDownload\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nReset.exe\r\nExecute (EXE, Rename)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nhttps://lolbas-project.github.io/\r\nPage 18 of 42\n\nRpcping.exe\r\nCredentials\r\nBinaries\r\nT1003: OS Credential Dumping\r\nT1187: Forced Authentication\r\nRundll32.exe\r\nExecute (DLL, Remote, JScript, COM)\r\nAlternate data streams (DLL)\r\nBinaries\r\nT1218.011: Rundll32\r\nT1564.004: NTFS File Attributes\r\nRunexehelper.exe\r\nExecute (EXE)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nRunonce.exe\r\nExecute (CMD)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nRunscripthelper.exe\r\nExecute (PowerShell)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nSc.exe\r\nAlternate data streams (EXE)\r\nBinaries\r\nhttps://lolbas-project.github.io/\r\nPage 19 of 42\n\nT1564.004: NTFS File Attributes\r\nSchtasks.exe\r\nExecute (CMD)\r\nBinaries\r\nT1053.005: Scheduled Task\r\nScriptrunner.exe\r\nExecute (EXE, Remote, CMD)\r\nBinaries\r\nT1202: Indirect Command Execution\r\nT1218: System Binary Proxy Execution\r\nSetres.exe\r\nExecute (EXE)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nSettingSyncHost.exe\r\nExecute (EXE, CMD)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nSftp.exe\r\nExecute (CMD)\r\nBinaries\r\nT1202: Indirect Command Execution\r\nSigverif.exe\r\nExecute (EXE, GUI)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nhttps://lolbas-project.github.io/\r\nPage 20 of 42\n\nssh.exe\r\nExecute (CMD)\r\nBinaries\r\nT1202: Indirect Command Execution\r\nStordiag.exe\r\nExecute (EXE)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nSyncAppvPublishingServer.exe\r\nExecute (PowerShell)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nTar.exe\r\nAlternate data streams (Compression)\r\nCopy (Compression)\r\nBinaries\r\nT1564.004: NTFS File Attributes\r\nT1105: Ingress Tool Transfer\r\nTtdinject.exe\r\nExecute (EXE)\r\nBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nTttracer.exe\r\nExecute (EXE)\r\nDump\r\nBinaries\r\nhttps://lolbas-project.github.io/\r\nPage 21 of 42\n\nT1127: Trusted Developer Utilities Proxy Execution\r\nT1003: OS Credential Dumping\r\nUnregmp2.exe\r\nExecute (EXE)\r\nBinaries\r\nT1202: Indirect Command Execution\r\nvbc.exe\r\nCompile\r\nBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nVerclsid.exe\r\nExecute (COM)\r\nBinaries\r\nT1218.012: Verclsid\r\nWab.exe\r\nExecute (DLL)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nwbadmin.exe\r\nDump\r\nBinaries\r\nT1003.003: NTDS\r\nwbemtest.exe\r\nExecute (GUI, CMD)\r\nBinaries\r\nT1047: Windows Management Instrumentation\r\nhttps://lolbas-project.github.io/\r\nPage 22 of 42\n\nwinget.exe\r\nExecute (Remote, EXE)\r\nDownload\r\nAWL bypass\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nWlrmdr.exe\r\nExecute (EXE)\r\nBinaries\r\nT1202: Indirect Command Execution\r\nWmic.exe\r\nAlternate data streams (EXE)\r\nExecute (CMD, Remote, XSL)\r\nCopy\r\nBinaries\r\nT1564.004: NTFS File Attributes\r\nT1218: System Binary Proxy Execution\r\nT1105: Ingress Tool Transfer\r\nWorkFolders.exe\r\nExecute (EXE, Rename, Registry change)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nWscript.exe\r\nAlternate data streams (WSH)\r\nBinaries\r\nT1564.004: NTFS File Attributes\r\nhttps://lolbas-project.github.io/\r\nPage 23 of 42\n\nWsreset.exe\r\nUAC bypass\r\nBinaries\r\nT1548.002: Bypass User Account Control\r\nwuauclt.exe\r\nExecute (DLL)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nXwizard.exe\r\nExecute (COM)\r\nDownload (INetCache)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nT1105: Ingress Tool Transfer\r\nmsedge_proxy.exe\r\nDownload\r\nExecute (CMD)\r\nBinaries\r\nT1105: Ingress Tool Transfer\r\nT1218.015: Electron Applications\r\nmsedgewebview2.exe\r\nExecute (EXE, CMD)\r\nBinaries\r\nT1218.015: Electron Applications\r\nodbcad32.exe\r\nUAC bypass (CMD, GUI)\r\nhttps://lolbas-project.github.io/\r\nPage 24 of 42\n\nBinaries\r\nT1548.002: Bypass User Account Control\r\nwrite.exe\r\nExecute (EXE, Registry Change)\r\nBinaries\r\nT1218: System Binary Proxy Execution\r\nwt.exe\r\nExecute (CMD)\r\nBinaries\r\nT1202: Indirect Command Execution\r\nAdvpack.dll\r\nAWL bypass (INF)\r\nExecute (DLL, EXE, CMD)\r\nLibraries\r\nT1218.011: Rundll32\r\nDesk.cpl\r\nExecute (EXE, Remote)\r\nLibraries\r\nT1218.011: Rundll32\r\nDfshim.dll\r\nAWL bypass (ClickOnce, Remote)\r\nLibraries\r\nT1127.002: ClickOnce\r\nIeadvpack.dll\r\nAWL bypass (INF)\r\nExecute (DLL, EXE, CMD)\r\nhttps://lolbas-project.github.io/\r\nPage 25 of 42\n\nLibraries\r\nT1218.011: Rundll32\r\nIeframe.dll\r\nExecute (URL)\r\nLibraries\r\nT1218.011: Rundll32\r\nMshtml.dll\r\nExecute (HTA)\r\nLibraries\r\nT1218.011: Rundll32\r\nPcwutl.dll\r\nExecute (EXE)\r\nLibraries\r\nT1218.011: Rundll32\r\nPhotoViewer.dll\r\nDownload (INetCache)\r\nLibraries\r\nT1105: Ingress Tool Transfer\r\nScrobj.dll\r\nDownload (INetCache)\r\nLibraries\r\nT1105: Ingress Tool Transfer\r\nSetupapi.dll\r\nAWL bypass (INF)\r\nExecute (INF)\r\nLibraries\r\nhttps://lolbas-project.github.io/\r\nPage 26 of 42\n\nT1218.011: Rundll32\r\nShdocvw.dll\r\nExecute (URL)\r\nLibraries\r\nT1218.011: Rundll32\r\nShell32.dll\r\nExecute (DLL, EXE, CMD)\r\nLibraries\r\nT1218.011: Rundll32\r\nShimgvw.dll\r\nDownload (INetCache)\r\nLibraries\r\nT1105: Ingress Tool Transfer\r\nSyssetup.dll\r\nAWL bypass (INF)\r\nExecute (INF)\r\nLibraries\r\nT1218.011: Rundll32\r\nUrl.dll\r\nExecute (HTA, URL, EXE)\r\nLibraries\r\nT1218.011: Rundll32\r\nZipfldr.dll\r\nExecute (EXE)\r\nLibraries\r\nT1218.011: Rundll32\r\nhttps://lolbas-project.github.io/\r\nPage 27 of 42\n\nComsvcs.dll\r\nDump\r\nLibraries\r\nT1003.001: LSASS Memory\r\nAccCheckConsole.exe\r\nExecute (DLL (.NET))\r\nAWL bypass (DLL (.NET))\r\nOtherMSBinaries\r\nT1218: System Binary Proxy Execution\r\nadplus.exe\r\nDump\r\nExecute (CMD, EXE)\r\nOtherMSBinaries\r\nT1003.001: LSASS Memory\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nAgentExecutor.exe\r\nExecute (PowerShell, EXE)\r\nOtherMSBinaries\r\nT1218: System Binary Proxy Execution\r\nAppLauncher.exe\r\nExecute (EXE)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nAppCert.exe\r\nExecute (EXE, MSI)\r\nOtherMSBinaries\r\nhttps://lolbas-project.github.io/\r\nPage 28 of 42\n\nT1127: Trusted Developer Utilities Proxy Execution\r\nT1218.007: Msiexec\r\nAppvlp.exe\r\nExecute (CMD, EXE)\r\nOtherMSBinaries\r\nT1218: System Binary Proxy Execution\r\nBcp.exe\r\nDownload\r\nOtherMSBinaries\r\nT1105: Ingress Tool Transfer\r\nBginfo.exe\r\nExecute (WSH, Remote)\r\nAWL bypass (WSH, Remote)\r\nOtherMSBinaries\r\nT1218: System Binary Proxy Execution\r\nCdb.exe\r\nExecute (Shellcode, CMD)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\ncoregen.exe\r\nExecute (DLL)\r\nAWL bypass (DLL)\r\nOtherMSBinaries\r\nT1055: Process Injection\r\nT1218: System Binary Proxy Execution\r\nCreatedump.exe\r\nhttps://lolbas-project.github.io/\r\nPage 29 of 42\n\nDump\r\nOtherMSBinaries\r\nT1003: OS Credential Dumping\r\ncsi.exe\r\nExecute (CSharp)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nDefaultPack.EXE\r\nExecute (CMD)\r\nOtherMSBinaries\r\nT1218: System Binary Proxy Execution\r\nDevinit.exe\r\nExecute (MSI, Remote)\r\nOtherMSBinaries\r\nT1218.007: Msiexec\r\nDevtoolslauncher.exe\r\nExecute (CMD)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\ndnx.exe\r\nExecute (CSharp)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nDotnet.exe\r\nAWL bypass (DLL (.NET), CSharp)\r\nExecute (DLL (.NET), FSharp)\r\nhttps://lolbas-project.github.io/\r\nPage 30 of 42\n\nOtherMSBinaries\r\nT1218: System Binary Proxy Execution\r\nT1059: Command and Scripting Interpreter\r\ndsdbutil.exe\r\nDump\r\nOtherMSBinaries\r\nT1003.003: NTDS\r\ndtutil.exe\r\nCopy\r\nOtherMSBinaries\r\nT1105: Ingress Tool Transfer\r\nDump64.exe\r\nDump\r\nOtherMSBinaries\r\nT1003.001: LSASS Memory\r\nDumpMinitool.exe\r\nDump\r\nOtherMSBinaries\r\nT1003.001: LSASS Memory\r\nDxcap.exe\r\nExecute (EXE, Rename)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nECMangen.exe\r\nDownload (INetCache)\r\nOtherMSBinaries\r\nhttps://lolbas-project.github.io/\r\nPage 31 of 42\n\nT1105: Ingress Tool Transfer\r\nExcel.exe\r\nDownload (INetCache)\r\nOtherMSBinaries\r\nT1105: Ingress Tool Transfer\r\nFsi.exe\r\nAWL bypass (FSharp)\r\nOtherMSBinaries\r\nT1059: Command and Scripting Interpreter\r\nFsiAnyCpu.exe\r\nAWL bypass (FSharp)\r\nOtherMSBinaries\r\nT1059: Command and Scripting Interpreter\r\nIntelliTrace.exe\r\nExecute (EXE)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nLogger.exe\r\nExecute (CMD)\r\nOtherMSBinaries\r\nT1202: Indirect Command Execution\r\nMftrace.exe\r\nExecute (EXE)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nMicrosoft.NodejsTools.PressAnyKey.exe\r\nhttps://lolbas-project.github.io/\r\nPage 32 of 42\n\nExecute (EXE)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nMpiexec.exe\r\nExecute (CMD)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nMSAccess.exe\r\nDownload (INetCache)\r\nOtherMSBinaries\r\nT1105: Ingress Tool Transfer\r\nMsdeploy.exe\r\nExecute (CMD)\r\nAWL bypass (CMD)\r\nCopy\r\nOtherMSBinaries\r\nT1218: System Binary Proxy Execution\r\nT1105: Ingress Tool Transfer\r\nMsoHtmEd.exe\r\nDownload (INetCache)\r\nOtherMSBinaries\r\nT1105: Ingress Tool Transfer\r\nMspub.exe\r\nDownload (INetCache)\r\nOtherMSBinaries\r\nT1105: Ingress Tool Transfer\r\nhttps://lolbas-project.github.io/\r\nPage 33 of 42\n\nmsxsl.exe\r\nExecute (XSL, Remote)\r\nAWL bypass (XSL, Remote)\r\nDownload\r\nAlternate data streams\r\nOtherMSBinaries\r\nT1220: XSL Script Processing\r\nT1105: Ingress Tool Transfer\r\nT1564: Hide Artifacts\r\nNmcap.exe\r\nReconnaissance\r\nOtherMSBinaries\r\nT1040: Network Sniffing\r\nntdsutil.exe\r\nDump\r\nOtherMSBinaries\r\nT1003.003: NTDS\r\nNtsd.exe\r\nExecute (CMD)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nOpenConsole.exe\r\nExecute (EXE)\r\nOtherMSBinaries\r\nT1202: Indirect Command Execution\r\nPixtool.exe\r\nhttps://lolbas-project.github.io/\r\nPage 34 of 42\n\nExecute (EXE)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nPowerpnt.exe\r\nDownload (INetCache)\r\nOtherMSBinaries\r\nT1105: Ingress Tool Transfer\r\nProcdump.exe\r\nExecute (DLL)\r\nOtherMSBinaries\r\nT1202: Indirect Command Execution\r\nProtocolHandler.exe\r\nDownload\r\nOtherMSBinaries\r\nT1105: Ingress Tool Transfer\r\nrcsi.exe\r\nExecute (CSharp)\r\nAWL bypass (CSharp)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nRemote.exe\r\nAWL bypass (EXE)\r\nExecute (EXE, Remote)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nSqldumper.exe\r\nhttps://lolbas-project.github.io/\r\nPage 35 of 42\n\nDump\r\nOtherMSBinaries\r\nT1003: OS Credential Dumping\r\nT1003.001: LSASS Memory\r\nSqlps.exe\r\nExecute (PowerShell)\r\nOtherMSBinaries\r\nT1218: System Binary Proxy Execution\r\nSQLToolsPS.exe\r\nExecute (PowerShell)\r\nOtherMSBinaries\r\nT1218: System Binary Proxy Execution\r\nSquirrel.exe\r\nDownload\r\nAWL bypass (Nuget, Remote)\r\nExecute (Nuget, Remote)\r\nOtherMSBinaries\r\nT1218: System Binary Proxy Execution\r\nte.exe\r\nExecute (WSH, DLL, Custom Format)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nTeams.exe\r\nExecute (Node.JS, CMD)\r\nOtherMSBinaries\r\nT1218.015: Electron Applications\r\nhttps://lolbas-project.github.io/\r\nPage 36 of 42\n\nTestWindowRemoteAgent.exe\r\nUpload\r\nOtherMSBinaries\r\nT1048: Exfiltration Over Alternative Protocol\r\nTracker.exe\r\nExecute (DLL)\r\nAWL bypass (DLL)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nUpdate.exe\r\nDownload\r\nAWL bypass (Nuget, Remote, CMD)\r\nExecute (Nuget, Remote, CMD, EXE)\r\nOtherMSBinaries\r\nT1218: System Binary Proxy Execution\r\nT1547: Boot or Logon Autostart Execution\r\nT1070: Indicator Removal\r\nVSDiagnostics.exe\r\nExecute (EXE, CMD)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nVSIISExeLauncher.exe\r\nExecute (EXE)\r\nOtherMSBinaries\r\nT1218: System Binary Proxy Execution\r\nVisio.exe\r\nhttps://lolbas-project.github.io/\r\nPage 37 of 42\n\nDownload (INetCache)\r\nOtherMSBinaries\r\nT1105: Ingress Tool Transfer\r\nVisualUiaVerifyNative.exe\r\nAWL bypass (.NetObjects)\r\nOtherMSBinaries\r\nT1218: System Binary Proxy Execution\r\nVSLaunchBrowser.exe\r\nDownload (INetCache)\r\nExecute (EXE, Remote)\r\nOtherMSBinaries\r\nT1105: Ingress Tool Transfer\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nVshadow.exe\r\nExecute (EXE)\r\nOtherMSBinaries\r\nT1202: Indirect Command Execution\r\nvsjitdebugger.exe\r\nExecute (EXE)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nWFMFormat.exe\r\nExecute (EXE, .NET Framework 3.5)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nWfc.exe\r\nhttps://lolbas-project.github.io/\r\nPage 38 of 42\n\nAWL bypass (XOML)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nWinDbg.exe\r\nExecute (CMD)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nWinProj.exe\r\nDownload (INetCache)\r\nOtherMSBinaries\r\nT1105: Ingress Tool Transfer\r\nWinword.exe\r\nDownload (INetCache)\r\nOtherMSBinaries\r\nT1105: Ingress Tool Transfer\r\nWsl.exe\r\nExecute (EXE, CMD)\r\nDownload\r\nOtherMSBinaries\r\nT1202: Indirect Command Execution\r\nT1105: Ingress Tool Transfer\r\nT1218: System Binary Proxy Execution\r\nXBootMgr.exe\r\nExecute (EXE)\r\nOtherMSBinaries\r\nT1202: Indirect Command Execution\r\nhttps://lolbas-project.github.io/\r\nPage 39 of 42\n\nXBootMgrSleep.exe\r\nExecute (EXE)\r\nOtherMSBinaries\r\nT1202: Indirect Command Execution\r\ndevtunnel.exe\r\nDownload\r\nOtherMSBinaries\r\nT1105: Ingress Tool Transfer\r\nvsls-agent.exe\r\nExecute (DLL)\r\nOtherMSBinaries\r\nT1218: System Binary Proxy Execution\r\nvstest.console.exe\r\nAWL bypass (DLL)\r\nOtherMSBinaries\r\nT1127: Trusted Developer Utilities Proxy Execution\r\nwinfile.exe\r\nExecute (EXE)\r\nOtherMSBinaries\r\nT1202: Indirect Command Execution\r\nxsd.exe\r\nDownload (INetCache)\r\nOtherMSBinaries\r\nT1105: Ingress Tool Transfer\r\nCL_LoadAssembly.ps1\r\nExecute (DLL (.NET))\r\nhttps://lolbas-project.github.io/\r\nPage 40 of 42\n\nScripts\r\nT1216: System Script Proxy Execution\r\nCL_Mutexverifiers.ps1\r\nExecute (PowerShell)\r\nScripts\r\nT1216: System Script Proxy Execution\r\nCL_Invocation.ps1\r\nExecute (CMD)\r\nScripts\r\nT1216: System Script Proxy Execution\r\nLaunch-VsDevShell.ps1\r\nExecute (EXE)\r\nScripts\r\nT1216: System Script Proxy Execution\r\nManage-bde.wsf\r\nExecute (EXE)\r\nScripts\r\nT1216: System Script Proxy Execution\r\nPubprn.vbs\r\nExecute (SCT)\r\nScripts\r\nT1216.001: PubPrn\r\nSyncappvpublishingserver.vbs\r\nExecute (PowerShell)\r\nScripts\r\nT1216.002: SyncAppvPublishingServer\r\nhttps://lolbas-project.github.io/\r\nPage 41 of 42\n\nUtilityFunctions.ps1\r\nExecute (DLL (.NET))\r\nScripts\r\nT1216: System Script Proxy Execution\r\nwinrm.vbs\r\nExecute (CMD, Remote)\r\nAWL bypass (XSL)\r\nScripts\r\nT1216: System Script Proxy Execution\r\nT1220: XSL Script Processing\r\nPester.bat\r\nExecute (EXE)\r\nScripts\r\nT1216: System Script Proxy Execution\r\nSource: https://lolbas-project.github.io/\r\nhttps://lolbas-project.github.io/\r\nPage 42 of 42",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://lolbas-project.github.io/"
	],
	"report_names": [
		"lolbas-project.github.io"
	],
	"threat_actors": [],
	"ts_created_at": 1775439063,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/173d5cef23d4302dc2306c0c31b76dfe1775e9cc.pdf",
		"text": "https://archive.orkl.eu/173d5cef23d4302dc2306c0c31b76dfe1775e9cc.txt",
		"img": "https://archive.orkl.eu/173d5cef23d4302dc2306c0c31b76dfe1775e9cc.jpg"
	}
}