|
2 | 2 | Download: |
3 | 3 | INetCache: 'INetCache downloaders typically store files in a randomly-named folder under <code>%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE</code>, having added <code>[1]</code> or a higher number between the file''s name and its extension.<br>If you downloaded a file named <code>XYZ.exe</code>, the full path of the downloaded file can be obtained by executing the following command:<br><code>cmd.exe /c "where /r %LOCALAPPDATA%\Microsoft\Windows\INetCache XYZ*"</code>' |
4 | 4 | Execute: |
| 5 | + .NetObjects: This LOLBAS can execute .NET code via .NET Objects, which can e.g be configured to execute command lines. |
| 6 | + CHM: This LOLBAS can execute compiled HTML (CHM) files. |
| 7 | + ClickOnce: This LOLBAS can execute ClickOne manifests. |
| 8 | + CMD: This LOLBAS can execute command lines. |
| 9 | + COM: This LOLBAS can trigger COM objects for execution. |
| 10 | + CSharp: This LOLBAS compiles and executes CSharp code. |
| 11 | + DLL (.NET): This LOLBAS executes .NET Dynamic-Link Libraries (DLLs). |
5 | 12 | DLL: This LOLBAS executes Dynamic-Link Libraries (DLLs). |
| 13 | + EXE (.NET): This LOLBAS can start .NET executables (without a custom command line). |
| 14 | + EXE: This LOLBAS can start executables (without a custom command line). |
| 15 | + FSharp: This LOLBAS compiles and executes FSharp code. |
| 16 | + HTA: This LOLBAS can execute Microsoft's HTML Application (HTA) files; this implies WSH languages, such as VBScript and JScript. |
| 17 | + INF: This LOLBAS can trigger setup information (INF) files, which can be used for e.g. execution of command lines. |
| 18 | + JScript: This LOLBAS can execute JScript code, Microsoft's implementation of JavaScript. |
| 19 | + MSI: This LOLBAS can execute Microsoft Installer (MSI) files. |
| 20 | + MST: This LOLBAS can execute Microsoft Installer Transform (MST) files. |
| 21 | + Node.JS: This LOLBAS can execute JavaScript files via a Node.JS engine. |
| 22 | + Nuget: This LOLBAS can install NuGet packages (see nuget.org). |
| 23 | + PowerShell: This LOLBAS executes arbitrary PowerShell code. |
| 24 | + Remote: This LOLBAS can execute a payload hosted in a remote location. |
| 25 | + SCT: This LOLBAS can execute script component (SCT) files; this implies WSH languages, such as VBScript and JScript. |
| 26 | + Shellcode: This LOLBAS can execute raw shellcode. |
| 27 | + URL: This LOLBAS can open .URL files, which can e.g. be configured to download and run remotely-hosted executables. |
| 28 | + VB.NET: This LOLBAS can execute VB.NET code. |
| 29 | + VBScript: This LOLBAS can execute VBScript code. |
6 | 30 | WSH: This LOLBAS executes scripts in Windows Script Host (WSH) languages, such as VBScript and JScript. |
| 31 | + XBAP: This LOLBAS can execute XAML Browser Application (XBAP) files. |
| 32 | + XOML: This LOLBAS execute files in Extensible Object Markup Language (XOML) format, a serialization format for Windows Workflow Foundation's workflow objects. |
| 33 | + XSL: This LOLBAS can execute Extensible Stylesheet Language (XSL) files. |
7 | 34 | Type: |
8 | 35 | Compression: This LOLBAS involves (de)compression of one or more files. |
9 | 36 | Application: |
|
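Review bot: the ClickOnce description (new line 7) says "ClickOne manifests", which does not match the key it documents and should read "ClickOnce manifests". Two smaller wording slips in the same block: the XOML entry (new line 32) reads "This LOLBAS execute files" and needs "can execute" or "executes", and the .NetObjects entry (new line 5) has "e.g be" where the INF and URL entries use "e.g.". The added entries also alternate between "can execute" and "executes" (CSharp, DLL (.NET), FSharp, PowerShell) without an apparent distinction. If the difference is not intentional, pick one form so that readers filtering on these tags do not read a capability difference into it.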