Top 25 Windows LOLBAS Binaries Flashcards by Shawn Dooley

Front (Question)

Back (Answer)

How well did you know this?

Not at all

Perfectly

What is the folder path for Command Line Interface?

C:\Windows\System32\cmd.exe

How well did you know this?

Not at all

Perfectly

What are the LOLBAS functions of C:\Windows\System32\cmd.exe?

Command Line Interface

How well did you know this?

Not at all

Perfectly

What is the expected use of C:\Windows\System32\cmd.exe?

Execute system commands, scripts, batch files

How well did you know this?

Not at all

Perfectly

What are the expected parent processes for C:\Windows\System32\cmd.exe?

explorer.exe, services.exe

How well did you know this?

Not at all

Perfectly

What are the expected conditions C:\Windows\System32\cmd.exe is created for?

User interaction, script execution

How well did you know this?

Not at all

Perfectly

What are common malicious uses of C:\Windows\System32\cmd.exe?

Command execution, script deployment, persistence mechanisms

How well did you know this?

Not at all

Perfectly

What is the folder path for Scripting Language, Automation?

C:\Windows\System32\powershell.exe

How well did you know this?

Not at all

Perfectly

What are the LOLBAS functions of C:\Windows\System32\powershell.exe?

Scripting Language, Automation

How well did you know this?

Not at all

Perfectly

What is the expected use of C:\Windows\System32\powershell.exe?

Automation, configuration management, task automation

How well did you know this?

Not at all

Perfectly

What are the expected parent processes for C:\Windows\System32\powershell.exe?

explorer.exe, taskeng.exe

How well did you know this?

Not at all

Perfectly

What are the expected conditions C:\Windows\System32\powershell.exe is created for?

Task scheduling, user scripts, administrative tasks

How well did you know this?

Not at all

Perfectly

What are common malicious uses of C:\Windows\System32\powershell.exe?

Download and execute payloads, bypassing security controls, lateral movement

How well did you know this?

Not at all

Perfectly

What is the folder path for Execute DLLs?

C:\Windows\System32\rundll32.exe

How well did you know this?

Not at all

Perfectly

What are the LOLBAS functions of C:\Windows\System32\rundll32.exe?

Execute DLLs

How well did you know this?

Not at all

Perfectly

What is the expected use of C:\Windows\System32\rundll32.exe?

Load and run DLLs

How well did you know this?

Not at all

Perfectly

What are the expected parent processes for C:\Windows\System32\rundll32.exe?

explorer.exe, taskeng.exe

How well did you know this?

Not at all

Perfectly

What are the expected conditions C:\Windows\System32\rundll32.exe is created for?

DLL execution, system configuration changes

How well did you know this?

Not at all

Perfectly

What are common malicious uses of C:\Windows\System32\rundll32.exe?

DLL injection, persistence, command execution

How well did you know this?

Not at all

Perfectly

What is the folder path for Execute HTML applications?

C:\Windows\System32\mshta.exe

How well did you know this?

Not at all

Perfectly

What are the LOLBAS functions of C:\Windows\System32\mshta.exe?

Execute HTML applications

How well did you know this?

Not at all

Perfectly

What is the expected use of C:\Windows\System32\mshta.exe?

Run HTML-based scripts and applications

How well did you know this?

Not at all

Perfectly

What are the expected parent processes for C:\Windows\System32\mshta.exe?

explorer.exe, wscript.exe

How well did you know this?

Not at all

Perfectly

What are the expected conditions C:\Windows\System32\mshta.exe is created for?

Script execution, user interaction

How well did you know this?

Not at all

Perfectly

What are common malicious uses of C:\Windows\System32\mshta.exe?

Download and execute payloads, phishing attacks, persistence

What is the folder path for Task scheduling?

C:\Windows\System32\schtasks.exe

What are the LOLBAS functions of C:\Windows\System32\schtasks.exe?

Task scheduling

What is the expected use of C:\Windows\System32\schtasks.exe?

Create and manage scheduled tasks

What are the expected parent processes for C:\Windows\System32\schtasks.exe?

explorer.exe, taskeng.exe

What are the expected conditions C:\Windows\System32\schtasks.exe is created for?

Task automation, system maintenance

What are common malicious uses of C:\Windows\System32\schtasks.exe?

Persistence, privilege escalation, lateral movement

What is the folder path for WMI Command-line tool?

C:\Windows\System32\wmic.exe

What are the LOLBAS functions of C:\Windows\System32\wmic.exe?

WMI Command-line tool

What is the expected use of C:\Windows\System32\wmic.exe?

Management and configuration of local and remote systems

What are the expected parent processes for C:\Windows\System32\wmic.exe?

explorer.exe, cmd.exe

What are the expected conditions C:\Windows\System32\wmic.exe is created for?

System administration, automation scripts

What are common malicious uses of C:\Windows\System32\wmic.exe?

Information gathering, lateral movement, persistence

What is the folder path for Certificate Services?

C:\Windows\System32\certutil.exe

What are the LOLBAS functions of C:\Windows\System32\certutil.exe?

Certificate Services

What is the expected use of C:\Windows\System32\certutil.exe?

Manage and manipulate certificates

What are the expected parent processes for C:\Windows\System32\certutil.exe?

explorer.exe, cmd.exe

What are the expected conditions C:\Windows\System32\certutil.exe is created for?

Certificate management, network security

What are common malicious uses of C:\Windows\System32\certutil.exe?

Download and decode payloads, bypass security controls

What is the folder path for Register and unregister DLLs?

C:\Windows\System32\regsvr32.exe

What are the LOLBAS functions of C:\Windows\System32\regsvr32.exe?

What is the expected use of C:\Windows\System32\regsvr32.exe?

What are the expected parent processes for C:\Windows\System32\regsvr32.exe?

explorer.exe, cmd.exe

What are the expected conditions C:\Windows\System32\regsvr32.exe is created for?

DLL management, system configuration

What are common malicious uses of C:\Windows\System32\regsvr32.exe?

Bypass application whitelisting, execute remote payloads

What is the folder path for Manage BITS jobs?

C:\Windows\System32\bitsadmin.exe

What are the LOLBAS functions of C:\Windows\System32\bitsadmin.exe?

Manage BITS jobs

What is the expected use of C:\Windows\System32\bitsadmin.exe?

Create, monitor, and manage BITS jobs

What are the expected parent processes for C:\Windows\System32\bitsadmin.exe?

explorer.exe, cmd.exe

What are the expected conditions C:\Windows\System32\bitsadmin.exe is created for?

Background file transfers, software updates

What are common malicious uses of C:\Windows\System32\bitsadmin.exe?

Download and execute malicious files, persistence

What is the folder path for Registry manipulation?

C:\Windows\System32\reg.exe

What are the LOLBAS functions of C:\Windows\System32\reg.exe?

Registry manipulation

What is the expected use of C:\Windows\System32\reg.exe?

Query and modify the Windows registry

What are the expected parent processes for C:\Windows\System32\reg.exe?

explorer.exe, cmd.exe

What are the expected conditions C:\Windows\System32\reg.exe is created for?

Registry management, system configuration

What are common malicious uses of C:\Windows\System32\reg.exe?

Persistence, privilege escalation, system manipulation

Top 25 Windows LOLBAS Binaries Flashcards

Top 25 most abused LOLBIN per the lolbas-project and chatgpt analysis. (61 cards)