LOLBAS (Living off the Land Binaries and Scripts) are native OS components that can be used for execution, privilege elevation, credential theft, and exfiltration. For more information, see the official project site at: https://lolbas-project.github.io/
| Event Type | LOLbin category | Search term |
|---|---|---|
| Process Create | Executable | Atbroker.exe |
| Process Create | Executable | Bash.exe |
| Process Create | Executable | Bitsadmin.exe |
| Process Create | Executable | Certutil.exe |
| Process Create | Executable | Cmdkey.exe |
| Process Create | Executable | Cmstp.exe |
| Process Create | Executable | Control.exe |
| Process Create | Executable | Credentials |
| Process Create | Executable | Credentials |
| Process Create | Executable | Csc.exe |
| Process Create | Executable | Cscript.exe |
| Process Create | Executable | Dfsvc.exe |
| Process Create | Executable | Diskshadow.exe |
| Process Create | Executable | Dnscmd.exe |
| Process Create | Executable | Dump Execute |
| Process Create | Executable | Esentutl.exe |
| Process Create | Executable | Eventvwr.exe |
| Process Create | Executable | Expand.exe |
| Process Create | Executable | Extexport.exe |
| Process Create | Executable | Extrac32.exe |
| Process Create | Executable | Findstr.exe |
| Process Create | Executable | Forfiles.exe |
| Process Create | Executable | Ftp.exe |
| Process Create | Executable | Gpscript.exe |
| Process Create | Executable | Hh.exe |
| Process Create | Executable | Ie4uinit.exe |
| Process Create | Executable | Ieexec.exe |
| Process Create | Executable | Infdefaultinstall.exe |
| Process Create | Executable | Installutil.exe |
| Process Create | Executable | Makecab.exe |
| Process Create | Executable | Mavinject.exe |
| Process Create | Executable | Microsoft.Workflow.Compiler.exe |
| Process Create | Executable | Mmc.exe |
| Process Create | Executable | Msbuild.exe |
| Process Create | Executable | Msconfig.exe |
| Process Create | Executable | Msdt.exe |
| Process Create | Executable | Mshta.exe |
| Process Create | Executable | Msiexec.exe |
| Process Create | Executable | Odbcconf.exe |
| Process Create | Executable | Pcalua.exe |
| Process Create | Executable | Pcwrun.exe |
| Process Create | Executable | Presentationhost.exe |
| Process Create | Executable | Print.exe |
| Process Create | Executable | Reg.exe |
| Process Create | Executable | Regasm.exe |
| Process Create | Executable | Regedit.exe |
| Process Create | Executable | Register-cimprovider.exe |
| Process Create | Executable | Regsvcs.exe |
| Process Create | Executable | Regsvr32.exe |
| Process Create | Executable | Replace.exe |
| Process Create | Executable | Rpcping.exe |
| Process Create | Executable | Rundll32.exe |
| Process Create | Executable | Runonce.exe |
| Process Create | Executable | Runscripthelper.exe |
| Process Create | Executable | Sc.exe |
| Process Create | Executable | Schtasks.exe |
| Process Create | Executable | Scriptrunner.exe |
| Process Create | Executable | SyncAppvPublishingServer.exe |
| Process Create | Executable | UAC bypass |
| Process Create | Executable | UAC bypass |
| Process Create | Executable | Verclsid.exe |
| Process Create | Executable | Wab.exe |
| Process Create | Executable | Wmic.exe |
| Process Create | Executable | Wscript.exe |
| Process Create | Executable | Wsreset.exe |
| Process Create | Dynamically Linked Library | Xwizard.exe |
| Process Create | Dynamically Linked Library | Advpack.dll |
| Process Create | Dynamically Linked Library | Ieadvpack.dll |
| Process Create | Dynamically Linked Library | Ieaframe.dll |
| Process Create | Dynamically Linked Library | Mshtml.dll |
| Process Create | Dynamically Linked Library | Pcwutl.dll |
| Process Create | Dynamically Linked Library | Setupapi.dll |
| Process Create | Dynamically Linked Library | Shdocvw.dll |
| Process Create | Dynamically Linked Library | Shell32.dll |
| Process Create | Dynamically Linked Library | Syssetup.dll |
| Process Create | Dynamically Linked Library | Url.dll |
| Process Create | Executable | Zipfldr.dll |
| Process Create | Executable | Appvlp.exe |
| Process Create | Executable | Bginfo.exe |
| Process Create | Executable | Cdb.exe |
| Process Create | Executable | csi.exe |
| Process Create | Executable | dnx.exe |
| Process Create | Executable | Dump |
| Process Create | Executable | Dxcap.exe |
| Process Create | Executable | Mftrace.exe |
| Process Create | Executable | Msdeploy.exe |
| Process Create | Executable | msxsl.exe |
| Process Create | Executable | rcsi.exe |
| Process Create | Executable | Sqldumper.exe |
| Process Create | Executable | Sqlps.exe |
| Process Create | Executable | SQLToolsPS.exe |
| Process Create | Executable | te.exe |
| Process Create | Executable | Tracker.exe |
| Process Create | Script | vsjitdebugger.exe |
| Process Create | Script | CL_Invocation.ps1 |
| Process Create | Script | CL_Mutexverifiers.ps1 |
| Process Create | Script | Manage-bde.wsf |
| Process Create | Script | Pester.bat |
| Process Create | Script | Pubprn.vbs |
| Process Create | Script | Slmgr.vbs |
| Process Create | Script | Syncappvpublishingserver.vbs |
| Process Create | Script | winrm.vbs |