AddinUtil.exe
Execute (.NetObjects)
Binaries
T1218
AppInstaller.exe
Download (INetCache)
Binaries
T1105
Aspnet_Compiler.exe
AWL bypass
Binaries
T1127
At.exe
Execute (CMD)
Binaries
T1053.002
Atbroker.exe
Execute (EXE)
Binaries
T1218
Bash.exe
Execute (CMD)
AWL bypass (CMD)
Binaries
T1202
T1218
Bitsadmin.exe
Alternate data streams
Download
Copy
Execute
Binaries
T1564.004
T1105
T1218
CertOC.exe
Execute (DLL)
Download
Binaries
T1218
T1105
CertReq.exe
Download
Upload
Binaries
T1105
Certutil.exe
Download (GUI)
Alternate data streams
Encode
Decode
Binaries
T1105
T1564.004
T1027.013
T1140
Change.exe
Execute (EXE, Rename)
Binaries
T1218
Cipher.exe
Tamper
Binaries
T1485
T1562
Cmd.exe
Alternate data streams
Download
Upload
Binaries
T1564.004
T1059.003
T1105
T1048.003
Cmdkey.exe
Credentials
Binaries
T1078
cmdl32.exe
Download
Binaries
T1105
Cmstp.exe
Execute (INF, DLL, Registry Change)
AWL bypass (INF, Remote)
Binaries
T1218.003
Colorcpl.exe
Copy
Binaries
T1036.005
ComputerDefaults.exe
UAC bypass
Binaries
T1548.002
ConfigSecurityPolicy.exe
Upload
Download (INetCache)
Binaries
T1567
T1105
Conhost.exe
Execute (CMD)
Binaries
T1202
Control.exe
Alternate data streams (DLL)
Execute (DLL)
Binaries
T1218.002
Csc.exe
Compile
Binaries
T1127
Cscript.exe
Alternate data streams (WSH)
Binaries
T1564.004
CustomShellHost.exe
Execute (EXE)
Binaries
T1218
DataSvcUtil.exe
Upload
Binaries
T1567
Desktopimgdownldr.exe
Download
Binaries
T1105
DeviceCredentialDeployment.exe
Conceal
Binaries
T1564
Dfsvc.exe
AWL bypass (ClickOnce, Remote)
Binaries
T1127.002
Diantz.exe
Alternate data streams (Compression)
Download (Compression)
Execute (Compression)
Binaries
T1564.004
T1105
T1036
Diskshadow.exe
Dump (CMD)
Execute (CMD)
Binaries
T1003.003
T1202
Dnscmd.exe
Execute (DLL, Remote)
Binaries
T1543.003
Esentutl.exe
Copy
Alternate data streams
Download
Binaries
T1105
T1564.004
T1003.003
Eudcedit.exe
UAC bypass (CMD, GUI)
Binaries
T1548.002
Eventvwr.exe
UAC bypass (GUI, EXE, .NetObjects)
Binaries
T1548.002
Expand.exe
Download
Copy
Alternate data streams
Binaries
T1105
T1564.004
Explorer.exe
Execute (EXE)
Binaries
T1202
Extexport.exe
Execute (DLL)
Binaries
T1218
Extrac32.exe
Alternate data streams (Compression)
Download
Copy
Binaries
T1564.004
T1105
Findstr.exe
Alternate data streams
Credentials
Download
Binaries
T1564.004
T1552.001
T1105
Finger.exe
Download
Binaries
T1105
fltMC.exe
Tamper
Binaries
T1562.001
Forfiles.exe
Execute (EXE)
Alternate data streams (EXE)
Binaries
T1202
T1564.004
Fsutil.exe
Tamper
Execute (EXE)
Binaries
T1485
T1218
Ftp.exe
Execute (CMD)
Download
Binaries
T1202
T1105
Gpscript.exe
Execute (CMD)
Binaries
T1218
Hh.exe
Download (EXE, GUI)
Execute (EXE, GUI, CMD, CHM, Remote)
Binaries
T1105
T1218.001
IMEWDBLD.exe
Download (INetCache)
Binaries
T1105
Ie4uinit.exe
Execute (INF)
Binaries
T1218
iediagcmd.exe
Execute (EXE)
Binaries
T1218
Ieexec.exe
Download (Remote, EXE (.NET))
Execute (Remote, EXE (.NET))
Binaries
T1105
T1218
Ilasm.exe
Compile
Binaries
T1127
Infdefaultinstall.exe
Execute (INF)
Binaries
T1218
Installutil.exe
AWL bypass (DLL (.NET), EXE (.NET))
Execute (DLL (.NET), EXE (.NET))
Download (INetCache)
Binaries
T1218.004
T1105
iscsicpl.exe
UAC bypass (DLL, CMD, GUI)
Binaries
T1548.002
Jsc.exe
Compile (JScript)
Binaries
T1127
Ldifde.exe
Download
Binaries
T1105
Makecab.exe
Alternate data streams (Compression)
Download (Compression)
Execute (Compression)
Binaries
T1564.004
T1105
T1036
Mavinject.exe
Execute (DLL)
Alternate data streams (DLL)
Binaries
T1218.013
T1564.004
Microsoft.Workflow.Compiler.exe
Execute (VB.Net, CSharp, XOML)
AWL bypass (XOML)
Binaries
T1127
Mmc.exe
Execute (COM)
UAC bypass (DLL)
Download (GUI)
Binaries
T1218.014
MpCmdRun.exe
Download
Alternate data streams
Binaries
T1105
T1564.004
Msbuild.exe
AWL bypass (CSharp)
Execute (CSharp, DLL, XSL, CMD)
Binaries
T1127.001
T1036
Msconfig.exe
Execute (CMD)
Binaries
T1218
Msdt.exe
Execute (GUI, MSI)
AWL bypass (GUI, MSI, CMD)
Binaries
T1218
T1202
Msedge.exe
Download
Execute (CMD)
Binaries
T1105
T1218.015
Mshta.exe
Execute (HTA, Remote, VBScript, JScript)
Alternate data streams (HTA)
Download (INetCache)
Binaries
T1218.005
T1105
Msiexec.exe
Execute (MSI, Remote, DLL, MST)
Binaries
T1218.007
msoxmled.exe
Download (INetCache)
Binaries
T1105
Netsh.exe
Execute (DLL)
Binaries
T1546.007
Ngen.exe
Download (INetCache)
Binaries
T1105
Odbcconf.exe
Execute (DLL)
Binaries
T1218.008
OfflineScannerShell.exe
Execute (DLL)
Binaries
T1218
OneDriveStandaloneUpdater.exe
Download
Binaries
T1105
Pcalua.exe
Execute (EXE, DLL, Remote)
Binaries
T1202
Pcwrun.exe
Execute (EXE)
Binaries
T1218
T1202
Pktmon.exe
Reconnaissance
Binaries
T1040
Pnputil.exe
Execute (INF)
Binaries
T1547
Presentationhost.exe
Execute (XBAP)
Download (INetCache)
Binaries
T1218
T1105
Print.exe
Alternate data streams
Copy
Binaries
T1564.004
T1105
PrintBrm.exe
Download (Compression)
Alternate data streams (Compression)
Binaries
T1105
T1564.004
Provlaunch.exe
Execute (CMD)
Binaries
T1218
Psr.exe
Reconnaissance
Binaries
T1113
Query.exe
Execute (EXE, Rename)
Binaries
T1218
Rasautou.exe
Execute (DLL)
Binaries
T1218
rdrleakdiag.exe
Dump
Binaries
T1003
T1003.001
Reg.exe
Alternate data streams
Credentials
Binaries
T1564.004
T1003.002
Regasm.exe
AWL bypass (DLL (.NET))
Execute (DLL (.NET))
Binaries
T1218.009
Regedit.exe
Alternate data streams
Binaries
T1564.004
Regini.exe
Alternate data streams
Binaries
T1564.004
Register-cimprovider.exe
Execute (DLL)
Binaries
T1218
Regsvcs.exe
Execute (DLL (.NET))
AWL bypass (DLL (.NET))
Binaries
T1218.009
Regsvr32.exe
AWL bypass (SCT, Remote)
Execute (SCT, Remote, DLL)
Binaries
T1218.010
Replace.exe
Copy
Download
Binaries
T1105
Reset.exe
Execute (EXE, Rename)
Binaries
T1218
Rpcping.exe
Credentials
Binaries
T1003
T1187
Rundll32.exe
Execute (DLL, Remote, JScript, COM)
Alternate data streams (DLL)
Binaries
T1218.011
T1564.004
Runexehelper.exe
Execute (EXE)
Binaries
T1218
Runonce.exe
Execute (CMD)
Binaries
T1218
Runscripthelper.exe
Execute (PowerShell)
Binaries
T1218
Sc.exe
Alternate data streams (EXE)
Binaries
T1564.004
Schtasks.exe
Execute (CMD)
Binaries
T1053.005
scp.exe
Execute (CMD)
Binaries
T1202
Scriptrunner.exe
Execute (EXE, Remote, CMD)
Binaries
T1202
T1218
Setres.exe
Execute (EXE)
Binaries
T1218
SettingSyncHost.exe
Execute (EXE, CMD)
Binaries
T1218
Sftp.exe
Execute (CMD)
Binaries
T1202
Sigverif.exe
Execute (EXE, GUI)
Binaries
T1218
ssh.exe
Execute (CMD)
Binaries
T1202
Stordiag.exe
Execute (EXE)
Binaries
T1218
SyncAppvPublishingServer.exe
Execute (PowerShell)
Binaries
T1218
Tar.exe
Alternate data streams (Compression)
Copy (Compression)
Binaries
T1564.004
T1105
Ttdinject.exe
Execute (EXE)
Binaries
T1127
Tttracer.exe
Execute (EXE)
Dump
Binaries
T1127
T1003
Unregmp2.exe
Execute (EXE)
Binaries
T1202
vbc.exe
Compile
Binaries
T1127
Verclsid.exe
Execute (COM)
Binaries
T1218.012
Wab.exe
Execute (DLL)
Binaries
T1218
wbadmin.exe
Dump
Binaries
T1003.003
wbemtest.exe
Execute (GUI, CMD)
Binaries
T1047
winget.exe
Execute (Remote, EXE)
Download
AWL bypass
Binaries
T1105
Wlrmdr.exe
Execute (EXE)
Binaries
T1202
Wmic.exe
Alternate data streams (EXE)
Execute (CMD, Remote, XSL)
Copy
Binaries
T1564.004
T1218
T1105
WorkFolders.exe
Execute (EXE, Rename, Registry Change)
Binaries
T1218
Wscript.exe
Alternate data streams (WSH)
Binaries
T1564.004
Wsreset.exe
UAC bypass
Binaries
T1548.002
wuauclt.exe
Execute (DLL)
Binaries
T1218
Xwizard.exe
Execute (COM)
Download (INetCache)
Binaries
T1218
T1105
msedge_proxy.exe
Download
Execute (CMD)
Binaries
T1105
T1218.015
msedgewebview2.exe
Execute (EXE, CMD)
Binaries
T1218.015
odbcad32.exe
UAC bypass (CMD, GUI)
Binaries
T1548.002
setupugc.exe
Execute (CMD, Registry Change)
Binaries
T1218
write.exe
Execute (EXE, Registry Change)
Binaries
T1218
wt.exe
Execute (CMD)
Binaries
T1202
Advpack.dll
AWL bypass (INF)
Execute (DLL, EXE, CMD)
Libraries
T1218.011
Desk.cpl
Execute (EXE, Remote)
Libraries
T1218.011
Dfshim.dll
AWL bypass (ClickOnce, Remote)
Libraries
T1127.002
Ieadvpack.dll
AWL bypass (INF)
Execute (DLL, EXE, CMD)
Libraries
T1218.011
Ieframe.dll
Execute (URL)
Libraries
T1218.011
Mshtml.dll
Execute (HTA)
Libraries
T1218.011
Pcwutl.dll
Execute (EXE)
Libraries
T1218.011
PhotoViewer.dll
Download (INetCache)
Libraries
T1105
Scrobj.dll
Download (INetCache)
Libraries
T1105
Setupapi.dll
AWL bypass (INF)
Execute (INF)
Libraries
T1218.011
Shdocvw.dll
Execute (URL)
Libraries
T1218.011
Shell32.dll
Execute (DLL, EXE, CMD)
Libraries
T1218.011
Shimgvw.dll
Download (INetCache)
Libraries
T1105
Syssetup.dll
AWL bypass (INF)
Execute (INF)
Libraries
T1218.011
Url.dll
Execute (HTA, URL, EXE)
Libraries
T1218.011
Zipfldr.dll
Execute (EXE)
Libraries
T1218.011
Comsvcs.dll
Dump
Libraries
T1003.001
AccCheckConsole.exe
Execute (DLL (.NET))
AWL bypass (DLL (.NET))
OtherMSBinaries
T1218
adplus.exe
Dump
Execute (CMD, EXE)
OtherMSBinaries
T1003.001
T1127
AgentExecutor.exe
Execute (PowerShell, EXE)
OtherMSBinaries
T1218
AppLauncher.exe
Execute (EXE)
OtherMSBinaries
T1127
AppCert.exe
Execute (EXE, MSI)
OtherMSBinaries
T1127
T1218.007
Appvlp.exe
Execute (CMD, EXE)
OtherMSBinaries
T1218
Bcp.exe
Download
OtherMSBinaries
T1105
Bginfo.exe
Execute (WSH, Remote)
AWL bypass (WSH, Remote)
OtherMSBinaries
T1218
Cdb.exe
Execute (Shellcode, CMD)
OtherMSBinaries
T1127
coregen.exe
Execute (DLL)
AWL bypass (DLL)
OtherMSBinaries
T1055
T1218
Createdump.exe
Dump
OtherMSBinaries
T1003
csi.exe
Execute (CSharp)
OtherMSBinaries
T1127
DefaultPack.EXE
Execute (CMD)
OtherMSBinaries
T1218
Devinit.exe
Execute (MSI, Remote)
OtherMSBinaries
T1218.007
Devtoolslauncher.exe
Execute (CMD)
OtherMSBinaries
T1127
dnx.exe
Execute (CSharp)
OtherMSBinaries
T1127
Dotnet.exe
AWL bypass (DLL (.NET), CSharp)
Execute (DLL (.NET), FSharp)
OtherMSBinaries
T1218
T1059
dsdbutil.exe
Dump
OtherMSBinaries
T1003.003
dtutil.exe
Copy
OtherMSBinaries
T1105
Dump64.exe
Dump
OtherMSBinaries
T1003.001
DumpMinitool.exe
Dump
OtherMSBinaries
T1003.001
Dxcap.exe
Execute (EXE, Rename)
OtherMSBinaries
T1127
ECMangen.exe
Download (INetCache)
OtherMSBinaries
T1105
Excel.exe
Download (INetCache)
OtherMSBinaries
T1105
Fsi.exe
AWL bypass (FSharp)
OtherMSBinaries
T1059
FsiAnyCpu.exe
AWL bypass (FSharp)
OtherMSBinaries
T1059
IntelliTrace.exe
Execute (EXE)
OtherMSBinaries
T1127
Logger.exe
Execute (CMD)
OtherMSBinaries
T1202
Mftrace.exe
Execute (EXE)
OtherMSBinaries
T1127
Microsoft.NodejsTools.PressAnyKey.exe
Execute (EXE)
OtherMSBinaries
T1127
Mpiexec.exe
Execute (CMD)
OtherMSBinaries
T1127
MSAccess.exe
Download (INetCache)
OtherMSBinaries
T1105
Mscopilot.exe
Execute (CMD)
OtherMSBinaries
T1218.015
Mscopilot_proxy.exe
Execute (CMD)
OtherMSBinaries
T1218.015
Msdeploy.exe
Execute (CMD)
AWL bypass (CMD)
Copy
OtherMSBinaries
T1218
T1105
MsoHtmEd.exe
Download (INetCache)
OtherMSBinaries
T1105
Mspub.exe
Download (INetCache)
OtherMSBinaries
T1105
msxsl.exe
Execute (XSL, Remote)
AWL bypass (XSL, Remote)
Download
Alternate data streams
OtherMSBinaries
T1220
T1105
T1564
Nmcap.exe
Reconnaissance
OtherMSBinaries
T1040
ntdsutil.exe
Dump
OtherMSBinaries
T1003.003
Ntsd.exe
Execute (CMD)
OtherMSBinaries
T1127
OpenConsole.exe
Execute (EXE)
OtherMSBinaries
T1202
Outlook.exe
Download (INetCache)
OtherMSBinaries
T1105
Pixtool.exe
Execute (EXE)
OtherMSBinaries
T1127
Powerpnt.exe
Download (INetCache)
OtherMSBinaries
T1105
Procdump.exe
Execute (DLL)
OtherMSBinaries
T1202
ProtocolHandler.exe
Download
OtherMSBinaries
T1105
rcsi.exe
Execute (CSharp)
AWL bypass (CSharp)
OtherMSBinaries
T1127
Remote.exe
AWL bypass (EXE)
Execute (EXE, Remote)
OtherMSBinaries
T1127
Sqldumper.exe
Dump
OtherMSBinaries
T1003
T1003.001
Sqlps.exe
Execute (PowerShell)
OtherMSBinaries
T1218
SQLToolsPS.exe
Execute (PowerShell)
OtherMSBinaries
T1218
Squirrel.exe
Download
AWL bypass (Nuget, Remote)
Execute (Nuget, Remote)
OtherMSBinaries
T1218
te.exe
Execute (WSH, DLL, Custom Format)
OtherMSBinaries
T1127
Teams.exe
Execute (Node.JS, CMD)
OtherMSBinaries
T1218.015
TestWindowRemoteAgent.exe
Upload
OtherMSBinaries
T1048
Tracker.exe
Execute (DLL)
AWL bypass (DLL)
OtherMSBinaries
T1127
Update.exe
Download
AWL bypass (Nuget, Remote, CMD)
Execute (Nuget, Remote, CMD, EXE)
OtherMSBinaries
T1218
T1547
T1070
VSDiagnostics.exe
Execute (EXE, CMD)
OtherMSBinaries
T1127
VSIISExeLauncher.exe
Execute (EXE)
OtherMSBinaries
T1218
Visio.exe
Download (INetCache)
OtherMSBinaries
T1105
VisualUiaVerifyNative.exe
AWL bypass (.NetObjects)
OtherMSBinaries
T1218
VSLaunchBrowser.exe
Download (INetCache)
Execute (EXE, Remote)
OtherMSBinaries
T1105
T1127
Vshadow.exe
Execute (EXE)
OtherMSBinaries
T1202
vsjitdebugger.exe
Execute (EXE)
OtherMSBinaries
T1127
WFMFormat.exe
Execute (EXE, .NET Framework 3.5)
OtherMSBinaries
T1127
Wfc.exe
AWL bypass (XOML)
OtherMSBinaries
T1127
WinDbg.exe
Execute (CMD)
OtherMSBinaries
T1127
WinProj.exe
Download (INetCache)
OtherMSBinaries
T1105
Winword.exe
Download (INetCache)
OtherMSBinaries
T1105
wsb.exe
Execute (CMD)
OtherMSBinaries
T1564.006
Wsl.exe
Execute (EXE, CMD)
Download
OtherMSBinaries
T1202
T1105
T1218
XBootMgr.exe
Execute (EXE)
OtherMSBinaries
T1202
XBootMgrSleep.exe
Execute (EXE)
OtherMSBinaries
T1202
devtunnel.exe
Download
OtherMSBinaries
T1105
vsls-agent.exe
Execute (DLL)
OtherMSBinaries
T1218
vstest.console.exe
AWL bypass (DLL)
OtherMSBinaries
T1127
winfile.exe
Execute (EXE)
OtherMSBinaries
T1202
xsd.exe
Download (INetCache)
OtherMSBinaries
T1105
CL_LoadAssembly.ps1
Execute (DLL (.NET))
Scripts
T1216
CL_Mutexverifiers.ps1
Execute (PowerShell)
Scripts
T1216
CL_Invocation.ps1
Execute (CMD)
Scripts
T1216
Launch-VsDevShell.ps1
Execute (EXE)
Scripts
T1216
Manage-bde.wsf
Execute (EXE)
Scripts
T1216
Pubprn.vbs
Execute (SCT)
Scripts
T1216.001
Syncappvpublishingserver.vbs
Execute (PowerShell)
Scripts
T1216.002
UtilityFunctions.ps1
Execute (DLL (.NET))
Scripts
T1216
winrm.vbs
Execute (CMD, Remote)
AWL bypass (XSL)
Scripts
T1216
T1220
Pester.bat
Execute (EXE)
Scripts
T1216