Top 25 Windows LOLBAS Binaries

Question 1

Front (Question)

Answer 1

Back (Answer)

Question 2

What is the folder path for Command Line Interface?

Answer 2

C:\Windows\System32\cmd.exe

Question 3

What are the LOLBAS functions of C:\Windows\System32\cmd.exe?

Answer 3

Command Line Interface

Question 4

What is the expected use of C:\Windows\System32\cmd.exe?

Answer 4

Execute system commands, scripts, batch files

Question 5

What are the expected parent processes for C:\Windows\System32\cmd.exe?

Answer 5

explorer.exe, services.exe

Question 6

What are the expected conditions C:\Windows\System32\cmd.exe is created for?

Answer 6

User interaction, script execution

Question 7

What are common malicious uses of C:\Windows\System32\cmd.exe?

Answer 7

Command execution, script deployment, persistence mechanisms

Question 8

What is the folder path for Scripting Language, Automation?

Answer 8

C:\Windows\System32\powershell.exe

Question 9

What are the LOLBAS functions of C:\Windows\System32\powershell.exe?

Answer 9

Scripting Language, Automation

Question 10

What is the expected use of C:\Windows\System32\powershell.exe?

Answer 10

Automation, configuration management, task automation

Question 11

What are the expected parent processes for C:\Windows\System32\powershell.exe?

Answer 11

explorer.exe, taskeng.exe

Question 12

What are the expected conditions C:\Windows\System32\powershell.exe is created for?

Answer 12

Task scheduling, user scripts, administrative tasks

Question 13

What are common malicious uses of C:\Windows\System32\powershell.exe?

Answer 13

Download and execute payloads, bypassing security controls, lateral movement

Question 14

What is the folder path for Execute DLLs?

Answer 14

C:\Windows\System32\rundll32.exe

Question 15

What are the LOLBAS functions of C:\Windows\System32\rundll32.exe?

Answer 15

Execute DLLs

Question 16

What is the expected use of C:\Windows\System32\rundll32.exe?

Answer 16

Load and run DLLs

Question 17

What are the expected parent processes for C:\Windows\System32\rundll32.exe?

Answer 17

explorer.exe, taskeng.exe

Question 18

What are the expected conditions C:\Windows\System32\rundll32.exe is created for?

Answer 18

DLL execution, system configuration changes

Question 19

What are common malicious uses of C:\Windows\System32\rundll32.exe?

Answer 19

DLL injection, persistence, command execution

Question 20

What is the folder path for Execute HTML applications?

Answer 20

C:\Windows\System32\mshta.exe

Question 21

What are the LOLBAS functions of C:\Windows\System32\mshta.exe?

Answer 21

Execute HTML applications

Question 22

What is the expected use of C:\Windows\System32\mshta.exe?

Answer 22

Run HTML-based scripts and applications

Question 23

What are the expected parent processes for C:\Windows\System32\mshta.exe?

Answer 23

explorer.exe, wscript.exe

Question 24

What are the expected conditions C:\Windows\System32\mshta.exe is created for?

Answer 24

Script execution, user interaction

Question 25

What are common malicious uses of C:\Windows\System32\mshta.exe?

Answer 25

Download and execute payloads, phishing attacks, persistence

Question 26

What is the folder path for Task scheduling?

Answer 26

C:\Windows\System32\schtasks.exe

Question 27

What are the LOLBAS functions of C:\Windows\System32\schtasks.exe?

Answer 27

Task scheduling

Question 28

What is the expected use of C:\Windows\System32\schtasks.exe?

Answer 28

Create and manage scheduled tasks

Question 29

What are the expected parent processes for C:\Windows\System32\schtasks.exe?

Answer 29

explorer.exe, taskeng.exe

Question 30

What are the expected conditions C:\Windows\System32\schtasks.exe is created for?

Answer 30

Task automation, system maintenance

Question 31

What are common malicious uses of C:\Windows\System32\schtasks.exe?

Answer 31

Persistence, privilege escalation, lateral movement

Question 32

What is the folder path for WMI Command-line tool?

Answer 32

C:\Windows\System32\wmic.exe

Question 33

What are the LOLBAS functions of C:\Windows\System32\wmic.exe?

Answer 33

WMI Command-line tool

Question 34

What is the expected use of C:\Windows\System32\wmic.exe?

Answer 34

Management and configuration of local and remote systems

Question 35

What are the expected parent processes for C:\Windows\System32\wmic.exe?

Answer 35

explorer.exe, cmd.exe

Question 36

What are the expected conditions C:\Windows\System32\wmic.exe is created for?

Answer 36

System administration, automation scripts

Question 37

What are common malicious uses of C:\Windows\System32\wmic.exe?

Answer 37

Information gathering, lateral movement, persistence

Question 38

What is the folder path for Certificate Services?

Answer 38

C:\Windows\System32\certutil.exe

Question 39

What are the LOLBAS functions of C:\Windows\System32\certutil.exe?

Answer 39

Certificate Services

Question 40

What is the expected use of C:\Windows\System32\certutil.exe?

Answer 40

Manage and manipulate certificates

Question 41

What are the expected parent processes for C:\Windows\System32\certutil.exe?

Answer 41

explorer.exe, cmd.exe

Question 42

What are the expected conditions C:\Windows\System32\certutil.exe is created for?

Answer 42

Certificate management, network security

Question 43

What are common malicious uses of C:\Windows\System32\certutil.exe?

Answer 43

Download and decode payloads, bypass security controls

Question 44

What is the folder path for Register and unregister DLLs?

Answer 44

C:\Windows\System32\regsvr32.exe

Question 45

What are the LOLBAS functions of C:\Windows\System32\regsvr32.exe?

Answer 45

Register and unregister DLLs

Question 46

What is the expected use of C:\Windows\System32\regsvr32.exe?

Answer 46

Register or unregister DLL files

Question 47

What are the expected parent processes for C:\Windows\System32\regsvr32.exe?

Answer 47

explorer.exe, cmd.exe

Question 48

What are the expected conditions C:\Windows\System32\regsvr32.exe is created for?

Answer 48

DLL management, system configuration

Question 49

What are common malicious uses of C:\Windows\System32\regsvr32.exe?

Answer 49

Bypass application whitelisting, execute remote payloads

Question 50

What is the folder path for Manage BITS jobs?

Answer 50

C:\Windows\System32\bitsadmin.exe

Question 51

What are the LOLBAS functions of C:\Windows\System32\bitsadmin.exe?

Answer 51

Manage BITS jobs

Question 52

What is the expected use of C:\Windows\System32\bitsadmin.exe?

Answer 52

Create, monitor, and manage BITS jobs

Question 53

What are the expected parent processes for C:\Windows\System32\bitsadmin.exe?

Answer 53

explorer.exe, cmd.exe

Question 54

What are the expected conditions C:\Windows\System32\bitsadmin.exe is created for?

Answer 54

Background file transfers, software updates

Question 55

What are common malicious uses of C:\Windows\System32\bitsadmin.exe?

Answer 55

Download and execute malicious files, persistence

Question 56

What is the folder path for Registry manipulation?

Answer 56

C:\Windows\System32\reg.exe

Question 57

What are the LOLBAS functions of C:\Windows\System32\reg.exe?

Answer 57

Registry manipulation

Question 58

What is the expected use of C:\Windows\System32\reg.exe?

Answer 58

Query and modify the Windows registry

Question 59

What are the expected parent processes for C:\Windows\System32\reg.exe?

Answer 59

explorer.exe, cmd.exe

Question 60

What are the expected conditions C:\Windows\System32\reg.exe is created for?

Answer 60

Registry management, system configuration

Question 61

What are common malicious uses of C:\Windows\System32\reg.exe?

Answer 61

Persistence, privilege escalation, system manipulation