Living off the Land
Abusing trusted, signed system binaries (LOLBins) to execute and proxy code — rundll32, regsvr32, mshta, certutil.
Living off the Land | intermediate
Attackers abuse the signed esentutl.exe to copy locked files via VSS or pull payloads from remote shares under a trusted Windows binary.
windows
Living off the Land | intermediate
Attackers pass base64-encoded scripts to powershell.exe via -EncodedCommand to obfuscate intent and evade command-line inspection under a trusted shell.
windows
Living off the Land | intermediate
Attackers abuse the signed wmic.exe to spawn processes, run remote XSL scriptlets, and execute commands on remote hosts under a trusted binary.
windows
Living off the Land | beginner
Attackers abuse the signed forfiles.exe to spawn child processes and proxy command execution under a trusted Windows binary.
windows
Living off the Land | beginner
Attackers abuse the signed certutil.exe to download remote payloads and to base64/hex decode staged files, proxying ingress under a trusted binary.
windows
Living off the Land | intermediate
Attackers abuse the signed Windows binary rundll32.exe to load malicious DLLs and execute exported functions, proxying code under a trusted process.
windows
Living off the Land | intermediate
Attackers abuse the signed InstallUtil.exe to run attacker code in installer hooks of a .NET assembly, proxying execution under a trusted binary.
windows
Living off the Land | advanced
Attackers abuse the signed cmstp.exe and a crafted INF to proxy code execution and bypass UAC under a trusted Windows binary.
windows
Living off the Land | intermediate
Attackers abuse the signed MSBuild.exe to compile and run inline C# tasks from a project file, executing code under a trusted developer binary.
windows
Living off the Land | intermediate
Attackers abuse regsvr32.exe to fetch and run a remote COM scriptlet, executing code under a signed binary while bypassing application allow-listing.
windows
Living off the Land | intermediate
Attackers abuse the signed odbcconf.exe REGSVR action to load and execute a malicious DLL under a trusted Windows binary.
windows
Living off the Land | beginner
Attackers abuse the signed mshta.exe to run HTML Applications and inline VBScript/JScript, proxying code execution under a trusted Windows binary.
windows
Living off the Land | beginner
Attackers abuse the signed bitsadmin.exe to queue background BITS jobs that download payloads under a trusted service, blending into normal updates.
windows
Living off the Land | beginner
Attackers abuse the signed wscript.exe and cscript.exe script hosts to run malicious JScript and VBScript under trusted Windows binaries.
windows