LOLGlobs
Process execution through wildcard pattern evasion
4 platforms · 11 categories
| Command | Description | Platform | Wildcards | Category | MITRE |
|---|---|---|---|---|---|
| Add-Type | Compile and load C# or other .NET language code at runtime. Enables direct Wi... | PowerShell | `*?[c-e]` | execution | T1059.001 |
| Copy-Item | Copy files and directories. Used for staging payloads, copying sensitive data... | PowerShell | `*?[n-p]-match` | exfiltration | T1048 |
| Get-Content | Read file contents. Equivalent to cat on Linux. Used to read sensitive files,... | PowerShell | `*?[d-f]` | discovery | T1005 |
| Import-Module | Load PowerShell modules from disk, UNC paths, or the module store. Used to lo... | PowerShell | `*?[l-n]` | execution | T1059.001 |
| Invoke-Command | Run commands on local or remote computers. Enables lateral movement via Power... | PowerShell | `*[d-f]?` | lateral-movement | T1021.006 |
| Invoke-Expression | Execute arbitrary strings as PowerShell commands. The most direct code execut... | PowerShell | `*?[d-f]-match` | execution | T1059.001 |
| Invoke-RestMethod | Send HTTP/HTTPS requests and receive structured responses. Used for C2 commun... | PowerShell | `*[d-f]?-match` | download | T1105 |
| Invoke-WebRequest | Download files or interact with web services. PowerShell's built-in HTTP clie... | PowerShell | `*?[d-f]-match` | download | T1105 |
| New-Object | Creates .NET or COM objects. Used to instantiate WebClient for downloads, cre... | PowerShell | `*?[d-f]-clike` | download | T1105 |
| Out-File | Send pipeline output to a file. Alternative to Set-Content with pipeline supp... | PowerShell | `*?[t-v]` | execution | T1059.001 |
| Remove-Item | Delete files, directories, registry keys, or other PowerShell provider items.... | PowerShell | `*?[d-f]-match` | execution | T1070.004 |
| Set-Content | Write content to a file. Used to drop payloads, modify system files, or write... | PowerShell | `*?[d-f]` | execution | T1059.001 |
| Start-Process | Start one or more processes. Can launch executables with specific arguments, ... | PowerShell | `*?[s-u]-match` | execution | T1059.001 |
| Test-Connection | Send ICMP echo requests (ping). Used for host discovery and network reconnais... | PowerShell | `*?[d-f]` | reconnaissance | T1018 |
| awk | Text processing utility. Can be used to extract credential data, process file... | Linux | `?*[]` | execution | T1059 |
| base64 | Encode or decode base64 data. Widely used to obfuscate payloads, bypass conte... | Linux | `*?[]` | encode-decode | T1140 |
| bash | GNU Bourne Again Shell. Executing bash with -i or -c allows spawning interact... | Linux | `?*[]{}+()` | execution | T1059.004 |
| bitsadmin | Background Intelligent Transfer Service admin tool. Can download or upload fi... | Windows CMD | `*?` | download | T1197 |
| cat | Concatenate and display file contents. Used for reading sensitive files like ... | Linux | `?*[]` | discovery | T1083 |
| certutil | Certificate management utility. Widely abused for base64 encoding/decoding an... | Windows CMD | `*?` | download | T1105 |
| chmod | Change file permissions. Used post-exploitation to make dropped payloads exec... | Linux | `?*[]` | execution | T1222.002 |
| chown | Change file owner and group. Used to reassign ownership of files, directories... | Linux | `?*[]` | persistence | T1222.002 |
| cmd | Windows Command Processor. Spawning cmd.exe is a common technique for executi... | Windows CMD | `?*` | execution | T1059.003 |
| cscript | Windows Script Host console runner for JScript and VBScript. Executes script ... | Windows CMD | `?*` | execution | T1059.005 |
| curl | Transfer data to or from a server. Commonly used for downloading payloads, ex... | Linux | `?*[]{}` | download | T1105 |
| curl | Transfer data from servers. macOS ships with curl by default. Used for C2, pa... | macOS | `?*[]` | download | T1105 |
| dd | Convert and copy files or block devices. Used for disk imaging, raw data exfi... | Linux | `?` | exfiltration | T1005 |
| esentutl | Extensible Storage Engine utility. Can copy locked or in-use files (e.g., NTD... | Windows CMD | `*?` | download | T1105 |
| expand | Expands compressed CAB archive files. Can extract payloads from CAB container... | Windows CMD | `?*` | execution | T1140 |
| extrac32 | CAB extraction utility bundled with Internet Explorer. Less monitored than ex... | Windows CMD | `*?` | execution | T1218 |
| find | Search for files in directory hierarchy. Pivotal for discovery — finding SUID... | Linux | `?*[]` | discovery | T1083 |
| finger | Legacy user info protocol client. Can retrieve arbitrary text from an attacke... | Windows CMD | `*?` | download | T1105 |
| forfiles | Execute a command for each file matching a wildcard mask. The /m flag accepts... | Windows CMD | `*?` | execution | T1059.003 |
| gdb | GNU debugger. Can execute arbitrary shell commands via the 'shell' command, c... | Linux | `?[]` | execution | T1059 |
| id | Print user and group information. Confirms current user UID, GID, and group m... | Linux | `[]?*` | discovery | T1033 |
| mshta | Microsoft HTML Application host. Executes HTA files or inline VBScript/JScrip... | Windows CMD | `*?` | execution | T1218.005 |
| nc | Netcat — the TCP/IP Swiss army knife. Used for port scanning, reverse shells,... | Linux | `?[]*` | execution | T1059.004 |
| nmap | Network mapper and port scanner. Used for network reconnaissance, host discov... | Linux | `?*[]` | reconnaissance | T1046 |
| node | Node.js JavaScript runtime. Can execute arbitrary JavaScript, spawn reverse s... | Linux | `?*[]` | execution | T1059 |
| open | Open files, URLs, or applications. Can launch applications, execute scripts v... | macOS | `?*[]` | execution | T1218 |
| openssl | Cryptography toolkit and TLS client. Can encrypt/decrypt data, create reverse... | Linux | `*?` | encode-decode | T1573 |
| osascript | Execute AppleScript or JavaScript for Automation (JXA). Can control applicati... | macOS | `*?[]` | execution | T1059.002 |
| perl | Perl interpreter. Supports arbitrary code execution, file I/O, network operat... | Linux | `?*[]` | execution | T1059 |
| php | PHP CLI interpreter. Can execute arbitrary PHP code, spawn reverse shells, re... | Linux | `?[]` | execution | T1059 |
| pip | Python package installer. Installing packages with malicious setup.py execute... | Linux | `?[]` | execution | T1059.006 |
| powershell.exe | PowerShell executable launched from CMD. Bypasses CMD-level restrictions by d... | Windows CMD | `*?` | execution | T1059.001 |
| python3 | Python 3 interpreter. Enables arbitrary code execution, file operations, netw... | Linux | `?*[]` | execution | T1059.006 |
| python3 | Python 3 interpreter on macOS. Available via Xcode CLI tools or Homebrew. Ena... | macOS | `?*[]` | execution | T1059.006 |
| regsvr32 | Registers and unregisters OLE controls. Can execute remote scriptlets (scrobj... | Windows CMD | `?*` | execution | T1218.010 |
| replace | Replaces (copies) files from a source to a destination directory. Can be used... | Windows CMD | `*?` | execution | T1105 |
| rsync | Fast, versatile file copying tool. Supports remote file sync over SSH — usefu... | Linux | `?*[]` | exfiltration | T1048 |
| ruby | Ruby interpreter. Can be used for arbitrary code execution, reverse shells, a... | Linux | `?*[]` | execution | T1059 |
| rundll32 | Loads and runs DLLs. Used to execute malicious DLL exports directly, bypassin... | Windows CMD | `?*` | execution | T1218.011 |
| scp | Secure Copy Protocol. Used for file transfer between hosts over SSH — exfiltr... | Linux | `?*[]` | exfiltration | T1048.002 |
| screen | Terminal multiplexer. Can create persistent sessions that survive logout, run... | Linux | `?*[]` | execution | T1059.004 |
| sed | Stream editor for filtering and transforming text. Can read arbitrary files, ... | Linux | `?*[]` | execution | T1059 |
| socat | Multipurpose relay tool. More powerful than netcat — supports SSL, UDP, and c... | Linux | `?*[]` | execution | T1059 |
| ssh | Secure Shell client. Used for lateral movement, remote command execution, tun... | Linux | `?*[]` | lateral-movement | T1021.004 |
| strace | System call tracer. Can monitor running processes, extract secrets from memor... | Linux | `*?[]` | discovery | T1057 |
| tar | Archive utility. Used to compress and exfiltrate data, or extract attacker-co... | Linux | `?*[]` | exfiltration | T1560.001 |
| vim | Vi Improved text editor. Can execute shell commands via :!cmd, spawn interact... | Linux | `?[]` | execution | T1059 |
| wget | Non-interactive network downloader. Used to fetch files from HTTP/FTP servers... | Linux | `?*[]{}` | download | T1105 |
| whoami | Prints the current user's username. Useful for confirming privilege level aft... | Linux | `?*[]{}@()` | discovery | T1033 |
| wmic | WMI command-line interface. Used for system information gathering, remote exe... | Windows CMD | `?*` | execution | T1047 |
| wscript | Windows Script Host GUI runner for JScript and VBScript. Executes scripts wit... | Windows CMD | `?*` | execution | T1059.005 |
| xxd | Hex dump and reverse hex dump utility. Can convert binaries to hex and recons... | Linux | `?[]*` | encode-decode | T1140 |