LOLGlobs

Process execution through wildcard pattern evasion

A catalog of glob-based command obfuscation for Linux · macOS · Windows CMD · PowerShell


| Command | Platform | Patterns | Category | MITRE |
|---|---|---|---|---|
| Copy-Item | PowerShell | 9 | exfiltration | T1048 |
| Get-Content | PowerShell | 8 | discovery | T1005 |
| Invoke-Command | PowerShell | 7 | lateral-movement | T1021.006 |
| Invoke-Expression | PowerShell | 9 | execution | T1059.001 |
| Invoke-RestMethod | PowerShell | 9 | download | T1105 |
| Invoke-WebRequest | PowerShell | 10 | download | T1105 |
| New-Object | PowerShell | 10 | download | T1105 |
| Set-Content | PowerShell | 6 | execution | T1059.001 |
| Start-Process | PowerShell | 9 | execution | T1059.001 |
| Test-Connection | PowerShell | 5 | reconnaissance | T1018 |
| awk | Linux | 7 | execution | T1059 |
| bash | Linux | 10 | execution | T1059.004 |
| bitsadmin | Windows CMD | 4 | download | T1197 |
| cat | Linux | 8 | discovery | T1083 |
| certutil | Windows CMD | 5 | download | T1105 |
| chmod | Linux | 8 | execution | T1222.002 |
| chown | Linux | 7 | persistence | T1222.002 |
| cmd | Windows CMD | 5 | execution | T1059.003 |
| curl | Linux | 10 | download | T1105 |
| curl | macOS | 7 | download | T1105 |
| find | Linux | 8 | discovery | T1083 |
| id | Linux | 6 | discovery | T1033 |
| mshta | Windows CMD | 4 | execution | T1218.005 |
| nc | Linux | 8 | execution | T1059.004 |
| nmap | Linux | 7 | reconnaissance | T1046 |
| open | macOS | 7 | execution | T1218 |
| osascript | macOS | 8 | execution | T1059.002 |
| perl | Linux | 7 | execution | T1059 |
| powershell.exe | Windows CMD | 4 | execution | T1059.001 |
| python3 | Linux | 10 | execution | T1059.006 |
| python3 | macOS | 8 | execution | T1059.006 |
| regsvr32 | Windows CMD | 4 | execution | T1218.010 |
| rsync | Linux | 7 | exfiltration | T1048 |
| ruby | Linux | 7 | execution | T1059 |
| rundll32 | Windows CMD | 4 | execution | T1218.011 |
| scp | Linux | 6 | exfiltration | T1048.002 |
| sed | Linux | 6 | execution | T1059 |
| socat | Linux | 8 | execution | T1059 |
| ssh | Linux | 7 | lateral-movement | T1021.004 |
| tar | Linux | 7 | exfiltration | T1560.001 |
| wget | Linux | 10 | download | T1105 |
| whoami | Linux | 10 | discovery | T1033 |
| wmic | Windows CMD | 4 | execution | T1047 |