LOLGlobs
Process execution through wildcard pattern evasion
A catalog of glob-based command obfuscation for Linux · macOS · Windows CMD · PowerShell
@linux @macos @powershell @windows-cmd — filter by platform
·
/discovery /download /execution — filter by category
·
T1059 — search by MITRE ID
| Command | Platform | Patterns | Category | MITRE |
|---|---|---|---|---|
| Add-Type | PowerShell | 5 | execution | T1059.001 |
| Copy-Item | PowerShell | 9 | exfiltration | T1048 |
| Get-Content | PowerShell | 8 | discovery | T1005 |
| Import-Module | PowerShell | 5 | execution | T1059.001 |
| Invoke-Command | PowerShell | 7 | lateral-movement | T1021.006 |
| Invoke-Expression | PowerShell | 11 | execution | T1059.001 |
| Invoke-RestMethod | PowerShell | 9 | download | T1105 |
| Invoke-WebRequest | PowerShell | 10 | download | T1105 |
| New-Object | PowerShell | 10 | download | T1105 |
| Out-File | PowerShell | 5 | execution | T1059.001 |
| Remove-Item | PowerShell | 8 | execution | T1070.004 |
| Set-Content | PowerShell | 6 | execution | T1059.001 |
| Start-Process | PowerShell | 10 | execution | T1059.001 |
| Test-Connection | PowerShell | 5 | reconnaissance | T1018 |
| awk | Linux | 7 | execution | T1059 |
| base64 | Linux | 8 | encode-decode | T1140 |
| bash | Linux | 14 | execution | T1059.004 |
| bitsadmin | Windows CMD | 6 | download | T1197 |
| cat | Linux | 8 | discovery | T1083 |
| certutil | Windows CMD | 7 | download | T1105 |
| chmod | Linux | 8 | execution | T1222.002 |
| chown | Linux | 7 | persistence | T1222.002 |
| cmd | Windows CMD | 8 | execution | T1059.003 |
| cscript | Windows CMD | 6 | execution | T1059.005 |
| curl | Linux | 13 | download | T1105 |
| curl | macOS | 7 | download | T1105 |
| dd | Linux | 5 | exfiltration | T1005 |
| esentutl | Windows CMD | 5 | download | T1105 |
| expand | Windows CMD | 5 | execution | T1140 |
| extrac32 | Windows CMD | 6 | execution | T1218 |
| find | Linux | 8 | discovery | T1083 |
| finger | Windows CMD | 6 | download | T1105 |
| forfiles | Windows CMD | 5 | execution | T1059.003 |
| gdb | Linux | 6 | execution | T1059 |
| id | Linux | 6 | discovery | T1033 |
| mshta | Windows CMD | 4 | execution | T1218.005 |
| nc | Linux | 8 | execution | T1059.004 |
| nmap | Linux | 7 | reconnaissance | T1046 |
| node | Linux | 7 | execution | T1059 |
| open | macOS | 7 | execution | T1218 |
| openssl | Linux | 8 | encode-decode | T1573 |
| osascript | macOS | 8 | execution | T1059.002 |
| perl | Linux | 7 | execution | T1059 |
| php | Linux | 7 | execution | T1059 |
| pip | Linux | 7 | execution | T1059.006 |
| powershell.exe | Windows CMD | 6 | execution | T1059.001 |
| python3 | Linux | 10 | execution | T1059.006 |
| python3 | macOS | 8 | execution | T1059.006 |
| regsvr32 | Windows CMD | 4 | execution | T1218.010 |
| replace | Windows CMD | 6 | execution | T1105 |
| rsync | Linux | 7 | exfiltration | T1048 |
| ruby | Linux | 7 | execution | T1059 |
| rundll32 | Windows CMD | 4 | execution | T1218.011 |
| scp | Linux | 6 | exfiltration | T1048.002 |
| screen | Linux | 8 | execution | T1059.004 |
| sed | Linux | 6 | execution | T1059 |
| socat | Linux | 8 | execution | T1059 |
| ssh | Linux | 7 | lateral-movement | T1021.004 |
| strace | Linux | 8 | discovery | T1057 |
| tar | Linux | 7 | exfiltration | T1560.001 |
| vim | Linux | 7 | execution | T1059 |
| wget | Linux | 13 | download | T1105 |
| whoami | Linux | 15 | discovery | T1033 |
| wmic | Windows CMD | 4 | execution | T1047 |
| wscript | Windows CMD | 6 | execution | T1059.005 |
| xxd | Linux | 7 | encode-decode | T1140 |