Windows

winrm.vbswinrm.vbs

Platform
Windows
Abuse functions
3
Mapped techniques
2

Description

winrm.vbs is a Windows living-off-the-land binary catalogued by the LOLBAS Project. Documented abuse functions: Execute, AWL Bypass. Mapped ATT&CK techniques (per LOLBAS / GTFOBins → MITRE crosswalk): T1218. Defenders should monitor execution of winrm.vbs under non-administrative or sudo contexts and alert when its arguments match the abuse-function signatures.

Abuse functions· 3

ExecuteT1216

Proxy execution

ExecuteT1216

Proxy execution

AWL BypassT1220

Execute arbitrary, unsigned code via XSL script

MITRE ATT&CK techniques· 2

T1216T1220

Uses2

TypeTargetConfidenceTier
TechniqueSystem Script Proxy Executiont1216100%live
TechniqueXSL Script Processingt1220100%live

Abuses1

TypeTargetConfidenceTier
TechniqueSystem Binary Proxy Executiont121885%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

LOLbin
winfile.exe
LOLbin
Wlrmdr.exe
LOLbin
Regsvr32.exe
LOLbin
wbadmin.exe
LOLbin
Regasm.exe
LOLbin
Pubprn.vbs
Sourced from LOLBAS Project. Curated by Adam Lundqvist, SQUR.