adplus.exe

Functions:
Dump
Execute (CMD, EXE)

Debugging tool included with the Windows Debugging Tools.

Paths:

Resources:

Acknowledgements:

Detections:

Dump

  1. Creates a memory dump of the lsass process

    adplus.exe -hang -pn lsass.exe -o C:\Windows\Temp\folder -quiet

    Use case: Create memory dump and parse it offline
    Privileges required: SYSTEM
    Operating systems: All Windows
    ATT&CK® technique: T1003.001: LSASS Memory

  2. Dump process memory using adplus config file (see Resources section for a sample file).

    adplus.exe -c file.xml

    Use case: Run commands under a trusted Microsoft signed binary
    Privileges required: SYSTEM
    Operating systems: All Windows
    ATT&CK® technique: T1003.001: LSASS Memory

Execute

  1. Execute arbitrary commands using adplus config file (see Resources section for a sample file).

    adplus.exe -c file.xml

    Use case: Run commands under a trusted Microsoft signed binary
    Privileges required: User
    Operating systems: All Windows
    ATT&CK® technique: T1127: Trusted Developer Utilities Proxy Execution
    Tags: Execute: CMD

  2. Execute arbitrary commands and binaries from the context of adplus. Note that providing an output directory via '-o' is required.

    adplus.exe -crash -o "C:\Windows\Temp\folder" -sc file.exe

    Use case: Run commands under a trusted Microsoft signed binary
    Privileges required: User
    Operating systems: All Windows
    ATT&CK® technique: T1127: Trusted Developer Utilities Proxy Execution
    Tags: Execute: CMD; Execute: EXE
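The Dump and Execute entries above share three command-line shapes a defender can key on in process-creation telemetry: a `-pn lsass.exe` target, a `-c <config>` file, and a `-sc <binary>` spawn. The following is an added detection example, not code from the LOLBAS page or project. It assumes events shaped like a Sysmon Event ID 1 / Security 4688 record (an `Image` path and a `CommandLine`), uses a constructed `C:\Tools\adplus.exe` path as placeholder, and the sample events are constructed from the page's own commands. It also handles the `-p <pid>` form of adplus by resolving the pid through a caller-supplied pid-to-name map, which is an assumption about how the caller's telemetry exposes process names.

```python
"""Flag suspicious adplus.exe command lines in process-creation events.

Added example, not part of the LOLBAS page. Events are constructed dicts
in the shape of a Sysmon Event ID 1 / Security 4688 record.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def option_value(tokens: list[str], opt: str) -> str | None:
    """Return the argument following option `opt` (exact name, '-' or '/' prefix), else None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in "-/" and tok.lower().lstrip("-/") == opt:
            return tokens[i + 1]
    return None


def classify_adplus(event: dict, pid_names: dict[int, str] | None = None) -> list[str]:
    """Return a list of findings for one event; empty if the event is not of interest."""
    if PureWindowsPath(event.get("Image", "")).name.lower() != "adplus.exe":
        return []
    tokens = tokenize(event.get("CommandLine", ""))
    findings: list[str] = []

    # Target process: -pn <name> as on the page, or -p <pid> resolved via pid_names (assumption)
    target = option_value(tokens, "pn")
    if target is None and pid_names:
        pid = option_value(tokens, "p")
        if pid and pid.isdigit():
            target = pid_names.get(int(pid))
    if target and target.lower() in ("lsass.exe", "lsass"):
        findings.append("T1003.001: adplus dump of lsass")

    # Config-file execution (-c) and spawn-of-binary (-sc) from the Execute entries
    if option_value(tokens, "c"):
        findings.append("T1127: adplus config file (-c) execution")
    if option_value(tokens, "sc"):
        findings.append("T1127: adplus spawn (-sc) of arbitrary binary")
    return findings


# Constructed sample events (placeholder path; command lines taken from the page)
ADPLUS = r"C:\Tools\adplus.exe"
EVENTS = [
    {"Image": ADPLUS, "CommandLine": r"adplus.exe -hang -pn lsass.exe -o C:\Windows\Temp\folder -quiet"},
    {"Image": ADPLUS, "CommandLine": "adplus.exe -c file.xml"},
    {"Image": ADPLUS, "CommandLine": r'adplus.exe -crash -o "C:\Windows\Temp\folder" -sc file.exe'},
    {"Image": ADPLUS, "CommandLine": r"adplus.exe -crash -pn notepad.exe -o C:\dumps"},  # ordinary debugging
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]


def scan(events: list[dict], pid_names: dict[int, str] | None = None) -> list[tuple[str, list[str]]]:
    """Return (command line, findings) for every event that produced at least one finding."""
    hits = []
    for ev in events:
        findings = classify_adplus(ev, pid_names)
        if findings:
            hits.append((ev["CommandLine"], findings))
    return hits


if __name__ == "__main__":
    for cmd, why in scan(EVENTS):
        print(f"{cmd}\n    -> {', '.join(why)}")
```

adplus.exe is a legitimate component of the Debugging Tools, so its mere presence is noisy on developer and support hosts; the lsass target is the high-signal case, while `-c` and `-sc` should be baselined against where debugging is expected before alerting on them.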