LOLBAS/yml/OSLibraries/Shdocvw.yml

33 lines
1.3 KiB
YAML
Raw Normal View History

2018-09-24 04:23:04 +02:00
---
Name: Shdocvw.dll
Description: Shell Doc Object and Control Library.
Author:
2018-09-24 04:23:04 +02:00
Created: '2018-05-25'
Commands:
- Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
2018-09-24 20:08:10 +02:00
UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
Category: Execute
2018-09-24 04:23:04 +02:00
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
Full Path:
2018-09-24 20:08:10 +02:00
- Path: c:\windows\system32\shdocvw.dll
- Path: c:\windows\syswow64\shdocvw.dll
2018-09-24 04:23:04 +02:00
Code Sample:
2018-09-24 20:08:10 +02:00
- Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
Detection:
- IOC:
2018-09-24 04:23:04 +02:00
Resources:
2018-09-24 20:08:10 +02:00
- Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
- Link: https://twitter.com/bohops/status/997690405092290561
- Link: https://windows10dll.nirsoft.net/shdocvw_dll.html
2018-09-26 16:33:52 +02:00
Acknowledgement:
2018-09-24 04:23:04 +02:00
- Person: Adam
Handle: '@hexacorn'
- Person: Jimmy
Handle: '@bohops'
2018-09-24 20:31:32 +02:00
---