LOLBAS/yml/OSLibraries/Ieframe.yml

31 lines
1.4 KiB
YAML
Raw Normal View History

2021-01-10 16:26:27 +01:00
---
2022-05-15 22:06:33 +02:00
Name: Ieframe.dll
2021-01-10 16:26:27 +01:00
Description: Internet Browser DLL for translating HTML code.
2022-09-11 05:37:10 +02:00
Author: LOLBAS Team
Created: 2018-05-25
2021-01-10 16:26:27 +01:00
Commands:
- Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
2022-09-11 05:45:28 +02:00
Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
2021-01-10 16:26:27 +01:00
Category: Execute
Privileges: User
2021-11-05 19:58:26 +01:00
MitreID: T1218.011
2021-12-15 12:46:04 +01:00
OperatingSystem: Windows 10, Windows 11
2021-01-10 16:26:27 +01:00
Full_Path:
- Path: c:\windows\system32\ieframe.dll
- Path: c:\windows\syswow64\ieframe.dll
Code_Sample:
- Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
2021-01-10 16:26:27 +01:00
Resources:
- Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
- Link: https://twitter.com/bohops/status/997690405092290561
- Link: https://windows10dll.nirsoft.net/ieframe_dll.html
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
- Person: Adam
Handle: '@hexacorn'