LOLBAS/yml/OSLibraries/Setupapi.yml

---
Name: Setupapi.dll
Description: Windows Setup Application Programming Interface
Author: LOLBAS Team
Created: 2018-05-25
Commands:
  - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf
    Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
    Usecase: Run local or remote script(let) code through INF file specification.
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Input: INF
  - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf
    Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
    Usecase: Load an executable payload.
    Category: Execute
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows
    Tags:
      - Input: INF
Full_Path:
  - Path: c:\windows\system32\setupapi.dll
  - Path: c:\windows\syswow64\setupapi.dll
Code_Sample:
  - Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
  - Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
  - Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct
  - Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
  - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml
Resources:
  - Link: https://github.com/huntresslabs/evading-autoruns
  - Link: https://twitter.com/pabraeken/status/994742106852941825
  - Link: https://windows10dll.nirsoft.net/setupapi_dll.html
Acknowledgement:
  - Person: Kyle Hanslovan (COM Scriptlet)
    Handle: '@KyleHanslovan'
  - Person: Huntress Labs (COM Scriptlet)
    Handle: '@HuntressLabs'
  - Person: Casey Smith (COM Scriptlet)
    Handle: '@subTee'
  - Person: Nick Carr (Threat Intel)
    Handle: '@ItsReallyNick'
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`---`
			`Name: Setupapi.dll`
			`Description: Windows Setup Application Programming Interface`
Adding missing authors 2022-09-11 05:37:10 +02:00			`Author: LOLBAS Team`
Minor formatting changes (redudant backslashes, incorrect dates, typos, etc.) 2021-12-14 15:57:32 +01:00			`Created: 2018-05-25`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`Commands:`
			`- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf`
			`Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).`
Correcting case in Usecase key names. 2022-09-11 05:45:28 +02:00			`Usecase: Run local or remote script(let) code through INF file specification.`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`Category: AWL Bypass`
			`Privileges: User`
MITRE ATT&CK realignment sprint 2021-11-05 19:58:26 +01:00			`MitreID: T1218.011`
Adding more missed-out entries 2021-12-15 12:46:04 +01:00			`OperatingSystem: Windows 10, Windows 11`
Adding tags (closes #9, #318) (#362) * Adding various tags as a first iteration * Adding quotes * Adding 'Custom Format' properly * Updating to key:value pairs * Update template 2024-04-03 17:53:36 +02:00			`Tags:`
			`- Input: INF`
Minor formatting changes (redudant backslashes, incorrect dates, typos, etc.) 2021-12-14 15:57:32 +01:00			`- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.`
Correcting case in Usecase key names. 2022-09-11 05:45:28 +02:00			`Usecase: Load an executable payload.`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`Category: Execute`
			`Privileges: User`
MITRE ATT&CK realignment sprint 2021-11-05 19:58:26 +01:00			`MitreID: T1218.011`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`OperatingSystem: Windows`
Adding tags (closes #9, #318) (#362) * Adding various tags as a first iteration * Adding quotes * Adding 'Custom Format' properly * Updating to key:value pairs * Update template 2024-04-03 17:53:36 +02:00			`Tags:`
			`- Input: INF`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`Full_Path:`
			`- Path: c:\windows\system32\setupapi.dll`
			`- Path: c:\windows\syswow64\setupapi.dll`
			`Code_Sample:`
			`- Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf`
			`- Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct`
			`- Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct`
			`- Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf`
			`Detection:`
$frack113$ Update old sigma link (#303) * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> --------- Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> 2023-10-18 17:30:34 +02:00			`- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml`
			`- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml`
Detection Resources and Other Updates (#179) * Add detection links for scripts * Add detection links for OtherMSBins. Fixed and updated as needed. * Add detection links for MSBins. Fixed and updated as needed. * Add detection links for oslibraries * Updating template for Detections * Removing empty Detection:Sigma entries * Remove redundant blank line * Replacing commit URL with file URL Co-authored-by: root <root@DESKTOP-5CR935D.localdomain> Co-authored-by: Wietze <wietze@users.noreply.github.com> 2021-11-15 14:19:03 +01:00			`- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`Resources:`
			`- Link: https://github.com/huntresslabs/evading-autoruns`
			`- Link: https://twitter.com/pabraeken/status/994742106852941825`
			`- Link: https://windows10dll.nirsoft.net/setupapi_dll.html`
			`Acknowledgement:`
			`- Person: Kyle Hanslovan (COM Scriptlet)`
			`Handle: '@KyleHanslovan'`
Merge branch 'master' into feat/yamllinting 2021-10-22 15:20:35 +02:00			`- Person: Huntress Labs (COM Scriptlet)`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`Handle: '@HuntressLabs'`
			`- Person: Casey Smith (COM Scriptlet)`
			`Handle: '@subTee'`
			`- Person: Nick Carr (Threat Intel)`
			`Handle: '@ItsReallyNick'`