2021-01-10 16:26:27 +01:00
---
Name : Ieadvpack.dll
Description : INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.
2022-09-11 05:37:10 +02:00
Author : LOLBAS Team
2021-01-10 16:26:27 +01:00
Created : 2018-05-25
Commands :
- Command : rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
Description : Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
2021-01-10 16:54:00 +01:00
Usecase : Run local or remote script(let) code through INF file specification.
2021-01-10 16:26:27 +01:00
Category : AWL Bypass
Privileges : User
2021-11-05 19:58:26 +01:00
MitreID : T1218.011
2021-01-10 16:26:27 +01:00
OperatingSystem : Windows
- Command : rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,
Description : Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
2021-01-10 16:54:00 +01:00
Usecase : Run local or remote script(let) code through INF file specification.
2021-01-10 16:26:27 +01:00
Category : AWL Bypass
Privileges : User
2021-11-05 19:58:26 +01:00
MitreID : T1218.011
2021-01-10 16:26:27 +01:00
OperatingSystem : Windows
- Command : rundll32.exe ieadvpack.dll,RegisterOCX test.dll
Description : Launch a DLL payload by calling the RegisterOCX function.
2021-01-10 16:54:00 +01:00
Usecase : Load a DLL payload.
2021-01-10 16:26:27 +01:00
Category : Execute
Privileges : User
2021-11-05 19:58:26 +01:00
MitreID : T1218.011
2021-01-10 16:26:27 +01:00
OperatingSystem : Windows
- Command : rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
Description : Launch an executable by calling the RegisterOCX function.
2021-01-10 16:54:00 +01:00
Usecase : Run an executable payload.
2021-01-10 16:26:27 +01:00
Category : Execute
Privileges : User
2021-11-05 19:58:26 +01:00
MitreID : T1218.011
2022-09-11 05:41:38 +02:00
OperatingSystem : Windows
2021-01-10 16:26:27 +01:00
- Command : rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Description : Launch command line by calling the RegisterOCX function.
2021-01-10 16:54:00 +01:00
Usecase : Run an executable payload.
2021-01-10 16:26:27 +01:00
Category : Execute
Privileges : User
2021-11-05 19:58:26 +01:00
MitreID : T1218.011
2022-09-11 05:41:38 +02:00
OperatingSystem : Windows
2021-01-10 16:26:27 +01:00
Full_Path :
- Path : c:\windows\system32\ieadvpack.dll
- Path : c:\windows\syswow64\ieadvpack.dll
Code_Sample :
- Code : https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf
- Code : https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct
Detection :
2021-11-15 14:19:03 +01:00
- Sigma : https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
- Splunk : https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
2021-01-10 16:26:27 +01:00
Resources :
- Link : https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
- Link : https://twitter.com/pabraeken/status/991695411902599168
- Link : https://twitter.com/0rbz_/status/974472392012689408
Acknowledgement :
- Person : Jimmy (LaunchINFSection)
Handle : '@bohops'
- Person : Fabrizio (RegisterOCX - DLL)
Handle : '@0rbz_'
- Person : Pierre-Alexandre Braeken (RegisterOCX - CMD)
Handle : '@pabraeken'