LOLBAS/yml/OSLibraries/Ieadvpack.yml

---
Name: Ieadvpack.dll
Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.
Author: LOLBAS Team
Created: 2018-05-25
Commands:
  - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
    Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
    Usecase: Run local or remote script(let) code through INF file specification.
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
  - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,
    Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
    Usecase: Run local or remote script(let) code through INF file specification.
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
  - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
    Description: Launch a DLL payload by calling the RegisterOCX function.
    Usecase: Load a DLL payload.
    Category: Execute
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
  - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
    Description: Launch an executable by calling the RegisterOCX function.
    Usecase: Run an executable payload.
    Category: Execute
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
  - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
    Description: Launch command line by calling the RegisterOCX function.
    Usecase: Run an executable payload.
    Category: Execute
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
Full_Path:
  - Path: c:\windows\system32\ieadvpack.dll
  - Path: c:\windows\syswow64\ieadvpack.dll
Code_Sample:
  - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf
  - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
  - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
Resources:
  - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
  - Link: https://twitter.com/pabraeken/status/991695411902599168
  - Link: https://twitter.com/0rbz_/status/974472392012689408
Acknowledgement:
  - Person: Jimmy (LaunchINFSection)
    Handle: '@bohops'
  - Person: Fabrizio (RegisterOCX - DLL)
    Handle: '@0rbz_'
  - Person: Pierre-Alexandre Braeken (RegisterOCX - CMD)
    Handle: '@pabraeken'
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`---`
			`Name: Ieadvpack.dll`
			`Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.`
Adding missing authors 2022-09-11 05:37:10 +02:00			`Author: LOLBAS Team`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`Created: 2018-05-25`
			`Commands:`
			`- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,`
			`Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).`
Fix Usecase field 2021-01-10 16:54:00 +01:00			`Usecase: Run local or remote script(let) code through INF file specification.`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`Category: AWL Bypass`
			`Privileges: User`
MITRE ATT&CK realignment sprint 2021-11-05 19:58:26 +01:00			`MitreID: T1218.011`
Fixing various issues identified 2021-12-14 17:50:22 +01:00			`OperatingSystem: Windows 10, Windows 11`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,`
			`Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).`
Fix Usecase field 2021-01-10 16:54:00 +01:00			`Usecase: Run local or remote script(let) code through INF file specification.`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`Category: AWL Bypass`
Addressing @bohops's feedback 2022-05-05 12:12:22 +02:00			`Privileges: User`
MITRE ATT&CK realignment sprint 2021-11-05 19:58:26 +01:00			`MitreID: T1218.011`
Fixing various issues identified 2021-12-14 17:50:22 +01:00			`OperatingSystem: Windows 10, Windows 11`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`- Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll`
			`Description: Launch a DLL payload by calling the RegisterOCX function.`
Fix Usecase field 2021-01-10 16:54:00 +01:00			`Usecase: Load a DLL payload.`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`Category: Execute`
			`Privileges: User`
MITRE ATT&CK realignment sprint 2021-11-05 19:58:26 +01:00			`MitreID: T1218.011`
Fixing various issues identified 2021-12-14 17:50:22 +01:00			`OperatingSystem: Windows 10, Windows 11`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe`
			`Description: Launch an executable by calling the RegisterOCX function.`
Fix Usecase field 2021-01-10 16:54:00 +01:00			`Usecase: Run an executable payload.`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`Category: Execute`
			`Privileges: User`
MITRE ATT&CK realignment sprint 2021-11-05 19:58:26 +01:00			`MitreID: T1218.011`
Fixing various issues identified 2021-12-14 17:50:22 +01:00			`OperatingSystem: Windows 10, Windows 11`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`- Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"`
			`Description: Launch command line by calling the RegisterOCX function.`
Fix Usecase field 2021-01-10 16:54:00 +01:00			`Usecase: Run an executable payload.`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`Category: Execute`
			`Privileges: User`
MITRE ATT&CK realignment sprint 2021-11-05 19:58:26 +01:00			`MitreID: T1218.011`
Fixing various issues identified 2021-12-14 17:50:22 +01:00			`OperatingSystem: Windows 10, Windows 11`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`Full_Path:`
			`- Path: c:\windows\system32\ieadvpack.dll`
			`- Path: c:\windows\syswow64\ieadvpack.dll`
			`Code_Sample:`
			`- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf`
			`- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct`
			`Detection:`
Detection Resources and Other Updates (#179) * Add detection links for scripts * Add detection links for OtherMSBins. Fixed and updated as needed. * Add detection links for MSBins. Fixed and updated as needed. * Add detection links for oslibraries * Updating template for Detections * Removing empty Detection:Sigma entries * Remove redundant blank line * Replacing commit URL with file URL Co-authored-by: root <root@DESKTOP-5CR935D.localdomain> Co-authored-by: Wietze <wietze@users.noreply.github.com> 2021-11-15 14:19:03 +01:00			`- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml`
			`- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml`
Fixed incorrect MItreLink 2021-01-10 16:26:27 +01:00			`Resources:`
			`- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/`
			`- Link: https://twitter.com/pabraeken/status/991695411902599168`
			`- Link: https://twitter.com/0rbz_/status/974472392012689408`
			`Acknowledgement:`
			`- Person: Jimmy (LaunchINFSection)`
			`Handle: '@bohops'`
			`- Person: Fabrizio (RegisterOCX - DLL)`
			`Handle: '@0rbz_'`
			`- Person: Pierre-Alexandre Braeken (RegisterOCX - CMD)`
			`Handle: '@pabraeken'`