2018-09-24 04:23:04 +02:00
---
Name : Advpack.dll
Description : Utility for installing software and drivers with rundll32.exe
2018-09-26 11:41:58 +02:00
Author :
2018-09-24 04:23:04 +02:00
Created : '2018-05-25'
Commands :
- Command : rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
Description : Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
2018-09-24 19:42:17 +02:00
UseCase : Run local or remote script(let) code through INF file specification.
2018-09-24 04:23:04 +02:00
Category : AWL Bypass
Privileges : User
MitreID : T1085
MItreLink : https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem : Windows
- Command : rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,
Description : Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
2018-09-24 19:42:17 +02:00
UseCase : Run local or remote script(let) code through INF file specification.
2018-09-24 04:23:04 +02:00
Category : AWL Bypass
Privileges : User
MitreID : T1085
MItreLink : https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem : Windows
- Command : rundll32.exe advpack.dll,RegisterOCX test.dll
Description : Launch a DLL payload by calling the RegisterOCX function.
2018-09-24 19:42:17 +02:00
UseCase : Load a DLL payload.
2018-09-26 16:33:52 +02:00
Category : Execute
2018-09-24 04:23:04 +02:00
Privileges : User
MitreID : T1085
MItreLink : https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem : Windows
- Command : rundll32.exe advpack.dll,RegisterOCX calc.exe
Description : Launch an executable by calling the RegisterOCX function.
2018-09-24 19:42:17 +02:00
UseCase : Run an executable payload.
2018-09-26 16:33:52 +02:00
Category : Execute
2018-09-24 04:23:04 +02:00
Privileges : User
MitreID : T1085
MItreLink : https://attack.mitre.org/wiki/Technique/T1085
- Command : rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Description : Launch command line by calling the RegisterOCX function.
2018-09-24 19:42:17 +02:00
UseCase : Run an executable payload.
2018-09-26 16:33:52 +02:00
Category : Execute
2018-09-24 04:23:04 +02:00
Privileges : User
MitreID : T1085
MItreLink : https://attack.mitre.org/wiki/Technique/T1085
Full Path :
2018-09-24 19:42:17 +02:00
- Path : c:\windows\system32\advpack.dll
- Path : c:\windows\syswow64\advpack.dll
2018-09-24 04:23:04 +02:00
Code Sample :
2018-09-24 04:29:44 +02:00
- Code : https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
- Code : https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
2018-09-24 19:42:17 +02:00
Detection :
2018-09-24 23:18:00 +02:00
- IOC :
2018-09-24 04:23:04 +02:00
Resources :
2018-09-24 04:29:44 +02:00
- Link : https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
- Link : https://twitter.com/ItsReallyNick/status/967859147977850880
- Link : https://twitter.com/bohops/status/974497123101179904
- Link : https://twitter.com/moriarty_meng/status/977848311603380224
2018-09-26 16:33:52 +02:00
Acknowledegment :
2018-09-24 04:23:04 +02:00
- Person : Jimmy (LaunchINFSection)
Handle : '@bohops'
- Person : Fabrizio (RegisterOCX - DLL)
Handle : '@0rbz_'
- Person : Moriarty (RegisterOCX - CMD)
Handle : '@moriarty_meng'
- Person : Nick Carr (Threat Intel)
2018-09-24 23:18:00 +02:00
Handle : '@ItsReallyNick'
---