LOLBAS/yml/OSLibraries/Ieadvpack.yml

65 lines
3.0 KiB
YAML
Raw Normal View History

2018-09-24 04:23:04 +02:00
---
Name: Ieadvpack.dll
Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.
Author:
2018-09-24 04:23:04 +02:00
Created: '2018-05-25'
Commands:
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
2018-09-24 19:49:04 +02:00
UseCase: Run local or remote script(let) code through INF file specification.
2018-09-24 04:23:04 +02:00
Category: AWL Bypass
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
2018-09-24 19:49:04 +02:00
UseCase: Run local or remote script(let) code through INF file specification.
2018-09-24 04:23:04 +02:00
Category: AWL Bypass
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
- Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
Description: Launch a DLL payload by calling the RegisterOCX function.
2018-09-24 19:49:04 +02:00
UseCase: Load a DLL payload.
2018-09-26 16:33:52 +02:00
Category: Execute
2018-09-24 04:23:04 +02:00
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
Description: Launch an executable by calling the RegisterOCX function.
2018-09-24 19:49:04 +02:00
UseCase: Run an executable payload.
2018-09-26 16:33:52 +02:00
Category: Execute
2018-09-24 04:23:04 +02:00
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Description: Launch command line by calling the RegisterOCX function.
2018-09-24 19:49:04 +02:00
UseCase: Run an executable payload.
2018-09-26 16:33:52 +02:00
Category: Execute
2018-09-24 04:23:04 +02:00
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
Full Path:
2018-09-24 19:49:04 +02:00
- Path: c:\windows\system32\ieadvpack.dll
- Path: c:\windows\syswow64\ieadvpack.dll
2018-09-24 04:23:04 +02:00
Code Sample:
2018-09-24 19:49:04 +02:00
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct
Detection:
- IOC:
2018-09-24 04:23:04 +02:00
Resources:
2018-09-24 19:49:04 +02:00
- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
- Link: https://twitter.com/pabraeken/status/991695411902599168
- Link: https://twitter.com/0rbz_/status/974472392012689408
2018-09-26 16:33:52 +02:00
Acknowledgement:
2018-09-24 04:23:04 +02:00
- Person: Jimmy (LaunchINFSection)
Handle: '@bohops'
- Person: Fabrizio (RegisterOCX - DLL)
Handle: '@0rbz_'
- Person: Pierre-Alexandre Braeken (RegisterOCX - CMD)
2018-09-24 19:49:04 +02:00
Handle: '@pabraeken'
2018-09-24 19:51:19 +02:00
---