LOLBAS/yml/OSLibraries/Advpack.yml

---
Name: Advpack.dll
Description: Utility for installing software and drivers with rundll32.exe
Author: ''
Created: '2018-05-25'
Commands:
  - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
    Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
    UseCase: Run local or remote script(let) code through INF file specification.
    Category: AWL Bypass
    Privileges: User
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
    OperatingSystem: Windows
  - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,
    Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
    UseCase: Run local or remote script(let) code through INF file specification.
    Category: AWL Bypass
    Privileges: User
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
    OperatingSystem: Windows
  - Command: rundll32.exe advpack.dll,RegisterOCX test.dll
    Description: Launch a DLL payload by calling the RegisterOCX function.
    UseCase: Load a DLL payload.
    Category: Execution
    Privileges: User
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
    OperatingSystem: Windows
  - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
    Description: Launch an executable by calling the RegisterOCX function.
    UseCase: Run an executable payload.
    Category: Execution
    Privileges: User
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
  - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
    Description: Launch command line by calling the RegisterOCX function.
    UseCase: Run an executable payload.
    Category: Execution
    Privileges: User
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
Full Path:
  - Path: c:\windows\system32\advpack.dll
  - Path: c:\windows\syswow64\advpack.dll
Code Sample:
  - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
  - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
Detection:
  - IOC: ''
Resources:
  - Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
  - Link: https://twitter.com/ItsReallyNick/status/967859147977850880
  - Link: https://twitter.com/bohops/status/974497123101179904
  - Link: https://twitter.com/moriarty_meng/status/977848311603380224
Acknowledgment:
  - Person: Jimmy (LaunchINFSection)
    Handle: '@bohops'
  - Person: Fabrizio (RegisterOCX - DLL)
    Handle: '@0rbz_'
  - Person: Moriarty (RegisterOCX - CMD)
    Handle: '@moriarty_meng'
  - Person: Nick Carr (Threat Intel)
    Handle: @ItsReallyNick
---
Changed to latest template 2018-09-24 04:23:04 +02:00			`---`
			`Name: Advpack.dll`
			`Description: Utility for installing software and drivers with rundll32.exe`
			`Author: ''`
			`Created: '2018-05-25'`
			`Commands:`
			`- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,`
			`Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).`
Update Advpack.yml 2018-09-24 19:42:17 +02:00			`UseCase: Run local or remote script(let) code through INF file specification.`
Changed to latest template 2018-09-24 04:23:04 +02:00			`Category: AWL Bypass`
			`Privileges: User`
			`MitreID: T1085`
			`MItreLink: https://attack.mitre.org/wiki/Technique/T1085`
			`OperatingSystem: Windows`
			`- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,`
			`Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).`
Update Advpack.yml 2018-09-24 19:42:17 +02:00			`UseCase: Run local or remote script(let) code through INF file specification.`
Changed to latest template 2018-09-24 04:23:04 +02:00			`Category: AWL Bypass`
			`Privileges: User`
			`MitreID: T1085`
			`MItreLink: https://attack.mitre.org/wiki/Technique/T1085`
			`OperatingSystem: Windows`
			`- Command: rundll32.exe advpack.dll,RegisterOCX test.dll`
			`Description: Launch a DLL payload by calling the RegisterOCX function.`
Update Advpack.yml 2018-09-24 19:42:17 +02:00			`UseCase: Load a DLL payload.`
Changed to latest template 2018-09-24 04:23:04 +02:00			`Category: Execution`
			`Privileges: User`
			`MitreID: T1085`
			`MItreLink: https://attack.mitre.org/wiki/Technique/T1085`
			`OperatingSystem: Windows`
			`- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe`
			`Description: Launch an executable by calling the RegisterOCX function.`
Update Advpack.yml 2018-09-24 19:42:17 +02:00			`UseCase: Run an executable payload.`
Changed to latest template 2018-09-24 04:23:04 +02:00			`Category: Execution`
			`Privileges: User`
			`MitreID: T1085`
			`MItreLink: https://attack.mitre.org/wiki/Technique/T1085`
			`- Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"`
			`Description: Launch command line by calling the RegisterOCX function.`
Update Advpack.yml 2018-09-24 19:42:17 +02:00			`UseCase: Run an executable payload.`
Changed to latest template 2018-09-24 04:23:04 +02:00			`Category: Execution`
			`Privileges: User`
			`MitreID: T1085`
			`MItreLink: https://attack.mitre.org/wiki/Technique/T1085`
			`Full Path:`
Update Advpack.yml 2018-09-24 19:42:17 +02:00			`- Path: c:\windows\system32\advpack.dll`
			`- Path: c:\windows\syswow64\advpack.dll`
Changed to latest template 2018-09-24 04:23:04 +02:00			`Code Sample:`
Update Advpack.yml 2018-09-24 04:29:44 +02:00			`- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf`
			`- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct`
Update Advpack.yml 2018-09-24 19:42:17 +02:00			`Detection:`
			`- IOC: ''`
Changed to latest template 2018-09-24 04:23:04 +02:00			`Resources:`
Update Advpack.yml 2018-09-24 04:29:44 +02:00			`- Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/`
			`- Link: https://twitter.com/ItsReallyNick/status/967859147977850880`
			`- Link: https://twitter.com/bohops/status/974497123101179904`
			`- Link: https://twitter.com/moriarty_meng/status/977848311603380224`
Changed to latest template 2018-09-24 04:23:04 +02:00			`Acknowledgment:`
			`- Person: Jimmy (LaunchINFSection)`
			`Handle: '@bohops'`
			`- Person: Fabrizio (RegisterOCX - DLL)`
			`Handle: '@0rbz_'`
			`- Person: Moriarty (RegisterOCX - CMD)`
			`Handle: '@moriarty_meng'`
			`- Person: Nick Carr (Threat Intel)`
Update Advpack.yml 2018-09-24 04:29:44 +02:00			`Handle: @ItsReallyNick`
Update Advpack.yml 2018-09-24 19:52:23 +02:00			`---`