Added rundll32 -sta COM server execution

2024-12-26 06:49:09 +01:00 · 2018-12-04 18:59:08 -05:00 · 2018-12-04 18:59:08 -05:00 · 34b1287f10
commit 34b1287f10
parent 60874f9754
1 changed files with 14 additions and 1 deletions
--- a/yml/OSBinaries/Rundll32.yml
+++ b/yml/OSBinaries/Rundll32.yml
@ -52,6 +52,14 @@ Commands:
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: rundll32.exe -sta {CLSID}
+    Description: Use Rundll32.exe to load a registered or hijacked COM Server payload.  Also works with ProgID.
+    Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code.
+    Category: Execute
+    Privileges: User
+    MitreID: 
+    MitreLink: 
+    OperatingSystem: Windows 10 (and likely previous versions)
 Full Path:
  - Path: C:\Windows\System32\rundll32.exe
  - Path: C:\Windows\SysWOW64\rundll32.exe
@ -64,7 +72,12 @@ Resources:
  - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
  - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
  - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
+  - Link: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
+  - Person: Oddvar Moe
+    Handle: '@oddvarmoe'
+  - Person: Jimmy
+    Handle: '@bohops'
 ---