Update Shell32.yml (#435)

* Update Shell32.yml Added Control_RunDLLNoFallback used by threat actors. * Update Shell32.yml --------- Co-authored-by: Wietze <wietze@users.noreply.github.com>
2025-06-20 18:45:12 +02:00 · 2025-05-26 18:43:59 +02:00 · 2025-05-26 18:43:59 +02:00 · 373d0a52bb
commit 373d0a52bb
parent f8b06c611f
1 changed files with 11 additions and 1 deletions
--- a/yml/OSLibraries/Shell32.yml
+++ b/yml/OSLibraries/Shell32.yml
@ -31,6 +31,15 @@ Commands:
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
+  - Command: rundll32.exe shell32.dll,#44 {PATH:.dll}
+    Description: Load a DLL/CPL by calling undocumented Control_RunDLLNoFallback function.
+    Usecase: Load a DLL/CPL payload.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218.011
+    OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: DLL
 Full_Path:
  - Path: c:\windows\system32\shell32.dll
  - Path: c:\windows\syswow64\shell32.dll
@ -43,8 +52,9 @@ Resources:
  - Link: https://twitter.com/mattifestation/status/776574940128485376
  - Link: https://twitter.com/KyleHanslovan/status/905189665120149506
  - Link: https://windows10dll.nirsoft.net/shell32_dll.html
+  - Link: https://www.hexacorn.com/blog/2025/05/18/shell32-dll-44-lolbin/
 Acknowledgement:
-  - Person: Adam (Control_RunDLL)
+  - Person: Adam (Control_RunDLL, Control_RunDLLNoFallback)
    Handle: '@hexacorn'
  - Person: Pierre-Alexandre Braeken (ShellExec_RunDLL)
    Handle: '@pabraeken'