mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 14:29:24 +01:00
Fixed incorrect MItreLink
This commit is contained in:
parent
14dca38278
commit
38f9a0a032
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
|
||||
|
@ -1,67 +1,67 @@
|
||||
---
|
||||
Name: Advpack.dll
|
||||
Description: Utility for installing software and drivers with rundll32.exe
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
|
||||
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
|
||||
UseCase: Run local or remote script(let) code through INF file specification.
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,
|
||||
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
|
||||
UseCase: Run local or remote script(let) code through INF file specification.
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe advpack.dll,RegisterOCX test.dll
|
||||
Description: Launch a DLL payload by calling the RegisterOCX function.
|
||||
UseCase: Load a DLL payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
|
||||
Description: Launch an executable by calling the RegisterOCX function.
|
||||
UseCase: Run an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
- Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
|
||||
Description: Launch command line by calling the RegisterOCX function.
|
||||
UseCase: Run an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\advpack.dll
|
||||
- Path: c:\windows\syswow64\advpack.dll
|
||||
Code_Sample:
|
||||
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
|
||||
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
|
||||
- Link: https://twitter.com/ItsReallyNick/status/967859147977850880
|
||||
- Link: https://twitter.com/bohops/status/974497123101179904
|
||||
- Link: https://twitter.com/moriarty_meng/status/977848311603380224
|
||||
Acknowledegment:
|
||||
- Person: Jimmy (LaunchINFSection)
|
||||
Handle: '@bohops'
|
||||
- Person: Fabrizio (RegisterOCX - DLL)
|
||||
Handle: '@0rbz_'
|
||||
- Person: Moriarty (RegisterOCX - CMD)
|
||||
Handle: '@moriarty_meng'
|
||||
- Person: Nick Carr (Threat Intel)
|
||||
Handle: '@ItsReallyNick'
|
||||
---
|
||||
---
|
||||
Name: Advpack.dll
|
||||
Description: Utility for installing software and drivers with rundll32.exe
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
|
||||
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
|
||||
UseCase: Run local or remote script(let) code through INF file specification.
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,
|
||||
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
|
||||
UseCase: Run local or remote script(let) code through INF file specification.
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe advpack.dll,RegisterOCX test.dll
|
||||
Description: Launch a DLL payload by calling the RegisterOCX function.
|
||||
UseCase: Load a DLL payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
|
||||
Description: Launch an executable by calling the RegisterOCX function.
|
||||
UseCase: Run an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
- Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
|
||||
Description: Launch command line by calling the RegisterOCX function.
|
||||
UseCase: Run an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\advpack.dll
|
||||
- Path: c:\windows\syswow64\advpack.dll
|
||||
Code_Sample:
|
||||
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
|
||||
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
|
||||
- Link: https://twitter.com/ItsReallyNick/status/967859147977850880
|
||||
- Link: https://twitter.com/bohops/status/974497123101179904
|
||||
- Link: https://twitter.com/moriarty_meng/status/977848311603380224
|
||||
Acknowledegment:
|
||||
- Person: Jimmy (LaunchINFSection)
|
||||
Handle: '@bohops'
|
||||
- Person: Fabrizio (RegisterOCX - DLL)
|
||||
Handle: '@0rbz_'
|
||||
- Person: Moriarty (RegisterOCX - CMD)
|
||||
Handle: '@moriarty_meng'
|
||||
- Person: Nick Carr (Threat Intel)
|
||||
Handle: '@ItsReallyNick'
|
||||
---
|
||||
|
@ -1,64 +1,64 @@
|
||||
---
|
||||
Name: Ieadvpack.dll
|
||||
Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
|
||||
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
|
||||
UseCase: Run local or remote script(let) code through INF file specification.
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,
|
||||
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
|
||||
UseCase: Run local or remote script(let) code through INF file specification.
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
|
||||
Description: Launch a DLL payload by calling the RegisterOCX function.
|
||||
UseCase: Load a DLL payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
|
||||
Description: Launch an executable by calling the RegisterOCX function.
|
||||
UseCase: Run an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
- Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
|
||||
Description: Launch command line by calling the RegisterOCX function.
|
||||
UseCase: Run an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\ieadvpack.dll
|
||||
- Path: c:\windows\syswow64\ieadvpack.dll
|
||||
Code_Sample:
|
||||
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf
|
||||
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
|
||||
- Link: https://twitter.com/pabraeken/status/991695411902599168
|
||||
- Link: https://twitter.com/0rbz_/status/974472392012689408
|
||||
Acknowledgement:
|
||||
- Person: Jimmy (LaunchINFSection)
|
||||
Handle: '@bohops'
|
||||
- Person: Fabrizio (RegisterOCX - DLL)
|
||||
Handle: '@0rbz_'
|
||||
- Person: Pierre-Alexandre Braeken (RegisterOCX - CMD)
|
||||
Handle: '@pabraeken'
|
||||
---
|
||||
---
|
||||
Name: Ieadvpack.dll
|
||||
Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
|
||||
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
|
||||
UseCase: Run local or remote script(let) code through INF file specification.
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,
|
||||
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
|
||||
UseCase: Run local or remote script(let) code through INF file specification.
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
|
||||
Description: Launch a DLL payload by calling the RegisterOCX function.
|
||||
UseCase: Load a DLL payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
|
||||
Description: Launch an executable by calling the RegisterOCX function.
|
||||
UseCase: Run an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
- Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
|
||||
Description: Launch command line by calling the RegisterOCX function.
|
||||
UseCase: Run an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\ieadvpack.dll
|
||||
- Path: c:\windows\syswow64\ieadvpack.dll
|
||||
Code_Sample:
|
||||
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf
|
||||
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
|
||||
- Link: https://twitter.com/pabraeken/status/991695411902599168
|
||||
- Link: https://twitter.com/0rbz_/status/974472392012689408
|
||||
Acknowledgement:
|
||||
- Person: Jimmy (LaunchINFSection)
|
||||
Handle: '@bohops'
|
||||
- Person: Fabrizio (RegisterOCX - DLL)
|
||||
Handle: '@0rbz_'
|
||||
- Person: Pierre-Alexandre Braeken (RegisterOCX - CMD)
|
||||
Handle: '@pabraeken'
|
||||
---
|
||||
|
@ -1,33 +1,33 @@
|
||||
---
|
||||
Name: Ieaframe.dll
|
||||
Description: Internet Browser DLL for translating HTML code.
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
|
||||
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
|
||||
UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\ieframe.dll
|
||||
- Path: c:\windows\syswow64\ieframe.dll
|
||||
Code_Sample:
|
||||
- Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
|
||||
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
||||
- Link: https://twitter.com/bohops/status/997690405092290561
|
||||
- Link: https://windows10dll.nirsoft.net/ieframe_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
- Person: Adam
|
||||
Handle: '@hexacorn'
|
||||
---
|
||||
|
||||
---
|
||||
Name: Ieaframe.dll
|
||||
Description: Internet Browser DLL for translating HTML code.
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
|
||||
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
|
||||
UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\ieframe.dll
|
||||
- Path: c:\windows\syswow64\ieframe.dll
|
||||
Code_Sample:
|
||||
- Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
|
||||
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
||||
- Link: https://twitter.com/bohops/status/997690405092290561
|
||||
- Link: https://windows10dll.nirsoft.net/ieframe_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
- Person: Adam
|
||||
Handle: '@hexacorn'
|
||||
---
|
||||
|
||||
|
@ -1,28 +1,28 @@
|
||||
---
|
||||
Name: Mshtml.dll
|
||||
Description: Microsoft HTML Viewer
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"
|
||||
Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box).
|
||||
UseCase: Launch an HTA application.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\mshtml.dll
|
||||
- Path: c:\windows\syswow64\mshtml.dll
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/pabraeken/status/998567549670477824
|
||||
- Link: https://windows10dll.nirsoft.net/mshtml_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
||||
---
|
||||
Name: Mshtml.dll
|
||||
Description: Microsoft HTML Viewer
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"
|
||||
Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box).
|
||||
UseCase: Launch an HTA application.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\mshtml.dll
|
||||
- Path: c:\windows\syswow64\mshtml.dll
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/pabraeken/status/998567549670477824
|
||||
- Link: https://windows10dll.nirsoft.net/mshtml_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
||||
|
@ -1,28 +1,28 @@
|
||||
---
|
||||
Name: Pcwutl.dll
|
||||
Description: Microsoft HTML Viewer
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe
|
||||
Description: Launch executable by calling the LaunchApplication function.
|
||||
UseCase: Launch an executable.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\pcwutl.dll
|
||||
- Path: c:\windows\syswow64\pcwutl.dll
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/harr0ey/status/989617817849876488
|
||||
- Link: https://windows10dll.nirsoft.net/pcwutl_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Matt harr0ey
|
||||
Handle: '@harr0ey'
|
||||
---
|
||||
---
|
||||
Name: Pcwutl.dll
|
||||
Description: Microsoft HTML Viewer
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe
|
||||
Description: Launch executable by calling the LaunchApplication function.
|
||||
UseCase: Launch an executable.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\pcwutl.dll
|
||||
- Path: c:\windows\syswow64\pcwutl.dll
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/harr0ey/status/989617817849876488
|
||||
- Link: https://windows10dll.nirsoft.net/pcwutl_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Matt harr0ey
|
||||
Handle: '@harr0ey'
|
||||
---
|
||||
|
@ -1,46 +1,46 @@
|
||||
---
|
||||
Name: Setupapi.dll
|
||||
Description: Windows Setup Application Programming Interface
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf
|
||||
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
|
||||
UseCase: Run local or remote script(let) code through INF file specification.
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
|
||||
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
|
||||
UseCase: Load an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\setupapi.dll
|
||||
- Path: c:\windows\syswow64\setupapi.dll
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
|
||||
- Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
|
||||
- Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct
|
||||
- Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://github.com/huntresslabs/evading-autoruns
|
||||
- Link: https://twitter.com/pabraeken/status/994742106852941825
|
||||
- Link: https://windows10dll.nirsoft.net/setupapi_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Kyle Hanslovan (COM Scriptlet)
|
||||
Handle: '@KyleHanslovan'
|
||||
- Person: Huntress Labs (COM Scriptlet)
|
||||
Handle: '@HuntressLabs'
|
||||
- Person: Casey Smith (COM Scriptlet)
|
||||
Handle: '@subTee'
|
||||
- Person: Nick Carr (Threat Intel)
|
||||
Handle: '@ItsReallyNick'
|
||||
---
|
||||
---
|
||||
Name: Setupapi.dll
|
||||
Description: Windows Setup Application Programming Interface
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf
|
||||
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
|
||||
UseCase: Run local or remote script(let) code through INF file specification.
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
|
||||
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
|
||||
UseCase: Load an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\setupapi.dll
|
||||
- Path: c:\windows\syswow64\setupapi.dll
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
|
||||
- Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
|
||||
- Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct
|
||||
- Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://github.com/huntresslabs/evading-autoruns
|
||||
- Link: https://twitter.com/pabraeken/status/994742106852941825
|
||||
- Link: https://windows10dll.nirsoft.net/setupapi_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Kyle Hanslovan (COM Scriptlet)
|
||||
Handle: '@KyleHanslovan'
|
||||
- Person: Huntress Labs (COM Scriptlet)
|
||||
Handle: '@HuntressLabs'
|
||||
- Person: Casey Smith (COM Scriptlet)
|
||||
Handle: '@subTee'
|
||||
- Person: Nick Carr (Threat Intel)
|
||||
Handle: '@ItsReallyNick'
|
||||
---
|
||||
|
@ -1,32 +1,32 @@
|
||||
---
|
||||
Name: Shdocvw.dll
|
||||
Description: Shell Doc Object and Control Library.
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
|
||||
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
|
||||
UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\shdocvw.dll
|
||||
- Path: c:\windows\syswow64\shdocvw.dll
|
||||
Code_Sample:
|
||||
- Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
|
||||
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
||||
- Link: https://twitter.com/bohops/status/997690405092290561
|
||||
- Link: https://windows10dll.nirsoft.net/shdocvw_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@hexacorn'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
---
|
||||
Name: Shdocvw.dll
|
||||
Description: Shell Doc Object and Control Library.
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
|
||||
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
|
||||
UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\shdocvw.dll
|
||||
- Path: c:\windows\syswow64\shdocvw.dll
|
||||
Code_Sample:
|
||||
- Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
|
||||
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
||||
- Link: https://twitter.com/bohops/status/997690405092290561
|
||||
- Link: https://windows10dll.nirsoft.net/shdocvw_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@hexacorn'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
|
@ -1,51 +1,51 @@
|
||||
---
|
||||
Name: Shell32.dll
|
||||
Description: Windows Shell Common Dll
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll
|
||||
Description: Launch a DLL payload by calling the Control_RunDLL function.
|
||||
UseCase: Load a DLL payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
|
||||
Description: Launch an executable by calling the ShellExec_RunDLL function.
|
||||
UseCase: Run an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
- Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"
|
||||
Description: Launch command line by calling the ShellExec_RunDLL function.
|
||||
UseCase: Run an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\shell32.dll
|
||||
- Path: c:\windows\syswow64\shell32.dll
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/Hexacorn/status/885258886428725250
|
||||
- Link: https://twitter.com/pabraeken/status/991768766898941953
|
||||
- Link: https://twitter.com/mattifestation/status/776574940128485376
|
||||
- Link: https://twitter.com/KyleHanslovan/status/905189665120149506
|
||||
- Link: https://windows10dll.nirsoft.net/shell32_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Adam (Control_RunDLL)
|
||||
Handle: '@hexacorn'
|
||||
- Person: Pierre-Alexandre Braeken (ShellExec_RunDLL)
|
||||
Handle: '@pabraeken'
|
||||
- Person: Matt Graeber (ShellExec_RunDLL)
|
||||
Handle: '@mattifestation'
|
||||
- Person: Kyle Hanslovan (ShellExec_RunDLL)
|
||||
Handle: '@KyleHanslovan'
|
||||
---
|
||||
---
|
||||
Name: Shell32.dll
|
||||
Description: Windows Shell Common Dll
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll
|
||||
Description: Launch a DLL payload by calling the Control_RunDLL function.
|
||||
UseCase: Load a DLL payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
|
||||
Description: Launch an executable by calling the ShellExec_RunDLL function.
|
||||
UseCase: Run an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
- Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"
|
||||
Description: Launch command line by calling the ShellExec_RunDLL function.
|
||||
UseCase: Run an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\shell32.dll
|
||||
- Path: c:\windows\syswow64\shell32.dll
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/Hexacorn/status/885258886428725250
|
||||
- Link: https://twitter.com/pabraeken/status/991768766898941953
|
||||
- Link: https://twitter.com/mattifestation/status/776574940128485376
|
||||
- Link: https://twitter.com/KyleHanslovan/status/905189665120149506
|
||||
- Link: https://windows10dll.nirsoft.net/shell32_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Adam (Control_RunDLL)
|
||||
Handle: '@hexacorn'
|
||||
- Person: Pierre-Alexandre Braeken (ShellExec_RunDLL)
|
||||
Handle: '@pabraeken'
|
||||
- Person: Matt Graeber (ShellExec_RunDLL)
|
||||
Handle: '@mattifestation'
|
||||
- Person: Kyle Hanslovan (ShellExec_RunDLL)
|
||||
Handle: '@KyleHanslovan'
|
||||
---
|
||||
|
@ -1,44 +1,44 @@
|
||||
---
|
||||
Name: Syssetup.dll
|
||||
Description: Windows NT System Setup
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf
|
||||
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
|
||||
UseCase: Run local or remote script(let) code through INF file specification (Note May pop an error window).
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
|
||||
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
|
||||
UseCase: Load an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\syssetup.dll
|
||||
- Path: c:\windows\syswow64\syssetup.dll
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
|
||||
- Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
|
||||
- Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/pabraeken/status/994392481927258113
|
||||
- Link: https://twitter.com/harr0ey/status/975350238184697857
|
||||
- Link: https://twitter.com/bohops/status/975549525938135040
|
||||
- Link: https://windows10dll.nirsoft.net/syssetup_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken (Execute)
|
||||
Handle: '@pabraeken'
|
||||
- Person: Matt harr0ey (Execute)
|
||||
Handle: '@harr0ey'
|
||||
- Person: Jimmy (Scriptlet)
|
||||
Handle: '@bohops'
|
||||
---
|
||||
---
|
||||
Name: Syssetup.dll
|
||||
Description: Windows NT System Setup
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf
|
||||
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
|
||||
UseCase: Run local or remote script(let) code through INF file specification (Note May pop an error window).
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
|
||||
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
|
||||
UseCase: Load an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\syssetup.dll
|
||||
- Path: c:\windows\syswow64\syssetup.dll
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
|
||||
- Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
|
||||
- Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/pabraeken/status/994392481927258113
|
||||
- Link: https://twitter.com/harr0ey/status/975350238184697857
|
||||
- Link: https://twitter.com/bohops/status/975549525938135040
|
||||
- Link: https://windows10dll.nirsoft.net/syssetup_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken (Execute)
|
||||
Handle: '@pabraeken'
|
||||
- Person: Matt harr0ey (Execute)
|
||||
Handle: '@harr0ey'
|
||||
- Person: Jimmy (Scriptlet)
|
||||
Handle: '@bohops'
|
||||
---
|
||||
|
@ -1,78 +1,78 @@
|
||||
---
|
||||
Name: Url.dll
|
||||
Description: Internet Shortcut Shell Extension DLL.
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
|
||||
Description: Launch a HTML application payload by calling OpenURL.
|
||||
UseCase: Invoke an HTML Application via mshta.exe (Default Handler).
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url"
|
||||
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
|
||||
UseCase: Load an executable payload by calling a .url file with or without quotes.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
|
||||
Description: Launch an executable by calling OpenURL.
|
||||
UseCase: Load an executable payload by specifying the file protocol handler (obfuscated).
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe url.dll,FileProtocolHandler calc.exe
|
||||
Description: Launch an executable by calling FileProtocolHandler.
|
||||
UseCase: Launch an executable.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
|
||||
Description: Launch an executable by calling FileProtocolHandler.
|
||||
UseCase: Load an executable payload by specifying the file protocol handler (obfuscated).
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
|
||||
Description: Launch a HTML application payload by calling FileProtocolHandler.
|
||||
UseCase: Invoke an HTML Application via mshta.exe (Default Handler).
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\url.dll
|
||||
- Path: c:\windows\syswow64\url.dll
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
||||
- Link: https://twitter.com/DissectMalware/status/995348436353470465
|
||||
- Link: https://twitter.com/bohops/status/974043815655956481
|
||||
- Link: https://twitter.com/yeyint_mth/status/997355558070927360
|
||||
- Link: https://twitter.com/Hexacorn/status/974063407321223168
|
||||
- Link: https://windows10dll.nirsoft.net/url_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Adam (OpenURL)
|
||||
Handle: '@hexacorn'
|
||||
- Person: Jimmy (OpenURL)
|
||||
Handle: '@bohops'
|
||||
- Person: Malwrologist (FileProtocolHandler - HTA)
|
||||
Handle: '@DissectMalware'
|
||||
- Person: r0lan (Obfuscation)
|
||||
Handle: '@r0lan'
|
||||
---
|
||||
---
|
||||
Name: Url.dll
|
||||
Description: Internet Shortcut Shell Extension DLL.
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
|
||||
Description: Launch a HTML application payload by calling OpenURL.
|
||||
UseCase: Invoke an HTML Application via mshta.exe (Default Handler).
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url"
|
||||
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
|
||||
UseCase: Load an executable payload by calling a .url file with or without quotes.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
|
||||
Description: Launch an executable by calling OpenURL.
|
||||
UseCase: Load an executable payload by specifying the file protocol handler (obfuscated).
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe url.dll,FileProtocolHandler calc.exe
|
||||
Description: Launch an executable by calling FileProtocolHandler.
|
||||
UseCase: Launch an executable.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
|
||||
Description: Launch an executable by calling FileProtocolHandler.
|
||||
UseCase: Load an executable payload by specifying the file protocol handler (obfuscated).
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
|
||||
Description: Launch a HTML application payload by calling FileProtocolHandler.
|
||||
UseCase: Invoke an HTML Application via mshta.exe (Default Handler).
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\url.dll
|
||||
- Path: c:\windows\syswow64\url.dll
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
||||
- Link: https://twitter.com/DissectMalware/status/995348436353470465
|
||||
- Link: https://twitter.com/bohops/status/974043815655956481
|
||||
- Link: https://twitter.com/yeyint_mth/status/997355558070927360
|
||||
- Link: https://twitter.com/Hexacorn/status/974063407321223168
|
||||
- Link: https://windows10dll.nirsoft.net/url_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Adam (OpenURL)
|
||||
Handle: '@hexacorn'
|
||||
- Person: Jimmy (OpenURL)
|
||||
Handle: '@bohops'
|
||||
- Person: Malwrologist (FileProtocolHandler - HTA)
|
||||
Handle: '@DissectMalware'
|
||||
- Person: r0lan (Obfuscation)
|
||||
Handle: '@r0lan'
|
||||
---
|
||||
|
@ -1,39 +1,39 @@
|
||||
---
|
||||
Name: Zipfldr.dll
|
||||
Description: Compressed Folder library
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe
|
||||
Description: Launch an executable payload by calling RouteTheCall.
|
||||
UseCase: Launch an executable.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
|
||||
Description: Launch an executable payload by calling RouteTheCall (obfuscated).
|
||||
UseCase: Launch an executable.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\zipfldr.dll
|
||||
- Path: c:\windows\syswow64\zipfldr.dll
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/moriarty_meng/status/977848311603380224
|
||||
- Link: https://twitter.com/bohops/status/997896811904929792
|
||||
- Link: https://windows10dll.nirsoft.net/zipfldr_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Moriarty (Execution)
|
||||
Handle: '@moriarty_meng'
|
||||
- Person: r0lan (Obfuscation)
|
||||
Handle: '@r0lan'
|
||||
---
|
||||
---
|
||||
Name: Zipfldr.dll
|
||||
Description: Compressed Folder library
|
||||
Author:
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe
|
||||
Description: Launch an executable payload by calling RouteTheCall.
|
||||
UseCase: Launch an executable.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
|
||||
Description: Launch an executable payload by calling RouteTheCall (obfuscated).
|
||||
UseCase: Launch an executable.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\zipfldr.dll
|
||||
- Path: c:\windows\syswow64\zipfldr.dll
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/moriarty_meng/status/977848311603380224
|
||||
- Link: https://twitter.com/bohops/status/997896811904929792
|
||||
- Link: https://windows10dll.nirsoft.net/zipfldr_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Moriarty (Execution)
|
||||
Handle: '@moriarty_meng'
|
||||
- Person: r0lan (Obfuscation)
|
||||
Handle: '@r0lan'
|
||||
---
|
||||
|
Loading…
Reference in New Issue
Block a user