From 42bcafa0ff377da4d28aec1b261b877de5d4fb53 Mon Sep 17 00:00:00 2001 From: bohops Date: Mon, 24 Sep 2018 13:50:33 -0400 Subject: [PATCH] Update Ieframe.yml --- yml/OSLibraries/Ieframe.yml | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index da1b580..6c8fa19 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml @@ -6,25 +6,27 @@ Created: '2018-05-25' Commands: - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. - Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. + UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. Category: Execution Privileges: User MitreID: T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085 OperatingSystem: Windows Full Path: - - path: c:\windows\system32\ieframe.dll - - path: c:\windows\syswow64\ieframe.dll + - Path: c:\windows\system32\ieframe.dll + - Path: c:\windows\syswow64\ieframe.dll Code Sample: - - https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url -Detection: [] + - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url +Detection: + - IOC: '' Resources: - - resource: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ - - resource: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ - - resource: https://twitter.com/bohops/status/997690405092290561 - - resource: https://windows10dll.nirsoft.net/ieframe_dll.html + - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ + - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ + - Link: https://twitter.com/bohops/status/997690405092290561 + - Link: https://windows10dll.nirsoft.net/ieframe_dll.html Acknowledgment: - Person: Jimmy Handle: '@bohops' - Person: Adam Handle: '@hexacorn' +---