Update Ieframe.yml

This commit is contained in:
bohops 2018-09-24 13:50:33 -04:00 committed by GitHub
parent 3d7716bc14
commit 42bcafa0ff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -6,25 +6,27 @@ Created: '2018-05-25'
Commands: Commands:
- Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
Category: Execution Category: Execution
Privileges: User Privileges: User
MitreID: T1085 MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows OperatingSystem: Windows
Full Path: Full Path:
- path: c:\windows\system32\ieframe.dll - Path: c:\windows\system32\ieframe.dll
- path: c:\windows\syswow64\ieframe.dll - Path: c:\windows\syswow64\ieframe.dll
Code Sample: Code Sample:
- https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
Detection: [] Detection:
- IOC: ''
Resources: Resources:
- resource: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
- resource: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
- resource: https://twitter.com/bohops/status/997690405092290561 - Link: https://twitter.com/bohops/status/997690405092290561
- resource: https://windows10dll.nirsoft.net/ieframe_dll.html - Link: https://windows10dll.nirsoft.net/ieframe_dll.html
Acknowledgment: Acknowledgment:
- Person: Jimmy - Person: Jimmy
Handle: '@bohops' Handle: '@bohops'
- Person: Adam - Person: Adam
Handle: '@hexacorn' Handle: '@hexacorn'
---