public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-07-29 05:31:53 +02:00
Code Issues Projects Releases Wiki Activity

Merge branch 'master' into feat/yamllinting

Browse Source
This commit is contained in:
Oddvar Moe
2021-10-22 15:20:35 +02:00
committed by GitHub
parent 79cf7bfb88 19a8d5ac08
commit 9f9af1cfee
159 changed files with 1270 additions and 932 deletions
Download Patch File Download Diff File Expand all files Collapse all files

90
yml/OSLibraries/Setupapi.yml
View File

@@ -1,46 +1,46 @@
---
Name: Setupapi.dll
Description: Windows Setup Application Programming Interface
Author:
Created: '2018-05-25'
Commands:
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
UseCase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
UseCase: Load an executable payload.
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
Full_Path:
- Path: c:\windows\system32\setupapi.dll
- Path: c:\windows\syswow64\setupapi.dll
Code_Sample:
- Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
- Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
- Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct
- Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
Detection:
- IOC:
Resources:
- Link: https://github.com/huntresslabs/evading-autoruns
- Link: https://twitter.com/pabraeken/status/994742106852941825
- Link: https://windows10dll.nirsoft.net/setupapi_dll.html
Acknowledgement:
- Person: Kyle Hanslovan (COM Scriptlet)
Handle: '@KyleHanslovan'
- Person: Huntress Labs (COM Scriptlet)
Handle: '@HuntressLabs'
- Person: Casey Smith (COM Scriptlet)
Handle: '@subTee'
- Person: Nick Carr (Threat Intel)
Handle: '@ItsReallyNick'
---
Name: Setupapi.dll
Description: Windows Setup Application Programming Interface
Author:
Created: '2018-05-25'
Commands:
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
UseCase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
UseCase: Load an executable payload.
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
Full_Path:
- Path: c:\windows\system32\setupapi.dll
- Path: c:\windows\syswow64\setupapi.dll
Code_Sample:
- Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
- Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
- Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct
- Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
Detection:
- IOC:
Resources:
- Link: https://github.com/huntresslabs/evading-autoruns
- Link: https://twitter.com/pabraeken/status/994742106852941825
- Link: https://windows10dll.nirsoft.net/setupapi_dll.html
Acknowledgement:
- Person: Kyle Hanslovan (COM Scriptlet)
Handle: '@KyleHanslovan'
- Person: Huntress Labs (COM Scriptlet)
Handle: '@HuntressLabs'
- Person: Casey Smith (COM Scriptlet)
Handle: '@subTee'
- Person: Nick Carr (Threat Intel)
Handle: '@ItsReallyNick'
---