mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-07-29 05:31:53 +02:00
@@ -4,7 +4,7 @@ Description: Windows Shell Common Dll
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe shell32.dll,Control_RunDLL c:\path\to\payload.dll
- Command: rundll32.exe shell32.dll,Control_RunDLL {PATH_ABSOLUTE:.dll}
Description: Launch a DLL payload by calling the Control_RunDLL function.
Usecase: Load a DLL payload.
Category: Execute
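Review bot: the placeholder introduced here, `{PATH_ABSOLUTE:.dll}`, does not match the form used for the other two entries in this file (`{PATH:.exe}`); if the distinction is deliberate because Control_RunDLL is being documented as needing an absolute DLL path, the Description on the line `Description: Launch a DLL payload by calling the Control_RunDLL function.` should say so, otherwise the placeholder names should be unified. Add/remove markers are not visible in this rendering, but the header `@@ -4,7 +4,7 @@` shows a one-for-one replacement of the `c:\path\to\payload.dll` example with the placeholder, so no other content in the hunk changes.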
@@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
- Command: rundll32.exe shell32.dll,ShellExec_RunDLL {PATH:.exe}
Description: Launch an executable by calling the ShellExec_RunDLL function.
Usecase: Run an executable payload.
Category: Execute
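Review bot: the Usecase on this entry, `Usecase: Run an executable payload.`, is word-for-word the same as the Usecase of the next entry, which documents passing a command line through ShellExec_RunDLL rather than a bare executable; consider wording the two differently so readers (and detection engineers mapping rules to entries) can tell the two ShellExec_RunDLL variants apart. Replacing the `beacon.exe` example with `{PATH:.exe}` is consistent with the placeholder convention, though note it differs in name from the `{PATH_ABSOLUTE:.dll}` placeholder chosen for the Control_RunDLL entry above.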
@@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"
- Command: rundll32 SHELL32.DLL,ShellExec_RunDLL {PATH:.exe} {CMD:args}
Description: Launch command line by calling the ShellExec_RunDLL function.
Usecase: Run an executable payload.
Category: Execute
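Review bot: the placeholder form `{PATH:.exe} {CMD:args}` drops the double quotes that the concrete example `"cmd.exe" "/c echo hi"` relies on; since the argument placeholder stands for a string that will normally contain spaces, the quoting should survive in the templated command, e.g. `"{PATH:.exe}" "{CMD:args}"`, or the entry will render a command that is not equivalent to the example it replaces. Two smaller points on the same lines: `Description: Launch command line by calling the ShellExec_RunDLL function.` should read "Launch a command line", and the binary and module are written `rundll32 SHELL32.DLL` here but `rundll32.exe shell32.dll` in the two entries above, which makes the file harder to grep and to match against detection rules.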
@@ -34,8 +34,6 @@ Commands:
Full_Path:
- Path: c:\windows\system32\shell32.dll
- Path: c:\windows\syswow64\shell32.dll
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
- Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/rundll32_control_rundll_hunt.yml
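Review bot: the header `@@ -34,8 +34,6 @@` shows two lines removed and none added, and the only candidates in the visible context are `Code_Sample:` and `- Code:`, which carry no value; dropping an empty section is the right call, but please confirm the repository's schema or YAML linter does not treat `Code_Sample` as a required key before merging. On the Detection block that stays, both links are pinned to commit hashes, which is good for reproducibility; note however that the Splunk rule is named `rundll32_control_rundll_hunt` and so covers the Control_RunDLL entry, while the only reference covering the two ShellExec_RunDLL entries is the generic Sigma `proc_creation_win_rundll32_susp_activity` rule, so readers should not assume the Splunk link detects every command documented in this file.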