mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-07-29 05:31:53 +02:00
Changed to latest template
This commit is contained in:
bohops
GitHub
@@ -1,30 +1,65 @@
|
||||
---
|
||||
Name: Advpack.dll
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\\test.inf,DefaultInstall_SingleUser,1,
|
||||
Description: Remote fetch and execute a COM Scriptlet by calling an information file directive (Section name specified).
|
||||
- Command: rundll32.exe advpack.dll,LaunchINFSection test.inf,,1,
|
||||
Description: Remote fetch and execute a COM Scriptlet by calling an information file directive (DefaultInstall section implied).
|
||||
- Command: rundll32.exe Advpack.dll,RegisterOCX calc.exe
|
||||
Description: Launch executable by calling the RegisterOCX function.
|
||||
- Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
|
||||
Description: Launch executable by calling the RegisterOCX function.
|
||||
- Command: rundll32.exe Advpack.dll,RegisterOCX test.dll
|
||||
Description: Launch a DLL payload by calling the RegisterOCX function.
|
||||
Full Path:
|
||||
- c:\windows\system32\advpack.dll
|
||||
- c:\windows\sysWOW64\advpack.dll
|
||||
Code Sample:
|
||||
- https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack.inf
|
||||
- https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack_calc.sct
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
|
||||
- https://twitter.com/ItsReallyNick/status/967859147977850880
|
||||
- https://twitter.com/bohops/status/974497123101179904
|
||||
- https://twitter.com/moriarty_meng/status/977848311603380224
|
||||
Notes: Thanks to Jimmy - @bohops (LaunchINFSection), fabrizio - @0rbz_ (RegisterOCX - DLL), Moriarty @moriarty_meng (RegisterOCX - Cmd)
|
||||
---
|
||||
Name: Advpack.dll
|
||||
Description: Utility for installing software and drivers with rundll32.exe
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Commands:
|
||||
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
|
||||
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
|
||||
Usecase: Run local or remote script(let) code through INF file specification.
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,
|
||||
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
|
||||
Usecase: Run local or remote script(let) code through INF file specification.
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe advpack.dll,RegisterOCX test.dll
|
||||
Description: Launch a DLL payload by calling the RegisterOCX function.
|
||||
Usecase: Load a DLL payload.
|
||||
Category: Execution
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
|
||||
Description: Launch an executable by calling the RegisterOCX function.
|
||||
Usecase: Run an executable payload.
|
||||
Category: Execution
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
- Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
|
||||
Description: Launch command line by calling the RegisterOCX function.
|
||||
Usecase: Run an executable payload.
|
||||
Category: Execution
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
Full Path:
|
||||
- path: c:\windows\system32\advpack.dll
|
||||
- path: c:\windows\syswow64\advpack.dll
|
||||
Code Sample:
|
||||
- https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
|
||||
- https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
|
||||
Detection: []
|
||||
Resources:
|
||||
- resource: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
|
||||
- resource: https://twitter.com/ItsReallyNick/status/967859147977850880
|
||||
- resource: https://twitter.com/bohops/status/974497123101179904
|
||||
- resource: https://twitter.com/moriarty_meng/status/977848311603380224
|
||||
Acknowledgment:
|
||||
- Person: Jimmy (LaunchINFSection)
|
||||
Handle: '@bohops'
|
||||
- Person: Fabrizio (RegisterOCX - DLL)
|
||||
Handle: '@0rbz_'
|
||||
- Person: Moriarty (RegisterOCX - CMD)
|
||||
Handle: '@moriarty_meng'
|
||||
- Person: Nick Carr (Threat Intel)
|
||||
Handle: @ItsReallyNick
|
||||
Reference in New Issue
Block a user