public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-10-22 16:49:11 +02:00
Code Issues Projects Releases Wiki Activity

Changed to latest template

Browse Source
This commit is contained in:
bohops 2018-09-23 22:23:04 -04:00 committed by GitHub
parent adafa6de3f
commit b330d43116
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 485 additions and 262 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
yml/OSLibraries/Advpack.yml
View File

@ -1,30 +1,65 @@
--- ---
Name: Advpack.dll Name: Advpack.dll
Description: Execute Description: Utility for installing software and drivers with rundll32.exe
Author: '' Author: ''
Created: '2018-05-25' Created: '2018-05-25'
Categories: [] Commands:
Commands: - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\\test.inf,DefaultInstall_SingleUser,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
Description: Remote fetch and execute a COM Scriptlet by calling an information file directive (Section name specified). Usecase: Run local or remote script(let) code through INF file specification.
- Command: rundll32.exe advpack.dll,LaunchINFSection test.inf,,1, Category: AWL Bypass
Description: Remote fetch and execute a COM Scriptlet by calling an information file directive (DefaultInstall section implied). Privileges: User
- Command: rundll32.exe Advpack.dll,RegisterOCX calc.exe MitreID: T1085
Description: Launch executable by calling the RegisterOCX function. MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" OperatingSystem: Windows
Description: Launch executable by calling the RegisterOCX function. - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,
- Command: rundll32.exe Advpack.dll,RegisterOCX test.dll Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
Description: Launch a DLL payload by calling the RegisterOCX function. Usecase: Run local or remote script(let) code through INF file specification.
Full Path: Category: AWL Bypass
- c:\windows\system32\advpack.dll Privileges: User
- c:\windows\sysWOW64\advpack.dll MitreID: T1085
Code Sample: MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack.inf OperatingSystem: Windows
- https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack_calc.sct - Command: rundll32.exe advpack.dll,RegisterOCX test.dll
Detection: [] Description: Launch a DLL payload by calling the RegisterOCX function.
Resources: Usecase: Load a DLL payload.
- https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ Category: Execution
- https://twitter.com/ItsReallyNick/status/967859147977850880 Privileges: User
- https://twitter.com/bohops/status/974497123101179904 MitreID: T1085
- https://twitter.com/moriarty_meng/status/977848311603380224 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
Notes: Thanks to Jimmy - @bohops (LaunchINFSection), fabrizio - @0rbz_ (RegisterOCX - DLL), Moriarty @moriarty_meng (RegisterOCX - Cmd) OperatingSystem: Windows
- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
Description: Launch an executable by calling the RegisterOCX function.
Usecase: Run an executable payload.
Category: Execution
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Description: Launch command line by calling the RegisterOCX function.
Usecase: Run an executable payload.
Category: Execution
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
Full Path:
- path: c:\windows\system32\advpack.dll
- path: c:\windows\syswow64\advpack.dll
Code Sample:
- https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
- https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
Detection: []
Resources:
- resource: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
- resource: https://twitter.com/ItsReallyNick/status/967859147977850880
- resource: https://twitter.com/bohops/status/974497123101179904
- resource: https://twitter.com/moriarty_meng/status/977848311603380224
Acknowledgment:
- Person: Jimmy (LaunchINFSection)
Handle: '@bohops'
- Person: Fabrizio (RegisterOCX - DLL)
Handle: '@0rbz_'
- Person: Moriarty (RegisterOCX - CMD)
Handle: '@moriarty_meng'
- Person: Nick Carr (Threat Intel)
Handle: @ItsReallyNick

90
yml/OSLibraries/Ieadvpack.yml
View File

@ -1,28 +1,62 @@
--- ---
Name: Ieadvpack.dll Name: Ieadvpack.dll
Description: Execute Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.
Author: '' Author: ''
Created: '2018-05-25' Created: '2018-05-25'
Categories: [] Commands:
Commands: - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
- Command: rundll32.exe IEAdvpack.dll,LaunchINFSection c:\\test.inf,DefaultInstall_SingleUser,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
Description: Remote fetch and execute a COM Scriptlet by calling an information file directive (Section name specified). Usecase: Run local or remote script(let) code through INF file specification.
- Command: rundll32.exe IEAdvpack.dll,LaunchINFSection test.inf,,1, Category: AWL Bypass
Description: Remote fetch and execute a COM Scriptlet by calling an information file directive (DefaultInstall section implied). Privileges: User
- Command: rundll32.exe IEAdvpack.dll,RegisterOCX calc.exe MitreID: T1085
Description: Launch executable by calling the RegisterOCX function. MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- Command: rundll32.exe IEAdvpack.dll,RegisterOCX test.dll OperatingSystem: Windows
Description: Launch a DLL payload by calling the RegisterOCX function. - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,
Full Path: Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
- c:\windows\system32\ieadvpack.dll Usecase: Run local or remote script(let) code through INF file specification.
- c:\windows\sysWOW64\ieadvpack.dll Category: AWL Bypass
Code Sample: Privileges: User
- https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack.inf MitreID: T1085
- https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack_calc.sct MItreLink: https://attack.mitre.org/wiki/Technique/T1085
Detection: [] OperatingSystem: Windows
Resources: - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
- https://twitter.com/pabraeken/status/991695411902599168 Description: Launch a DLL payload by calling the RegisterOCX function.
- https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ Usecase: Load a DLL payload.
- https://twitter.com/0rbz_/status/974472392012689408 Category: Execution
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (RegisterOCX - Cmd), Jimmy - @bohops (LaunchINFSection), fabrizio - @0rbz_ (RegisterOCX - DLL) Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
Description: Launch an executable by calling the RegisterOCX function.
Usecase: Run an executable payload.
Category: Execution
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Description: Launch command line by calling the RegisterOCX function.
Usecase: Run an executable payload.
Category: Execution
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
Full Path:
- path: c:\windows\system32\ieadvpack.dll
- path: c:\windows\syswow64\ieadvpack.dll
Code Sample:
- https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf
- https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct
Detection: []
Resources:
- resource: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
- resource: https://twitter.com/pabraeken/status/991695411902599168
- resource: https://twitter.com/0rbz_/status/974472392012689408
Acknowledgment:
- Person: Jimmy (LaunchINFSection)
Handle: '@bohops'
- Person: Fabrizio (RegisterOCX - DLL)
Handle: '@0rbz_'
- Person: Pierre-Alexandre Braeken (RegisterOCX - CMD)
Handle: '@pabraeken'

52
yml/OSLibraries/Ieframe.yml
View File

@ -1,22 +1,30 @@
--- ---
Name: Ieframe.dll Name: Ieaframe.dll
Description: Execute Description: Internet Browser DLL for translating HTML code.
Author: '' Author: ''
Created: '2018-05-25' Created: '2018-05-25'
Categories: [] Commands:
Commands: - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
- Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
- Command: rundll32.exe ieframe.dll,OpenURL c:\\test\\calc-url-file.zz Category: Execution
Description: Renamed URL file. Privileges: User
Full Path: MitreID: T1085
- c:\windows\system32\Ieframe.dll MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- c:\windows\sysWOW64\Ieframe.dll OperatingSystem: Windows
Code Sample: Full Path:
- https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url - path: c:\windows\system32\ieframe.dll
Detection: [] - path: c:\windows\syswow64\ieframe.dll
Resources: Code Sample:
- http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ - https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
- https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ Detection: []
- https://twitter.com/bohops/status/997690405092290561 Resources:
Notes: Thanks to Adam - @hexacorn, Jimmy - @bohops - resource: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
- resource: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
- resource: https://twitter.com/bohops/status/997690405092290561
- resource: https://windows10dll.nirsoft.net/ieframe_dll.html
Acknowledgment:
- Person: Jimmy
Handle: '@bohops'
- Person: Adam
Handle: '@hexacorn'

43
yml/OSLibraries/Mshtml.yml
View File

@ -1,17 +1,26 @@
--- ---
Name: Mshtml.dll Name: Mshtml.dll
Description: Execute Description: Microsoft HTML Viewer
Author: '' Author: ''
Created: '2018-05-25' Created: '2018-05-25'
Categories: [] Commands:
Commands: - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"
- Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta" Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box).
Description: Invoke an HTML Application. Note - Pops a security warning and a print dialogue box. Usecase: Launch an HTA application.
Full Path: Category: Execution
- c:\windows\system32\Mshtml.dll Privileges: User
- c:\windows\sysWOW64\Mshtml.dll MitreID: T1085
Code Sample: [] MItreLink: https://attack.mitre.org/wiki/Technique/T1085
Detection: [] OperatingSystem: Windows
Resources: Full Path:
- https://twitter.com/pabraeken/status/998567549670477824 - path: c:\windows\system32\mshtml.dll
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken - path: c:\windows\syswow64\mshtml.dll
Code Sample:
- ''
Detection: []
Resources:
- resource: https://twitter.com/pabraeken/status/998567549670477824
- resource: https://windows10dll.nirsoft.net/mshtml_dll.html
Acknowledgment:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'

43
yml/OSLibraries/Pcwutl.yml
View File

@ -1,17 +1,26 @@
--- ---
Name: Pcwutl.dll Name: Pcwutl.dll
Description: Execute Description: Microsoft HTML Viewer
Author: '' Author: ''
Created: '2018-05-25' Created: '2018-05-25'
Categories: [] Commands:
Commands: - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe
- Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe Description: Launch executable by calling the LaunchApplication function.
Description: Launch executable by calling the LaunchApplication function. Usecase: Launch an executable.
Full Path: Category: Execution
- c:\windows\system32\Pcwutl.dll Privileges: User
- c:\windows\sysWOW64\Pcwutl.dll MitreID: T1085
Code Sample: [] MItreLink: https://attack.mitre.org/wiki/Technique/T1085
Detection: [] OperatingSystem: Windows
Resources: Full Path:
- https://twitter.com/harr0ey/status/989617817849876488 - path: c:\windows\system32\pcwutl.dll
Notes: Thanks to Matt harr0ey - @harr0ey - path: c:\windows\syswow64\pcwutl.dll
Code Sample:
- ''
Detection: []
Resources:
- resource: https://twitter.com/harr0ey/status/989617817849876488
- resource: https://windows10dll.nirsoft.net/pcwutl_dll.html
Acknowledgment:
- Person: Matt harr0ey
Handle: '@harr0ey'

69
yml/OSLibraries/Setupapi.yml
View File

@ -1,25 +1,44 @@
--- ---
Name: Setupapi.dll Name: Setupapi.dll
Description: Execute Description: Windows Setup Application Programming Interface
Author: '' Author: ''
Created: '2018-05-25' Created: '2018-05-25'
Categories: [] Commands:
Commands: - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf
- Command: rundll32 setupapi,InstallHinfSection DefaultInstall 132 c:\temp\calc.inf Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. Usecase: Run local or remote script(let) code through INF file specification.
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\shady.inf Category: AWL Bypass
Description: Remote fetch and execute a COM Scriptlet by calling an information file directive. Privileges: User
Full Path: MitreID: T1085
- c:\windows\system32\Setupapi.dll MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- c:\windows\sysWOW64\Setupapi.dll OperatingSystem: Windows
Code Sample: - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
- https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
- https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct Usecase: Load an executable payload.
- https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf Category: Execution
Detection: [] Privileges: User
Resources: MitreID: T1085
- https://twitter.com/pabraeken/status/994742106852941825 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- https://twitter.com/subTee/status/951115319040356352 OperatingSystem: Windows
- https://twitter.com/KyleHanslovan/status/911997635455852544 Full Path:
- https://github.com/huntresslabs/evading-autoruns - path: c:\windows\system32\setupapi.dll
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Executable), Kyle Hanslovan - @KyleHanslovan (COM Scriptlet), Huntress Labs - @HuntressLabs (COM Scriptlet), Casey Smith - @subTee (COM Scriptlet) - path: c:\windows\syswow64\setupapi.dll
Code Sample:
- https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
- https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
- https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct
- https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
Detection: []
Resources:
- resource: https://github.com/huntresslabs/evading-autoruns
- resource: https://twitter.com/pabraeken/status/994742106852941825
- resource: https://windows10dll.nirsoft.net/setupapi_dll.html
Acknowledgment:
- Person: Kyle Hanslovan (COM Scriptlet)
Handle: '@KyleHanslovan'
- Person: Huntress Labs (COM Scriptlet)
Handle: '@HuntressLabs'
- Person: Casey Smith (COM Scriptlet)
Handle: '@subTee'
- Person: Nick Carr (Threat Intel)
Handle: @ItsReallyNick

52
yml/OSLibraries/Shdocvw.yml
View File

@ -1,22 +1,30 @@
--- ---
Name: Shdocvw.dll Name: Shdocvw.dll
Description: Execute Description: Shell Doc Object and Control Library.
Author: '' Author: ''
Created: '2018-05-25' Created: '2018-05-25'
Categories: [] Commands:
Commands: - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
- Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url" Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
- Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.zz" Category: Execution
Description: Renamed URL file. Privileges: User
Full Path: MitreID: T1085
- c:\windows\system32\Shdocvw.dll MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- c:\windows\sysWOW64\Shdocvw.dll OperatingSystem: Windows
Code Sample: Full Path:
- https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url - path: c:\windows\system32\shdocvw.dll
Detection: [] - path: c:\windows\syswow64\shdocvw.dll
Resources: Code Sample:
- http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ - https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
- https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ Detection: []
- https://twitter.com/bohops/status/997690405092290561 Resources:
Notes: Thanks to Adam - @hexacorn, Jimmy - @bohops - resource: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
- resource: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
- resource: https://twitter.com/bohops/status/997690405092290561
- resource: https://windows10dll.nirsoft.net/shdocvw_dll.html
Acknowledgment:
- Person: Adam
Handle: '@hexacorn'
- Person: Jimmy
Handle: '@bohops'

72
yml/OSLibraries/Shell32.yml
View File

@ -1,24 +1,48 @@
--- ---
Name: Shell32.dll Name: Shell32.dll
Description: Execute Description: Windows Shell Common Dll
Author: '' Author: ''
Created: '2018-05-25' Created: '2018-05-25'
Categories: [] Commands:
Commands: - Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll
- Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll Description: Launch a DLL payload by calling the Control_RunDLL function.
Description: Launch DLL payload. Usecase: Load a DLL payload.
- Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe Category: Execution
Description: Launch executable payload. Privileges: User
- Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi" MitreID: T1085
Description: Launch executable payload with arguments. MItreLink: https://attack.mitre.org/wiki/Technique/T1085
Full Path: OperatingSystem: Windows
- c:\windows\system32\shell32.dll - Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
- c:\windows\sysWOW64\shell32.dll Description: Launch an executable by calling the ShellExec_RunDLL function.
Code Sample: [] Usecase: Run an executable payload.
Detection: [] Category: Execution
Resources: Privileges: User
- https://twitter.com/Hexacorn/status/885258886428725250 MitreID: T1085
- https://twitter.com/pabraeken/status/991768766898941953 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- https://twitter.com/mattifestation/status/776574940128485376 - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"
- https://twitter.com/KyleHanslovan/status/905189665120149506 Description: Launch command line by calling the ShellExec_RunDLL function.
Notes: Thanks to Adam - @hexacorn (Control_RunDLL), Pierre-Alexandre Braeken - @pabraeken (ShellExec_RunDLL), Matt Graeber - @mattifestation (ShellExec_RunDLL), Kyle Hanslovan - @KyleHanslovan (ShellExec_RunDLL) Usecase: Run an executable payload.
Category: Execution
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
Full Path:
- path: c:\windows\system32\shell32.dll
- path: c:\windows\syswow64\shell32.dll
Code Sample: []
Detection: []
Resources:
- resource: https://twitter.com/Hexacorn/status/885258886428725250
- resource: https://twitter.com/pabraeken/status/991768766898941953
- resource: https://twitter.com/mattifestation/status/776574940128485376
- resource: https://twitter.com/KyleHanslovan/status/905189665120149506
- resource: https://windows10dll.nirsoft.net/shell32_dll.html
Acknowledgment:
- Person: Adam (Control_RunDLL)
Handle: '@hexacorn'
- Person: Pierre-Alexandre Braeken (ShellExec_RunDLL)
Handle: '@pabraeken'
- Person: Matt Graeber (ShellExec_RunDLL)
Handle: '@mattifestation'
- Person: Kyle Hanslovan (ShellExec_RunDLL)
Handle: '@KyleHanslovan'

66
yml/OSLibraries/Syssetup.yml
View File

@ -1,24 +1,42 @@
--- ---
Name: Syssetup.dll Name: Syssetup.dll
Description: Execute Description: Windows NT System Setup
Author: '' Author: ''
Created: '2018-05-25' Created: '2018-05-25'
Categories: [] Commands:
Commands: - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf
- Command: rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\calc.INF Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive. Usecase: Run local or remote script(let) code through INF file specification (Note: May pop an error window).
- Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\\test\\shady.inf Category: AWL Bypass
Description: Remote fetch and execute a COM Scriptlet by calling an information file directive. Privileges: User
Full Path: MitreID: T1085
- c:\windows\system32\Syssetup.dll MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- c:\windows\sysWOW64\Syssetup.dll OperatingSystem: Windows
Code Sample: - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
- https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
- https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct Usecase: Load an executable payload.
- https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf Category: Execution
Detection: [] Privileges: User
Resources: MitreID: T1085
- https://twitter.com/pabraeken/status/994392481927258113 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- https://twitter.com/harr0ey/status/975350238184697857 OperatingSystem: Windows
- https://twitter.com/bohops/status/975549525938135040 Full Path:
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Execute), Matt harr0ey - @harr0ey (Execute), Jimmy - @bohops (COM Scriptlet) - path: c:\windows\system32\syssetup.dll
- path: c:\windows\syswow64\syssetup.dll
Code Sample:
- https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
- https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
- https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415
Detection: []
Resources:
- resource: https://twitter.com/pabraeken/status/994392481927258113
- resource: https://twitter.com/harr0ey/status/975350238184697857
- resource: https://twitter.com/bohops/status/975549525938135040
- resource: https://windows10dll.nirsoft.net/syssetup_dll.html
Acknowledgment:
- Person: Pierre-Alexandre Braeken (Execute)
Handle: '@pabraeken'
- Person: Matt harr0ey (Execute)
Handle: '@harr0ey'
- Person: Jimmy (Scriptlet)
Handle: '@bohops'

108
yml/OSLibraries/Url.yml
View File

@ -1,33 +1,75 @@
--- ---
Name: Url.dll Name: Url.dll
Description: Execute Description: Internet Shortcut Shell Extension DLL.
Author: '' Author: ''
Created: '2018-05-25' Created: '2018-05-25'
Categories: [] Commands:
Commands: - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
- Command: rundll32.exe url.dll,OpenURL "C:\\test\\calc.hta" Description: Launch a HTML application payload by calling OpenURL.
Description: Launch a HTML application payload by calling OpenURL. Usecase: Invoke an HTML Application via mshta.exe (Default Handler).
- Command: rundll32.exe url.dll,OpenURL "C:\\test\\calc.url" Category: Execution
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. Privileges: User
- Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e MitreID: T1085
Description: Launch an executable payload by calling OpenURL. MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- Command: rundll32.exe url.dll,FileProtocolHandler calc.exe OperatingSystem: Windows
Description: Launch an executable payload by calling FileProtocolHandler. - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url"
- Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
Description: Launch a HTML application payload by calling FileProtocolHandler. Usecase: Load an executable payload by calling a .url file with or without quotes.
- Command: rundll32 url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Category: Execution
Description: Launch an executable payload by calling FileProtocolHandler. Privileges: User
MitreID: T1085
Full Path: MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- c:\windows\system32\url.dll OperatingSystem: Windows
- c:\windows\sysWOW64\url.dll - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Code Sample: Description: Launch an executable by calling OpenURL.
- https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
Detection: [] Category: Execution
Resources: Privileges: User
- https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ MitreID: T1085
- https://twitter.com/bohops/status/974043815655956481 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- https://twitter.com/DissectMalware/status/995348436353470465 OperatingSystem: Windows
- https://twitter.com/yeyint_mth/status/997355558070927360 - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe
- https://twitter.com/Hexacorn/status/974063407321223168 Description: Launch an executable by calling FileProtocolHandler.
Notes: Thanks to Jimmy - @bohops (OpenURL), Adam - @hexacorn (OpenURL), Malwrologist - @DissectMalware (FileProtocolHandler - HTA), r0lan - @yeyint_mth (Obfuscation) Usecase: Launch an executable.
Category: Execution
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
- Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable by calling FileProtocolHandler.
Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
Category: Execution
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
- Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
Description: Launch a HTML application payload by calling FileProtocolHandler.
Usecase: Invoke an HTML Application via mshta.exe (Default Handler).
Category: Execution
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
Full Path:
- path: c:\windows\system32\url.dll
- path: c:\windows\syswow64\url.dll
Code Sample: []
Detection: []
Resources:
- resource: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
- resource: https://twitter.com/DissectMalware/status/995348436353470465
- resource: https://twitter.com/bohops/status/974043815655956481
- resource: https://twitter.com/yeyint_mth/status/997355558070927360
- resource: https://twitter.com/Hexacorn/status/974063407321223168
- resource: https://windows10dll.nirsoft.net/url_dll.html
Acknowledgment:
- Person: Adam (OpenURL)
Handle: '@hexacorn'
- Person: Jimmy (OpenURL)
Handle: '@bohops'
- Person: Malwrologist (FileProtocolHandler - HTA)
Handle: '@DissectMalware'
- Person: r0lan (Obfuscation)
Handle: '@r0lan'

57
yml/OSLibraries/Zipfldr.yml
View File

@ -1,20 +1,37 @@
--- ---
Name: Zipfldr.dll Name: Zipfldr.dll
Description: Execute Description: Compressed Folder library
Author: '' Author: ''
Created: '2018-05-25' Created: '2018-05-25'
Categories: [] Commands:
Commands: - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe
- Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe Description: Launch an executable payload by calling RouteTheCall.
Description: Launch an executable payload by calling RouteTheCall. Usecase: Launch an executable.
- Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Category: Execution
Description: Launch an executable payload by calling RouteTheCall. Privileges: User
Full Path: MitreID: T1085
- c:\windows\system32\zipfldr.dll MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- c:\windows\sysWOW64\zipfldr.dll OperatingSystem: Windows
Code Sample: [] - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Detection: [] Description: Launch an executable payload by calling RouteTheCall (obfuscated).
Resources: Usecase: Launch an executable.
- https://twitter.com/moriarty_meng/status/977848311603380224 Category: Execution
- https://twitter.com/bohops/status/997896811904929792 Privileges: User
Notes: Thanks to Moriarty - @moriarty_meng (Execute), r0lan - @yeyint_mth (Obfuscation) MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
Full Path:
- path: c:\windows\system32\zipfldr.dll
- path: c:\windows\syswow64\zipfldr.dll
Code Sample:
- ''
Detection: []
Resources:
- resource: https://twitter.com/moriarty_meng/status/977848311603380224
- resource: https://twitter.com/bohops/status/997896811904929792
- resource: https://windows10dll.nirsoft.net/zipfldr_dll.html
Acknowledgment:
- Person: Moriarty (Execution)
Handle: '@moriarty_meng'
- Person: r0lan (Obfuscation)
Handle: '@r0lan'