public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-01-27 22:10:20 +01:00
Code Issues Projects Releases Wiki Activity

Update Url.yml

Browse Source
This commit is contained in:
bohops 2018-09-24 14:34:40 -04:00 committed by GitHub
parent 9c3dbada06
commit d045db1755
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 20 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
yml/OSLibraries/Url.yml
View File

@ -6,7 +6,7 @@ Created: '2018-05-25'
Commands: Commands:
- Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta" - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
Description: Launch a HTML application payload by calling OpenURL. Description: Launch a HTML application payload by calling OpenURL.
Usecase: Invoke an HTML Application via mshta.exe (Default Handler). UseCase: Invoke an HTML Application via mshta.exe (Default Handler).
Category: Execution Category: Execution
Privileges: User Privileges: User
MitreID: T1085 MitreID: T1085
@ -14,7 +14,7 @@ Commands:
OperatingSystem: Windows OperatingSystem: Windows
- Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url" - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url"
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
Usecase: Load an executable payload by calling a .url file with or without quotes. UseCase: Load an executable payload by calling a .url file with or without quotes.
Category: Execution Category: Execution
Privileges: User Privileges: User
MitreID: T1085 MitreID: T1085
@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows OperatingSystem: Windows
- Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable by calling OpenURL. Description: Launch an executable by calling OpenURL.
Usecase: Load an executable payload by specifying the file protocol handler (obfuscated). UseCase: Load an executable payload by specifying the file protocol handler (obfuscated).
Category: Execution Category: Execution
Privileges: User Privileges: User
MitreID: T1085 MitreID: T1085
@ -30,7 +30,7 @@ Commands:
OperatingSystem: Windows OperatingSystem: Windows
- Command: rundll32.exe url.dll,FileProtocolHandler calc.exe - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe
Description: Launch an executable by calling FileProtocolHandler. Description: Launch an executable by calling FileProtocolHandler.
Usecase: Launch an executable. UseCase: Launch an executable.
Category: Execution Category: Execution
Privileges: User Privileges: User
MitreID: T1085 MitreID: T1085
@ -38,7 +38,7 @@ Commands:
OperatingSystem: Windows OperatingSystem: Windows
- Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable by calling FileProtocolHandler. Description: Launch an executable by calling FileProtocolHandler.
Usecase: Load an executable payload by specifying the file protocol handler (obfuscated). UseCase: Load an executable payload by specifying the file protocol handler (obfuscated).
Category: Execution Category: Execution
Privileges: User Privileges: User
MitreID: T1085 MitreID: T1085
@ -46,24 +46,26 @@ Commands:
OperatingSystem: Windows OperatingSystem: Windows
- Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
Description: Launch a HTML application payload by calling FileProtocolHandler. Description: Launch a HTML application payload by calling FileProtocolHandler.
Usecase: Invoke an HTML Application via mshta.exe (Default Handler). UseCase: Invoke an HTML Application via mshta.exe (Default Handler).
Category: Execution Category: Execution
Privileges: User Privileges: User
MitreID: T1085 MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows OperatingSystem: Windows
Full Path: Full Path:
- path: c:\windows\system32\url.dll - Path: c:\windows\system32\url.dll
- path: c:\windows\syswow64\url.dll - Path: c:\windows\syswow64\url.dll
Code Sample: [] Code Sample
Detection: [] - Code: ''
Detection:
- IOC: ''
Resources: Resources:
- resource: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
- resource: https://twitter.com/DissectMalware/status/995348436353470465 - Link: https://twitter.com/DissectMalware/status/995348436353470465
- resource: https://twitter.com/bohops/status/974043815655956481 - Link: https://twitter.com/bohops/status/974043815655956481
- resource: https://twitter.com/yeyint_mth/status/997355558070927360 - Link: https://twitter.com/yeyint_mth/status/997355558070927360
- resource: https://twitter.com/Hexacorn/status/974063407321223168 - Link: https://twitter.com/Hexacorn/status/974063407321223168
- resource: https://windows10dll.nirsoft.net/url_dll.html - Link: https://windows10dll.nirsoft.net/url_dll.html
Acknowledgment: Acknowledgment:
- Person: Adam (OpenURL) - Person: Adam (OpenURL)
Handle: '@hexacorn' Handle: '@hexacorn'
@ -73,3 +75,4 @@ Acknowledgment:
Handle: '@DissectMalware' Handle: '@DissectMalware'
- Person: r0lan (Obfuscation) - Person: r0lan (Obfuscation)
Handle: '@r0lan' Handle: '@r0lan'
---