public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-26 06:49:09 +01:00
Code Issues Projects Releases Wiki Activity

Update Advpack.yml

Browse Source
This commit is contained in:
bohops 2018-09-24 13:42:17 -04:00 committed by GitHub
parent 26f5d809c4
commit f9d4581396
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
yml/OSLibraries/Advpack.yml
View File

@ -6,7 +6,7 @@ Created: '2018-05-25'
Commands:
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
Usecase: Run local or remote script(let) code through INF file specification.
UseCase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
Privileges: User
MitreID: T1085
@ -14,7 +14,7 @@ Commands:
OperatingSystem: Windows
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
Usecase: Run local or remote script(let) code through INF file specification.
UseCase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
Privileges: User
MitreID: T1085
@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows
- Command: rundll32.exe advpack.dll,RegisterOCX test.dll
Description: Launch a DLL payload by calling the RegisterOCX function.
Usecase: Load a DLL payload.
UseCase: Load a DLL payload.
Category: Execution
Privileges: User
MitreID: T1085
@ -30,25 +30,26 @@ Commands:
OperatingSystem: Windows
- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
Description: Launch an executable by calling the RegisterOCX function.
Usecase: Run an executable payload.
UseCase: Run an executable payload.
Category: Execution
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Description: Launch command line by calling the RegisterOCX function.
Usecase: Run an executable payload.
UseCase: Run an executable payload.
Category: Execution
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
Full Path:
- path: c:\windows\system32\advpack.dll
- path: c:\windows\syswow64\advpack.dll
- Path: c:\windows\system32\advpack.dll
- Path: c:\windows\syswow64\advpack.dll
Code Sample:
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
Detection: []
Detection:
- IOC: ''
Resources:
- Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
- Link: https://twitter.com/ItsReallyNick/status/967859147977850880