mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-10-23 00:58:42 +02:00
4f83231697
* Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> --------- Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
46 lines
2.5 KiB
YAML
46 lines
2.5 KiB
YAML
---
|
|
Name: Setupapi.dll
|
|
Description: Windows Setup Application Programming Interface
|
|
Author: LOLBAS Team
|
|
Created: 2018-05-25
|
|
Commands:
|
|
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf
|
|
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
|
|
Usecase: Run local or remote script(let) code through INF file specification.
|
|
Category: AWL Bypass
|
|
Privileges: User
|
|
MitreID: T1218.011
|
|
OperatingSystem: Windows 10, Windows 11
|
|
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf
|
|
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
|
|
Usecase: Load an executable payload.
|
|
Category: Execute
|
|
Privileges: User
|
|
MitreID: T1218.011
|
|
OperatingSystem: Windows
|
|
Full_Path:
|
|
- Path: c:\windows\system32\setupapi.dll
|
|
- Path: c:\windows\syswow64\setupapi.dll
|
|
Code_Sample:
|
|
- Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
|
|
- Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
|
|
- Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct
|
|
- Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
|
|
Detection:
|
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml
|
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
|
|
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml
|
|
Resources:
|
|
- Link: https://github.com/huntresslabs/evading-autoruns
|
|
- Link: https://twitter.com/pabraeken/status/994742106852941825
|
|
- Link: https://windows10dll.nirsoft.net/setupapi_dll.html
|
|
Acknowledgement:
|
|
- Person: Kyle Hanslovan (COM Scriptlet)
|
|
Handle: '@KyleHanslovan'
|
|
- Person: Huntress Labs (COM Scriptlet)
|
|
Handle: '@HuntressLabs'
|
|
- Person: Casey Smith (COM Scriptlet)
|
|
Handle: '@subTee'
|
|
- Person: Nick Carr (Threat Intel)
|
|
Handle: '@ItsReallyNick'
|