mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-10-23 00:58:42 +02:00
23dd0236ae
* Add detection links for scripts * Add detection links for OtherMSBins. Fixed and updated as needed. * Add detection links for MSBins. Fixed and updated as needed. * Add detection links for oslibraries * Updating template for Detections * Removing empty Detection:Sigma entries * Remove redundant blank line * Replacing commit URL with file URL Co-authored-by: root <root@DESKTOP-5CR935D.localdomain> Co-authored-by: Wietze <wietze@users.noreply.github.com>
32 lines
1.4 KiB
YAML
32 lines
1.4 KiB
YAML
---
|
|
Name: Shdocvw.dll
|
|
Description: Shell Doc Object and Control Library.
|
|
Author:
|
|
Created: 2018-05-25
|
|
Commands:
|
|
- Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
|
|
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
|
|
Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
|
|
Category: Execute
|
|
Privileges: User
|
|
MitreID: T1218.011
|
|
OperatingSystem: Windows
|
|
Full_Path:
|
|
- Path: c:\windows\system32\shdocvw.dll
|
|
- Path: c:\windows\syswow64\shdocvw.dll
|
|
Code_Sample:
|
|
- Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
|
|
Detection:
|
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
|
Resources:
|
|
- Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
|
|
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
|
- Link: https://twitter.com/bohops/status/997690405092290561
|
|
- Link: https://windows10dll.nirsoft.net/shdocvw_dll.html
|
|
Acknowledgement:
|
|
- Person: Adam
|
|
Handle: '@hexacorn'
|
|
- Person: Jimmy
|
|
Handle: '@bohops'
|
|
---
|