mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-28 15:58:24 +01:00
23dd0236ae
* Add detection links for scripts * Add detection links for OtherMSBins. Fixed and updated as needed. * Add detection links for MSBins. Fixed and updated as needed. * Add detection links for oslibraries * Updating template for Detections * Removing empty Detection:Sigma entries * Remove redundant blank line * Replacing commit URL with file URL Co-authored-by: root <root@DESKTOP-5CR935D.localdomain> Co-authored-by: Wietze <wietze@users.noreply.github.com>
61 lines
2.9 KiB
YAML
61 lines
2.9 KiB
YAML
---
|
|
Name: Ieadvpack.dll
|
|
Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.
|
|
Author:
|
|
Created: 2018-05-25
|
|
Commands:
|
|
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
|
|
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
|
|
Usecase: Run local or remote script(let) code through INF file specification.
|
|
Category: AWL Bypass
|
|
Privileges: User
|
|
MitreID: T1218.011
|
|
OperatingSystem: Windows
|
|
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,
|
|
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
|
|
Usecase: Run local or remote script(let) code through INF file specification.
|
|
Category: AWL Bypass
|
|
Privileges: User
|
|
MitreID: T1218.011
|
|
OperatingSystem: Windows
|
|
- Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
|
|
Description: Launch a DLL payload by calling the RegisterOCX function.
|
|
Usecase: Load a DLL payload.
|
|
Category: Execute
|
|
Privileges: User
|
|
MitreID: T1218.011
|
|
OperatingSystem: Windows
|
|
- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
|
|
Description: Launch an executable by calling the RegisterOCX function.
|
|
Usecase: Run an executable payload.
|
|
Category: Execute
|
|
Privileges: User
|
|
MitreID: T1218.011
|
|
- Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
|
|
Description: Launch command line by calling the RegisterOCX function.
|
|
Usecase: Run an executable payload.
|
|
Category: Execute
|
|
Privileges: User
|
|
MitreID: T1218.011
|
|
Full_Path:
|
|
- Path: c:\windows\system32\ieadvpack.dll
|
|
- Path: c:\windows\syswow64\ieadvpack.dll
|
|
Code_Sample:
|
|
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf
|
|
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct
|
|
Detection:
|
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
|
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
|
|
Resources:
|
|
- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
|
|
- Link: https://twitter.com/pabraeken/status/991695411902599168
|
|
- Link: https://twitter.com/0rbz_/status/974472392012689408
|
|
Acknowledgement:
|
|
- Person: Jimmy (LaunchINFSection)
|
|
Handle: '@bohops'
|
|
- Person: Fabrizio (RegisterOCX - DLL)
|
|
Handle: '@0rbz_'
|
|
- Person: Pierre-Alexandre Braeken (RegisterOCX - CMD)
|
|
Handle: '@pabraeken'
|
|
---
|