LOLBAS/yml/OSLibraries/Advpack.yml
frack113 4f83231697
Update old sigma link (#303)
* Update SigmaHQ ref

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>

* Update SigmaHQ ref

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>

* Update SigmaHq ref

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>

* Update SigmaHq ref

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>

---------

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-10-18 11:30:34 -04:00

65 lines
3.1 KiB
YAML

---
Name: Advpack.dll
Description: Utility for installing software and drivers with rundll32.exe
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
Usecase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
Usecase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe advpack.dll,RegisterOCX test.dll
Description: Launch a DLL payload by calling the RegisterOCX function.
Usecase: Load a DLL payload.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
Description: Launch an executable by calling the RegisterOCX function.
Usecase: Run an executable payload.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
- Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Description: Launch command line by calling the RegisterOCX function.
Usecase: Run an executable payload.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\advpack.dll
- Path: c:\windows\syswow64\advpack.dll
Code_Sample:
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
Resources:
- Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
- Link: https://twitter.com/ItsReallyNick/status/967859147977850880
- Link: https://twitter.com/bohops/status/974497123101179904
- Link: https://twitter.com/moriarty_meng/status/977848311603380224
Acknowledgement:
- Person: Jimmy (LaunchINFSection)
Handle: '@bohops'
- Person: Fabrizio (RegisterOCX - DLL)
Handle: '@0rbz_'
- Person: Moriarty (RegisterOCX - CMD)
Handle: '@moriarty_meng'
- Person: Nick Carr (Threat Intel)
Handle: '@ItsReallyNick'