LOLBAS/yml/OSLibraries/Url.yml
frack113 4f83231697
Update old sigma link (#303)
* Update SigmaHQ ref

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>

* Update SigmaHQ ref

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>

* Update SigmaHq ref

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>

* Update SigmaHq ref

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>

---------

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-10-18 11:30:34 -04:00

72 lines
3.1 KiB
YAML

---
Name: Url.dll
Description: Internet Shortcut Shell Extension DLL.
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
Description: Launch a HTML application payload by calling OpenURL.
Usecase: Invoke an HTML Application via mshta.exe (Default Handler).
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url"
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
Usecase: Load an executable payload by calling a .url file with or without quotes.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable by calling OpenURL.
Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe url.dll,FileProtocolHandler calc.exe
Description: Launch an executable by calling FileProtocolHandler.
Usecase: Launch an executable.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable by calling FileProtocolHandler.
Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
Description: Launch a HTML application payload by calling FileProtocolHandler.
Usecase: Invoke an HTML Application via mshta.exe (Default Handler).
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\url.dll
- Path: c:\windows\syswow64\url.dll
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
Resources:
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
- Link: https://twitter.com/DissectMalware/status/995348436353470465
- Link: https://twitter.com/bohops/status/974043815655956481
- Link: https://twitter.com/yeyint_mth/status/997355558070927360
- Link: https://twitter.com/Hexacorn/status/974063407321223168
- Link: https://windows10dll.nirsoft.net/url_dll.html
Acknowledgement:
- Person: Adam (OpenURL)
Handle: '@hexacorn'
- Person: Jimmy (OpenURL)
Handle: '@bohops'
- Person: Malwrologist (FileProtocolHandler - HTA)
Handle: '@DissectMalware'
- Person: r0lan (Obfuscation)
Handle: '@r0lan'