LOLBAS/yml/OSLibraries/Syssetup.yml
2018-09-23 22:23:04 -04:00

42 lines
1.9 KiB
YAML

---
Name: Syssetup.dll
Description: Windows NT System Setup
Author: ''
Created: '2018-05-25'
Commands:
- Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
Usecase: Run local or remote script(let) code through INF file specification (Note: May pop an error window).
Category: AWL Bypass
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
Usecase: Load an executable payload.
Category: Execution
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
Full Path:
- path: c:\windows\system32\syssetup.dll
- path: c:\windows\syswow64\syssetup.dll
Code Sample:
- https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
- https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
- https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415
Detection: []
Resources:
- resource: https://twitter.com/pabraeken/status/994392481927258113
- resource: https://twitter.com/harr0ey/status/975350238184697857
- resource: https://twitter.com/bohops/status/975549525938135040
- resource: https://windows10dll.nirsoft.net/syssetup_dll.html
Acknowledgment:
- Person: Pierre-Alexandre Braeken (Execute)
Handle: '@pabraeken'
- Person: Matt harr0ey (Execute)
Handle: '@harr0ey'
- Person: Jimmy (Scriptlet)
Handle: '@bohops'