2018-04-25 21:39:31 +00:00
|
|
|
## Ieadvpack.dll
|
|
|
|
|
|
|
|
|
|
* Functions: Execute
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
rundll32.exe ieadvpack.dll,LaunchINFSection test.inf,,1,
|
2018-05-02 15:33:30 +00:00
|
|
|
|
2018-05-04 06:03:15 +00:00
|
|
|
rundll32.exe IEAdvpack.dll,RegisterOCX calc.exe
|
2018-05-02 15:07:56 +00:00
|
|
|
```
|
|
|
|
|
|
2018-04-25 21:39:31 +00:00
|
|
|
Acknowledgements:
|
2018-05-02 15:07:56 +00:00
|
|
|
* Pierre-Alexandre Braeken - @pabraeken (RegisterOCX)
|
2018-05-02 15:33:30 +00:00
|
|
|
* Jimmy - @bohops
|
2018-04-25 21:39:31 +00:00
|
|
|
|
|
|
|
|
Code sample:
|
|
|
|
|
* [Ieadvpack.inf](https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Ieadvpack.inf)
|
|
|
|
|
* [Ieadvpack_calc.sct](https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Ieadvpack_calc.sct)
|
|
|
|
|
|
|
|
|
|
Resources:
|
2018-05-02 15:07:56 +00:00
|
|
|
* https://twitter.com/pabraeken/status/991695411902599168
|
2018-05-02 15:33:30 +00:00
|
|
|
* https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
|
2018-04-25 21:39:31 +00:00
|
|
|
|
|
|
|
|
Full path:
|
|
|
|
|
```
|
|
|
|
|
c:\windows\system32\ieadvpack.dll
|
|
|
|
|
c:\windows\sysWOW64\ieadvpack.dll
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Notes:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Detection:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
