Advpack.dll

Utility for installing software and drivers with rundll32.exe


Paths:


Resources:
https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
https://twitter.com/ItsReallyNick/status/967859147977850880
https://twitter.com/bohops/status/974497123101179904
https://twitter.com/moriarty_meng/status/977848311603380224

Acknowledgement:


Detection:



AWL bypass

Execute the specified (local or remote) .wsh/.sct script via scrobj.dll, as referenced in the .inf file, by calling an information file directive (the section name is given explicitly).
rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
Usecase:
Privileges required:User
OS:Windows
Mitre:T1085



Execute the specified (local or remote) .wsh/.sct script via scrobj.dll, as referenced in the .inf file, by calling an information file directive (the section name is left empty, so the DefaultInstall section is implied).
rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,
Usecase:
Privileges required:User
OS:Windows
Mitre:T1085



Execute

Launch a DLL payload by calling the RegisterOCX function.
rundll32.exe advpack.dll,RegisterOCX test.dll
Usecase:
Privileges required:User
OS:Windows
Mitre:T1085



Launch an executable by calling the RegisterOCX function.
rundll32.exe advpack.dll,RegisterOCX calc.exe
Usecase:
Privileges required:User
OS:
Mitre:T1085



Launch a command line by calling the RegisterOCX function.
rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Usecase:
Privileges required:User
OS:
Mitre:T1085
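The Detection section above is empty, so here is an added detection example (written for this page, not part of the LOLBAS project's own tooling) that covers all of the command shapes listed on this page: rundll32.exe invoking the LaunchINFSection and RegisterOCX exports of advpack.dll. It runs over constructed process-creation events using Sysmon-style Image and CommandLine fields; the event records, the severity labels and the treatment of UNC/URL INF paths as "remote" are assumptions of this example, not data from the page. It extracts the INF path and section (falling back to DefaultInstall when the section is empty, as the page describes) and rates RegisterOCX calls whose target is not a .dll as higher severity, since the page shows that shape launching executables and full command lines.

```python
import re
from typing import Optional

# rundll32 takes "<dll>,<export> <args>"; the page shows both "advpack.dll,Export"
# and "advpack.dll, Export", so allow whitespace around the comma. Matching is
# case-insensitive on purpose: for detection a false positive is cheaper than a miss.
ADVPACK_CALL = re.compile(
    r'(?:^|\s|")(?P<dll>[^\s"]*advpack(?:\.dll)?)\s*,\s*'
    r'(?P<export>LaunchINFSection|RegisterOCX)\b\s*(?P<args>.*)$',
    re.IGNORECASE,
)

# Constructed sample events (hypothetical, not real telemetry). The command lines
# mirror the ones listed on this page plus two benign controls and one UNC variant.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe advpack.dll,RegisterOCX test.dll"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"'},
    {"Image": r"C:\Windows\System32\rundll32.exe",  # constructed: INF fetched from a UNC share
     "CommandLine": r"rundll32.exe advpack.dll,LaunchINFSection \\fileserver\share\setup.inf,,1,"},
    {"Image": r"C:\Windows\System32\rundll32.exe",  # benign control: different DLL
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\notepad.exe",  # benign control: not rundll32
     "CommandLine": r"notepad.exe advpack.dll,RegisterOCX"},
]


def is_remote(path: str) -> bool:
    """Treat UNC paths and URLs as remote INF sources (assumption of this example)."""
    return re.match(r"^(?:https?:|ftp:|\\\\)", path, re.IGNORECASE) is not None


def analyze_rundll32_event(image: str, command_line: str) -> Optional[dict]:
    """Return a finding if rundll32 calls advpack.dll!LaunchINFSection or
    advpack.dll!RegisterOCX, otherwise None."""
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe != "rundll32.exe":
        return None
    m = ADVPACK_CALL.search(command_line)
    if not m:
        return None
    export = m.group("export")
    args = m.group("args").strip()
    finding = {"export": export, "args": args, "remote": False, "severity": "medium"}

    if export.lower() == "launchinfsection":
        # Argument layout from the page: "<inf path>,<section>,<flags>,"
        parts = args.split(",")
        inf_path = parts[0].strip().strip('"')
        section = parts[1].strip() if len(parts) > 1 and parts[1].strip() else "DefaultInstall"
        finding.update({"inf_path": inf_path, "section": section, "remote": is_remote(inf_path)})
    else:
        # RegisterOCX: the page shows it launching a DLL, an executable, or a whole
        # command line. Anything that is not a .dll is the more suspicious shape.
        target = args.strip('"')
        finding["target"] = target
        if not target.lower().endswith(".dll"):
            finding["severity"] = "high"

    if finding["remote"]:
        finding["severity"] = "high"
    return finding


def scan_events(events: list) -> list:
    """Run the analyzer over a list of events and keep only the findings."""
    findings = []
    for event in events:
        finding = analyze_rundll32_event(event["Image"], event["CommandLine"])
        if finding is not None:
            finding["command_line"] = event["CommandLine"]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['export']}: {f['command_line']}")
```

The regex keys on the DLL name and export rather than the process name alone, so the same rule flags a full path to advpack.dll or the name without its extension; pairing this with a Sysmon ImageLoad rule for advpack.dll in rundll32.exe would catch renamed-binary variants that a command-line match alone misses.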