Advpack | LOLBAS

AWL bypass

Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).

rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,

Use case: Run local or remote script(let) code through INF file specification.

Privileges required: User

Operating systems: Windows 10, Windows 11

ATT&CK® technique: T1218.011

Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).

rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,

Use case: Run local or remote script(let) code through INF file specification.

Privileges required: User

Operating systems: Windows 10, Windows 11

ATT&CK® technique: T1218.011

Tags: Input: INF
This function was tagged with "Input: INF".

Execute

Launch a DLL payload by calling the RegisterOCX function.

rundll32.exe advpack.dll,RegisterOCX test.dll

Use case: Load a DLL payload.

Privileges required: User

Operating systems: Windows 10, Windows 11

ATT&CK® technique: T1218.011

Tags: Execute: DLL
This LOLBAS executes Dynamic-Link Libraries (DLLs).

Launch an executable by calling the RegisterOCX function.

rundll32.exe advpack.dll,RegisterOCX calc.exe

Use case: Run an executable payload.

Privileges required: User

Operating systems: Windows 10, Windows 11

ATT&CK® technique: T1218.011

Launch command line by calling the RegisterOCX function.

rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"

Use case: Run an executable payload.

Privileges required: User

Operating systems: Windows 10, Windows 11

ATT&CK® technique: T1218.011

.. /Advpack.dll Star

AWL bypass

Execute

.. /Advpack.dll
Star