Shell32.dll

Windows Shell Common Dll


Paths:


Resources:
https://twitter.com/Hexacorn/status/885258886428725250
https://twitter.com/pabraeken/status/991768766898941953
https://twitter.com/mattifestation/status/776574940128485376
https://twitter.com/KyleHanslovan/status/905189665120149506
https://windows10dll.nirsoft.net/shell32_dll.html

Acknowledgement:
Adam (Control_RunDLL) - @hexacorn
Pierre-Alexandre Braeken (ShellExec_RunDLL) - @pabraeken
Matt Graeber (ShellExec_RunDLL) - @mattifestation
Kyle Hanslovan (ShellExec_RunDLL) - @KyleHanslovan


Detection:



Execute

Launch a DLL payload by calling the Control_RunDLL function.
rundll32.exe shell32.dll,Control_RunDLL payload.dll
Usecase:
Privileges required: User
OS: Windows
Mitre: T1085



Launch an executable by calling the ShellExec_RunDLL function.
rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
Usecase:
Privileges required: User
OS:
Mitre: T1085



Launch command line by calling the ShellExec_RunDLL function.
rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"
Usecase:
Privileges required: User
OS:
Mitre: T1085
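
A detection sketch for the three command lines above, added here as an example and not part of the original entry or the project's own tooling. It matches process command lines where rundll32 calls the Control_RunDLL or ShellExec_RunDLL export of shell32.dll. The function name, the severity labels and the ".cpl target is ordinary Control Panel use" heuristic are assumptions, and the last three sample lines are constructed.

```python
import re

# rundll32 calling one of the two shell32.dll exports this page lists.
PATTERN = re.compile(r'''(?ix)
    \brundll32(?:\.exe)?["']?\s+                      # host binary, optional .exe and closing quote
    ["']?(?:[^\s"',]*[\\/])?shell32(?:\.dll)?["']?    # shell32, optional directory prefix
    \s*,\s*(?P<export>Control_RunDLL|ShellExec_RunDLL)\b
    \s*(?P<args>.*)$
''')


def classify(cmdline):
    """Return None when the line does not match, else (export, target, severity).

    Severity is an assumed triage heuristic, not a rule from the page:
    Control_RunDLL followed by a .cpl file is how Control Panel items are
    normally opened, so it is rated "low"; everything else is "high".
    """
    m = PATTERN.search(cmdline)
    if not m:
        return None
    export = m.group("export")
    # First argument token after the export name, with surrounding quotes removed.
    tok = re.match(r'"([^"]*)"|(\S+)', m.group("args").strip())
    target = next((g for g in tok.groups() if g), "") if tok else ""
    benign_cpl = export.lower() == "control_rundll" and target.lower().endswith(".cpl")
    return export, target, "low" if benign_cpl else "high"


SAMPLES = [
    # The three command lines from this page.
    r'rundll32.exe shell32.dll,Control_RunDLL payload.dll',
    r'rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe',
    r'rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"',
    # Constructed lines: two Control Panel launches and an unrelated rundll32 call.
    r'rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl',
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl',
    r'rundll32.exe user32.dll,LockWorkStation',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```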