.. / Url.dll
Star

Internet Shortcut Shell Extension DLL.


Paths:


Resources:
https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
https://twitter.com/DissectMalware/status/995348436353470465
https://twitter.com/bohops/status/974043815655956481
https://twitter.com/yeyint_mth/status/997355558070927360
https://twitter.com/Hexacorn/status/974063407321223168
https://windows10dll.nirsoft.net/url_dll.html

Acknowledgement:
Adam (OpenURL) - @hexacorn
Jimmy (OpenURL) - @bohops
Malwrologist (FileProtocolHandler - HTA) - @DissectMalware
r0lan (Obfuscation) - @r0lan


Detection:



Execute

Launch a HTML application payload by calling OpenURL.
rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
Usecase:
Privileges required:User
OS:Windows
Mitre:T1085



Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
rundll32.exe url.dll,OpenURL "C:\test\calc.url"
Usecase:
Privileges required:User
OS:Windows
Mitre:T1085



Launch an executable by calling OpenURL.
rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Usecase:
Privileges required:User
OS:Windows
Mitre:T1085



Launch an executable by calling FileProtocolHandler.
rundll32.exe url.dll,FileProtocolHandler calc.exe
Usecase:
Privileges required:User
OS:Windows
Mitre:T1085



Launch an executable by calling FileProtocolHandler.
rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Usecase:
Privileges required:User
OS:Windows
Mitre:T1085



Launch a HTML application payload by calling FileProtocolHandler.
rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
Usecase:
Privileges required:User
OS:Windows
Mitre:T1085