---
Name: Url.dll
Description: Internet Shortcut Shell Extension DLL.
Author:
Created: '2018-05-25'
Commands:
  - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
    Description: Launch a HTML application payload by calling OpenURL.
    UseCase: Invoke an HTML Application via mshta.exe (Default Handler).
    Category: Execute
    Privileges: User
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
    OperatingSystem: Windows
  - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url"
    Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
    UseCase: Load an executable payload by calling a .url file with or without quotes.
    Category: Execute
    Privileges: User
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
    OperatingSystem: Windows
  - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
    Description: Launch an executable by calling OpenURL.
    UseCase: Load an executable payload by specifying the file protocol handler (obfuscated).
    Category: Execute
    Privileges: User
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
    OperatingSystem: Windows
  - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe
    Description: Launch an executable by calling FileProtocolHandler.
    UseCase: Launch an executable.
    Category: Execute
    Privileges: User
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
    OperatingSystem: Windows
  - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
    Description: Launch an executable by calling FileProtocolHandler.
    UseCase: Load an executable payload by specifying the file protocol handler (obfuscated).
    Category: Execute
    Privileges: User
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
    OperatingSystem: Windows
  - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
    Description: Launch a HTML application payload by calling FileProtocolHandler.
    UseCase: Invoke an HTML Application via mshta.exe (Default Handler).
    Category: Execute
    Privileges: User
    MitreID: T1085
    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
    OperatingSystem: Windows
Full_Path:
  - Path: c:\windows\system32\url.dll
  - Path: c:\windows\syswow64\url.dll
Code_Sample:
  - Code:
Detection:
  - IOC:
Resources:
  - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
  - Link: https://twitter.com/DissectMalware/status/995348436353470465
  - Link: https://twitter.com/bohops/status/974043815655956481
  - Link: https://twitter.com/yeyint_mth/status/997355558070927360
  - Link: https://twitter.com/Hexacorn/status/974063407321223168
  - Link: https://windows10dll.nirsoft.net/url_dll.html
Acknowledgement:
  - Person: Adam (OpenURL)
    Handle: '@hexacorn'
  - Person: Jimmy (OpenURL)
    Handle: '@bohops'
  - Person: Malwrologist (FileProtocolHandler - HTA)
    Handle: '@DissectMalware'
  - Person: r0lan (Obfuscation)
    Handle: '@r0lan'
---