.. /Shell32.dll

Star

Windows Shell Common Dll

• https://twitter.com/Hexacorn/status/885258886428725250
• https://twitter.com/pabraeken/status/991768766898941953
• https://twitter.com/mattifestation/status/776574940128485376
• https://twitter.com/KyleHanslovan/status/905189665120149506
• https://windows10dll.nirsoft.net/shell32_dll.html

Execute

1. Launch a DLL payload by calling the Control_RunDLL function.

   rundll32.exe shell32.dll,Control_RunDLL c:\path\to\payload.dll

   Use case

   Load a DLL payload.

   Privileges required

   User

   Operating systems

   Windows 10, Windows 11

   ATT&CK® technique

   T1218.011

   Tags

   Execute: DLL

   This LOLBAS executes Dynamic-Link Libraries (DLLs).

2. Launch an executable by calling the ShellExec_RunDLL function.

   rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe

   Use case

   Run an executable payload.

   Privileges required

   User

   Operating systems

   Windows 10, Windows 11

   ATT&CK® technique

   T1218.011

3. Launch command line by calling the ShellExec_RunDLL function.

   rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"

   Use case

   Run an executable payload.

   Privileges required

   User

   Operating systems

   Windows 10, Windows 11

   ATT&CK® technique

   T1218.011