Running programs via Proxy & jumping on a EDR-bypass trampoline, Part 5


After I posted it bohops provided one more variant:

rundll32.exe shdocvw.dll, OpenURL [path to file.url]


Old Post

This is nothing new, but just documenting for the sake of documenting.

It crossed my mind to look for all the DLLs that refer to OpenURL – an API that is exported by the url.dll – which is used to launch URLs (and was a subject of the first part of the series). I quickly discovered that ieframe.dll also exports identically named function; a quick googling around followed and I noticed it was a subject to previous analysis (CVE-2016-3353) – as a result, the vulnerability that allowed remote execution of code was patched.

Still, the built-in functionality can help to launch other programs via proxy e.g. using the .url file:


and running:

rundll32 ieframe.dll, OpenURL <path to local URL file>

will launch calculator.