Windows Shell Common Dll

Paths:

c:\windows\system32\shell32.dll
c:\windows\syswow64\shell32.dll

Detection:

Execute

Launch a DLL payload by calling the Control_RunDLL function.

rundll32.exe shell32.dll,Control_RunDLL payload.dll

Launch an executable by calling the ShellExec_RunDLL function.

rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe

Launch command line by calling the ShellExec_RunDLL function.

rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"