~/Privilege Escalation/Windows/Binaries# cat Syssetup.dll.md

Windows NT System Setup

Paths:

c:\windows\system32\syssetup.dll
c:\windows\syswow64\syssetup.dll

Detection:

AWL bypass

Execute the specified (local or remote) .wsh/.sct script via scrobj.dll, as referenced in the .inf file, by calling an information file directive (the section name is given on the command line).

rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf

Execute

Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.

rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
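
A detection check for the two command lines above, as an added example that is not part of the original page: it parses process-creation command lines (for instance from Sysmon Event ID 1 or Security Event 4688), matches rundll32 calling SetupInfObjectInstallAction in syssetup.dll, and extracts the section name and .inf path for triage. The names `inspect`, `scan`, `SAMPLE_EVENTS` and `TRUSTED_INF_DIR` are hypothetical, and treating only `c:\windows\inf\` as a trusted .inf location is an assumption to tune per environment.

```python
import re

# rundll32[.exe] [path\]syssetup[.dll],SetupInfObjectInstallAction <section> <flags> <inf path>
PATTERN = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?:[^\s",]*\\)?syssetup(?:\.dll)?"?\s*,\s*'
    r'SetupInfObjectInstallAction\s+(?P<section>\S+)\s+(?P<flags>\d+)\s+'
    r'"?(?P<inf>[^"]+?)"?\s*$',
    re.IGNORECASE,
)

# Assumption for triage: .inf files outside this directory are user-supplied.
TRUSTED_INF_DIR = "c:\\windows\\inf\\"

def inspect(cmdline):
    """Return parsed fields if the command line matches the technique, else None."""
    m = PATTERN.search(cmdline.strip())
    if m is None:
        return None
    inf = m.group("inf")
    return {
        "section": m.group("section"),
        "flags": int(m.group("flags")),
        "inf": inf,
        "inf_outside_trusted_dir": not inf.lower().startswith(TRUSTED_INF_DIR),
    }

# Constructed sample command lines; the first two are the ones shown on this page.
SAMPLE_EVENTS = [
    r"rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf",
    r"rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf",
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\syssetup.dll,'
    r'SetupInfObjectInstallAction DefaultInstall 128 "C:\Users\Public\a b.inf"',
    r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",  # unrelated rundll32 use
]

def scan(events):
    """Return (command line, parsed fields) for every matching event."""
    return [(e, hit) for e in events if (hit := inspect(e)) is not None]

if __name__ == "__main__":
    for cmd, hit in scan(SAMPLE_EVENTS):
        print(hit, "<-", cmd)
```

Matching is case-insensitive and tolerates a quoted or fully qualified rundll32 and syssetup.dll path, since the DLL is loaded the same way under either spelling.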