Found a couple of interesting DLL exports while hunting for LOLBAS. Most of these have not been documented as far as I know. There are potentially a lot more out there, the system was behaving strangely when enumerating the list of exports. Unfortunately, I do not know of a good way to determine the effect a command has on a system. It is trivial for obvious cases like logoff or reboot, or if the export name is descriptive, e.g. DnsFlushResolverCache. It can be challenging in other cases.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17 | # Logoff
rundll32 userinitext.dll,ProcesRemoteSessionInitialCommand
# Reboot
rundll32 BdeHdCfgLib.dll,BdeCfgRestart
# ipconfig /flushdns
rundll32 dnsapi.dll,DnsFlushResolverCache
# App incompatibility warning message - Text injection/Content Spoofing
rundll32 FirewallControlPanel.dll,ShowWarningDialog C:\Windows\System32\T3xt_1nj3ct10n.exe
rundll32 FirewallControlPanel.dll,ShowWarningDialog C:\Windows\System32\cmd.exe
rundll32 FirewallControlPanel.dll,ShowWarningDialog "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1911.3-0\MsMpEng.exe"
# Install inf files
# Have not been able to weaponize it
rundll32 printui.dll,PrintUIEntry
|