Found a couple of interesting DLL exports while hunting for LOLBAS. Most of these have not been documented as far as I know. There are potentially a lot more out there, the system was behaving strangely when enumerating the list of exports. Unfortunately, I do not know of a good way to determine the effect a command has on a system. It is trivial for obvious cases like logoff or reboot, or if the export name is descriptive, e.g. DnsFlushResolverCache. It can be challenging in other cases.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
# Logoff rundll32 userinitext.dll,ProcesRemoteSessionInitialCommand # Reboot rundll32 BdeHdCfgLib.dll,BdeCfgRestart # ipconfig /flushdns rundll32 dnsapi.dll,DnsFlushResolverCache # App incompatibility warning message - Text injection/Content Spoofing rundll32 FirewallControlPanel.dll,ShowWarningDialog C:\Windows\System32\T3xt_1nj3ct10n.exe rundll32 FirewallControlPanel.dll,ShowWarningDialog C:\Windows\System32\cmd.exe rundll32 FirewallControlPanel.dll,ShowWarningDialog "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1911.3-0\MsMpEng.exe" # Install inf files # Have not been able to weaponize it rundll32 printui.dll,PrintUIEntry