Keypoints
- LOLBins such as msiexec, rundll32, regsvr32, netsh, control.exe, register-cimprovider, and mavinject can load and execute a DLL reverse shell.
- msfvenom is used to build a 64-bit Windows reverse-TCP DLL payload (shell.dll) for delivery.
- A listener (rlwrap nc -lvnp 1234) must be active on the attacker host to receive the reverse shell.
- Detect suspicious behavior by alerting on outbound connections from trusted Windows binaries and DLL loads from user-writable paths.
- Mitigations include AppLocker/WDAC, Defender ASR rules, command-line auditing, network egress filtering, and limiting SeDebugPrivilege.
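As an added example (not code from the linked article), the two detection ideas above can be turned into simple rules over endpoint telemetry: flag a trusted Windows binary from the LOLBin list that initiates an outbound connection, and flag a DLL image load from a user-writable directory. The script below evaluates Sysmon-style network-connection (Event ID 3) and image-load (Event ID 7) events; the `key=value|key=value` line format, the user-writable path prefixes, and every log line are constructed for illustration and are not real telemetry.

```python
"""Added example (not from the article): evaluates Sysmon-style events against the
two detection ideas in the keypoints: a LOLBin making an outbound connection, and a
DLL loaded from a user-writable path. All sample data below is constructed."""
import re
from dataclasses import dataclass

# Trusted Windows binaries named in the keypoints (lower-case image names).
LOLBINS = {"msiexec.exe", "rundll32.exe", "regsvr32.exe", "netsh.exe",
           "control.exe", "register-cimprovider.exe", "mavinject.exe"}

# Assumed path prefixes a standard user can write to; a signed OS binary has no
# business loading code from here. Matched case-insensitively against lower-cased paths.
USER_WRITABLE = [
    r"^c:\\users\\[^\\]+\\",   # profile dirs incl. Desktop, Downloads, AppData
    r"^c:\\windows\\temp\\",
    r"^c:\\programdata\\",
    r"^c:\\windows\\tasks\\",
]

@dataclass
class Finding:
    rule: str
    image: str
    detail: str

def is_user_writable(path):
    """True if the path sits under one of the assumed user-writable prefixes."""
    p = path.lower()
    return any(re.match(rx, p) for rx in USER_WRITABLE)

def parse_event(line):
    """Parse a constructed 'key=value|key=value' event line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" in part:
            k, v = part.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields

def evaluate(ev):
    """Return a Finding for the first matching rule, or None."""
    image = ev.get("Image", "").lower()
    name = image.rsplit("\\", 1)[-1]
    eid = ev.get("EventID")
    # Rule 1: Event ID 3 (network connection) initiated by a LOLBin to a non-loopback host.
    if eid == "3" and name in LOLBINS and ev.get("Initiated", "").lower() == "true":
        dst = ev.get("DestinationIp", "")
        if not (dst.startswith("127.") or dst == "::1"):
            return Finding("lolbin_outbound", name,
                           f"{dst}:{ev.get('DestinationPort', '')}")
    # Rule 2: Event ID 7 (image loaded) where the DLL comes from a user-writable path.
    if eid == "7":
        loaded = ev.get("ImageLoaded", "")
        if loaded.lower().endswith(".dll") and is_user_writable(loaded):
            return Finding("dll_from_user_writable", name, loaded)
    return None

def scan(lines):
    """Evaluate every non-empty line and return the list of findings in order."""
    return [f for f in (evaluate(parse_event(l)) for l in lines if l.strip()) if f]

# Constructed sample events (not real telemetry). The listener port 1234 mirrors the
# keypoints; the hosts, users and file names are made up.
SAMPLE_LOG = """\
EventID=7|Image=C:\\Windows\\System32\\rundll32.exe|ImageLoaded=C:\\Users\\alice\\Downloads\\shell.dll
EventID=3|Image=C:\\Windows\\System32\\rundll32.exe|Initiated=true|DestinationIp=10.0.0.5|DestinationPort=1234
EventID=7|Image=C:\\Windows\\System32\\rundll32.exe|ImageLoaded=C:\\Windows\\System32\\shell32.dll
EventID=3|Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|Initiated=true|DestinationIp=93.184.216.34|DestinationPort=443
EventID=7|Image=C:\\Windows\\System32\\msiexec.exe|ImageLoaded=C:\\ProgramData\\update\\helper.dll
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.rule}] {f.image} -> {f.detail}")
```

Run as-is it reports three findings: the DLL load from a Downloads folder, the rundll32 connection to port 1234, and the msiexec load from ProgramData; the system32 DLL load and the browser's HTTPS connection pass. In practice both rules belong together with command-line auditing, since the same telemetry shows which DLL path was passed on the command line.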
Read More: https://www.hackingarticles.in/windows-dll-execution-techniques/