From 1202d62c59cdea6715f581f669c833067fce4d6b Mon Sep 17 00:00:00 2001 From: KillrBunn3 Date: Thu, 22 Feb 2024 16:29:05 -0500 Subject: [PATCH] New test: T1218.011 Gamarue tradecraft commandline with rundll32 execution (#2678) * New test: T1218.011 Gamarue tradecraft commandline with rundll32 execution * Update T1218.011.yaml * Update T1218.011.yaml --------- Co-authored-by: Carrie Roberts --- atomics/T1218.011/T1218.011.yaml | 27 +++++++++++++++++++++++++++ atomics/T1218.011/bin/_WT.init | Bin 0 -> 3584 bytes 2 files changed, 27 insertions(+) create mode 100644 atomics/T1218.011/bin/_WT.init
diff --git a/atomics/T1218.011/T1218.011.yaml b/atomics/T1218.011/T1218.011.yaml
index 53d74493..6464ce73 100644
--- a/atomics/T1218.011/T1218.011.yaml
+++ b/atomics/T1218.011/T1218.011.yaml
@@ -295,3 +295,30 @@ atomic_tests:
 copy #{exe_to_launch} not_an_scr.scr
 rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
 cleanup_command: del not_an_scr.scr
+
+- name: Running DLL with .init extension and function
+ description: |
+ This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up.
+ DLL created with the AtomicTestHarnesses Portable Executable Builder script.
+ supported_platforms:
+ - windows
+ input_arguments:
+ dll_file:
+ description: The DLL file to be called
+ type: string
+ default: PathToAtomicsFolder\T1218.011\bin\_WT.init
+ dll_url:
+ description: The URL to the DLL file that must be downloaded
+ type: url
+ default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init
+ dependency_executor_name: powershell
+ dependencies:
+ - description: The DLL file to be called must exist at the specified location (#{dll_file})
+ prereq_command: if (Test-Path "#{dll_file}") {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}"
+ executor:
+ command: |
+ rundll32.exe #{dll_file},krnl
+ name: command_prompt
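Review bot: The prereq_command only checks Test-Path and the get_prereq_command fetches the DLL with Invoke-WebRequest, so nothing verifies that the downloaded `_WT.init` is the binary committed in this same commit (bin/_WT.init) before rundll32.exe loads it; a swapped, redirected or truncated download would be executed unchecked. Since the file is in the repo, pin its digest and make the prerequisite fail on mismatch, e.g. `prereq_command: if ((Test-Path "#{dll_file}") -and ((Get-FileHash "#{dll_file}" -Algorithm SHA256).Hash -eq "<SHA256 of bin/_WT.init>")) {exit 0} else {exit 1}`, so the test never runs against an unexpected binary. Separately, the executor line `rundll32.exe #{dll_file},krnl` leaves the path unquoted; if PathToAtomicsFolder expands to a path containing spaces the DLL argument will presumably be split at the space, so `rundll32.exe "#{dll_file}",krnl` is the safer form and matches the quoting already used in the prereq lines.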
diff --git a/atomics/T1218.011/bin/_WT.init b/atomics/T1218.011/bin/_WT.init
new file mode 100644
index 0000000000000000000000000000000000000000..19114b69cf997560922bfb630492b90a07b056b4 GIT binary patch literal 3584 zcmeHJOKenC82;|GQ_299mWN;jZ&MzXn42~&72<0iOsB0atxOAPL!@_RPTDJX?w#DZ zEsqd`22D&{=*GmjVL^0ZOk9{ij8PV@4D8&vFk$1;xX_Kp1i$~BnGV#z!X1Wx=KSY> zo%27=>rO3vfHnZ_YEx`)Ya6MoaA zll)kdVeiE1e9V5|1|pkHa&5#-N`nn7I`xVhy8z2%au=JFFfB*}H=RiNVYw0OB6VW7 zE^yjqDZL-0t^|oKfh69y8B@o?yd=rw;06)aW`=XdU1`jJ&T)o0)zMw+e!a|rzrmo zHnC$J#BOcrU=v2+U>kRMfcDE+2W9$h951aIz>E$~?t>;AWj1T@;#62!@zu*HUZ}^a z>YP{!Vy~*4Tv)AnzKV(}TJ_4R4kK`5FAPp7-#xFXdM4&tl~!T}ryPe78pFky1|`q; z;tMSs;{(&BH&i)pdYp0tcS%)M5IdQbIIQZ4F%zDn^JV4x$VJMfgGPX}a>(*QIjnGx zU`fSi<^qqLVuZn}ieijLVKwX4)yS~fNGPbdL1ikHVmb0^YtD0_?=u!ARd-BStcRk{ zHTmKoW{Qo7$Ai`ItU`uSdgXjjsfAt;XVtR1>V=V0VXW19IgEU-gjrROG39!}1FU5M z-hS&8&hh*fkwF1-#0yv=UtiQOGRQoIisRwmfHQ&bLgez>yi8)brO!jcMK`mDN;%BQhxK_*(JIYkv}NUdLm2 z<6rW5l`X@KD*h!trR`0;;;$92$*1MNpyyklO%|)fWArWlC2Gk(k9lHKj|-#q6Krgc72g;71;)&6C?$=8e@B5&$9sq-sn{Sji5ujF&D{7zKBw_7Ib|r1AYfrMn zPV{tlCHVC1=-FfS^mbmqc>3h-;XChj4t{s!Q?&(tEYSIDl){~{YdkgPs`n$#2P5?OWD&ggtOJ l3VfVCb86P{0#BaR$MC3Dz&77nH%IK}AJr5d$Nk?c@DI^>dAR@p literal 0 HcmV?d00001