From 167fb3c2f6a70eeefe3a91f10a64d5addcb8bba8 Mon Sep 17 00:00:00 2001
From: Raislin <Raislin@users.noreply.github.com>
Date: Thu, 9 Sep 2021 15:58:43 -0500
Subject: [PATCH] T1047_update (#1623)

* T1047_update

* T1047_update

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
---
 atomics/T1047/T1047.yaml   |  30 ++++++++++++++++++++++++++++++
 atomics/T1047/bin/calc.dll | Bin 0 -> 10240 bytes
 2 files changed, 30 insertions(+)
 create mode 100644 atomics/T1047/bin/calc.dll

diff --git a/atomics/T1047/T1047.yaml b/atomics/T1047/T1047.yaml
index f0eda25f..d997f51f 100644
--- a/atomics/T1047/T1047.yaml
+++ b/atomics/T1047/T1047.yaml
@@ -149,3 +149,33 @@ atomic_tests:
     cleanup_command: |
       $CleanupClass = New-Object Management.ManagementClass(New-Object Management.ManagementPath("#{new_class}"))
       $CleanupClass.Delete()
+- name: WMI Execute rundll32
+  description: |
+    This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter.
+  supported_platforms:
+  - windows
+  input_arguments:
+    node:
+      description: Ip Address
+      type: String
+      default: 127.0.0.1
+    dll_to_execute:
+      description: Path to DLL.
+      type: String
+      default: $env:TEMP\calc.dll
+    function_to_execute:
+      description: Name of DLL function to call
+      type: String
+      default: StartW
+  dependency_executor_name: powershell
+  dependencies:
+  - description: DLL with function to execute must exist on disk at specified location (#{dll_to_execute})
+    prereq_command: 'if (Test-Path #{dll_to_execute}) {exit 0} else {exit 1}'
+    get_prereq_command: |
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1047/bin/calc.dll" -OutFile "#{dll_to_execute}"
+  executor:
+    command: |
+      wmic /node:#{node} process call create "rundll32.exe #{dll_to_execute} #{function_to_execute}"
+    cleanup_command: |-
+      taskkill /f /im calculator.exe
+    name: powershell
\ No newline at end of file
diff --git a/atomics/T1047/bin/calc.dll b/atomics/T1047/bin/calc.dll
new file mode 100644
index 0000000000000000000000000000000000000000..b3a8095e593ce0c66de556a1017d04b73955a92e
GIT binary patch
literal 10240
zcmeHMdvqMtdA}>|tX`H^Hd-PchOxay;vr?N6(C~^uWSjf$O?od8-fk1^=f2ok#@JU
zvqmPS$XzS(YPzkHLXM#%HO4fYmZSzlBAfPfWw}TO3`T^54Wt;Fv?Jt`BYX<jKr;P(
zGqZYtY5!?X&k5Xf?tJg>-uvD6o#s1svRuZP9a+~I8w8}}Grs@x=M2PiFFiPyJyURW
z;h@cbbYWXpI4;KI=q5SXBZh*JNK_FwN}`;Ih~bFXa7(M$6YY?yii-=~mg|NmJKkkS
z3!l#Bf@dFkItTQc$BXux(7C_Bpy%$-H(-Imm;Rw>f39Iy^t1@LdvDHun*j?g_~Fwg
zoo~=<!l5ps46EFhM#eh6>tK&pTo=r?a*{0)i*n|cuo7@CG`V}v10<TUJ{x@r&tc3#
zI8qj}7zhd?QVwf}s%ex3U!*NgIb#j5X#i{?V|*yC)B(GU0*OFsXRM6CLS__2taGJf
zkh7U~B4gUQ6fItrBK0c37th6qs!Z8x2QVXvD7H%O2r5CweqRU{7;Fx5De{cuL#?Y!
zHC9W3@gO5shCV<x`54Po#Y{z`jbIphi?SLf1lw07$K?=6BPNKAp_d&zrW%C`dQx{3
ziWDP?m7#YT5!1=X*s5vjYm6e`9pmZZTjnvw^(B)|faIx)<R`X-(-2$(f$lmE{veGh
zo;+MJ{L(p6XQ%Vh?M6WP^5Um1W$bifJ|7w?>HK&|*H0&MP7m{;BPHWM$z=@IR7U@p
zvMl+&O{t*I`6y8-oGwE96O5h-L0b;s{CUPGwn;rka2$1E&HWkYgF^;+G3v!r8{GLk
zrMOFYYO7nUUxxxjuAcU*A9#;wZ^Fs;Orp%2;pzsrhpURamaALc9QI=UUBg<lz}Ud?
z9Sv@u?-#aY-4PmH&i-fc9T5(Ipq6X9ptL=s+@gJ40BX#R&sltU+VuiOEnWN^fabug
z=+7iB*RD3zMaUmE<toWf7Ln5qIHhUftJViz)IP}rwq1Ajuh(^5TagcM>T#Z|Wr~}t
zquNS{QE-`Gef}UBHK{LiHP^2eSHoew{;Do)xy0(8@r&T$0Q8wAz|BtTsHxbL-9}OI
z4Sb*q90uOE`ZM>>pAi!ug(EPmkEVnQ$hB+HI^Vz<grzoF_v~WSIB~Uh6Pl&{2EC|V
zg)pQR{1|*q0@F9}inbIbd&hhOFKgd2>g;@QSRJ1Du~{JnEUFM!5A)RRqCe#;OSPcC
zc>cQEj1KcPsgvp_=(7H?gmal|?*hi|&+}%+C()erDm{6|c26T$g}=Z$#S!Adkp{Pi
zdS;?jca?*w9#4UTfw7%>4$)HIK&Z5xzti<;(L*yu^QJ^e-Il0@(;Aq0$H?r%&vbo?
z@Iw(r&ohfw=4J)D>u1I2Z(R|RdTzouRp!N0j{7sp<*<AMYE<ch^zAl`RnJ6eR#$i3
z4VhWN35WMBlB&ZrP<zoIzWTcYcMVVXVTsX)P3jr-O|E`G(^Sy@20`$vBkF6M2FBC?
zr_LPztKaK7V(x1-C&UTw5#6;OLzJs8>aIJ0=&lBX96eZIXEe{m^;icgh?nwXP9;y(
z9{2`grrn0_Mq~00&=5R&ImY|`i^2YTP+Y|j;VI!^^cYVQp3Go23Re)V3P}Pf;lD02
zHGRO(z;r}-85}BgL>L7|T{$9*S=b<kFXMM-XkxuUmLql>l|0Q?i*F)+%5N95OdD5=
zE3-@(hS3ZShZ-I2s-<Pi*Sd}Z=;P`M-4(}F<m!IfSG;;7CPKQ+-HsUQu3Jfh#xCQ@
z4tFi8;CFX%6;i)CN@4M!^N1NEqQZNGrkJR^=EF=MN$NRUpQ5e{+_j#{G=yupddlnq
z;Q^d0_;b~J-l=@(N?^-}6ADjCWhkY&Om}@3yDL{4%Xq4>M0fRpQZsxh;ag2S-7K24
zLUf}Dvl2dZQsiFX-o_H{9pVSjWF&Z648l8I6n8cZA^h{G3K%Jze|!w&Cl`Q3&)+$W
znEe!MH%7om=x)?KUHl`^<CkFW^0e?MaOhYNYq<8GD26BV?b?5sNDlm9gFsU&v{$g~
zB8UqmuG*K-L4d0~e?s8PN0m}<W|BLfD(-^A#BZz3^?jdh;$w;z+5WX@o2NOjv`k!}
zeFrp_!e>mjy*e|Ir~MSfKATY>*<his!x-9*jluMn_4OF^u>6zJeC>xOk*B4BOq`lw
zZ<L{Jo_1>W9Y%6D?JJ7gTtJ)Dv$RlQ{*7y=P&>@(^OK+267!5jfvZQkI-<LNi1^Wv
zxn1?UTdY~xP1}y*_ED?@<L|-NXzNc5CrSx|-Gz0R8Z`bZ@U-8W-UaP-LluFw+WD$Q
zkB<T|=eG0b!eSWrA9;@Ek+WfVhj1P(;?L7k{V3F|2$X6Mm_z~Ml>$2P{s7!!+MDwO
zCHVU4j$_I)^@Ov3A7JvV&H2551fu;8I|6#NqW`Ug8?`+MEv*th5CW?GA)*%;v=T?O
zd%5cRJ1iateB|v=^5n`ZM|pBo=dX=&?;(!WTBJ{fv&6zYr=2C3UCwzzz*sZRr7*9!
z6|yPCn+;-K@jAfg1rcAH(Wk!k!v|0k)EOTdQ`kO-2Al6-taF)AfMJ{1!b8FeAlRVK
zV)XL#oRV$J=u(gf3>IOj>0DM{mT2=|dC2*T`cj_0wT$N;1L}ZcpFch41)eH(H!Xiv
zDN}En<6k}`7pklBbBFxPGcs1qLlqP6;QWN0jD}rl@?JN)kFY`vatC0JG3LvrVlEDx
z(Eb)(<sCzOi?+X&$m8F0-Go)r>>9I=`|4JL!v;<$_U&Vdxi~qD!USLlz-Tq~BIf6}
zp*Eac(nQ+B#{R#Sr=N8DK1DOPoys6C>IrjI-v&#RXjfl6dieq1O#4?%WIFjZPu33}
zLw{=(U=yjkR$*>%^+$A>;OPgCLx^nz3#aZ9NdiABvI}PVq#-qwrWZ}D9chgOv}}@3
zLPXk=-awtW+CNG{EUYa&)lbDxMGR*B;4UiF*jM^@P(8noF3MV95Vhkp(Bi^u0BoZv
zpu4VwPaGO(M}j{b?s&R!()j=a(%|M)=o%^%rTKK%EkH4f=OFU=X`ZY73-(Q}KH@$`
zD%%cI$nHdE8L>3BV4hyEnwIKx-3ow-`8bhL035pO5i&^*=kw+7$m8bB$Mg!A{gAc&
zhG|>!IotLxu{}g%7@N%WGF0Nlw)t&bzi3nR9vKmufE!bPPlGz-)f?0o>$got6sfy@
z+XpvFkwk+!rcQc~q;Iq}7L7Xh)NeZ-jz~=@ySuUI1$eeMs3*`F`KdPdoJ0#x7Te(u
z7lM_#vo7PXF{Pre-I2qTg>^9k7Yh5%eug8Nc#oSOu%TconmZpGikCL1!t2;j>XW0k
zhLrFE(1|?ohJXxW8)3^Qw_fHw;@pFx)laG9Y_ZOR|6UL;f?W>men2k3DUHWQgdSYM
zshuOjCSVwAhUlXBTGF^Uely(Jj`5-QL|$}^qXi<JNJO_|g(Fd|3fICWIhsErTn2>3
zcuH^s^L;cTD(59f#Sx(xBq9$%5ishr3OW}nxGN+Nmjs4iGA<_Qe{W`)@Y#H<uMcKu
z>KaL3avhxNOB#&tHO9Bg_}*cB{l@ot<J)e0ub9DKXW;wLx_!1`_|LkXzE9~VeQU9P
zp-t}(H2Y{hxO03IGx?<{w)UH|x<1g1V;9MuoRZ<D^FCK?Dn<?F8^y(+F5Y&U&b5s(
zbuErG&F$I+u-yqu55_k<8W!Fo+iDSyjPrpZbqIWf=Iivw8iBqFvt{pJVZvWp@Sp|v
zTJSF|s95lJ3pQBLW5M|r{OEGi-+LAuwcs-r%*Jz<RsJyx?z3Q4-e&2SS<qp@GnU>d
z3&t#dwFP%rFzaXUMdth6?giF6URLmb1Y10&-$@IGg59C4>+BmNEn+t#A6tZczA4Sh
za91&&)5OJ$iFD;c%F1v<WIh<zKvwfP8SbRB6D`GmfRt~w>+`NP(Q3B^KQA}7hA%Mx
zaEvvr4XqD7vi{VwKl|{Oe{Q+&-!6LiwJM7H>gzVFjZ1QT!zNkUq-=;s6LLt}AWN}m
zd;|5>hTdyxHms4lrC?k#7<i!EXjKzSKBG*b#e*2Tadn%Y-br_&V~qDxcTWUtwiD-1
z(#!JP9uM0C-nJ=TFFF^e7ox-T{^`CNC_@a5XV)r^C)BwKZ=Im?!LM4q23LsH^*|Y0
zIE#mqEa+LhCPS}eHqX#2o5gD}^u*abL$6{Mug%c&fQP19b!jv7eBkZ0foHu5(|CRY
zK{jdkz4zYRu@TK+y-Tb*%Sy=IRB!m}o5j1s@V8?oug%okIg4lN?E<fh%I&otnaj<$
z^D4=t=?#4a)zyq`HBi<E9=!=$JTLKffj6TMYKTYc;Ga<&OxtUSNAK4@fb5&L5A+!U
z^u~Cc#3ZEm>+D-Lz1_EiZM<2#JxhVIcJS!%YVnLZ5&wTnHoJ}4S6O4umCsyC0dsZa
zF;|U)xvJ-#^kH0~x~v2P@_u9*XOvzA{`L&ohVz=EI;Ulx)4`k_`OFD>XLV65YwyN@
zU4?wWvfl{2X9itxp@Usm<75}g=btQ%o!3rwXfk^oI%yo2UI$IkC}&Mhi_It}Z>k(y
zfsGYxggoEQ@@0E0w>`&W)yZQkwzJ}z0#;n@XeprfE<#8x{}br6%{T=X;TlWOmSbZ%
zh^1jG!$)a8D@A)s+wxc`+EiLy60^Ak#OEM$*#?<|bPMgQ5VFE*N6f4j+Fm0t=lr4=
zwIQ2u=g|qT#<(DUHdlbY3fY59lVCYPMyo|tM|U@CRf4i|8#pwcvS|S0h=~|;1g-QY
z@IH~T+8MkbV1L>T-j}7X%Dz0;aa%aj*eiwDw;I>n-01gK8?nXu7YM8l#A8w@+!+o9
zx`L68Zb@cr3HWiPBcN=FNr7;rGaBfS;))#I66g-c6~?Y-JyK6x0=91Tnzc8#H8nRb
zt?`&XuVJtVD~crduxqFBfW%g^KwRnybcVYj3{dBmu|Oyq=?rg5$WkB@l;!9>fuOu;
zGp<{vWjNR!zIRF_MK*`!XrxDqpyZla8qtW<8&(2JaAUW`*di8?(AtC|1!f7(M|q^j
zSTGi@?1@+26OL4dWTg`SPL*(vRN1|>a%rX6kk{;Ml<w8Rn1Z^kj^dVwKX`8v&mWE6
zorv9#h=i1IG}0JR<SmT7OOkbASxE%D*GAyBgRy@S)<(>bb~N^eq!_8+U^Jew?+C4u
z@}=ShIX6nm>Vzz#r7dzaBw;ChSZG5?!;zpOWmznh+Z4BmsC<JIq`J1qQk(+RV!t&Z
z$y-_^xic#F1S27|0<A>%Uh+lnO&x5}3~pPOECoBjWRt{g-4a)%o;C!iK8^-Rgt6}2
zCUmpeL9Koa3l0<Z=crMGv@x-1lO$(r@@2E{tHVEfr#RO6OI^>tNN3kVS_5f+`KCBK
z7R3KL{qaPg1p8VwGM%kj0RI$uH*f{;u*E0%E1W6zf`1Y)g1uh@9s_&~d%t)YWPtA?
zw*db&U|A`A04F$(+z$K{;GKA->jK^mI0tv2t-xymTal>_ZGdSD-wAlw!U>+R@V5c&
zxCfCw!3!+>V!*A)gYZf4NsCV~W8nk~aJHbj%>n#1@;=}M@54D`2k<_?y~w0P@D&R`
z33vs5Fuer+Re)W{Zv!WY`=x<D0k{}v7!Ca0fOIZ91Dqh8u}-4S1nJyFI6*q&aOe=E
zXZ$CC|NkVLaaKks`ev7pvlkeibMWy8k8#N8ocsORMh3NFWp7WnxEVJuY%z7^ORGHP
zq7(^5JHnAob>(Z@Zm6s+7vl=H_h2_R#Jch=QoMZS^~HrNg7LW2v$1=N2nUgPU3o%|
zTo(^@Nj<@MWluOHN8`~>r7{%lxh@#*soK1>T*Ouq?!;+e-OSR+)i<-gK%AqFUul+T
c-jB51le_t&Ess|0@$KPzzS0r-N;Uq!0ZzO0NdN!<

literal 0
HcmV?d00001