add link to blog post for more info (#2129)

* add link to blog post for more info

* Update T1218.011.yaml

Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Carrie Roberts
2022-09-09 11:07:11 -06:00
committed by GitHub
parent 8c5f8b55c2
commit 3d2018b41b
+5 -2
@@ -4,7 +4,10 @@ atomic_tests:
- name: Rundll32 execute JavaScript Remote Payload With GetObject
auto_generated_guid: 57ba4ce9-ee7a-4f27-9928-3c70c489b59d
description: |
Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened.
Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened.
This has been used by Win32/Poweliks malware and works as described [here](https://www.stormshield.com/news/poweliks-command-line-confusion/)
Note: The GetObject function is no longer supported in Internet Explorer v9 (2011) and later so this technique would only work where very old versions of IE are installed.
supported_platforms:
- windows
input_arguments:
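Review bot: The added note states that GetObject is no longer supported in Internet Explorer v9 (2011) and later, which means the documented outcome ("Upon execution notepad.exe will be opened") will not occur on any current Windows build, yet nothing in this hunk tells a test runner that; consider adding a dependency or prerequisite check (or at least an explicit sentence in the description) so a silent non-launch is not mistaken for a blocked or detected execution. Two smaller points in the same hunk: the first description line appears both as removed and as unchanged with no visible difference, which suggests a whitespace-only edit that could be dropped to keep the diff focused on the new link, and the sentence ending in `[here](https://www.stormshield.com/news/poweliks-command-line-confusion/)` is missing its terminating period.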
@@ -275,4 +278,4 @@ atomic_tests:
copy #{exe_to_launch} not_an_scr.scr
rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
cleanup_command:
del not_an_scr.scr
del not_an_scr.scr
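Review bot: The only change in this hunk is `del not_an_scr.scr` removed and re-added with no visible difference, so this is presumably a line-ending or trailing-newline fix at the end of the file; that is fine, but the commit message only mentions adding a blog link, so either state the end-of-file change there or drop it from this commit so the diff matches its description.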