security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2022-09-09 17:07:44 +00:00
parent 3d2018b41b
commit 4df65234e9
2 changed files with 10 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/index.yaml
+6 -4
View File
@@ -241,10 +241,12 @@ defense-evasion:
atomic_tests:
- name: Rundll32 execute JavaScript Remote Payload With GetObject
auto_generated_guid: 57ba4ce9-ee7a-4f27-9928-3c70c489b59d
description: 'Test execution of a remote script using rundll32.exe. Upon execution
notepad.exe will be opened.
'
description: "Test execution of a remote script using rundll32.exe. Upon execution
notepad.exe will be opened. \nThis has been used by Win32/Poweliks malware
and works as described [here](https://www.stormshield.com/news/poweliks-command-line-confusion/)\n\nNote:
The GetObject function is no longer supported in Internet Explorer v9 (2011)
and later so this technique would only work where very old versions of IE
are installed. \n"
supported_platforms:
- windows
input_arguments:
atomics/T1218.011/T1218.011.md
+4 -1
View File
@@ -40,7 +40,10 @@ Additionally, adversaries may use [Masquerading](https://attack.mitre.org/techni
<br/>
## Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject
Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened.
Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened.
This has been used by Win32/Poweliks malware and works as described [here](https://www.stormshield.com/news/poweliks-command-line-confusion/)
Note: The GetObject function is no longer supported in Internet Explorer v9 (2011) and later so this technique would only work where very old versions of IE are installed.
**Supported Platforms:** Windows