Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Indexes-CSV/index.csv

@@ -545,6 +545,7 @@ defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6
 defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
 defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
 defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
+defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -371,6 +371,7 @@ defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6
 defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
 defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
 defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
+defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -860,6 +860,7 @@
   - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
   - Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows]
   - Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
+  - Atomic Test #10: Rundll32 with Ordinal Value [windows]
 - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -612,6 +612,7 @@
   - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
   - Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows]
   - Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
+  - Atomic Test #10: Rundll32 with Ordinal Value [windows]
 - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -36438,7 +36438,38 @@ defense-evasion:
 '
       executor:
         name: powershell
-        command: 'rundll32.exe #{input_file}, StartW'
+        command: 'rundll32.exe #{input_file}, StartW
+
+'
+    - name: Rundll32 with Ordinal Value
+      auto_generated_guid: 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0
+      description: "Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer.
+        \nUpon successful execution, Calc.exe will spawn.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        input_url:
+          description: Url to download the DLL
+          type: Url
+          default: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/bin/AllTheThingsx64.dll
+        input_file:
+          description: DLL File
+          type: String
+          default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx64.dll
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'DLL file must exist on disk at specified location
+
+'
+        prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
+
+'
+      executor:
+        name: command_prompt
+        command: 'rundll32.exe #{input_file},#2'
   T1134.005:
     technique:
       external_references:

atomics/T1218.011/T1218.011.md

@@ -26,6 +26,8 @@ Rundll32 can also be used to execute scripts such as JavaScript. This can be don
 
 - [Atomic Test #9 - Execution of non-dll using rundll32.exe](#atomic-test-9---execution-of-non-dll-using-rundll32exe)
 
+- [Atomic Test #10 - Rundll32 with Ordinal Value](#atomic-test-10---rundll32-with-ordinal-value)
+
 
 <br/>
 
@@ -400,4 +402,51 @@ Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #10 - Rundll32 with Ordinal Value
+Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer. 
+Upon successful execution, Calc.exe will spawn.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| input_url | Url to download the DLL | Url | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/bin/AllTheThingsx64.dll|
+| input_file | DLL File | String | PathToAtomicsFolder&#92;T1218.010&#92;bin&#92;AllTheThingsx64.dll|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+rundll32.exe #{input_file},#2
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: DLL file must exist on disk at specified location
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{input_file}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
+```
+
+
+
+
 <br/>