From a6f376324999ea65df89a2fb086fcd5e8ab2a170 Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator
Date: Sat, 30 Apr 2022 01:44:53 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]
---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 19 ++++++++
 atomics/T1218.011/T1218.011.md | 45 +++++++++++++++++++
 6 files changed, 68 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 2beb98f2..bcd6e32d 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -617,6 +617,7 @@ defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and p
 defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
 defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
 defense-evasion,T1218.011,Rundll32,11,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
+defense-evasion,T1218.011,Rundll32,12,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
 defense-evasion,T1134.005,SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 59adf8ab..0db5d339 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -438,6 +438,7 @@ defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and p
 defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
 defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
 defense-evasion,T1218.011,Rundll32,11,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
+defense-evasion,T1218.011,Rundll32,12,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
 defense-evasion,T1134.005,SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 9399c961..52a87503 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -942,6 +942,7 @@
 - Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
 - Atomic Test #10: Rundll32 with Ordinal Value [windows]
 - Atomic Test #11: Rundll32 with Control_RunDLL [windows]
+ - Atomic Test #12: Rundll32 with desk.cpl [windows]
 - [T1134.005 SID-History Injection](../../T1134.005/T1134.005.md)
 - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index f9defc97..c93943b8 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -687,6 +687,7 @@
 - Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
 - Atomic Test #10: Rundll32 with Ordinal Value [windows]
 - Atomic Test #11: Rundll32 with Control_RunDLL [windows]
+ - Atomic Test #12: Rundll32 with desk.cpl [windows]
 - [T1134.005 SID-History Injection](../../T1134.005/T1134.005.md)
 - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 3c709774..05f2f51c 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -39594,6 +39594,25 @@ defense-evasion:
 command: 'rundll32.exe shell32.dll,Control_RunDLL #{input_file}
 '
+ - name: Rundll32 with desk.cpl
+ auto_generated_guid: 83a95136-a496-423c-81d3-1c6750133917
+ description: "Rundll32.exe loading an executable renamed as .scr using desk.cpl
+ \nReference: \n - [LOLBAS - Libraries/Desk](https://lolbas-project.github.io/lolbas/Libraries/Desk/)\nSIGMA
+ rules:\n - [SCR File Write Event](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_new_src_file.yml)\n
+ \ - [Rundll32 InstallScreenSaver Execution](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml)\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ exe_to_launch:
+ description: Path of the executable to launch
+ type: Path
+ default: "%windir%\\System32\\calc.exe"
+ executor:
+ name: command_prompt
+ command: |
+ copy #{exe_to_launch} not_an_scr.scr
+ rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
+ cleanup_command: del not_an_scr.scr
 T1134.005:
 technique:
 object_marking_refs:
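Review bot: The executor and cleanup on the last added lines of the index.yaml hunk refer to `not_an_scr.scr` by a bare relative name, so `copy`, the `rundll32.exe desk.cpl,InstallScreenSaver` call and `del not_an_scr.scr` all depend on running from the same working directory, and a runner that changes directory between the attack and cleanup phases will leave the copied executable behind on the test host. The cleanup also runs while the launched copy of `#{exe_to_launch}` may still be executing, in which case the delete can fail on an in-use image; consider anchoring the file to a known location, e.g. `copy #{exe_to_launch} %TEMP%\not_an_scr.scr` with the matching rundll32 and `del` lines, and stopping the launched process before deleting. The name InstallScreenSaver suggests the call may additionally register the file as the current user's screen saver; if it does, the cleanup should revert that setting too, which is worth confirming on a test host. Since this index is generated, the fix belongs in the hand-written atomic definition it is built from, and the same points apply to the rendered T1218.011.md hunk below.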
diff --git a/atomics/T1218.011/T1218.011.md b/atomics/T1218.011/T1218.011.md
index 5f85b50e..2dda87d1 100644
--- a/atomics/T1218.011/T1218.011.md
+++ b/atomics/T1218.011/T1218.011.md
@@ -32,6 +32,8 @@ Adversaries may also attempt to obscure malicious code from analysis by abusing
 - [Atomic Test #11 - Rundll32 with Control_RunDLL](#atomic-test-11---rundll32-with-control_rundll)
+- [Atomic Test #12 - Rundll32 with desk.cpl](#atomic-test-12---rundll32-with-deskcpl)
+
@@ -499,4 +501,47 @@ Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
+
+
+
+## Atomic Test #12 - Rundll32 with desk.cpl
+Rundll32.exe loading an executable renamed as .scr using desk.cpl
+Reference:
+ - [LOLBAS - Libraries/Desk](https://lolbas-project.github.io/lolbas/Libraries/Desk/)
+SIGMA rules:
+ - [SCR File Write Event](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_new_src_file.yml)
+ - [Rundll32 InstallScreenSaver Execution](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 83a95136-a496-423c-81d3-1c6750133917
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| exe_to_launch | Path of the executable to launch | Path | %windir%\System32\calc.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+copy #{exe_to_launch} not_an_scr.scr
+rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
+```
+
+#### Cleanup Commands:
+```cmd
+del not_an_scr.scr
+```
+
+
+
+
+