Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Indexes-CSV/index.csv

@@ -479,6 +479,7 @@ defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc
 defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
 defense-evasion,T1218.011,Rundll32,5,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
 defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
+defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -282,6 +282,7 @@ defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc
 defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
 defense-evasion,T1218.011,Rundll32,5,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
 defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
+defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -878,6 +878,7 @@
   - Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows]
   - Atomic Test #5: Rundll32 syssetup.dll Execution [windows]
   - Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
+  - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
 - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -510,6 +510,7 @@
   - Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows]
   - Atomic Test #5: Rundll32 syssetup.dll Execution [windows]
   - Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
+  - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
 - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/index.yaml

@@ -38247,6 +38247,22 @@ defense-evasion:
 
 '
         name: command_prompt
+    - name: Execution of HTA and VBS Files using Rundll32 and URL.dll
+      auto_generated_guid: 22cfde89-befe-4e15-9753-47306b37a6e3
+      description: |
+        IcedID uses this TTP as follows:
+          rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta
+        Trickbot uses this TTP as follows:
+          rundll32.exe URL.dll,FileProtocolHandler C:\\..\\Detail\\akteullen.vbs
+
+        In this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with "rundll32 spawned wscript"
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          rundll32.exe url.dll,OpenURL PathToAtomicsFolder\T1218.011\src\index.hta
+          rundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\T1218.011\src\akteullen.vbs
+        name: command_prompt
   T1134.005:
     technique:
       external_references:

atomics/T1218.011/T1218.011.md

@@ -20,6 +20,8 @@ Rundll32 can also be used to execute scripts such as JavaScript. This can be don
 
 - [Atomic Test #6 - Rundll32 setupapi.dll Execution](#atomic-test-6---rundll32-setupapidll-execution)
 
+- [Atomic Test #7 - Execution of HTA and VBS Files using Rundll32 and URL.dll](#atomic-test-7---execution-of-hta-and-vbs-files-using-rundll32-and-urldll)
+
 
 <br/>
 
@@ -257,4 +259,34 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #7 - Execution of HTA and VBS Files using Rundll32 and URL.dll
+IcedID uses this TTP as follows:
+  rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta
+Trickbot uses this TTP as follows:
+  rundll32.exe URL.dll,FileProtocolHandler C:\\..\\Detail\\akteullen.vbs
+
+In this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with "rundll32 spawned wscript"
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+rundll32.exe url.dll,OpenURL PathToAtomicsFolder\T1218.011\src\index.hta
+rundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\T1218.011\src\akteullen.vbs
+```
+
+
+
+
+
+
 <br/>