Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -1,16 +1,17 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,57ba4ce9-ee7a-4f27-9928-3c70c489b59d,command_prompt
 defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
-defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
-defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
-defense-evasion,T1218.011,Rundll32,5,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
-defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
-defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
-defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
-defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
-defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
-defense-evasion,T1218.011,Rundll32,11,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
-defense-evasion,T1218.011,Rundll32,12,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
+defense-evasion,T1218.011,Rundll32,3,Rundll32 execute VBscript command using Ordinal number,32d1cf1b-cbc2-4c09-8d05-07ec5c83a821,command_prompt
+defense-evasion,T1218.011,Rundll32,4,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
+defense-evasion,T1218.011,Rundll32,5,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
+defense-evasion,T1218.011,Rundll32,6,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
+defense-evasion,T1218.011,Rundll32,7,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
+defense-evasion,T1218.011,Rundll32,8,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
+defense-evasion,T1218.011,Rundll32,9,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
+defense-evasion,T1218.011,Rundll32,10,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
+defense-evasion,T1218.011,Rundll32,11,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
+defense-evasion,T1218.011,Rundll32,12,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
+defense-evasion,T1218.011,Rundll32,13,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
 defense-evasion,T1556.003,Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
 defense-evasion,T1556.003,Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -1,16 +1,17 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,57ba4ce9-ee7a-4f27-9928-3c70c489b59d,command_prompt
 defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
-defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
-defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
-defense-evasion,T1218.011,Rundll32,5,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
-defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
-defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
-defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
-defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
-defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
-defense-evasion,T1218.011,Rundll32,11,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
-defense-evasion,T1218.011,Rundll32,12,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
+defense-evasion,T1218.011,Rundll32,3,Rundll32 execute VBscript command using Ordinal number,32d1cf1b-cbc2-4c09-8d05-07ec5c83a821,command_prompt
+defense-evasion,T1218.011,Rundll32,4,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
+defense-evasion,T1218.011,Rundll32,5,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
+defense-evasion,T1218.011,Rundll32,6,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
+defense-evasion,T1218.011,Rundll32,7,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
+defense-evasion,T1218.011,Rundll32,8,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
+defense-evasion,T1218.011,Rundll32,9,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
+defense-evasion,T1218.011,Rundll32,10,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
+defense-evasion,T1218.011,Rundll32,11,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
+defense-evasion,T1218.011,Rundll32,12,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
+defense-evasion,T1218.011,Rundll32,13,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
 defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
 defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
 defense-evasion,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -5,16 +5,17 @@
 - [T1218.011 Rundll32](../../T1218.011/T1218.011.md)
   - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
   - Atomic Test #2: Rundll32 execute VBscript command [windows]
-  - Atomic Test #3: Rundll32 advpack.dll Execution [windows]
-  - Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows]
-  - Atomic Test #5: Rundll32 syssetup.dll Execution [windows]
-  - Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
-  - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
-  - Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows]
-  - Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
-  - Atomic Test #10: Rundll32 with Ordinal Value [windows]
-  - Atomic Test #11: Rundll32 with Control_RunDLL [windows]
-  - Atomic Test #12: Rundll32 with desk.cpl [windows]
+  - Atomic Test #3: Rundll32 execute VBscript command using Ordinal number [windows]
+  - Atomic Test #4: Rundll32 advpack.dll Execution [windows]
+  - Atomic Test #5: Rundll32 ieadvpack.dll Execution [windows]
+  - Atomic Test #6: Rundll32 syssetup.dll Execution [windows]
+  - Atomic Test #7: Rundll32 setupapi.dll Execution [windows]
+  - Atomic Test #8: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
+  - Atomic Test #9: Launches an executable using Rundll32 and pcwutl.dll [windows]
+  - Atomic Test #10: Execution of non-dll using rundll32.exe [windows]
+  - Atomic Test #11: Rundll32 with Ordinal Value [windows]
+  - Atomic Test #12: Rundll32 with Control_RunDLL [windows]
+  - Atomic Test #13: Rundll32 with desk.cpl [windows]
 - T1143 Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1150 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1556.003 Pluggable Authentication Modules](../../T1556.003/T1556.003.md)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -5,16 +5,17 @@
 - [T1218.011 Rundll32](../../T1218.011/T1218.011.md)
   - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
   - Atomic Test #2: Rundll32 execute VBscript command [windows]
-  - Atomic Test #3: Rundll32 advpack.dll Execution [windows]
-  - Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows]
-  - Atomic Test #5: Rundll32 syssetup.dll Execution [windows]
-  - Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
-  - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
-  - Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows]
-  - Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
-  - Atomic Test #10: Rundll32 with Ordinal Value [windows]
-  - Atomic Test #11: Rundll32 with Control_RunDLL [windows]
-  - Atomic Test #12: Rundll32 with desk.cpl [windows]
+  - Atomic Test #3: Rundll32 execute VBscript command using Ordinal number [windows]
+  - Atomic Test #4: Rundll32 advpack.dll Execution [windows]
+  - Atomic Test #5: Rundll32 ieadvpack.dll Execution [windows]
+  - Atomic Test #6: Rundll32 syssetup.dll Execution [windows]
+  - Atomic Test #7: Rundll32 setupapi.dll Execution [windows]
+  - Atomic Test #8: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
+  - Atomic Test #9: Launches an executable using Rundll32 and pcwutl.dll [windows]
+  - Atomic Test #10: Execution of non-dll using rundll32.exe [windows]
+  - Atomic Test #11: Rundll32 with Ordinal Value [windows]
+  - Atomic Test #12: Rundll32 with Control_RunDLL [windows]
+  - Atomic Test #13: Rundll32 with desk.cpl [windows]
 - T1143 Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1216.001 PubPrn](../../T1216.001/T1216.001.md)
   - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]

atomics/Indexes/index.yaml

@@ -278,6 +278,24 @@ defense-evasion:
       executor:
         command: 'rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
 
+          '
+        name: command_prompt
+    - name: Rundll32 execute VBscript command using Ordinal number
+      auto_generated_guid: 32d1cf1b-cbc2-4c09-8d05-07ec5c83a821
+      description: |
+        Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test.
+        Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/
+        Upon execution calc.exe will be launched
+      supported_platforms:
+      - windows
+      input_arguments:
+        command_to_execute:
+          description: Command for rundll32.exe to execute
+          type: String
+          default: calc.exe
+      executor:
+        command: 'rundll32 vbscript:"\..\mshtml,#135 "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
+
           '
         name: command_prompt
     - name: Rundll32 advpack.dll Execution

atomics/T1218.011/T1218.011.md

@@ -16,25 +16,27 @@ Additionally, adversaries may use [Masquerading](https://attack.mitre.org/techni
 
 - [Atomic Test #2 - Rundll32 execute VBscript command](#atomic-test-2---rundll32-execute-vbscript-command)
 
-- [Atomic Test #3 - Rundll32 advpack.dll Execution](#atomic-test-3---rundll32-advpackdll-execution)
+- [Atomic Test #3 - Rundll32 execute VBscript command using Ordinal number](#atomic-test-3---rundll32-execute-vbscript-command-using-ordinal-number)
 
-- [Atomic Test #4 - Rundll32 ieadvpack.dll Execution](#atomic-test-4---rundll32-ieadvpackdll-execution)
+- [Atomic Test #4 - Rundll32 advpack.dll Execution](#atomic-test-4---rundll32-advpackdll-execution)
 
-- [Atomic Test #5 - Rundll32 syssetup.dll Execution](#atomic-test-5---rundll32-syssetupdll-execution)
+- [Atomic Test #5 - Rundll32 ieadvpack.dll Execution](#atomic-test-5---rundll32-ieadvpackdll-execution)
 
-- [Atomic Test #6 - Rundll32 setupapi.dll Execution](#atomic-test-6---rundll32-setupapidll-execution)
+- [Atomic Test #6 - Rundll32 syssetup.dll Execution](#atomic-test-6---rundll32-syssetupdll-execution)
 
-- [Atomic Test #7 - Execution of HTA and VBS Files using Rundll32 and URL.dll](#atomic-test-7---execution-of-hta-and-vbs-files-using-rundll32-and-urldll)
+- [Atomic Test #7 - Rundll32 setupapi.dll Execution](#atomic-test-7---rundll32-setupapidll-execution)
 
-- [Atomic Test #8 - Launches an executable using Rundll32 and pcwutl.dll](#atomic-test-8---launches-an-executable-using-rundll32-and-pcwutldll)
+- [Atomic Test #8 - Execution of HTA and VBS Files using Rundll32 and URL.dll](#atomic-test-8---execution-of-hta-and-vbs-files-using-rundll32-and-urldll)
 
-- [Atomic Test #9 - Execution of non-dll using rundll32.exe](#atomic-test-9---execution-of-non-dll-using-rundll32exe)
+- [Atomic Test #9 - Launches an executable using Rundll32 and pcwutl.dll](#atomic-test-9---launches-an-executable-using-rundll32-and-pcwutldll)
 
-- [Atomic Test #10 - Rundll32 with Ordinal Value](#atomic-test-10---rundll32-with-ordinal-value)
+- [Atomic Test #10 - Execution of non-dll using rundll32.exe](#atomic-test-10---execution-of-non-dll-using-rundll32exe)
 
-- [Atomic Test #11 - Rundll32 with Control_RunDLL](#atomic-test-11---rundll32-with-control_rundll)
+- [Atomic Test #11 - Rundll32 with Ordinal Value](#atomic-test-11---rundll32-with-ordinal-value)
 
-- [Atomic Test #12 - Rundll32 with desk.cpl](#atomic-test-12---rundll32-with-deskcpl)
+- [Atomic Test #12 - Rundll32 with Control_RunDLL](#atomic-test-12---rundll32-with-control_rundll)
+
+- [Atomic Test #13 - Rundll32 with desk.cpl](#atomic-test-13---rundll32-with-deskcpl)
 
 
 <br/>
@@ -114,7 +116,42 @@ rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.
 <br/>
 <br/>
 
-## Atomic Test #3 - Rundll32 advpack.dll Execution
+## Atomic Test #3 - Rundll32 execute VBscript command using Ordinal number
+Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test.
+Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/
+Upon execution calc.exe will be launched
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 32d1cf1b-cbc2-4c09-8d05-07ec5c83a821
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| command_to_execute | Command for rundll32.exe to execute | String | calc.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+rundll32 vbscript:"\..\mshtml,#135 "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Rundll32 advpack.dll Execution
 Test execution of a command using rundll32.exe with advpack.dll.
 Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Advpack.yml
 Upon execution calc.exe will be launched
@@ -162,7 +199,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 <br/>
 <br/>
 
-## Atomic Test #4 - Rundll32 ieadvpack.dll Execution
+## Atomic Test #5 - Rundll32 ieadvpack.dll Execution
 Test execution of a command using rundll32.exe with ieadvpack.dll.
 Upon execution calc.exe will be launched
 
@@ -211,7 +248,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 <br/>
 <br/>
 
-## Atomic Test #5 - Rundll32 syssetup.dll Execution
+## Atomic Test #6 - Rundll32 syssetup.dll Execution
 Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" will be opened
 
 Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Syssetup.yml
@@ -259,7 +296,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 <br/>
 <br/>
 
-## Atomic Test #6 - Rundll32 setupapi.dll Execution
+## Atomic Test #7 - Rundll32 setupapi.dll Execution
 Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a windows saying "installation failed" will be opened
 
 Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
@@ -307,7 +344,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 <br/>
 <br/>
 
-## Atomic Test #7 - Execution of HTA and VBS Files using Rundll32 and URL.dll
+## Atomic Test #8 - Execution of HTA and VBS Files using Rundll32 and URL.dll
 IcedID uses this TTP as follows:
   rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta
 Trickbot uses this TTP as follows:
@@ -341,7 +378,7 @@ rundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\T1218.011\src\akteu
 <br/>
 <br/>
 
-## Atomic Test #8 - Launches an executable using Rundll32 and pcwutl.dll
+## Atomic Test #9 - Launches an executable using Rundll32 and pcwutl.dll
 Executes the LaunchApplication function in pcwutl.dll to proxy execution of an executable.
 
 **Supported Platforms:** Windows
@@ -374,7 +411,7 @@ rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch}
 <br/>
 <br/>
 
-## Atomic Test #9 - Execution of non-dll using rundll32.exe
+## Atomic Test #10 - Execution of non-dll using rundll32.exe
 Rundll32.exe running non-dll
 
 **Supported Platforms:** Windows
@@ -420,7 +457,7 @@ Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
 <br/>
 <br/>
 
-## Atomic Test #10 - Rundll32 with Ordinal Value
+## Atomic Test #11 - Rundll32 with Ordinal Value
 Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer. 
 Upon successful execution, Calc.exe will spawn.
 
@@ -467,7 +504,7 @@ Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
 <br/>
 <br/>
 
-## Atomic Test #11 - Rundll32 with Control_RunDLL
+## Atomic Test #12 - Rundll32 with Control_RunDLL
 Rundll32.exe loading dll with 'control_rundll' within the command-line, loading a .cpl or another file type related to CVE-2021-40444.
 
 **Supported Platforms:** Windows
@@ -513,7 +550,7 @@ Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
 <br/>
 <br/>
 
-## Atomic Test #12 - Rundll32 with desk.cpl
+## Atomic Test #13 - Rundll32 with desk.cpl
 Rundll32.exe loading an executable renamed as .scr using desk.cpl 
 Reference: 
   - [LOLBAS - Libraries/Desk](https://lolbas-project.github.io/lolbas/Libraries/Desk/)