Rundll32 ordinal (#1770)

atomics/T1218.011/T1218.011.yaml

@@ -195,4 +195,31 @@ atomic_tests:
   executor:
     name: powershell
     command: | 
-      rundll32.exe #{input_file}, StartW
+      rundll32.exe #{input_file}, StartW
+- name: Rundll32 with Ordinal Value
+  description: |
+    Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer. 
+    Upon successful execution, Calc.exe will spawn.
+  supported_platforms:
+      - windows
+  input_arguments:
+    input_url:
+      description: Url to download the DLL
+      type: Url
+      default: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/bin/AllTheThingsx64.dll
+    input_file:
+      description: DLL File
+      type: String
+      default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx64.dll
+  dependency_executor_name: powershell 
+  dependencies: 
+  - description: |
+      DLL file must exist on disk at specified location
+    prereq_command: | 
+      if (Test-Path #{input_file}) {exit 0} else {exit 1}
+    get_prereq_command: | 
+      Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
+  executor:
+    name: command_prompt
+    command: | 
+      rundll32.exe #{input_file},#2