From c600d56cedb37ca5aafd9dc1a77725d218b84ec9 Mon Sep 17 00:00:00 2001
From: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Date: Tue, 8 Feb 2022 10:38:36 -0700
Subject: [PATCH] Rundll32 ordinal (#1770)
---
 atomics/T1218.011/T1218.011.yaml | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/atomics/T1218.011/T1218.011.yaml b/atomics/T1218.011/T1218.011.yaml
index b53d3fe0..49d6f212
--- a/atomics/T1218.011/T1218.011.yaml
+++ b/atomics/T1218.011/T1218.011.yaml
@@ -195,4 +195,31 @@ atomic_tests:
 executor:
 name: powershell
 command: |
- rundll32.exe #{input_file}, StartW
\ No newline at end of file
+ rundll32.exe #{input_file}, StartW
+- name: Rundll32 with Ordinal Value
+ description: |
+ Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer.
+ Upon successful execution, Calc.exe will spawn.
+ supported_platforms:
+ - windows
+ input_arguments:
+ input_url:
+ description: Url to download the DLL
+ type: Url
+ default: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/bin/AllTheThingsx64.dll
+ input_file:
+ description: DLL File
+ type: String
+ default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx64.dll
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ DLL file must exist on disk at specified location
+ prereq_command: |
+ if (Test-Path #{input_file}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
+ executor:
+ name: command_prompt
+ command: |
+ rundll32.exe #{input_file},#2
\ No newline at end of file
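Review bot: The `input_url` default of the new test points at a GitHub `blob/` page URL, so `Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"` in `get_prereq_command` saves the HTML page to the .dll path instead of the binary; `Test-Path` then reports the prerequisite satisfied and `rundll32.exe #{input_file},#2` fails to load the file. Use the raw download URL, e.g. `default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx64.dll`. Because the prereq only checks that the file exists, a hash comparison of the downloaded DLL in `prereq_command` would keep a truncated or wrong download from being silently accepted as a valid dependency. I cannot confirm from the hunk that ordinal #2 of AllTheThingsx64.dll is DllRegisterServer as the description claims; that is worth verifying against the DLL's export table before the description is trusted. The atomic that owns the removed and re-added `rundll32.exe #{input_file}, StartW` line begins before the hunk.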