From e059e698ba7cfc72739f41f8a56a7b0b2ec9ffc4 Mon Sep 17 00:00:00 2001
From: clr2of8
Date: Sat, 19 Dec 2020 16:17:38 -0700
Subject: [PATCH 1/2] rundll32 spawning mshta and wscript

---
 atomics/T1218.011/T1218.011.yaml | 16 ++++++++++++++++
 atomics/T1218.011/src/akteullen.vbs | 1 +
 atomics/T1218.011/src/index.hta | 12 ++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 atomics/T1218.011/src/akteullen.vbs
 create mode 100644 atomics/T1218.011/src/index.hta

diff --git a/atomics/T1218.011/T1218.011.yaml b/atomics/T1218.011/T1218.011.yaml
index dabd185b..1b8412ac 100644
--- a/atomics/T1218.011/T1218.011.yaml
+++ b/atomics/T1218.011/T1218.011.yaml
@@ -112,6 +112,7 @@ atomic_tests:
 command: |
 rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\#{inf_to_execute}
 name: command_prompt
+
 - name: Rundll32 setupapi.dll Execution
 auto_generated_guid: 71d771cd-d6b3-4f34-bc76-a63d47a10b19
 description: |
@@ -139,3 +140,18 @@ atomic_tests:
 rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\#{inf_to_execute}
 name: command_prompt

+- name: Execution of HTA and VBS Files using Rundll32 and URL.dll
+ description: |
+ IcedID uses this TTP as follows:
+ rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta
+ Trickbot uses this TTP as follows:
+ rundll32.exe URL.dll,FileProtocolHandler C:\\..\\Detail\\akteullen.vbs
+
+ In this atomic, the sample hta file opens the calculator and the vbs file show a message dialog with "rundll32 spawned wscript"
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ rundll32.exe url.dll,OpenURL PathToAtomicsFolder\T1218.011\src\index.hta
+ rundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\T1218.011\src\akteullen.vbs
+ name: command_prompt
\ No newline at end of file
diff --git a/atomics/T1218.011/src/akteullen.vbs b/atomics/T1218.011/src/akteullen.vbs
new file mode 100644
index 00000000..de5f1b91
--- /dev/null
+++ b/atomics/T1218.011/src/akteullen.vbs
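Review bot: The new `Execution of HTA and VBS Files using Rundll32 and URL.dll` entry in the second hunk carries no `auto_generated_guid`, unlike the neighbouring `Rundll32 setupapi.dll Execution` test visible in the first hunk, so it cannot be selected or reported by id like the others; add `  auto_generated_guid: <PLACEHOLDER-new-uuid>` directly under the `- name:` line. Both executor commands pass `PathToAtomicsFolder\T1218.011\src\index.hta` and `...\akteullen.vbs` unquoted, so if the resolved atomics folder contains a space the argument is likely split there; quoting both paths (`rundll32.exe url.dll,OpenURL "PathToAtomicsFolder\T1218.011\src\index.hta"`) avoids that. The added block also ends with `\ No newline at end of file`, so the next test appended to this file would start on the same line as `name: command_prompt`. Since the patch subject already names the spawned children, one sentence in the description stating the expected telemetry — rundll32.exe carrying `url.dll,OpenURL` or `URL.dll,FileProtocolHandler` on its command line as the parent of mshta.exe or wscript.exe — would make explicit what a detection built from this test should key on; the hta body is not visible in this patch, so the "opens the calculator" claim cannot be confirmed here.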
@@ -0,0 +1 @@
+WScript.Echo "rundll32 spawned wscript"
\ No newline at end of file
diff --git a/atomics/T1218.011/src/index.hta b/atomics/T1218.011/src/index.hta
new file mode 100644
index 00000000..59101b61
--- /dev/null
+++ b/atomics/T1218.011/src/index.hta
@@ -0,0 +1,12 @@
+ + + + + + + + + \ No newline at end of file
From fd2bbab66b7e101dac102f58f91d4d2be005d13b Mon Sep 17 00:00:00 2001
From: clr2of8
Date: Sat, 19 Dec 2020 16:26:33 -0700
Subject: [PATCH 2/2] typo fix

---
 atomics/T1218.011/T1218.011.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/atomics/T1218.011/T1218.011.yaml b/atomics/T1218.011/T1218.011.yaml
index 1b8412ac..2b917385 100644
--- a/atomics/T1218.011/T1218.011.yaml
+++ b/atomics/T1218.011/T1218.011.yaml
@@ -147,7 +147,7 @@ atomic_tests:
 Trickbot uses this TTP as follows:
 rundll32.exe URL.dll,FileProtocolHandler C:\\..\\Detail\\akteullen.vbs

- In this atomic, the sample hta file opens the calculator and the vbs file show a message dialog with "rundll32 spawned wscript"
+ In this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with "rundll32 spawned wscript"
 supported_platforms:
 - windows
 executor: