New test: T1218.011 Gamarue tradecraft commandline with rundll32 exec…

…ution
redcanaryco · Feb 2, 2024 · b94aebe · b94aebe
1 parent 0e202df
commit b94aebe
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 0 deletions.
diff --git a/atomics/T1218.011/T1218.011.yaml b/atomics/T1218.011/T1218.011.yaml
@@ -295,3 +295,42 @@ atomic_tests:
       copy #{exe_to_launch} not_an_scr.scr
       rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
     cleanup_command: del not_an_scr.scr
+- name: Running DLL with .init extension and function
+
+  description: This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up.
+  supported_platforms:
+  - windows
+  input_arguments:
+    input_file:
+
+      description: The DLL file to be called
+
+      type: string
+
+      default: PathToAtomicsFolder\T1218.011\bin\_WT.init
+
+    input_url:
+
+      description: The URL to the DLL file that must be downloaded
+
+      type: url
+
+      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init
+
+  dependency_executor_name: powershell
+
+  dependencies:
+
+  - description: Pull file
+
+    prereq_command: if (Test-Path "#{input_file}") {exit 0} else {exit 1}
+
+    get_prereq_command: Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
+
+  executor:
+
+    command: rundll32.exe _WT.init,krnl
+
+    cleanup_command: del _WT.init
+
+    name: powershell
diff --git a/atomics/T1218.011/bin/_WT.init b/atomics/T1218.011/bin/_WT.init