Update T1218.011.yaml (#2719)

technique utilizing rundll32.exe and the FileProtocolHandler method to execute a command without requiring administrative privileges. By leveraging rundll32.exe in this manner, the test aims to assess the effectiveness of antivirus solutions, including Bitdefender, Windows Defender, and others, in detecting and preventing command execution evasion. The provided command bypasses certain antivirus detections by using the FileProtocolHandler to execute the specified command, in this case, launching 'calc.exe'. This evasion technique is known for its ability to exploit legitimate processes to execute malicious commands while avoiding detection. The test serves as an evaluation of antivirus solutions' capabilities to detect and mitigate such evasion tactics, contributing to the overall assessment of endpoint security posture.

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/T1218.011/T1218.011.yaml

@@ -323,3 +323,20 @@ atomic_tests:
     command: |
       rundll32.exe #{dll_file},krnl
     name: command_prompt
+name: Rundll32 execute command via FileProtocolHandler
+auto_generated_guid: f3ad3c5b-1db1-45c1-81bf-d3370ebab6c8
+description: |
+  Test execution of a command using rundll32.exe and the FileProtocolHandler technique.
+  Upon execution, calc.exe will be launched.
+  This technique is documented by Levan Abesadze - https://medium.com/@Wolverineisstillalive/system-binary-proxy-execution-rundll32-bypass-method-790871e1f2b7
+supported_platforms:
+- windows
+input_arguments:
+  command_to_execute:
+    description: Command for rundll32.exe to execute
+    type: string
+    default: calc.exe
+executor:
+  command: |
+    rundll32.exe url.dll,FileProtocolHandler #{command_to_execute}
+  name: command_prompt