Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1193/T1193.md

@@ -8,11 +8,13 @@ There are many options for the attachment such as Microsoft Office documents, ex
 
 - [Atomic Test #1 - Download Phishing Attachment - VBScript](#atomic-test-1---download-phishing-attachment---vbscript)
 
+- [Atomic Test #2 - Word spawned a command shell and used an IP address in the command line](#atomic-test-2---word-spawned-a-command-shell-and-used-an-ip-address-in-the-command-line)
+
 
 <br/>
 
 ## Atomic Test #1 - Download Phishing Attachment - VBScript
-The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com). 
+The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com).
 The below will successfully download the macro-enabled Excel file to the current location.
 
 **Supported Platforms:** Windows
@@ -24,7 +26,7 @@ if (-not(Test-Path HKLM:SOFTWARE\Classes\Excel.Application)){
   return 'Please install Microsoft Excel before running this test.'
 }
 else{
-  $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingAttachment.xlsm'
+  $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/bin/PhishingAttachment.xlsm'
   $fileName = 'PhishingAttachment.xlsm'
   New-Item -Type File -Force -Path $fileName | out-null
   $wc = New-Object System.Net.WebClient
@@ -36,4 +38,20 @@ else{
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Word spawned a command shell and used an IP address in the command line
+Opens a word document that will run powershell and perform an nslookup on the IP 192.168.1.1 and a sleep command
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`! 
+```
+Start-Process PathToAtomicsFolder\T1193\src\PowerShell_IP_Doc.doc
+```
+
+
+
 <br/>

atomics/index.md

@@ -964,6 +964,7 @@
 - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1193 Spearphishing Attachment](./T1193/T1193.md)
   - Atomic Test #1: Download Phishing Attachment - VBScript [windows]
+  - Atomic Test #2: Word spawned a command shell and used an IP address in the command line [windows]
 - T1192 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/index.yaml

@@ -26606,21 +26606,20 @@ initial-access:
       identifier: T1193
     atomic_tests:
     - name: Download Phishing Attachment - VBScript
-      description: "The macro-enabled Excel file contains VBScript which opens your
-        default web browser and opens it to [google.com](http://google.com). \nThe
-        below will successfully download the macro-enabled Excel file to the current
-        location.\n"
+      description: |
+        The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com).
+        The below will successfully download the macro-enabled Excel file to the current location.
       supported_platforms:
       - windows
       executor:
         name: powershell
         elevation_required: false
-        command: |-
+        command: |
           if (-not(Test-Path HKLM:SOFTWARE\Classes\Excel.Application)){
             return 'Please install Microsoft Excel before running this test.'
           }
           else{
-            $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingAttachment.xlsm'
+            $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/bin/PhishingAttachment.xlsm'
             $fileName = 'PhishingAttachment.xlsm'
             New-Item -Type File -Force -Path $fileName | out-null
             $wc = New-Object System.Net.WebClient
@@ -26628,3 +26627,15 @@ initial-access:
             [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
             ($wc.DownloadString("$url")) | Out-File $fileName
           }
+    - name: Word spawned a command shell and used an IP address in the command line
+      description: 'Opens a word document that will run powershell and perform an
+        nslookup on the IP 192.168.1.1 and a sleep command
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: 'Start-Process PathToAtomicsFolder\T1193\src\PowerShell_IP_Doc.doc
+
+'

atomics/windows-index.md

@@ -711,6 +711,7 @@
 - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1193 Spearphishing Attachment](./T1193/T1193.md)
   - Atomic Test #1: Download Phishing Attachment - VBScript [windows]
+  - Atomic Test #2: Word spawned a command shell and used an IP address in the command line [windows]
 - T1192 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)