From 088081e033244aef782dea21d655235f85d04d23 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 25 Nov 2019 16:55:57 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1193/T1193.md | 22 ++++++++++++++++++++-- atomics/index.md | 1 + atomics/index.yaml | 23 +++++++++++++++++------ atomics/windows-index.md | 1 + 4 files changed, 39 insertions(+), 8 deletions(-) diff --git a/atomics/T1193/T1193.md b/atomics/T1193/T1193.md index 22d7ba19..489e3b08 100644 --- a/atomics/T1193/T1193.md +++ b/atomics/T1193/T1193.md @@ -8,11 +8,13 @@ There are many options for the attachment such as Microsoft Office documents, ex - [Atomic Test #1 - Download Phishing Attachment - VBScript](#atomic-test-1---download-phishing-attachment---vbscript) +- [Atomic Test #2 - Word spawned a command shell and used an IP address in the command line](#atomic-test-2---word-spawned-a-command-shell-and-used-an-ip-address-in-the-command-line) +
## Atomic Test #1 - Download Phishing Attachment - VBScript -The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com). +The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com). The below will successfully download the macro-enabled Excel file to the current location. **Supported Platforms:** Windows @@ -24,7 +26,7 @@ if (-not(Test-Path HKLM:SOFTWARE\Classes\Excel.Application)){ return 'Please install Microsoft Excel before running this test.' } else{ - $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingAttachment.xlsm' + $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/bin/PhishingAttachment.xlsm' $fileName = 'PhishingAttachment.xlsm' New-Item -Type File -Force -Path $fileName | out-null $wc = New-Object System.Net.WebClient @@ -36,4 +38,20 @@ else{ +
+
+ +## Atomic Test #2 - Word spawned a command shell and used an IP address in the command line +Opens a word document that will run powershell and perform an nslookup on the IP 192.168.1.1 and a sleep command + +**Supported Platforms:** Windows + + +#### Run it with `powershell`! +``` +Start-Process PathToAtomicsFolder\T1193\src\PowerShell_IP_Doc.doc +``` + + +
diff --git a/atomics/index.md b/atomics/index.md index 7aac073b..bb0ca6ef 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -964,6 +964,7 @@ - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1193 Spearphishing Attachment](./T1193/T1193.md) - Atomic Test #1: Download Phishing Attachment - VBScript [windows] + - Atomic Test #2: Word spawned a command shell and used an IP address in the command line [windows] - T1192 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/index.yaml b/atomics/index.yaml index fafb2bdd..7e21c885 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -26606,21 +26606,20 @@ initial-access: identifier: T1193 atomic_tests: - name: Download Phishing Attachment - VBScript - description: "The macro-enabled Excel file contains VBScript which opens your - default web browser and opens it to [google.com](http://google.com). \nThe - below will successfully download the macro-enabled Excel file to the current - location.\n" + description: | + The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com). + The below will successfully download the macro-enabled Excel file to the current location. supported_platforms: - windows executor: name: powershell elevation_required: false - command: |- + command: | if (-not(Test-Path HKLM:SOFTWARE\Classes\Excel.Application)){ return 'Please install Microsoft Excel before running this test.' } else{ - $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingAttachment.xlsm' + $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/bin/PhishingAttachment.xlsm' $fileName = 'PhishingAttachment.xlsm' New-Item -Type File -Force -Path $fileName | out-null $wc = New-Object System.Net.WebClient @@ -26628,3 +26627,15 @@ initial-access: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ($wc.DownloadString("$url")) | Out-File $fileName } + - name: Word spawned a command shell and used an IP address in the command line + description: 'Opens a word document that will run powershell and perform an + nslookup on the IP 192.168.1.1 and a sleep command + +' + supported_platforms: + - windows + executor: + name: powershell + command: 'Start-Process PathToAtomicsFolder\T1193\src\PowerShell_IP_Doc.doc + +' diff --git a/atomics/windows-index.md b/atomics/windows-index.md index cd84e413..12463482 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -711,6 +711,7 @@ - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1193 Spearphishing Attachment](./T1193/T1193.md) - Atomic Test #1: Download Phishing Attachment - VBScript [windows] + - Atomic Test #2: Word spawned a command shell and used an IP address in the command line [windows] - T1192 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)