From 10814fa2e8184ecaff445853fd36d20c85f3abc7 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator <email>
Date: Tue, 27 Jul 2021 16:55:23 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs
 branch=master [skip ci]

---
 atomics/Indexes/Indexes-CSV/index.csv         |  1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv |  1 +
 atomics/Indexes/Indexes-Markdown/index.md     |  1 +
 .../Indexes/Indexes-Markdown/windows-index.md |  1 +
 atomics/Indexes/index.yaml                    | 22 ++++++++++++
 atomics/T1218.005/T1218.005.md                | 36 +++++++++++++++++++
 6 files changed, 62 insertions(+)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 2cd988cb..910ab46c 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -385,6 +385,7 @@ defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from
 defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
 defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
 defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
+defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
 defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
 defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
 defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index b77c5810..6a11056d 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -257,6 +257,7 @@ defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from
 defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
 defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
 defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
+defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
 defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
 defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
 defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 79e995e2..271dc6af 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -662,6 +662,7 @@
   - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows]
   - Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows]
   - Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
+  - Atomic Test #10: Mshta used to Execute PowerShell [windows]
 - [T1218.007 Msiexec](../../T1218.007/T1218.007.md)
   - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows]
   - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 222179ca..672d6010 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -470,6 +470,7 @@
   - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows]
   - Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows]
   - Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
+  - Atomic Test #10: Mshta used to Execute PowerShell [windows]
 - [T1218.007 Msiexec](../../T1218.007/T1218.007.md)
   - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows]
   - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 33e3f3bd..3bf345c7 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -28655,6 +28655,28 @@ defense-evasion:
         command: 'Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath
           #{mshta_file_path}'
         name: powershell
+    - name: Mshta used to Execute PowerShell
+      auto_generated_guid: 8707a805-2b76-4f32-b1c0-14e558205772
+      description: 'Use Mshta to execute arbitrary PowerShell. Example is from the
+        2021 Threat Detection Report by Red Canary.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        message:
+          description: Encoded message to include
+          type: string
+          default: Hello,%20MSHTA!
+        seconds_to_sleep:
+          description: How many seconds to sleep/wait
+          type: string
+          default: 5
+      executor:
+        command: 'mshta.exe "about:<hta:application><script language="VBScript">Close(Execute("CreateObject(""Wscript.Shell"").Run%20""powershell.exe%20-nop%20-Command%20Write-Host%20#{message};Start-Sleep%20-Seconds%20#{seconds_to_sleep}"""))</script>''"
+
+'
+        name: command_prompt
   T1218.007:
     technique:
       id: attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336
diff --git a/atomics/T1218.005/T1218.005.md b/atomics/T1218.005/T1218.005.md
index 8682f1e1..fe099523 100644
--- a/atomics/T1218.005/T1218.005.md
+++ b/atomics/T1218.005/T1218.005.md
@@ -30,6 +30,8 @@ Mshta.exe can be used to bypass application control solutions that do not accoun
 
 - [Atomic Test #9 - Invoke HTML Application - Simulate Lateral Movement over UNC Path](#atomic-test-9---invoke-html-application---simulate-lateral-movement-over-unc-path)
 
+- [Atomic Test #10 - Mshta used to Execute PowerShell](#atomic-test-10---mshta-used-to-execute-powershell)
+
 
 <br/>
 
@@ -423,4 +425,38 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #10 - Mshta used to Execute PowerShell
+Use Mshta to execute arbitrary PowerShell. Example is from the 2021 Threat Detection Report by Red Canary.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8707a805-2b76-4f32-b1c0-14e558205772
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| message | Encoded message to include | string | Hello,%20MSHTA!|
+| seconds_to_sleep | How many seconds to sleep/wait | string | 5|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+mshta.exe "about:<hta:application><script language="VBScript">Close(Execute("CreateObject(""Wscript.Shell"").Run%20""powershell.exe%20-nop%20-Command%20Write-Host%20#{message};Start-Sleep%20-Seconds%20#{seconds_to_sleep}"""))</script>'"
+```
+
+
+
+
+
+
 <br/>