Replaced the ${atomics_path} input variable with the (#761)
$PathToAtomicsFolder global variable. Removed the input variable block for simplicity. Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
dwhite9
@@ -43,15 +43,10 @@ atomic_tests:
|
||||
This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems.
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
atomics_path:
|
||||
description: path to atomics folder
|
||||
type: path
|
||||
default: ..\..\atomics
|
||||
executor:
|
||||
name: command_prompt
|
||||
command: |
|
||||
mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")
|
||||
mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file $PathToAtomicsFolder\T1170\src\powershell.ps1"":close")
|
||||
|
||||
- name: Mshta Executes Remote HTML Application (HTA)
|
||||
description: |
|
||||
|
||||
Reference in New Issue
Block a user