security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generate docs from job=validate_atomics_generate_docs branch=master

Browse Source
This commit is contained in:
CircleCI Atomic Red Team doc generator
2019-11-18 15:19:08 +00:00
parent 942ca94244
commit 232fb47eda
4 changed files with 34 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1173/T1173.md
+18
View File
@@ -10,6 +10,8 @@ Adversaries may use DDE to execute arbitrary commands. Microsoft Office document
- [Atomic Test #1 - Execute Commands](#atomic-test-1---execute-commands)
- [Atomic Test #2 - Execute PowerShell script via Word DDE](#atomic-test-2---execute-powershell-script-via-word-dde)
<br/>
@@ -36,4 +38,20 @@ The Field Code should now be displayed, change it to Contain the following:
<br/>
<br/>
## Atomic Test #2 - Execute PowerShell script via Word DDE
When the word document opens it will prompt the user to click ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download and execute a powershell script
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
start $PathToAtomicsFolder\T1173\bin\DDE_Document.docx
```
<br/>
atomics/index.md
+1
View File
@@ -686,6 +686,7 @@
- Atomic Test #1: Control Panel Items [windows]
- [T1173 Dynamic Data Exchange](./T1173/T1173.md)
- Atomic Test #1: Execute Commands [windows]
- Atomic Test #2: Execute PowerShell script via Word DDE [windows]
- T1106 Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1129 Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
atomics/index.yaml
+14
View File
@@ -19523,6 +19523,20 @@ execution:
The Field Code should now be displayed, change it to Contain the following:
{DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" }
- name: Execute PowerShell script via Word DDE
description: 'When the word document opens it will prompt the user to click
ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download
and execute a powershell script
'
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: 'start $PathToAtomicsFolder\T1173\bin\DDE_Document.docx
'
T1118:
technique:
x_mitre_data_sources:
atomics/windows-index.md
+1
View File
@@ -555,6 +555,7 @@
- Atomic Test #1: Control Panel Items [windows]
- [T1173 Dynamic Data Exchange](./T1173/T1173.md)
- Atomic Test #1: Execute Commands [windows]
- Atomic Test #2: Execute PowerShell script via Word DDE [windows]
- T1106 Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1129 Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)