From 5d6df77a522b64ff23d4f7edc83a711a4ef6ebe6 Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Tue, 10 Jan 2023 05:42:04 -0700
Subject: [PATCH] add dll and prereqs (#2273)

Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com>
---
 atomics/T1137.002/T1137.002.yaml | 43 ++++-
 atomics/T1137.002/bin/officetest_x64.dll | Bin 0 -> 10752 bytes
 atomics/T1137.002/bin/officetest_x86.dll | Bin 0 -> 8704 bytes
 .../T1137.002/src/officetest/officetest.sln | 31 ++++
 .../src/officetest/officetest/dllmain.cpp | 27 +++
 .../src/officetest/officetest/framework.h | 5 +
 .../officetest/officetest/officetest.vcxproj | 157 ++++++++++++++++++
 .../officetest/officetest.vcxproj.filters | 33 ++++
 .../officetest/officetest.vcxproj.user | 4 +
 .../src/officetest/officetest/pch.cpp | 5 +
 .../T1137.002/src/officetest/officetest/pch.h | 13 ++
 atomics/T1137.006/T1137.006.yaml | 7 +
 12 files changed, 316 insertions(+), 9 deletions(-)
 create mode 100644 atomics/T1137.002/bin/officetest_x64.dll
 create mode 100644 atomics/T1137.002/bin/officetest_x86.dll
 create mode 100644 atomics/T1137.002/src/officetest/officetest.sln
 create mode 100644 atomics/T1137.002/src/officetest/officetest/dllmain.cpp
 create mode 100644 atomics/T1137.002/src/officetest/officetest/framework.h
 create mode 100644 atomics/T1137.002/src/officetest/officetest/officetest.vcxproj
 create mode 100644 atomics/T1137.002/src/officetest/officetest/officetest.vcxproj.filters
 create mode 100644 atomics/T1137.002/src/officetest/officetest/officetest.vcxproj.user
 create mode 100644 atomics/T1137.002/src/officetest/officetest/pch.cpp
 create mode 100644 atomics/T1137.002/src/officetest/officetest/pch.h
diff --git a/atomics/T1137.002/T1137.002.yaml b/atomics/T1137.002/T1137.002.yaml
index b6f1f5d6..2296cfd0 100644
--- a/atomics/T1137.002/T1137.002.yaml
+++ b/atomics/T1137.002/T1137.002.yaml
@@ -1,21 +1,46 @@ attack_technique: T1137.002 display_name: 'Office Application Startup: Office Test' atomic_tests: -- name: Office Application Startup Test Persistence +- name: Office Application Startup Test Persistence (HKCU) auto_generated_guid: c3e35b58-fe1c-480b-b540-7600fb612563 description: | Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. Key is used for debugging purposes. Not created by default & exist in HKCU & HKLM hives. supported_platforms: - windows - input_arguments: - thing_to_execute: - description: Thing to Run - type: Path - default: C:\Path\AtomicRedTeam.dll + dependencies: + - description: | + Microsoft Word must be installed + prereq_command: | + try { + New-Object -COMObject "Word.Application" | Out-Null + Stop-Process -Name "winword" + exit 0 + } catch { exit 1 } + get_prereq_command: | + Write-Host "You will need to install Microsoft Word manually to meet this requirement" + - description: DLL files must exist on disk at specified location + prereq_command: | + if ((Test-Path "PathToAtomicsFolder\T1137.002\bin\officetest_x64.dll") -and (Test-Path "PathToAtomicsFolder\T1137.002\bin\officetest_x86.dll")) {exit 0} else {exit 1} + get_prereq_command: |- + New-Item -Type Directory "PathToAtomicsFolder\T1137.002\bin\" -Force | Out-Null + Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.002/bin/officetest_x64.dll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.002\bin\officetest_x64.dll" + Invoke-Webrequest -Uri "htps://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.002/bin/officetest_x86.dll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.002\bin\officetest_x86.dll" executor: + name: powershell command: | - reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d "#{thing_to_execute}" + $wdApp = New-Object -COMObject "Word.Application" + 
if(-not $wdApp.path.contains("Program Files (x86)")) + { + Write-Host "64-bit Office" + reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d "PathToAtomicsFolder\T1137.002\bin\officetest_x64.dll" /f + } + else{ + Write-Host "32-bit Office" + reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d "PathToAtomicsFolder\T1137.002\bin\officetest_x86.dll" /f + } + Stop-Process -Name "WinWord" + Start-Process "WinWord" cleanup_command: | - reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /f >nul 2>&1 - name: command_prompt + Stop-Process -Name "notepad","WinWord" -ErrorAction Ignore + Remove-Item "HKCU:\Software\Microsoft\Office test\Special\Perf" -ErrorAction Ignore \ No newline at end of file 
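Review bot: The second `Invoke-Webrequest` in the new `get_prereq_command` uses the scheme `htps://` for the x86 DLL, so that download fails and the prereq check, which requires both DLLs to exist, can never pass on a machine that does not already have the file; the line should read `Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.002/bin/officetest_x86.dll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.002\bin\officetest_x86.dll"`. Because the executor then points the `Office test\Special\Perf` value at whichever DLL was fetched, it would also be worth having the prereq verify each file (for example `Get-FileHash` compared with `<expected-sha256-placeholder>`) rather than only `Test-Path`, so a truncated or substituted download is rejected before Word loads it. The description block still says the key "exist[s] in HKCU & HKLM hives" while the test name was narrowed to "(HKCU)"; a one-line note that only the HKCU variant is exercised here would keep the description and the executor in step.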
diff --git a/atomics/T1137.002/bin/officetest_x64.dll b/atomics/T1137.002/bin/officetest_x64.dll new file mode 100644 index 0000000000000000000000000000000000000000..725fedd96f4896c945e75b939566a2cf79ff8f1f GIT binary patch literal 10752 zcmeHNeRLbum4C7|{z?=%U}Z&sWs=C)0c;d23(kidIkCgImBA!-ND~uTk;b+_mUN_1 z;^cU@4zg*SS+${u0NbTK#OZF?e$Y@TIDz)aIAA9vC1hFF-fT;{v}KHQIEL;*66ntU z?###^fp-5XXU`ViIdAUAyYIgH?z`{4HzU<=+0U{WV`fxUWo!VDid%dBFAo!A^R7EO zk3F4#YSDnnb81mzdoa#NW0AI)uY>pd!r_R-Zx{JkBFqQFe9avj`Ho0HEVoz+9ER$} zXD;n)ed@unOpUypI~D-F^pyjnI(%R>q|y6F!y0^eR0RCV;DJ#;VCz!{#?}IU_myvH z^51>s-mx}~erS~7hM>QlbpN55G}JN{xIc&Gf8%+7MrM*N=I3P1Tg(csW z#=0?W9nWGchj5e(WKj_0Oq49v0#UtF27H{J;%I%IE`>dWH86I8pqsJ7+JHo$v@muP z0KbH3LlNtf%DF}8Iswp`4~Go7c4Ls z$rqu{C~gd0u8T1@ImU?!U$MogGm4wBba_-4)aD3=CYK2gLl$gzc`P2I1=4&1-)M5z z8v+J!YjR>J0zvW-`AU<6PiGc4V{2#9pJiM~o-a*aG9?xXDcfW78FL+1Z7o=Pp*Nkd z2r0{Vz*B8M180DuM@Swk9Xk23(%Ndhu19mDu*&k}b&Mqng~7qX)(-|%HDMYO29Fnx zKa|bb$&)l*?-^-D@@ES5@x7Um6QAk>yGYafLe8E?58#)55OnDs7 z{a7E(FL%KiPWQfxGS`Iuz3H!5^v-T{ae9Z;kv?uU8kAcxL(MaMvg*VV7@fFP`4VQP z{1$7b{34IBWbu!|XPCxYu+??Oz3&ypgrVLaz4~nOO_Nd&X?bX(UpHb28L|JQARiO@ zHuIi7x4o|c>m%fCx=ULicbz;bU&0dgo=I3&*aog;>?^sh^!Pg%BDGdcUNG&f6=d!l zatp;_!ElYkNvktaq}sNEDUbGngFxu{F}U!W{I77C^4RZHb-L-{nN7B-rle|0+ybQ) z=;k^@-7bElszUGkh$`i!{{|{^ZTi5{yo`)$`?UoQR3$E{W+&WJBbHC8?M+Kd(X-4j zIX|`8gvfMG6lG*p+d-(%&6~(^ouyWJh?cSwtKqKR=G{gcYdW53@%TFVg8XlS{4Q-# zPWgK{!6OgL|13~|Oa%ef-#h+wn2!GLjrs-{qm8@9F?%Z<7gLTw0h(ba*GqoN6aV@rLN<&JiKaKfNtt=QqAgm zk`~XqZEI%j_$EOvWpvS{~hyRnPH)3%IMcP;d7fK`%^w z1mT0zAm(B=a1~Z*?RK zdT3tWXb3}63jm>wF5*7B}xN;H+4q0PC@ z#yp=i=<&ya=zH7x40kJK^W)FaHnP?X?d3`+iSM9Xy$5232Z|I)C-UL1Akc}o_dzYT zJ;kc7tGntvwkMOv5^c$grk(dFzriA4B};qHCLFNxb+js1p)aORR{xUde2tdM;bm8= zHNt(F9FQDQe`oy)_YV+2oIL?RBtekR0=&fS!PBHI15BWaGUXB;S{&f$8yu+L!dUAH zE{IS|bP9gUqd;)5ewje_i9IXmuAcA?%t3N!T~TdMGfRA*L?&zy`g&;?GDKrm4?IGnYUe=jUd>J{kRap*Q2%PeCfx1w}jYFV8dm%uhxm8;XD8g?pT%VT` zvX!4{XY`|v(OJoT!(v^H{IWdhI$oVxXR4iZ+S*^e=iS@HaH7xbsGajF^qA#~aC}~0qhoGjtB|xL 
z@ouFSPp(m|!Z3F)y=ZkaR+Y{%F{!kwB`1qXi>jgo7IKGikx5?QcRGY4CLFQkX~BAE zFkVz6bJa-v)yWZ4O&@m)(1~2|%76?Y-LsmM@ZqY-uItHc7*ZqC<;0vZ!+P}1{CGj_ zoI&)xbQK-k|BiQI(q7YN83SrP`c{!O`GC$i2F7#nGwZwdr+VAf@m-L(CLV`+(`jMw zKX_rzX#o@D>59NF9$Gn+xJ%}~4(a4b-Z1w!Kq%b%xGrGT?+@`(Wpacc=0uQK1vL19 z4M6I2&63fYRig>Jrpa+`^|^#4X{kZ0yYJeS0JO-Zbmx_DVNM<^^bTn+8c2Yy^a{=i z2^=Am4yTG*d>;l^izV&Zsyzp^=l8VdquTRp+VimX+^s!B+H)J8Cr=(W4MG2qTD(Rh zr*uyv)9*{_xoPe+Hlw}x9w>1);XHu9-riU5ro40acndPd$r)^3xgDJSTI0}kgD(7| ziy2|OHoPs!CK=(1eNKzuNm<(8Q&o>#82KxGoWI?j|})VqkpFX?>G2@L01^iZa{q$ z#_Ts_Fdg1w&|frQg#iy=*6$`me~|$%7;?`W@OuV))PVa9c)tN(H(+LTyhC(TF3Z5~ zYjygu%V0)+tHICEe=6AE)W@APU`DTYy`S-D3QIvLBnJ30{`QC@MtuQYGA{XI5|8h# z#3~m%MMHs`Cif|nyvyvI8e)+?k3s`Z@iWM$WKTx@$Dl*E=W>3YVV~WAya7uM=rkbp z%X}NAm(tCs%??yMwM@6o1x}~)(`bA8vNpW;GXb4P&^B^e8@?C(pB6GFt2?XP4%=v} z)c_LjW=!V$sA<&t1&sMoT{!)($E9I2>Q3BXyHM%NKopZ(5TpP;Xn;=%H`cQ8-)smhI>WgUzC_Z-MI?6Y`Vv~l>EyhdHFbQVvSbAs1n z!uXx~_kH?Zqk-(veOv*QnV0J8Xz*Obvx7HdEtYFMyunmaA(h{$ZD8hU}go&^H{-#oGA4* zL)MCbE=T>T(bo)oJu1D8Q@I29mKp6tZ=KPezc7a_TyA9xV++m|MXzijy;utN0AzOJ z&igiKf|?B*vKma*9A?EFteAtfVoubQZ({k|(Vk~!c`UQ4X_-N z(fp9Z3Mz7s{xKM@4@S$=ciQ3kO1C zjIm!zh>O5Bt=rIadt+UF?Xu-gU1uwc z?}|%e2jyz?4N8(2>tMG|<6e=iVcxjd?rjZ*(C8&o?9A(rgj<7ciJ0gO`(m-kPOmT4 zwgV@X-ZSV61$R$1iQyf=SR~vbhGE0@B^F<}twl0DX0QhzFUE+Bn zk$V%-^@*@w3P!@UVJWr?*@9X&1!Gde7itPaEmHL;*A&*B8>sE{i%}9^uT7q@hq;ZS z^aq=7$hu9G)+J&w%(NjE@ry`_&v1=!X)x@Q#0-mlJG(A!5Ruq=(MPs6#Kbr`C}6%b zA;xw!h_Tj4tiu=fV-}bt7W&4IYp)Bin`dwv+hd|H046hK!;+2K(l)|D)p1NfB#iCJ zuER3x3$)RL01?oIJq(L##O;Z;HZhj5{ zRn7cLL9ZI5m+~x~WBRQ?Lo_mzhc(XUkN^K3C`2wqrTba~U>LO$INj;f2A|;TxVx+d ze-yA8_lR!b1XH+2yat^9A9D)TjCJr1MdPHUWoe!_#=R3{QkHXI6?X?lJFY9NxTz12pr!M*nOyv z1IPCS?Jjs2INb^9Zr2H$3DUieaDsFNTAmA$|wm_HcYvl`JcFmhfWO9|;7*ZB->rjqA%QOL%;| z2nT#29JW;@yTo|OnlD%iR{P>{v15B^7Y_yDcvVRv7G4?mw~HOVcv(l#AB)5ztx}mk z(y`JP?Pi!v>m2r#iXdp@y2;B zzv7LXMyY+p8)v!Ps$g4ybbrxI>b;EB>I|&?JO9*{mKkLkv#0CwZew}iT&HojT@P$V zv2fbV>lut?aq=o=8^9oE;>%z)@DMstzbiOJ5)0qXV#fSbsbTCg;cLHo#+E?K?%9lW 
zU)wf`K4H0L%|QQm@@1mXBclJ!xd3Dz%{65=YW%Y>wxKNI_lZ8lg%K<;SPn|cC#dnS z21A!=Vr(}BlMMyFVKY%CeKm|F$|BJSIhxNE3@&#o@T9MX^hJcuFa&AttR98*Sx_c@ zHH7-eKr!CCf!PG(<@IXS!3k;#67On-19nlZbI%CNv#Rug@*;^R9SON^+#jb+$eLT%KQNN)$W}f; z)0=R^Tynz$n7}^jJdoI?cO=Gw%l30s>e6`c8FGPg6DGF9I~wnu(7cf$J*d1xGv0v( zQa*%@v10BeE?tR{u*_HlZg6w{OXHV*ar4DFm*Ucy^aO8%jC}N3%jDiOsx+$n7T#)3 z%F-ES7X~4F9o$}1pq}jgTk=V-X+V|oE33)UZP|{*xqpR5zFw+M%!#QPqCsvkkJ$kl z){reDG~zf+7`T|sG3^zydSYjw04XN|wW&u_HxE zSx_7ouX^kAj>4vBl3jbS@Gy;UgzKRN!NB#TLt;GzJ8i#SY(In2kGQ=$)(>HO?1(8P zLfdjK#gSxG3ky&QOw+T3T4+VJUM;i$wIrcx`*|yD?6^TKoC(%ILNs(_G{1Gnev6%% zVg!N|z${aZx|;wsgDl zI5xk0%za$SK6oD*$MV3<$(^y3u|uQg>Bq2(Vcey6TI1Zx^~pdD(vezd#3))_Imb8s z&@%9oL-hoeUy;&f`k2ugU#3^irl|~2G%?w0Y?7CGGLPl|CLAO51Q!YAWD^1woV@1jwD5zIflI>t;&Pybf zdqKRQOCmp?fX@CzGd5jPsRg$`A#sTst)9)bjr|9Nl~S;jxmr(5O*xKCf`M=3JAiMI zx&qqAsU5N!nRKQq6)Epf#%XRzDu2N{h^Bxab5MRt?4C41w!0S-GkB*A#D$YBrQ zQ3H*qga2ES9R_6-UVXE}80e;yx)vLPlIKv}{fxC&LOTxNmVF+e?L$P+C043EI2|dZ zy>bUu*(}|Sz&S{5cOI%=sl13}M~9tQ66>+Dt+P{!{srCGEZKWrW{#2V6;PYVfBcYq zh!R{%VBY7BCt9}~5Ejst-$%}!=13f*ka{%jH*z%-v-)~XOuCNp=6r|~E(30ECVvj? 
zgv`~1)i60@$#urJ?&!!=K7sMWdh45*`ykIL9f-l_c?veg2XDgUPdv@h;2w^i6ge8`=IF0FIr{qm(B54Gdx2!HK0fd`DuYyc3YB3#E@d&f zW}>4$KCqj&K1-Gq!xHpBjvn?tTZjwmu=nraeirv0Pz&`Ix=IbMRWF?!^gbK+Ue;!C z(@Er_&yrd$AM{>E2BKt+z%k)EVZ@~2A=ZpbK&*Hxc`@10^y-9_nO`B`{y2K$8u@M< zV>$Bi)E0R!c2w{FIC2g*2a?qzT3#XWWwLKx`2yaXnAxwoFffysSk3WHt9cOR&e4XZ zHTx)`A#FNdua66gDqWVn6RF6cNqNWp`>7wTByACOzEY3nQl)};mUfgi1?*;=R-{Jx z1n!9)nThy5tZmKWKAL0fyfv0pzV1{F4u=i9${tx7jAJ`qw zjz6T2-)D4;#MhW)?;bqx-#uXBUPMC>HSE}z|%c*!K zrZC-mdHQfXs*iu&7;i91i=n1?e1V!@oygKLaZdGytPCd3tnMaMSY4l$$;3P`fwIBO zWYP?|x*xX3j_cyQGM1$=VC{$#oMLQf?W&l%!uYVqWZc zMoLGf+%mq891%N~F>D~;P(1A?&ZR@x$SlAAyI{nQ>9tmLzuL--;uex(X7NuPBl)@$ zaqs!~>T%lKb>kgb>*pMGAC=am)EhMgh+s{@#iT`a$BtPvHl-InDpE`4i8=4P-V)NR9bFY{7C*#KspqyIoxH zoF0CWvWLEfY&Md7E<*<=|M7E1Y%DOptuf8GQiFmwNyLI*zf#`NE=~>Y<_O7iB#HU{ z|NpAyGWI=`K9qKpdXyiO;HNgQ9%UT$Qz);Z(6`}s4Syf_X_SXkbQan-qkIJV=O`yo zET9*mtVg+!k`s|`G!0)4>Au*FvN|LN#ZJL*DYdK!i$b^0&sbFSMMMkUmxwGAdW4j^ z#Fwl6VhN1JZqxQ1{cM{eh(P+E`1H{KyYz^Y#!J6N(GG7!*>D?5fz~VCW&%m9186&N zOsCjFNOT>Raa}YlMcRaQ5urOAT^DX|54H)S5Ea+05;_H6RG7pn>-KL%Z;X*D7>fI0 z>Egy(@+`e)@wY8&SBT`8MSBM;3(^CXm7jB1TV_O4na$SLzKO9O&~);aEnd}VUAuT8 zs%-02-u=Yuo5EYp<@%@cxZI8@ym~ITb1IL^?ViGGL^vqqP3khaY~}zY)`Bm#t|%Vw-jOLOwoj8Y$hx zyPuEGiYM_JH96ceuF5rPa(K33{WLx|$l8M{f8VSpp635~#5)B!3dg>#V=KS8)_KabCt(!ApYc! 
z9(IU6k-}*@GDF+1Y5LmsitDcK=Q~kP%l&MUo`UP~^n*hB)9vq1YS$Gpa{-Dal_N{H7fdB#Vy@JYcSLvZuMi&N5WfLJA+XXvtnIBS5!dF#ae})HlbT= z4fsO-P9frKZ3}mGg+r`q@v7A;8kg63?M|DfHOQh{qN30RFEMBhilPwdVwG3xtpZ!f zTBAaswLRF0##S=sMh1&9+Dq-F+LVS3t3%qn{a)^cU^sLSH=VIZ4Gn_$h0WHCrGmIvibP;%eI(o_V2eCs zXoN$8A)hFuS?tdFTs>#!U}ttGdKqW-GA>p|-F;7}``_vbyn}(uxub zF7qM3uM;VjLpRZ2W^};Z`ye8$QQ&o$Y4ZY@5UOgzb>+ zZQHMG7i_uq>+G}aK6}u<*Zz$Cfc?1rti5*L`gylF?stfe=N$jw_=)3)<2}cRjxoot z9hV%RIx?L(&Kb@k=Pc*#&Qhn->2WS`);iZZea?1gr*pHj&$-+Al=B7WLFfCu8QbV;snxPIgM-u##5pPheGc}@9!Rk67uUa`7Ts@zt&r*dEAGnEG`->Up+<%gBJs#~izR0&mEs~)M^ zRaN0$=w9v~aPM;Oaqn}# +#include + +BOOL APIENTRY DllMain(HMODULE hModule, + DWORD ul_reason_for_call, + LPVOID lpReserved +) +{ + switch (ul_reason_for_call) + { + case DLL_PROCESS_ATTACH: { + LPCSTR app_name = "Untitled - Notepad"; + if (FindWindowA(0, app_name)) { + // Notepad is already running + } + else { + system("start notepad.exe"); + } + } + case DLL_THREAD_ATTACH: + case DLL_THREAD_DETACH: + case DLL_PROCESS_DETACH: { + break; } + } + return TRUE; +} \ No newline at end of file diff --git a/atomics/T1137.002/src/officetest/officetest/framework.h b/atomics/T1137.002/src/officetest/officetest/framework.h new file mode 100644 index 00000000..54b83e94 --- /dev/null +++ b/atomics/T1137.002/src/officetest/officetest/framework.h @@ -0,0 +1,5 @@ +#pragma once + +#define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers +// Windows Header Files +#include diff --git a/atomics/T1137.002/src/officetest/officetest/officetest.vcxproj b/atomics/T1137.002/src/officetest/officetest/officetest.vcxproj new file mode 100644 index 00000000..8bc03109 --- /dev/null +++ b/atomics/T1137.002/src/officetest/officetest/officetest.vcxproj 
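Review bot: `DllMain` calls `system("start notepad.exe")` in the `DLL_PROCESS_ATTACH` case while the loader lock is held; `system` ends in `CreateProcess`, which Microsoft's DllMain guidance lists among the calls not to make there because it can deadlock or fail depending on what else is loading, so the intent should be recorded, e.g. `// NOTE: runs under the loader lock; acceptable only for this single-purpose test DLL`. The attach block also has no `break;` and falls through into `DLL_THREAD_ATTACH`/`DLL_THREAD_DETACH`/`DLL_PROCESS_DETACH`; that is harmless now because those cases only `break`, but adding `break;` after the attach block's closing brace keeps a future edit to the detach case from running on attach. `FindWindowA(0, "Untitled - Notepad")` matches only the English window title, so on localized Windows the check never succeeds and a new Notepad is started on every Office launch; that limitation deserves a comment such as `// English title only; localized Windows will always start a new Notepad`. The hunk's `@@` header and the opening `#include` lines are not legible in this rendering, so the top of the file was not reviewed.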
@@ -0,0 +1,157 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {38d47045-36f2-48cd-9523-0104408a650e} + officetest + 10.0 + + + + DynamicLibrary + true + v143 + Unicode + + + DynamicLibrary + false + v143 + true + Unicode + + + DynamicLibrary + true + v143 + Unicode + + + DynamicLibrary + false + v143 + true + Unicode + + + + + + + + + + + + + + + + + + + + + + Level3 + true + WIN32;_DEBUG;OFFICETEST_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) + true + Use + pch.h + + + Windows + true + false + + + + + Level3 + true + true + true + WIN32;NDEBUG;OFFICETEST_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) + true + Use + pch.h + + + Windows + true + true + true + false + + + + + Level3 + true + _DEBUG;OFFICETEST_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) + true + Use + pch.h + + + Windows + true + false + + + + + Level3 + true + true + true + NDEBUG;OFFICETEST_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) + true + Use + pch.h + + + Windows + true + true + true + false + + + + + + + + + + Create + Create + Create + Create + + + + + + \ No newline at end of file diff --git a/atomics/T1137.002/src/officetest/officetest/officetest.vcxproj.filters b/atomics/T1137.002/src/officetest/officetest/officetest.vcxproj.filters new file mode 100644 index 00000000..1e57c7b1 --- /dev/null +++ b/atomics/T1137.002/src/officetest/officetest/officetest.vcxproj.filters @@ -0,0 +1,33 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Header Files + + + Header Files + + + + + Source Files + + + Source Files + + + \ No newline at end of file 
diff --git a/atomics/T1137.002/src/officetest/officetest/officetest.vcxproj.user b/atomics/T1137.002/src/officetest/officetest/officetest.vcxproj.user new file mode 100644 index 00000000..88a55094 --- /dev/null +++ b/atomics/T1137.002/src/officetest/officetest/officetest.vcxproj.user @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/atomics/T1137.002/src/officetest/officetest/pch.cpp b/atomics/T1137.002/src/officetest/officetest/pch.cpp new file mode 100644 index 00000000..64b7eef6 --- /dev/null +++ b/atomics/T1137.002/src/officetest/officetest/pch.cpp @@ -0,0 +1,5 @@ +// pch.cpp: source file corresponding to the pre-compiled header + +#include "pch.h" + +// When you are using pre-compiled headers, this source file is necessary for compilation to succeed. diff --git a/atomics/T1137.002/src/officetest/officetest/pch.h b/atomics/T1137.002/src/officetest/officetest/pch.h new file mode 100644 index 00000000..885d5d62 --- /dev/null +++ b/atomics/T1137.002/src/officetest/officetest/pch.h @@ -0,0 +1,13 @@ +// pch.h: This is a precompiled header file. +// Files listed below are compiled only once, improving build performance for future builds. +// This also affects IntelliSense performance, including code completion and many code browsing features. +// However, files listed here are ALL re-compiled if any one of them is updated between builds. +// Do not add files here that you will be updating frequently as this negates the performance advantage. + +#ifndef PCH_H +#define PCH_H + +// add headers that you want to pre-compile here +#include "framework.h" + +#endif //PCH_H diff --git a/atomics/T1137.006/T1137.006.yaml b/atomics/T1137.006/T1137.006.yaml index 78e7bae0..2fab69af 100644 --- a/atomics/T1137.006/T1137.006.yaml +++ b/atomics/T1137.006/T1137.006.yaml 
@@ -23,6 +23,7 @@ atomic_tests: prereq_command: | if ((Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x64.xll") -and (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x86.xll")) {exit 0} else {exit 1} get_prereq_command: |- + New-Item -Type Directory "PathToAtomicsFolder\T1137.006\bin\Addins\" -Force | Out-Null Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/excelxll_x64.xll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x64.xll" Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/excelxll_x86.xll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x86.xll" executor: @@ -37,6 +38,8 @@ atomic_tests: Write-Host "32-bit Office" $excelApp.RegisterXLL("PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x86.xll") } + cleanup_command: | + Stop-Process -Name "notepad","Excel" -ErrorAction Ignore - name: Persistent Code Execution Via Excel Add-in File (XLL) auto_generated_guid: 9c307886-9fef-41d5-b344-073a0f5b2f5f @@ -60,6 +63,7 @@ atomic_tests: prereq_command: | if ((Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x64.xll") -and (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x86.xll")) {exit 0} else {exit 1} get_prereq_command: |- + New-Item -Type Directory "PathToAtomicsFolder\T1137.006\bin\Addins\" -Force | Out-Null Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/excelxll_x64.xll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x64.xll" Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/excelxll_x86.xll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x86.xll" executor: 
@@ -111,6 +115,7 @@ atomic_tests: prereq_command: | if ((Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\wordwll_x64.wll") -and (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\wordwll_x86.wll")) {exit 0} else {exit 1} get_prereq_command: |- + New-Item -Type Directory "PathToAtomicsFolder\T1137.006\bin\Addins\" -Force | Out-Null Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/wordwll_x64.wll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\wordwll_x64.wll" Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/wordwll_x86.wll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\wordwll_x86.wll" executor: @@ -155,6 +160,7 @@ atomic_tests: prereq_command: | if (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\ExcelVBAaddin.xlam") {exit 0} else {exit 1} get_prereq_command: |- + New-Item -Type Directory "PathToAtomicsFolder\T1137.006\bin\Addins\" -Force | Out-Null Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/ExcelVBAaddin.xlam" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\ExcelVBAaddin.xlam" executor: name: powershell @@ -188,6 +194,7 @@ atomic_tests: prereq_command: | if (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\PptVBAaddin.ppam") {exit 0} else {exit 1} get_prereq_command: |- + New-Item -Type Directory "PathToAtomicsFolder\T1137.006\bin\Addins\" -Force | Out-Null Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/PptVBAaddin.ppam" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\PptVBAaddin.ppam" executor: name: powershell