From 672bd86fff14549f93e44d638a67ab63d643aacc Mon Sep 17 00:00:00 2001
From: Andrew Beers
Date: Fri, 15 May 2020 15:18:08 -0500
Subject: [PATCH] T1036 file extension masquerading (#997)
* write test
* add files and test cases
* improve naming for exe files
---
atomics/T1036/T1036.yaml | 56 ++++++++++++++++++++++++
atomics/T1036/src/T1036_masquerading.ps1 | 1 +
atomics/T1036/src/T1036_masquerading.vbs | 2 +
3 files changed, 59 insertions(+)
create mode 100644 atomics/T1036/src/T1036_masquerading.ps1
create mode 100644 atomics/T1036/src/T1036_masquerading.vbs
diff --git a/atomics/T1036/T1036.yaml b/atomics/T1036/T1036.yaml
index e51fd22b..942146b6 100644
--- a/atomics/T1036/T1036.yaml
+++ b/atomics/T1036/T1036.yaml
@@ -180,3 +180,59 @@ atomic_tests:
 cleanup_command: |
 del C:\T1036.txt >nul 2>&1
 del C:\lsm.exe >nul 2>&1
+
+- name: File Extension Masquerading
+ description: |
+ download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched.
+
+ e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quartelyreport.docx.exe)
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ exe_path:
+ description: path to exe to use when creating masquerading files
+ type: path
+ default: C:\Windows\System32\calc.exe
+ vbs_path:
+ description: path of vbs to use when creating masquerading files
+ type: path
+ default: PathToAtomicsFolder\T1036\src\T1036_masquerading.vbs
+ ps1_path:
+ description: path of powershell script to use when creating masquerading files
+ type: path
+ default: PathToAtomicsFolder\T1036\src\T1036_masquerading.ps1
+
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ Copy-Item #{exe_path} -Destination $env:TEMP\T1036_masquerading.docx.exe -Force
+ Copy-Item #{exe_path} -Destination $env:TEMP\T1036_masquerading.pdf.exe -Force
+ Copy-Item #{exe_path} -Destination $env:TEMP\T1036_masquerading.ps1.exe -Force
+ Copy-Item #{vbs_path} -Destination $env:TEMP\T1036_masquerading.xls.vbs -Force
+ Copy-Item #{vbs_path} -Destination $env:TEMP\T1036_masquerading.xlsx.vbs -Force
+ Copy-Item #{vbs_path} -Destination $env:TEMP\T1036_masquerading.png.vbs -Force
+ Copy-Item #{ps1_path} -Destination $env:TEMP\T1036_masquerading.vbs.ps1 -Force
+ Copy-Item #{ps1_path} -Destination $env:TEMP\T1036_masquerading.exe.ps1 -Force
+ Copy-Item #{ps1_path} -Destination $env:TEMP\T1036_masquerading.js.ps1 -Force
+ Invoke-Expression $env:TEMP\T1036_masquerading.docx.exe
+ Invoke-Expression $env:TEMP\T1036_masquerading.pdf.exe
+ Invoke-Expression $env:TEMP\T1036_masquerading.ps1.exe
+ Invoke-Expression $env:TEMP\T1036_masquerading.xls.vbs
+ Invoke-Expression $env:TEMP\T1036_masquerading.xlsx.vbs
+ Invoke-Expression $env:TEMP\T1036_masquerading.png.vbs
+ Invoke-Expression $env:TEMP\T1036_masquerading.vbs.ps1
+ Invoke-Expression $env:TEMP\T1036_masquerading.exe.ps1
+ Invoke-Expression $env:TEMP\T1036_masquerading.js.ps1
+
+ cleanup_command: |
+ Remove-Item $env:TEMP\T1036_masquerading.docx.exe -Force -ErrorAction Ignore | Out-Null
+ Remove-Item $env:TEMP\T1036_masquerading.pdf.exe -Force -ErrorAction Ignore | Out-Null
+ Remove-Item $env:TEMP\T1036_masquerading.ps1.exe -Force -ErrorAction Ignore | Out-Null
+ Remove-Item $env:TEMP\T1036_masquerading.xls.vbs -Force -ErrorAction Ignore | Out-Null
+ Remove-Item $env:TEMP\T1036_masquerading.xlsx.vbs -Force -ErrorAction Ignore | Out-Null
+ Remove-Item $env:TEMP\T1036_masquerading.png.vbs -Force -ErrorAction Ignore | Out-Null
+ Remove-Item $env:TEMP\T1036_masquerading.vbs.ps1 -Force -ErrorAction Ignore | Out-Null
+ Remove-Item $env:TEMP\T1036_masquerading.exe.ps1 -Force -ErrorAction Ignore | Out-Null
+ Remove-Item $env:TEMP\T1036_masquerading.js.ps1 -Force -ErrorAction Ignore | Out-Null
diff --git a/atomics/T1036/src/T1036_masquerading.ps1 b/atomics/T1036/src/T1036_masquerading.ps1
new file mode 100644
index 00000000..ae3bc0a9
--- /dev/null
+++ b/atomics/T1036/src/T1036_masquerading.ps1
@@ -0,0 +1 @@
+exit
\ No newline at end of file
diff --git a/atomics/T1036/src/T1036_masquerading.vbs b/atomics/T1036/src/T1036_masquerading.vbs
new file mode 100644
index 00000000..03cfd6a6
--- /dev/null
+++ b/atomics/T1036/src/T1036_masquerading.vbs
@@ -0,0 +1,2 @@
+Wscript.Echo "T1036_maquerading"
+Wscript.Quit 1
\ No newline at end of file
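Review bot: Every Copy-Item and Invoke-Expression line in the new `command:` block passes `#{exe_path}` and `$env:TEMP\…` unquoted, so a space in either value (a profile path like `C:\Users\First Last`, or a custom `exe_path`) splits the argument, and `Invoke-Expression` then parses the expanded path as a command name followed by stray arguments and the test fails before anything is launched. Invoke-Expression is also the wrong tool for running a file by path; the call operator with a quoted string does the same job without re-parsing the path, e.g. `& "$env:TEMP\T1036_masquerading.docx.exe"` paired with `Copy-Item "#{exe_path}" -Destination "$env:TEMP\T1036_masquerading.docx.exe" -Force`, applied to all nine file names. The `description:` says the test will "download and execute" a file while the command only copies local inputs, and `Quartelyreport` is misspelled. The `cleanup_command:` only deletes the copies and does not stop anything the test launched, so if a copied executable is still running when cleanup runs (which depends on how the host's calc.exe behaves), `-ErrorAction Ignore` swallows the in-use error and the file stays in `%TEMP%` under its misleading name.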
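Review bot: The echoed string `"T1036_maquerading"` in the new T1036_masquerading.vbs drops the "s" from the technique name, so the window the test pops up does not match the file names the YAML creates or what a tester would search for; `Wscript.Echo "T1036_masquerading"` fixes it. `Wscript.Quit 1` also makes each vbs copy exit with a non-zero status, which is harmless for a message box but may be reported as a failure by a harness that checks exit codes; a one-line comment in the file stating that the exit code is intentional, or `Wscript.Quit 0` if it is not, would settle that.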