Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -281,6 +281,7 @@ defense-evasion,T1218.001,Compiled HTML File,4,Invoke CHM with InfoTech Storage
 defense-evasion,T1218.001,Compiled HTML File,5,Invoke CHM Simulate Double click,5decef42-92b8-4a93-9eb2-877ddcb9401a,powershell
 defense-evasion,T1218.001,Compiled HTML File,6,Invoke CHM with Script Engine and Help Topic,4f83adda-f5ec-406d-b318-9773c9ca92e5,powershell
 defense-evasion,T1218.001,Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
+defense-evasion,T1218.001,Compiled HTML File,8,Decompile Local CHM File,20cb05e0-1fa5-406d-92c1-84da4ba01813,command_prompt
 defense-evasion,T1070.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
 defense-evasion,T1070.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
 defense-evasion,T1070.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -211,6 +211,7 @@ defense-evasion,T1218.001,Compiled HTML File,4,Invoke CHM with InfoTech Storage
 defense-evasion,T1218.001,Compiled HTML File,5,Invoke CHM Simulate Double click,5decef42-92b8-4a93-9eb2-877ddcb9401a,powershell
 defense-evasion,T1218.001,Compiled HTML File,6,Invoke CHM with Script Engine and Help Topic,4f83adda-f5ec-406d-b318-9773c9ca92e5,powershell
 defense-evasion,T1218.001,Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
+defense-evasion,T1218.001,Compiled HTML File,8,Decompile Local CHM File,20cb05e0-1fa5-406d-92c1-84da4ba01813,command_prompt
 defense-evasion,T1070.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
 defense-evasion,T1070.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
 defense-evasion,T1070.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -417,6 +417,7 @@
   - Atomic Test #5: Invoke CHM Simulate Double click [windows]
   - Atomic Test #6: Invoke CHM with Script Engine and Help Topic [windows]
   - Atomic Test #7: Invoke CHM Shortcut Command with ITS and Help Topic [windows]
+  - Atomic Test #8: Decompile Local CHM File [windows]
 - [T1070.005 Network Share Connection Removal](../../T1070.005/T1070.005.md)
   - Atomic Test #1: Add Network Share [windows]
   - Atomic Test #2: Remove Network Share [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -318,6 +318,7 @@
   - Atomic Test #5: Invoke CHM Simulate Double click [windows]
   - Atomic Test #6: Invoke CHM with Script Engine and Help Topic [windows]
   - Atomic Test #7: Invoke CHM Shortcut Command with ITS and Help Topic [windows]
+  - Atomic Test #8: Decompile Local CHM File [windows]
 - [T1070.005 Network Share Connection Removal](../../T1070.005/T1070.005.md)
   - Atomic Test #1: Add Network Share [windows]
   - Atomic Test #2: Remove Network Share [windows]

atomics/Indexes/index.yaml

@@ -16984,6 +16984,35 @@ defense-evasion:
           #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath
           #{hh_file_path} -CHMFilePath #{chm_file_path}'
         name: powershell
+    - name: Decompile Local CHM File
+      auto_generated_guid: 20cb05e0-1fa5-406d-92c1-84da4ba01813
+      description: |
+        Uses hh.exe to decompile a local compiled HTML Help file.
+        Upon successful execution the chm file will decompile to disk.
+        Reference:https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
+      supported_platforms:
+      - windows
+      input_arguments:
+        local_chm_file:
+          description: Local .chm payload
+          type: Path
+          default: PathToAtomicsFolder\T1218.001\src\T1218.001.chm
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The payload must exist on disk at specified location (#{local_chm_file})
+
+          '
+        prereq_command: 'if (Test-Path #{local_chm_file}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{local_chm_file}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm" -OutFile "#{local_chm_file}"
+      executor:
+        command: 'hh.exe -decompile #{local_chm_file} PathToAtomicsFolder\T1218.001\src
+
+          '
+        name: command_prompt
   T1070.005:
     technique:
       x_mitre_platforms:

atomics/T1218.001/T1218.001.md

@@ -20,6 +20,8 @@ A custom CHM file containing embedded payloads could be delivered to a victim th
 
 - [Atomic Test #7 - Invoke CHM Shortcut Command with ITS and Help Topic](#atomic-test-7---invoke-chm-shortcut-command-with-its-and-help-topic)
 
+- [Atomic Test #8 - Decompile Local CHM File](#atomic-test-8---decompile-local-chm-file)
+
 
 <br/>
 
@@ -346,4 +348,52 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #8 - Decompile Local CHM File
+Uses hh.exe to decompile a local compiled HTML Help file.
+Upon successful execution the chm file will decompile to disk.
+Reference:https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 20cb05e0-1fa5-406d-92c1-84da4ba01813
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| local_chm_file | Local .chm payload | Path | PathToAtomicsFolder&#92;T1218.001&#92;src&#92;T1218.001.chm|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+hh.exe -decompile #{local_chm_file} PathToAtomicsFolder\T1218.001\src
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The payload must exist on disk at specified location (#{local_chm_file})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{local_chm_file}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{local_chm_file}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm" -OutFile "#{local_chm_file}"
+```
+
+
+
+
 <br/>