From 868da3b83918d445c20ffbcef57bd502ff37fa42 Mon Sep 17 00:00:00 2001 From: Ahmed Farouk Date: Tue, 5 Nov 2024 23:00:28 +0200 Subject: [PATCH] Added Paste and Run Technique (#2966) Co-authored-by: Carrie Roberts
---
 atomics/T1566.002/T1566.002.yaml | 47 ++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 atomics/T1566.002/T1566.002.yaml
diff --git a/atomics/T1566.002/T1566.002.yaml b/atomics/T1566.002/T1566.002.yaml
new file mode 100644
index 00000000..e63cf5a3
--- /dev/null
+++ b/atomics/T1566.002/T1566.002.yaml
@@ -0,0 +1,47 @@
+attack_technique: T1566.002
+display_name: 'Phishing: Spearphishing Link'
+
+atomic_tests:
+- name: Paste and run technique
+ auto_generated_guid:
+ description: |
+ Tests the **Paste and Run** technique, where users are tricked into running
+ malicious PowerShell commands by automating the Win+R command to open the
+ Run dialog and input `encoded PowerShell to execute calc.exe.`
+
+ - [Fake CAPTCHA Campaign](https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf)
+ - [From Clipboard to Compromise](https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn)
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ execution_command:
+ description: The command to execute in the run
+ type: String
+ default: 'calc.exe'
+ executor:
+ name: powershell
+ command: |
+ # Add user32.dll for keybd_event
+ Add-Type @"
+ using System;
+ using System.Runtime.InteropServices;
+ public class K {
+ [DllImport("user32.dll")]
+ public static extern void keybd_event(byte bVk, byte bScan, uint dwFlags, UIntPtr dwExtraInfo);
+ }
+ "@
+
+ # Virtual key codes
+ $VK_LWIN, $VK_R, $KEYDOWN, $KEYUP = 0x5B, 0x52, 0x0000, 0x0002
+
+ # Open Run dialog (Win+R)
+ [K]::keybd_event($VK_LWIN, 0, $KEYDOWN, [UIntPtr]::Zero)
+ [K]::keybd_event($VK_R, 0, $KEYDOWN, [UIntPtr]::Zero)
+ [K]::keybd_event($VK_R, 0, $KEYUP, [UIntPtr]::Zero)
+ [K]::keybd_event($VK_LWIN, 0, $KEYUP, [UIntPtr]::Zero)
+
+ # Short delay for Run dialog
+ Start-Sleep -Milliseconds 500
+ Add-Type -AssemblyName System.Windows.Forms
+ [System.Windows.Forms.SendKeys]::SendWait("cmd /c powershell -ec " + [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('#{execution_command}')) + "{ENTER}")
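Review bot: The fixed `Start-Sleep -Milliseconds 500` before the `SendKeys::SendWait` call on the last line is the only thing standing between the typed `cmd /c powershell -ec …{ENTER}` and whatever window happens to be in the foreground; if the Run dialog is slow to appear, the desktop is locked, or the test is launched from a non-interactive session (WinRM, scheduled task) where `keybd_event` has no interactive window station, the payload and the Enter key land in some other window or nowhere, with no error raised. Poll for the Run dialog to take focus and abort otherwise, as sketched below (the title check assumes an English locale and may need adjusting). The `description` should also state the precondition, e.g. `Requires an interactive, unlocked desktop session; the keystrokes are sent to whatever window is in the foreground.` Separately, the argument is spliced into the single-quoted `'#{execution_command}'` literal, so a value containing a single quote breaks the encoded script instead of being executed, which is worth a note on the input argument.
```yaml
      public class K {
        [DllImport("user32.dll")]
        public static extern void keybd_event(byte bVk, byte bScan, uint dwFlags, UIntPtr dwExtraInfo);
        [DllImport("user32.dll")]
        public static extern IntPtr GetForegroundWindow();
        [DllImport("user32.dll", CharSet = CharSet.Unicode)]
        public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder text, int count);
      }
      "@
      # … unchanged: virtual key codes and the four Win+R keybd_event calls …

      # Wait (up to 5 s) for the Run dialog to take focus instead of a fixed 500 ms sleep,
      # and refuse to type the payload into any other window
      $deadline = (Get-Date).AddSeconds(5)
      do {
        Start-Sleep -Milliseconds 100
        $title = New-Object System.Text.StringBuilder 256
        [void][K]::GetWindowText([K]::GetForegroundWindow(), $title, $title.Capacity)
      } until ($title.ToString() -eq 'Run' -or (Get-Date) -gt $deadline)
      if ($title.ToString() -ne 'Run') { throw 'Run dialog did not take focus; not sending keystrokes' }
      Add-Type -AssemblyName System.Windows.Forms
      # … unchanged: SendKeys::SendWait line …
```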