From 9bcd1240c27311209ffbb895b0d14c940a3f8a3c Mon Sep 17 00:00:00 2001
From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com>
Date: Mon, 26 Jul 2021 13:05:44 -0700
Subject: [PATCH] Added Mshta example without external file call.

---
 atomics/T1218.005/T1218.005.yaml | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/atomics/T1218.005/T1218.005.yaml b/atomics/T1218.005/T1218.005.yaml
index 84790d0a..cbb24224 100644
--- a/atomics/T1218.005/T1218.005.yaml
+++ b/atomics/T1218.005/T1218.005.yaml
@@ -214,4 +214,24 @@ atomic_tests:
 Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
 executor:
 command: 'Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_file_path}'
- name: powershell
\ No newline at end of file
+ name: powershell
+
+- name: Mshta used to Execute PowerShell
+ auto_generated_guid: 8707a805-2b76-4f32-b1c0-14e558205772
+ description: |
+ Use Mshta to execute arbitrary PowerShell. Example is from the 2021 Threat Detection Report by Red Canary.
+ supported_platforms:
+ - windows
+ input_arguments:
+ message:
+ description: Encoded message to include
+ type: string
+ default: Hello,%20MSHTA!
+ seconds_to_sleep:
+ description: How many seconds to sleep/wait
+ type: string
+ default: 5
+ executor:
+ command: |
+ mshta.exe "about:'"
+ name: command_prompt
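Review bot: The new test's `command:` as shown ends at `mshta.exe "about:'"` and references neither `#{message}` nor `#{seconds_to_sleep}`, although both are declared under `input_arguments`; unless the inline script after `about:` was lost in this rendering of the patch, the executor never exercises either argument and the test is not parameterised the way its inputs advertise. Confirm that the committed command embeds both placeholders, or drop the unused arguments so the YAML does not promise inputs it ignores. `seconds_to_sleep` is also declared `type: string` with the numeric default `5`; if the framework accepts `type: integer`, that is the more accurate declaration and rejects non-numeric input before it is interpolated into a command line. A one-line YAML comment on `message` explaining the encoding it expects, e.g. `# URL-encoded so the text survives the about: URI and the nested quoting`, would tell the next maintainer why the default is `Hello,%20MSHTA!` rather than plain text. The preceding test's `executor:` block starts outside this hunk, so only its trailing `name: powershell` line is visible here.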