Added test for T1193 that downloads a macro-enabled Excel sheet and opens your default web browser

Josh Rickard
2018-09-05 21:49:22 -04:00
parent 7073f4274e
commit aa7e700a93
3 changed files with 35 additions and 2 deletions
Binary file not shown.
+18 -2
@@ -15,7 +15,7 @@ Data Sources: File monitoring, Packet capture, Mail server, Network intrusion de
## Atomic Tests
- [Atomic Test #1 - Download Spearphishing Attachment](#atomic-test-1---download-spearphishing-attachment)
- [Atomic Test #2 - Download Spearphishing Attachment - VBScript](PhishingAttachment.xlsm)
<br/>
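Review bot: The new table-of-contents entry for Atomic Test #2 links to `(PhishingAttachment.xlsm)`, the binary itself, while the entry for test #1 links to its in-page heading anchor. Point it at the heading added further down instead, in the same style as test #1, for example `(#atomic-test-2---download-spearphishing-attachment---vbscript)`, so that clicking the index does not fetch a macro-enabled workbook.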
@@ -26,10 +26,26 @@ this error is happening, but I wanted to at least get the Excel file for anyone
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingInvoice.xlsm?raw=true -OutFile PhishingInvoice.xlsm
```
<br/>
## Atomic Test #2 - Download Spearphishing Attachment - VBScript
The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com). The below will successfully download the macro-enabled Excel file to the current location.
**Supported Platforms:** Windows
#### Run it with `powershell`!
```powershell
$url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingAttachment.xlsm'
$fileName = 'PhishingAttachment.xlsm'
New-Item -Type File -Force -Path $fileName | out-null
$wc = New-Object System.Net.WebClient
$wc.Encoding = [System.Text.Encoding]::UTF8
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
($wc.DownloadString("$url")) | Out-File $fileName
```
<br/>
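Review bot: The `$url` in the Atomic Test #2 block has no `?raw=true`, unlike the test #1 command just above it, so the request returns GitHub's HTML blob page rather than the workbook. On top of that, `DownloadString` piped to `Out-File` treats the response as text and re-encodes it, which would corrupt an `.xlsm` (a binary container) even with the right URL. Suggest reusing the form test #1 already has, `Invoke-WebRequest -Uri <url>?raw=true -OutFile PhishingAttachment.xlsm`, or `$wc.DownloadFile($url, $fileName)`, and setting `SecurityProtocol` as the first line as test #1 does. The description's "will successfully download" should be checked against the file actually opening in Excel.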
+17
@@ -17,3 +17,20 @@ atomic_tests:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingInvoice.xlsm?raw=true -OutFile PhishingInvoice.xlsm
- name: Download Phishing Attachment - VBScript
description: |
The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com).
The below will successfully download the macro-enabled Excel file to the current location.
supported_platforms:
- windows
executor:
name: powershell
command: |
$url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingAttachment.xlsm'
$fileName = 'PhishingAttachment.xlsm'
New-Item -Type File -Force -Path $fileName | out-null
$wc = New-Object System.Net.WebClient
$wc.Encoding = [System.Text.Encoding]::UTF8
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
($wc.DownloadString("$url")) | Out-File $fileName
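Review bot: The test `name` here is "Download Phishing Attachment - VBScript", but the Markdown heading for the same test reads "Download Spearphishing Attachment - VBScript"; the two should match so the index and the YAML refer to one test. In the `command`, `New-Item -Type File -Force -Path $fileName` creates or truncates the file before anything is downloaded, so a failed request still leaves a `PhishingAttachment.xlsm` on disk and the test looks as if it produced its artifact. Drop that line and write the file only from the download call. The `$url` also lacks the `?raw=true` that the preceding test's command uses, and `DownloadString` with `Out-File` is a text path for a binary file.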