From aa7e700a93cbee0990c7d35f9b593232e814d231 Mon Sep 17 00:00:00 2001 From: Josh Rickard Date: Wed, 5 Sep 2018 21:49:22 -0400 Subject: [PATCH] Added test for T1193 that downloads a macro-enabled Excel sheet and opens your default web browser --- atomics/T1193/PhishingAttachment.xlsm | Bin 0 -> 13498 bytes atomics/T1193/T1193.md | 20 ++++++++++++++++++-- atomics/T1193/T1193.yaml | 17 +++++++++++++++++ 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100755 atomics/T1193/PhishingAttachment.xlsm 
diff --git a/atomics/T1193/PhishingAttachment.xlsm b/atomics/T1193/PhishingAttachment.xlsm new file mode 100755 index 0000000000000000000000000000000000000000..ee236ea0855333476c65f2773e2e0736faf3673c GIT binary patch literal 13498 zcmeHu1#=urw)BXZSr%E07Be$5Gcz-j#cVOlk|m27Ert;@TFlJM^y%)t{qFAFeZSys zO+;5rROgB5smyaKsh-A&^t39@Kf~0v@Q&y4ILDCsG(i} zy7vajm9|f?vG(WMP^7rv2ztM5PtVtnz4IlP(`>*%8tNcEU4e{rQL9_F(k?8&aCVyG zh*{EDW`%sU1z9xl@ny}h=QR+sh=M3HzCjYoEzOG`%!ZQYhQq?eIb@~{Nwp$NC9;DG z;?B#8F)$|JMr0%4?G~z(9WA7LJwnpsqhGD)~2lo?V#GF z{pGF@ACYeY0-s~}Y{j|0xEm}JsbL+*o^%KmVz+PJ%DqA}$9Vu-n+|^|%7!jgFXr>B znmSwia)z{Zbds6@&pKf6Q_0s%Elu29FA3XwM0rXw(#U#v|Id#V48B7&MZXbNiNpy7 z)FR3m+oTiLCLY3P$%&?~o!}z&qKWz|KwkFic@L>fsnJ*q#jPFy{_5-OhGFBpD1za* zh_)Ul2}qGFbXWr+c6c7a+NU)DV+T`f0V3 z0uNaQHwaAJzuoU;czKm4=4kNq-4;uE6e>D5Nuzs3XzG)rD-<=kQ;L{l`DQPQ+uZHk zUAnlGC#73^9Cg{R;ymf0brP|eOOYDni7)E7FlayVLNR&M1GV~PHP?(DDnaIilus){ ztDD$!j}j*`{pV8(4-xpoIb}|!(=i5}jm#G-eFkkl-#+51DqC<`RvYCwaS?m!o7i++ zi)419z539}WeqA3v!FgOO^6SW<=*;h)w5iVWPA3q!vM<$FNVHG5f-m~l&pUjN#G4E z4fw}M(T7NI0ni{GHuQhjiMzd%wUNEO^&jQzADRLAsA(Vf{@-rp3Egsk=S-XM4!0~f zvXI5$7idfN;9)S6lI2iVM~pDR^_)pbm&E>GC#XY>SMT4i&6}T`+7}EBr1b>jcZnuH zl~&kew5d+8BN1^}=^y9tP-Dj%s_N;}>DSCN>TZoA(k4WjL+C~W^OJ12Tr!w(CyOM7 zyARWbCx-Z-9@E zh#Frj8urdL1zRwuQD0}8uh6`E(U*GH1#=%eQkuy}X~8KB+dOt1bHvgKbMFiZ+gz5Y zklZXZYen3V`s=D#C%BimGl1c~Hs+RJaWMZ})er1HafqLt=sU^B2pSXsfb>C*4-Wk^ zd&*UH?K2tBeZSYg2fWC28$johD}#z0&&tmIuAomQ$I3E-V5pN#EM4+nXASl{%XZ0c~Hq4pPt#GoC2(##3mNRc~tFsRG4dSc$_EoFtNfF=Y_*00w!SR}=+8H7#!?dbY zoN*tStM7xFD_C9WKJ_ncTSr?8ID^!Sp?3{@VF_vBLNOtR@ZO-H5;mIFbKC|+$pKn5e07Apsqj+hNwA7RDVQ+rO6Dr+YV^mPQi&r~u%Mogg2hKn##Uvb z?vD~1H>RwwfxVW7ZLVFb@zW1)E3O9QiIV;1T3Q!=3E4u_os*v=Xa|dUW?x}U5TDnV zg~%VC@yQoREb$f%v&`9GYG-5fT}-_lTSl*Fo$DB0V8#a-sK8HMT_>Xhb4b3w^xwpv zQNXz+=AOVW?^hXoyQOsly?f&X z(zaK;`>SYxu3|pG-^@vS2X?!ndGcx<_@h_pveS66)>{>}{3G*=PT6L4S@0@Z;yR&V z*c=G$bBLnXeR#vza$Yk?Q=%y{qXbt4y~1~erVtfyB%TMMNai)i2>R9Se5ziK@Vv#5 zV7xLbyQ47?r+a<|iIjH%Ip>R1Lv47J=8x125sX+8SNyS4f-6HV%s43+$xk}dMsW9w 
z=8c+)5K_4KpgBan5e>{0S}z}2_uq4J0{%=UEc%C#xBvi@zw61($WXz_-pbV2<%^M} z-HEoZgYtZG=ecBmZFP(d{3ejJ2NJf|EyrY0qFc^Zastwbgx>AJLZ+IQzgnOXPZDwl z5RYJ)V3#mWI<{v#L%wXXY}+a;Ng>0vyy}|vGGmuuMm}oOH1@?X(QSJ1kY$AbC%1Ba zr}KJyBdrZXVI3*AZ^rj?-}}`#=Lz2X73Ya|zk72s!Zr`9MbDJ$m2TP-rNV%*5h-;Kf`Ju)d#Nac|i*68vEIP%yk}WfnBci^Tup3TMOBttq z{zHgqkh<*m0vd_9Zv=xm?*(WQP)T4kfN8KMA{S7aK-gSV4Ty5c-+=FEkG~@>)Phw7 zSQWrlAT0vmh&tv#333sOq1XU=T@=IiA`1W(PZ!vTJzO0 z4Bdm_iSTnboF%r{3&*#-xd0{*V2#@7xlAD{J<{eY%NA@CWWjoUut`pdPY%BG7hG9SHDuYoM7{9ZJxRW{6yjaW!b z=)1*WY8)juwgRF~K{e$05S#fWx2q7<;hG3+^RvHsF*^IC$(lv7kzpd2B%WtrcH#0!b-F*OuCcYhOSCe3lGL*6jln^3d@w*tyW=*W=)x1hFazxhTP;-mz-q1!?g z=MXZbkW8Ak-!e0KI*VtuzcbN8ZYZd>-oSFEV5UdJX!u*$Fv9Lm4Y6)Wj?+$o@&x)W zM1fLt;gGT#F09frGIqS&Pq#WaHLJiLg5V-U9YQXbVl#c74tld$ku9+A#+kW%{!#Q~ z<#p@feO4J^p+-{@92hZ3MnmQ57_{Nqy-t3(QLY92D1;1F(I~)(+9J=2XkR4aZ4o|y z20ZGs&BS zk|N>M*$m5Ag{y~dht=LBZKD7mjk0vIYQ|m(KbMwE0W0P?!a$Ncezx#t_?3q=hnXyH zh;LvpirivPdyQz53u$ymq8KTr*)`jJjdEjUuS2{(AxQoSB z!;Ry+0}}>exZh#a@7%ss&Xr@I4aG(Z78CeNUG<%6ti^1No_sJ%^P5UrThTj3nyCA; zecBO1I)Vn8_3dcWgt{Yvrzv9ZqIjpheL5pDWASK(b3Y)8WJQHSwgFS3P9<)+!7UPP zB@WGR@p3T{PIW;%Gx8{!Qn`{qYID&guF_v(nXJCm6GLZ;y*-k`e!CQoSO{Re=))YE z7KPX&lSZ(V)0Ss5h_-drMC-`fH@Z4chKk`gVWJvD(?7=_;&V^ipy5P3QRk{6Sw5Lj z$;zfaVD6z)+o-GQm3%^X%W5(?q}m|nn=`DYq&uu?og2L^wC#ZCoR$WgRML-J|e+7i7C>;9KygBt$hU!wIh~uC3bp&&8r7kO+Mk?%1l;MfSX#uf zEWfSCwmljZo_5;>x^;Ooye(@$!xhK2OU#$!1itQzteY?UK{q@P<^`F1y>545DZk77 zmTS%g&|u=vTof@j-5A6fk+shFkZu-qUl^1*nbs7%hF!rpb;K==E1?9d%!NU-hYS9A zWW#H9IG?*CtTPQDbz*WM;);6h--ReD9QErI{CybXYk{d}+nL9fM%zBk_tg!}d0qV5 zSuPv;&!B_mSYPlM@Hr7o>X4=0NtvagMZDBUXYoy`!^L&8;Q?=;d88%9_tuO_okQ-$ zrUXHyv3Oof#Hg!N!cmi^?lVg!r7uhie0SPFN!C7uM#rW-SL?Y^%LWW6gR11ry9_Ut zC2N{w_Mh!$QIg(c@ddoR3bw@j>?YesmoN_u}c|W$f7BKDmP%dm9WjtuEj}wKGD%N zyvs7n|Dl5(G%Ss$54`VE3F>E-MGQS5B$L+frU>`{G`QB9C?7B_52|7|tuEmGI^qjJ z+{u681#oImcA{M(<_>vL39n1e4Y_!w9;#{{s)Qcp(c#UBJ|5_%Erh4vD0o3V$!K$X zQJ%jjbxN%uSD`)Wn{1w|rWZ!IY}xbO*QIqJ9PQ8icq8wYf0SDUOF-Rwu{3o 
zAt?_mS|n@7@C%tWD+H7#T*SLNHIPhH4ws@k&D6_XzIhs$HtGzN>PFy;BfOj?J6x&s z=(Xe1xpX1nhv|L~m@yCFRP;~Mo|EjI@4-3^(YC<9g7{_)=;Vk7p6IMr_vJg_Dbh(A z(DNt%cooF9geEtyS#rIgA9_qZqUeW$#yjg(4QMT1=Tz23)vU`UjJ^WcTv;1{SO(IcK zR{9y}ekB7=Hk1`2a5DZ z(1Bjr(p?PG5||VN{N6XbX!+-%It>DTK`YPrT?g}mg<3?ya~t0vA5gBhTVv@9=~kkv z3Y%6)rdKaAGI=k@EpMvK*MbFX;l^t%USusTpaz6AnfI(}S+O*$1)hsnv{j+4i?L&+ zpn8;Y;V=6HnlFx|J2ID^oMI|>PMl0*4;$VKAhYl$Hq#)=?qrJEO=nsvnbVVxMopP; zxRAGz7QH+dhQ5KspHAjlY1i>==|LAjHLH~=Uz;-3H~ln+QJsT6W=f<#BPeV&%SwA>&W8f}*6i*ZDPLXy%k*G(I;{5sb8E)O+QcNUJ= za4e%bNPLmt;@>PsBUd>RRVGf5KVJI5FE>2X>-2oJ^#_&WZ z_2m;r_ir5T{kT+44ZqJaEVYwf(&1bk5wvd=K^U4)%lS1LES4f$LB2!U@+h)U(Y?7S zWv=I*=~rvXENsUqKnEl(_T%-Xn3nPqzkHImiG^!a)o(InEz$8R7W8DVm4rKteoQ?` zpNUJN^u>~G7&y^-*cz4p`)9ahTfBl>Y|QmGwzcAx>$$PD#1PsKK;S zIC!(~!9`~a51owzhw#TIW4+{?`W%3z5w~igOD@>;K#otqJOfTS2=6o}ov`?8Tl2!#CZrQaer;xNC<17VXE;Ldxt+7T9-*yT>3l zD6YYGzlu}-05`qNi%$8qPN%U7-w>YN9b{rIGvz*g613ILJoD1|cjV4>XF8LlvAlPE zaWEJ0h#W-&cn-v_iLP^KUzp9HF5xanjl%M-;N-CH+{wE+?$Ha~*xVPo(<}Ao zATM1l{^gY{M2~6Dv#^_+85@0Ko(-D_A#1X1Yw@<*@C5|+B;?LK+E4VxFcT>-|2Ux8WUdEtgESi*?e!jc$>ZcQn=CM69IGa2S zy8TSQ>5i@2yX3<@4Rlbx0URYm`IY83j1y~Q=KYRlPnP2cGyAo`P!V>no|fw>?9= z!)54Eruy*3k?r8P?dB=QpY=w$w$&FlBiQ@>OfZe8S5%uns>g$vhzz^_!8M@>0S(PJ z`1qe9zvR5`ou?!A4hh!b?`gl`Ytya_j@CX*7D#0?j&XbCTf_Bq3AfIcMI`ej2w|kG zYszvBj5TUw63>(O)(`*(lbnU+5Ez*)TCgQKId@hLjzdud7ZkRIa_x&@8XF9=48|_h zrhcuG^~XGj=WyfB>k^+L5uc>@KoUC{j^9c_QNO;7ibP7nwaCo;^48|bIbz#RYkV3H zSX0YCpN$ag)wOFwb2Vf%D}1ycUI7wUh(s?>n$B8s(gu4JH>J(SOOnvx+D)eICA31a z#o*C0M`RFU$SPbbdA-RMyf#74q_VExo%J2PH+wg46Z-dc0KdN1RG^O?JL3x~H%qSm z{!Jdil0M)`x-&~UeWSroJFNz*$?J&|-#LgQhES)P>Q9iKAoWZ$KvW$945kl=tu zH+@&MDEL0WXi6U-BkD3&ZTXc4dfJD6jqTbWp22_|@hS>;hlq5Zic^WI!3@%zI(#D) zelknwoymyHbjVRcjDc@VKV;UAV^gV^9){w|_Th9J>*D^Bht+{SAqcU473qvB7n&v5 zv70l}XQz?*;L~|lmhyo{hkO>sBtzTJadY}`zRhXLGh6WMH(^{HQi)-f&RLM7JEN0TDw$^N$;+OD&3&OAus?1EhloDKX)ryC(d?|A-egI_9)k1Ya=+Qac{&XYj<$ax^u38F=C z3lSgY;`ti7d|}p;#4z>=GwS$QkoR_L)Ct$YJU)a{UJvMf1Pi?AlUq`k}%ACA>AA+# 
z_}fOji-oDJDgEEBjDH;EoM?_kePT!N#Cqa~cXoea-Hsz$+nBIPTqQNhPQq(wJW*6* zW=d%Lga%5+d8BD{I4!Ej=**D=mCiylJA%Uc=$nUX_z!Wl`61F5+3xv z8Yy`DesJpqAz8}byQEEilQCWhA)0bsy|jibuVx!qD-<4bpmc`+dFje9hmo6L%X|8s z5*5|Y;*soiAFGKTb4ra|WEWCX*e>^-saeLrM`OzQ>ag2tng}{b%loH3Sh3E)?eVKt zXXA7chy}~ngTE>m}`^zx^>O?rEwwixhnqEp@i@)8=`Pk zf>eAuz_4tyBJ<<F-EwW80M_y7T*N~DroLw)e_lhC!lq9{2xdY8#&pi%8ZQOON{sZb$E zsXkQk1-=!ML^d)o6(s8#L}+|cy7MsV9g=B$p~;t?75ZT^wDqAI?%-_VjkXJdUJxzF%_PR&T9f(0BM=T^%N3 zt^3~Y%g5m_E#u**U3`wHxv1PUJ|~Yd3`Bgs1mVx_Wf1C35I{L_D?S?;1l7|fI_hz) zKJ8h?)98n2)@ z{JX`;E9pr^ydtTtpNwgPrT4hPZgB-WVd1wCp9yq(*%G9k4yK!H z)jY%jLqcn(^;aIlP-s|q ztktjK7;icv*=1TbXGxh0nQTa4=wfQ^Xo)*9eG?J26ff?>1nwZtkPva&m(NLDnUtpc zB7t=<_k^_8UKTkkT@DH5&c8iXo%QA(-k(d&X7u=~OvkO$ueJJb?`{RH(%XCjhsn>c z4szt%YId1FC!LKz^tB4P`+~PkMME(ZFDtfCG+Tj;6F+3IrqQk>k8Q zJzuMsJ@z|Lao0?Rq+FcAHk2{@r09yRsE;Uwu4f*sx0tRm<)SgAaFm*-CFZyb%V3Lv z;jw$SA=3vmPx+ZsQHr<^HB^EinS;)#jikea^=ZhZo9_@ zE9fR_5*F)6v;%D5ya!}6$*eZk59MEOIFdPb5AKF3I9Rn|B1v32iE_h`jPYsSNxgLX zbpFW*EK_(tY-!X3komN>GX!V|GaZp#xCcF$x=AcUSFsgyFYKc}nsrG$4CCHGD7zA# zt)>2H_bNx{RB8RC84-2PQ>txq);9{Qn}P28D3h#an;bB*u1;~eo|zUJUVfJC!PZrb zgZHwMf`2f3RLfO>_E;+W;c0lKZO#nJJ&?!C!Jnf@=|DlqK9z*>Y5LP(5}QHPN}^^A z^m-d71>L(Jl?~LY)B;@+u3;y#N{~_>N@H1w8@AfWYqidiD>c%FLA;_4;>__Ah>qc; zsGDWg!2Fl9?OnRD5R|AW8U0bLhRvs~4xL3G$8!{-?B|BzTuoays}QpWUP|zGx%|nK z-&`Sj724+rUaQqpcsv*FBnXI0b9M^H?63_^P1?{_WTt-kn#EAbQryK&pI&ociD--s zcBy<#Iso@pt&Q*hvHW`G1=tjPoaiY*0sshqFTc(%o;Ie=e-z#VRa@(22IRMoT~Xwx zvthSwTA0R>=~;z?{#^W%GNX}*V!dcm^YQ+-XE`@LJg&wmzX-Yg8Rv;rXQk;(IoNvR zey0j1Jlzm%M%AOpGTG2hK8$X7lH=mi;>k!;j|tk2q4iGbie6sy%)u}@-ip$o9WlC_9vv9L0lO*c+hdnS(C`8lOFe+KIiQE9DLo9eP}B4^<# z2D&rBaXp=kQ_WXRy;^ zfPAoIPKuUA5S|27_Azgy6r0G3Qulo5b9IK)m%AYDyI8$b;jEoW?{m_e0mB-Ha5zUJ z3~$hlLFI1~jQOw&xk0b>_C)PpB|jNF{qh&FhhG(UWa1Kd3ifRIUHEl~?|%DWSh?E@ zN(5ou=Jm)0tke1wulRcrM$xB=;)|c~L=<4dRO!fZeoviqSPQx_Dl~A1XJzm}-YZ#- z428jNyo=D70m6KQ1^ZA@UEc_#aFQjg0{O%Ed2ZnMS62)MPAKSlyJiQS*FXjXwbf>b 
zJoT=}vU&FXBnU3WnvBLC-fTXz2OEDQ40}_b$fq9nrCVeizGWo65{o0}>TzBTYH9G!Lb$3y`(Vkt}G@UxqG>VartrEM`GF3*T?Tfql0}v13?fH5cPe@clH7Eg$ zGv%Ga*7joR=9F3P`UK@9f%Er)nG0jo5J5+Lv2GJ7^KKijY;aN3zOq9T&s6lGaPO;O zb7E3O79NfqpIQeUrtUe#vV0+9`f%{&PISRosc+Zc1>ZjXr(@{ciXZi}A4CU!SUa%) zPUk;t9nKb}rY_F(f9w9Xq|8c`wO{_jL)9){4@a#}f9PuH6O zFKLMi|9qaGMaH{>ie3$fXCh44D(eF(BJLnWV`$B>z!*yjIIcp^&E3pT$XK1uCXmh5E zoRY~eeQr~~U?s}w!3#3>xRX0VR_WQn#H2)tZQS?{^a^Ot%`oVE5ym$M_<1Kge z09HWA8i_TU0{gJa|fFkW*7_Wp{P1*1?^Ib zl7?uW8KPN_;Q?OSy%H$o6C+g;%(FpB7N#wNJBBu*wDoKq(_RdXKFe z+^~RHKE8e<{vY%F?}mi@2ZK!h4<=}SBsY`~lbDIU@rN71!I|FJ-pTZT{LUc%^@afe z(FwZJKnC>CbBK50A>T}wnEuSE$nHy0d%&5q8pD^MQ;-ShbYqwtm^~c3z#5zg3jtU@ z;<2I%?tl$!t8ck&K+A+J!YU}5)$a(|Ope3D-(?mo!?{i2)}r#C4@##NSY)S7bfdrV z_t|F-?Ay)#QaY{R$YsLHa)KMR*5B&aeQx9`bz#|U4Z*=R0@lEZ2Z3k(-R zUK-$|sajlpb&DCsk;G!u>^JEkqmoT!$?R-0_P=fFe)@_R`ktA#s*oTXZZ43%9W|lw zpKWD^k}${-AFM<9$Un&c%sN8{hyRl9L#Y4LvJwRU$iE@yU{8ebtDiVm72pHQjU?1> zstrLB8qH-3jq_?r!^`7O=HnWtW*5DVVs^Yeobngnz7TdY0 z4X*hn+fphb=ula0TZ#h_H0x~YAv$GYuc|yDLPb9Q!-b=}41D=qQ&L-9=tIg=Q5~m| zP4Rcz7 z9=7T~9&C{zv!rgwxzWOFAeU#O8{{Q4`TJg?=>T~NHff>8ocH6__oDRTU|9S8pAA3_ zH}M?z2f^N~*vMzNdq+4g2N^EqIF~ zBWZ$w(gFUr7e)RtUH|C+!)qf7(*GLZUmfiK0RGVze`w;L{Oo@P{;R9^pMhf^Yt#ST z @@ -26,10 +26,26 @@ this error is happening, but I wanted to at least get the Excel file for anyone **Supported Platforms:** Windows - #### Run it with `powershell`! ``` [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest -Uri https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingInvoice.xlsm?raw=true -OutFile PhishingInvoice.xlsm ```
+
+## Atomic Test #2 - Download Spearphishing Attachment - VBScript
+The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com). The below will successfully download the macro-enabled Excel file to the current location.
+
+**Supported Platforms:** Windows
+
+#### Run it with `powershell`!
+```powershell
+$url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingAttachment.xlsm'
+$fileName = 'PhishingAttachment.xlsm'
+New-Item -Type File -Force -Path $fileName | out-null
+$wc = New-Object System.Net.WebClient
+$wc.Encoding = [System.Text.Encoding]::UTF8
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+($wc.DownloadString("$url")) | Out-File $fileName
+```
+
\ No newline at end of file diff --git a/atomics/T1193/T1193.yaml b/atomics/T1193/T1193.yaml index f4fe298a..7565f720 100644 --- a/atomics/T1193/T1193.yaml +++ b/atomics/T1193/T1193.yaml @@ -17,3 +17,20 @@ atomic_tests: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest -Uri https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingInvoice.xlsm?raw=true -OutFile PhishingInvoice.xlsm + +- name: Download Phishing Attachment - VBScript + description: | + The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com). + The below will successfully download the macro-enabled Excel file to the current location. + supported_platforms: + - windows + executor: + name: powershell + command: | + $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingAttachment.xlsm' + $fileName = 'PhishingAttachment.xlsm' + New-Item -Type File -Force -Path $fileName | out-null + $wc = New-Object System.Net.WebClient + $wc.Encoding = [System.Text.Encoding]::UTF8 + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + ($wc.DownloadString("$url")) | Out-File $fileName \ No newline at end of file
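Review bot: The new test's `command` in T1193.yaml will not leave a usable macro-enabled workbook on disk: `$url` points at the GitHub `blob/master/...` page without `?raw=true` (the first test's URL in the context lines has it), so `DownloadString` fetches the HTML page, and even with the raw URL a binary `.xlsm` read through `DownloadString` with a UTF-8 `Encoding` and piped to `Out-File` (which defaults to UTF-16 in Windows PowerShell) is no longer a valid OOXML zip. Keep the URL consistent with test #1, `$url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingAttachment.xlsm?raw=true'`, drop the `New-Item` and `$wc.Encoding` lines, and write the bytes directly with `$wc.DownloadFile($url, (Join-Path (Get-Location) $fileName))` — the `Join-Path` matters because WebClient resolves a bare relative path against the process working directory, not the PowerShell location. The markdown added in the same commit repeats this command and needs the same change, and it titles the test "Download Spearphishing Attachment" where the yaml says "Download Phishing Attachment"; presumably the .md is generated from the .yaml, so only the yaml should be hand-edited. The description calls the macro "VBScript", but Office macros are VBA, which is also the term defenders would search for in detection content — worth correcting if that is what the attached file contains.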