security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

T1137 - Word spawned a command shell and used an IP address in the command line (#610)

Browse Source 
* create document and test

* update default atomics path

* refactor tests

* change back path

The PathToAtomicsFolder path works when installed from the script, but when closed from github the folder name is different. I think we should unify these and just have people clone from github if they want to use it, instead of having a seperate install script.

* removed duplicate, used powershell to launch document
This commit is contained in:
Andrew Beers
2019-11-25 10:55:38 -06:00
committed by Carrie Roberts
parent 1b05ec3b29
commit abefc468d2
3 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1193/T1193.yaml
+15 -3
View File
@@ -5,7 +5,7 @@ display_name: Spearphishing Attachment
atomic_tests:
- name: Download Phishing Attachment - VBScript
description: |
The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com).
The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com).
The below will successfully download the macro-enabled Excel file to the current location.
supported_platforms:
- windows
@@ -17,11 +17,23 @@ atomic_tests:
return 'Please install Microsoft Excel before running this test.'
}
else{
$url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingAttachment.xlsm'
$url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/bin/PhishingAttachment.xlsm'
$fileName = 'PhishingAttachment.xlsm'
New-Item -Type File -Force -Path $fileName | out-null
$wc = New-Object System.Net.WebClient
$wc.Encoding = [System.Text.Encoding]::UTF8
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
($wc.DownloadString("$url")) | Out-File $fileName
}
}
- name: Word spawned a command shell and used an IP address in the command line
description: |
Opens a word document that will run powershell and perform an nslookup on the IP 192.168.1.1 and a sleep command
supported_platforms:
- windows
executor:
name: powershell
command: |
Start-Process PathToAtomicsFolder\T1193\src\PowerShell_IP_Doc.doc
atomics/T1193/PhishingAttachment.xlsm → atomics/T1193/bin/PhishingAttachment.xlsm
Executable → Regular
View File
atomics/T1193/bin/PowerShell_IP_Doc.doc
BIN
View File
Binary file not shown.