Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -632,6 +632,7 @@ execution,T1204.002,User Execution: Malicious File,7,Headless Chrome code execut
 execution,T1204.002,User Execution: Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
 execution,T1204.002,User Execution: Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
 execution,T1204.002,User Execution: Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
+execution,T1204.002,User Execution: Malicious File,11,Mirror Blast Emulation,24fd9719-7419-42dd-bce6-ab3463110b3c,powershell
 execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
 execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 execution,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -473,6 +473,7 @@ execution,T1204.002,User Execution: Malicious File,7,Headless Chrome code execut
 execution,T1204.002,User Execution: Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
 execution,T1204.002,User Execution: Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
 execution,T1204.002,User Execution: Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
+execution,T1204.002,User Execution: Malicious File,11,Mirror Blast Emulation,24fd9719-7419-42dd-bce6-ab3463110b3c,powershell
 execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
 execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique,ce4e76e6-de70-4392-9efe-b281fc2b4087,powershell
 execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -986,6 +986,7 @@
   - Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
   - Atomic Test #9: Office Generic Payload Download [windows]
   - Atomic Test #10: LNK Payload Download [windows]
+  - Atomic Test #11: Mirror Blast Emulation [windows]
 - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
   - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
   - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -738,6 +738,7 @@
   - Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
   - Atomic Test #9: Office Generic Payload Download [windows]
   - Atomic Test #10: LNK Payload Download [windows]
+  - Atomic Test #11: Mirror Blast Emulation [windows]
 - T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1106 Native API](../../T1106/T1106.md)

atomics/Indexes/index.yaml

@@ -43269,6 +43269,21 @@ execution:
           Remove-Item $file1 -ErrorAction Ignore
           Remove-Item $file2 -ErrorAction Ignore
         name: powershell
+    - name: Mirror Blast Emulation
+      auto_generated_guid: 24fd9719-7419-42dd-bce6-ab3463110b3c
+      description: "Emulates the JS -> MSI chain of the MirrorBlast T505 campaign
+        by executing an xlsm file designed. \nRequires the 32 bit version of Office
+        to run. [MirrorBlast Campaign Analysis](https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies)\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          Cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
+          New-ItemProperty -Path Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Security -Name "VBAWarnings" -Value "1" -PropertyType DWORD -Force | Out-Null
+          & '.\Excel 2016.lnk' PathToAtomicsFolder\T1204.002\bin\mirrorblast_emulation.xlsm
+        cleanup_command: reg delete "HKCU\SOFTWARE\Microsoft\Office\16.0\Excel\Security"
+          /v "VBAWarnings" /f
+        name: powershell
   T1053.003:
     technique:
       x_mitre_platforms:

atomics/T1204.002/T1204.002.md

@@ -28,6 +28,8 @@ While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently
 
 - [Atomic Test #10 - LNK Payload Download](#atomic-test-10---lnk-payload-download)
 
+- [Atomic Test #11 - Mirror Blast Emulation](#atomic-test-11---mirror-blast-emulation)
+
 
 <br/>
 
@@ -625,4 +627,39 @@ Remove-Item $file2 -ErrorAction Ignore
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #11 - Mirror Blast Emulation
+Emulates the JS -> MSI chain of the MirrorBlast T505 campaign by executing an xlsm file designed. 
+Requires the 32 bit version of Office to run. [MirrorBlast Campaign Analysis](https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 24fd9719-7419-42dd-bce6-ab3463110b3c
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
+New-ItemProperty -Path Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Security -Name "VBAWarnings" -Value "1" -PropertyType DWORD -Force | Out-Null
+& '.\Excel 2016.lnk' PathToAtomicsFolder\T1204.002\bin\mirrorblast_emulation.xlsm
+```
+
+#### Cleanup Commands:
+```powershell
+reg delete "HKCU\SOFTWARE\Microsoft\Office\16.0\Excel\Security" /v "VBAWarnings" /f
+```
+
+
+
+
+
 <br/>