T1218.001 - HH Decompile CHM File (#2109)

* Updated T1556.002 - PW Filter * Update T1556.002.yaml * Update T1556.002.yaml * HH Decompile Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-09-01 11:36:23 -06:00
parent 2aab95c4e4
commit f2d55e2799
1 changed files with 25 additions and 0 deletions
@@ -187,3 +187,28 @@ atomic_tests:
  executor:
    command: 'Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}'
    name: powershell
+- name: Decompile Local CHM File
+  description: |
+    Uses hh.exe to decompile a local compiled HTML Help file.
+    Upon successful execution the chm file will decompile to disk.
+    Reference:https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
+  supported_platforms:
+  - windows
+  input_arguments:
+    local_chm_file:
+      description: Local .chm payload
+      type: Path
+      default: PathToAtomicsFolder\T1218.001\src\T1218.001.chm
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      The payload must exist on disk at specified location (#{local_chm_file})
+    prereq_command: |
+      if (Test-Path #{local_chm_file}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{local_chm_file}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm" -OutFile "#{local_chm_file}"
+  executor:
+    command: |
+      hh.exe -decompile #{local_chm_file} PathToAtomicsFolder\T1218.001\src
+    name: command_prompt