From f2d55e2799a1612f7dcc2d1897975115ced5e944 Mon Sep 17 00:00:00 2001
From: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Date: Thu, 1 Sep 2022 11:36:23 -0600
Subject: [PATCH] T1218.001 - HH Decompile CHM File (#2109)
* Updated T1556.002 - PW Filter
* Update T1556.002.yaml
* Update T1556.002.yaml
* HH Decompile
Co-authored-by: Carrie Roberts
---
 atomics/T1218.001/T1218.001.yaml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/atomics/T1218.001/T1218.001.yaml b/atomics/T1218.001/T1218.001.yaml
index 536347f3..f7d1db11 100644
--- a/atomics/T1218.001/T1218.001.yaml
+++ b/atomics/T1218.001/T1218.001.yaml
@@ -187,3 +187,28 @@ atomic_tests:
 executor:
 command: 'Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}'
 name: powershell
+- name: Decompile Local CHM File
+ description: |
+ Uses hh.exe to decompile a local compiled HTML Help file.
+ Upon successful execution the chm file will decompile to disk.
+ Reference:https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
+ supported_platforms:
+ - windows
+ input_arguments:
+ local_chm_file:
+ description: Local .chm payload
+ type: Path
+ default: PathToAtomicsFolder\T1218.001\src\T1218.001.chm
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ The payload must exist on disk at specified location (#{local_chm_file})
+ prereq_command: |
+ if (Test-Path #{local_chm_file}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory (split-path #{local_chm_file}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm" -OutFile "#{local_chm_file}"
+ executor:
+ command: |
+ hh.exe -decompile #{local_chm_file} PathToAtomicsFolder\T1218.001\src
+ name: command_prompt
\ No newline at end of file
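Review bot: The new test quotes its paths inconsistently: `Test-Path #{local_chm_file}` and `split-path #{local_chm_file}` in the dependency commands and the `hh.exe -decompile #{local_chm_file} PathToAtomicsFolder\T1218.001\src` executor line are unquoted, while the `-OutFile "#{local_chm_file}"` argument is quoted, so a PathToAtomicsFolder or a user override containing a space breaks the prereq check and the executor. I would quote all three, e.g. `if (Test-Path "#{local_chm_file}") {exit 0} else {exit 1}` and `hh.exe -decompile "#{local_chm_file}" "PathToAtomicsFolder\T1218.001\src"`. The executor also writes the decompiled files into the hard-coded src folder next to the payload and the test has no `cleanup_command`, so the extracted contents stay in the atomics tree after the run; an `output_folder` input argument defaulting to a temp directory plus a `cleanup_command` that removes it would keep the run self-contained. Finally, `get_prereq_command` fetches the .chm from a mutable `master` raw URL with no hash check, which appears to be the repository's convention but means the file that hh.exe actually processes is whatever is on that branch at run time, so a pinned commit URL or a recorded hash would be worth considering.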