22 lines
943 B
YAML
attack_technique: T1221
display_name: Template Injection
atomic_tests:
- name: WINWORD Remote Template Injection
  auto_generated_guid: 1489e08a-82c7-44ee-b769-51b72d03521d
  description: |
    Open a .docx file that loads a remote .dotm macro-enabled template from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm
    Executes the code specified within the .dotm template.
    Requires download of WINWORD found in Microsoft Office at Microsoft: https://www.microsoft.com/en-us/download/office.aspx.
    The default docx file opens Calculator.exe when the test executes successfully with AV turned off.
  supported_platforms:
  - windows
  input_arguments:
    docx_file:
      description: Location of the test docx file on the local filesystem.
      type: path
      default: PathToAtomicsFolder\T1221\src\Calculator.docx
  executor:
    command: |
      start "#{docx_file}"
    name: command_prompt