Atomic Red Team doc generator
48 lines
1.9 KiB
YAML
48 lines
1.9 KiB
YAML
attack_technique: T1566.002
|
|
display_name: 'Phishing: Spearphishing Link'
|
|
|
|
atomic_tests:
|
|
- name: Paste and run technique
|
|
auto_generated_guid: bc177ef9-6a12-4ebc-a2ec-d41e19c2791d
|
|
description: |
|
|
Tests the **Paste and Run** technique, where users are tricked into running
|
|
malicious PowerShell commands by automating the Win+R command to open the
|
|
Run dialog and input `encoded PowerShell to execute calc.exe.`
|
|
|
|
- [Fake CAPTCHA Campaign](https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf)
|
|
- [From Clipboard to Compromise](https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn)
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
execution_command:
|
|
description: The command to execute in the run
|
|
type: String
|
|
default: 'calc.exe'
|
|
executor:
|
|
name: powershell
|
|
command: |
|
|
# Add user32.dll for keybd_event
|
|
Add-Type @"
|
|
using System;
|
|
using System.Runtime.InteropServices;
|
|
public class K {
|
|
[DllImport("user32.dll")]
|
|
public static extern void keybd_event(byte bVk, byte bScan, uint dwFlags, UIntPtr dwExtraInfo);
|
|
}
|
|
"@
|
|
|
|
# Virtual key codes
|
|
$VK_LWIN, $VK_R, $KEYDOWN, $KEYUP = 0x5B, 0x52, 0x0000, 0x0002
|
|
|
|
# Open Run dialog (Win+R)
|
|
[K]::keybd_event($VK_LWIN, 0, $KEYDOWN, [UIntPtr]::Zero)
|
|
[K]::keybd_event($VK_R, 0, $KEYDOWN, [UIntPtr]::Zero)
|
|
[K]::keybd_event($VK_R, 0, $KEYUP, [UIntPtr]::Zero)
|
|
[K]::keybd_event($VK_LWIN, 0, $KEYUP, [UIntPtr]::Zero)
|
|
|
|
# Short delay for Run dialog
|
|
Start-Sleep -Milliseconds 500
|
|
Add-Type -AssemblyName System.Windows.Forms
|
|
[System.Windows.Forms.SendKeys]::SendWait("cmd /c powershell -ec " + [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('#{execution_command}')) + "{ENTER}")
|