Carrie Roberts
1bfefdacfc
* provide elevation_required attribute * provide elevation_required attribute * provide elevation_required attribute
27 lines
1.1 KiB
YAML
27 lines
1.1 KiB
YAML
---
|
|
attack_technique: T1193
|
|
display_name: Spearphishing Attachment
|
|
|
|
atomic_tests:
|
|
- name: Download Phishing Attachment - VBScript
|
|
description: |
|
|
The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com).
|
|
The below will successfully download the macro-enabled Excel file to the current location.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
if (-not(Test-Path HKLM:SOFTWARE\Classes\Excel.Application)){
|
|
return 'Please install Microsoft Excel before running this test.'
|
|
}
|
|
else{
|
|
$url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingAttachment.xlsm'
|
|
$fileName = 'PhishingAttachment.xlsm'
|
|
New-Item -Type File -Force -Path $fileName | out-null
|
|
$wc = New-Object System.Net.WebClient
|
|
$wc.Encoding = [System.Text.Encoding]::UTF8
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
($wc.DownloadString("$url")) | Out-File $fileName
|
|
} |