Mika Ayenson
40 lines
1.1 KiB
Python
40 lines
1.1 KiB
Python
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
# or more contributor license agreements. Licensed under the Elastic License
|
|
# 2.0; you may not use this file except in compliance with the Elastic License
|
|
# 2.0.
|
|
|
|
from . import common
|
|
from . import RtaMetadata
|
|
|
|
|
|
metadata = RtaMetadata(
|
|
uuid="456ec321-41c8-4a41-8f6f-40b8e3d1c295",
|
|
platforms=["windows"],
|
|
endpoint=[
|
|
{"rule_name": "Suspicious MS Office Execution via DCOM", "rule_id": "6a714747-2671-4523-b233-744f119949b6"}
|
|
],
|
|
siem=[],
|
|
techniques=["T1112", "T1566"],
|
|
)
|
|
|
|
EXE_FILE = common.get_path("bin", "renamed_posh.exe")
|
|
|
|
|
|
@common.requires_os(metadata.platforms)
|
|
def main():
|
|
winword = "C:\\Users\\Public\\winword.exe"
|
|
common.copy_file(EXE_FILE, winword)
|
|
|
|
key = "SOFTWARE\\Microsoft\\Office\\Test\\Security"
|
|
value = "AccessVBOM"
|
|
data = "1"
|
|
|
|
with common.temporary_reg(common.HKCU, key, value, data):
|
|
pass
|
|
common.execute([winword, "-c", "echo", "-Embedding", ";powershell"], timeout=5, kill=True)
|
|
common.remove_file(winword)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
exit(main())
|