redcanaryco / invoke-atomicredteam

Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the [atomics folder](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics) of Red Canary's Atomic Red Team project.
MIT License

T1193 #25

Closed CV01 closed 4 years ago

CV01 commented 4 years ago

I'm using Invoke-Atomic as the attack simulation tool in a research paper on Sysmon.

Yesterday, I went to execute the test for T1193. The phishingattachment.xlsm downloaded via PowerShell as expected, but google.com never opened up.

When I opened phishingattachment.xlsm manually, Excel said there was an error between the file format and the file type/extension.

Andras32 commented 4 years ago

@CV01 this test does not execute the .xlsm. The file extension error is likely due to your security policy. For macro execution see https://github.com/redcanaryco/atomic-red-team/blob/c6582e3b487dd3101c0162470f6a2aa38fe170ff/atomics/T1204/T1204.md This atomic works at the execution tactic of ATT&CK.

CV01 commented 4 years ago

Per the test description it says, "The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to google.com. The below will successfully download the macro-enabled Excel file to the current location."

Wouldn't the .xlsm need to execute to open the browser to google.com? Are you able to execute this successfully? I checked my macro settings and it says that they are disabled with notification, but I'm not able to open the file successfully to even get to the macro warning.

Andras32 commented 4 years ago

Tested the .xlsm and it worked for me after enabling macro content. Yes, the .xlsm would need to be executed manually; this test is written to identify malicious macros and the Initial Access stage, i.e. AV on-access alerts, etc. The macro in phishingattachment.xlsm works, but the test was not written to conduct execution. That's what T1204 was written for (the execution of common malicious macro files seen in OSTap, Trickbot, etc.).

If you want to test your AV signatures on maldocs, run T1193. If you want to test the identification of malicious behaviors seen in maldocs, run T1204. You can DM me on Slack if you'd like a more responsive conversation on this topic. @andras32
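The thread turns on two different failures: a file that Excel refuses to open because its bytes do not match the .xlsm extension, versus a genuine macro-enabled workbook whose macros are blocked by policy. The check below, an added example that is not part of Invoke-AtomicRedTeam or the atomic-red-team project, tells those cases apart offline by inspecting the downloaded artifact: an .xlsm is an OOXML zip container, and a macro-enabled workbook carries `xl/vbaProject.bin`. The sample inputs (an HTML page saved under the wrong name, and two minimal zip containers) are constructed here; the function names `classify_xlsm`, `classify_xlsm_file` and `build_sample` are this example's own.

```python
"""Classify a downloaded .xlsm artifact before using it in a macro test.

Added example, not code from Invoke-AtomicRedTeam or atomic-red-team.
Outcomes:
  'not-zip'           bytes are not an OOXML container (e.g. an HTML error
                      page written under the .xlsm name by a proxy/filter);
                      Excel reports a format/extension mismatch for this.
  'zip-no-vba'        a valid container with no VBA project, so no macro
                      warning can ever appear.
  'xlsm-with-macros'  a macro-enabled workbook; whether the macro runs is
                      then a matter of Office Trust Center policy.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"          # local file header of a zip archive
VBA_MEMBER = "xl/vbaProject.bin"    # where OOXML stores the VBA project


def classify_xlsm(data: bytes) -> str:
    """Return 'not-zip', 'zip-no-vba' or 'xlsm-with-macros' for raw bytes."""
    if not data.startswith(ZIP_MAGIC):
        return "not-zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        # Right magic bytes but a damaged or truncated download
        return "not-zip"
    if VBA_MEMBER in names:
        return "xlsm-with-macros"
    return "zip-no-vba"


def classify_xlsm_file(path: str) -> str:
    """Same classification for a file on disk (hypothetical helper)."""
    with open(path, "rb") as fh:
        return classify_xlsm(fh.read())


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-like container for offline demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            # Placeholder bytes; a real vbaProject.bin is an OLE compound file
            zf.writestr(VBA_MEMBER, b"\x00constructed placeholder\x00")
    return buf.getvalue()


# Constructed stand-in for a proxy/filter block page saved as .xlsm
HTML_PAGE = b"<html><body>Download blocked by policy</body></html>"


if __name__ == "__main__":
    samples = [
        ("html-as-xlsm", HTML_PAGE),
        ("workbook-no-vba", build_sample(False)),
        ("macro-workbook", build_sample(True)),
    ]
    for label, blob in samples:
        print(f"{label:16} -> {classify_xlsm(blob)}")
```

Run against the file the T1193 test downloads: `not-zip` means the download itself was altered or replaced (the mismatch error CV01 saw), while `xlsm-with-macros` with no macro prompt in Excel points at Trust Center settings, which is the territory T1204 covers.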