New Atomic - Excel Application Object for LM

[tsale]

Details:
This lateral movement technique is within the Distributed Component Object Model (DCOM) of the Excel application, specifically utilizing the ActivateMicrosoftApp() method. It is based on initial research by Matt Nelson regarding lateral movement using Excel.Application and DCOM. The steps to reproduce including the PowerShell commands are highlighted on the referenced link from specterops blog post.

Testing:
This technique was tested in local and remote hosts. It was also tested on hosts that do not have the Excel application installed for error validation.

Associated Issues:
No issues found.

[josehelps]

Hey, there are some minor changes that need to be made but this is an amazing addition thank you!

[tsale]

Thanks @josehelps. I fixed the yaml issue.

[josehelps]

Hey @tsale I removed the README.md and also the auto_generated_guid from the yaml since those things are auto generated but CI still failing because there is a hostname input argument that is not used in the execution command: https://github.com/redcanaryco/atomic-red-team/pull/2582/checks#step:6:16

[tsale]

Ah ok, I changed the field name from hostname to computer_name. Hopefully should be fine now.

[cyberbuff]

Ah ok, I changed the field name from hostname to computer_name. Hopefully should be fine now.

Hey @tsale ,

Looks like there is another issue. computer_name parameter is not used in the atomic. Can you change your command to

 $com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application","#{computer_name}"))

[tsale]

Done.

Loving the automation here🙂

[josehelps]

Awesome thank you!

[josehelps]

this markdown file is automatically generated from the yaml by the tooling in the project and will be clobbered would you mind removing it?