Phil Hagen fd399bb6ed fix nesting and remove empty entries (#2825)
* fix nesting and remove empty entries

* missed an indent correction

---------

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2024-07-03 16:31:05 -06:00


attack_technique: T1072
display_name: Software Deployment Tools
atomic_tests:
- name: Radmin Viewer Utility
  auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129
  description: |
    An adversary may use Radmin Viewer Utility to remotely control a Windows device; this will start the radmin console.
  supported_platforms:
  - windows
  input_arguments:
    radmin_installer:
      description: Radmin Viewer installer
      type: path
      default: 'RadminViewer.msi'
    radmin_exe:
      description: The radmin.exe executable from RadminViewer.msi
      type: path
      default: 'Radmin Viewer 3/Radmin.exe'
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Radmin Viewer Utility must be installed at specified location (#{radmin_exe})
    prereq_command: |
      if (Test-Path "${env:ProgramFiles(x86)}/#{radmin_exe}") {exit 0} else {exit 1}
    get_prereq_command: |
      Write-Host Downloading radmin installer
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{radmin_installer}"
      Write-Host Install Radmin
      Start-Process msiexec -Wait -ArgumentList /i , "PathToAtomicsFolder\..\ExternalPayloads\#{radmin_installer}", /qn
  executor:
    name: command_prompt
    elevation_required: true
    command: |
      "%PROGRAMFILES(x86)%/#{radmin_exe}"
- name: PDQ Deploy RAT
  auto_generated_guid: e447b83b-a698-4feb-bed1-a7aaf45c3443
  description: |
    An adversary may use PDQ Deploy Software to deploy the Remote Administration Tool; this will start the PDQ console.
  supported_platforms:
  - windows
  input_arguments:
    PDQ_Deploy_installer:
      description: PDQ Deploy Install
      type: path
      default: 'PDQDeploysetup.exe'
    PDQ_Deploy_exe:
      description: The PDQDeployConsole.exe executable from PDQDeploysetup.exe
      type: path
      default: 'Admin Arsenal/PDQ Deploy/PDQDeployConsole.exe'
  dependency_executor_name: powershell
  dependencies:
  - description: |
      PDQ Deploy will be installed at specified location (#{PDQ_Deploy_exe})
    prereq_command: |
      if (Test-Path "${env:ProgramFiles(x86)}/#{PDQ_Deploy_exe}") {exit 0} else {exit 1}
    get_prereq_command: |
      Write-Host Downloading PDQ Deploy installer
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://download.pdq.com/release/19/Deploy_19.3.350.0.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{PDQ_Deploy_installer}"
      Write-Host Install PDQ Deploy
      Start-Process "PathToAtomicsFolder\..\ExternalPayloads\#{PDQ_Deploy_installer}" -Wait -ArgumentList "/s"
  executor:
    name: command_prompt
    elevation_required: true
    command: |
      "%PROGRAMFILES(x86)%/#{PDQ_Deploy_exe}"
- name: Deploy 7-Zip Using Chocolatey
  auto_generated_guid: 2169e8b0-2ee7-44cb-8a6e-d816a5db7d8a
  description: |
    An adversary may use Chocolatey to remotely deploy the 7-Zip file archiver utility.
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Chocolatey must be installed to deploy 7-Zip.
    prereq_command: |
      if (Test-Path "${env:ProgramFiles(x86)}\Chocolatey\choco.exe") {exit 0} else {exit 1}
    get_prereq_command: |
      Write-Host Downloading Chocolatey installer
      Invoke-WebRequest -Uri "https://chocolatey.org/install.ps1" -OutFile "chocolatey-install.ps1"
      Write-Host Installing Chocolatey
      Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File chocolatey-install.ps1" -Wait
  executor:
    name: powershell
    elevation_required: false
    command: |
      # Deploy 7-Zip using Chocolatey
      choco install -y 7zip
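The tests above template their commands with `#{argument}` placeholders that Invoke-AtomicRedTeam fills from `input_arguments` defaults. The following added example (not code from the atomic-red-team project) reproduces that substitution for the three T1072 executors and uses the resulting program names to flag constructed Sysmon-style process-creation events, which is how a defender can turn the test definitions into expected telemetry for validating a detection. `ATOMIC_TESTS` is a hand-copied subset of the YAML and `EVENTS` are made-up records; matching on the image file name alone is a coarse check that a renamed binary would evade.

```python
# Added example, not code from the atomic-red-team project: render each T1072
# executor command above by applying its #{argument} defaults, then use the
# resulting program names to flag constructed process-creation events.
# ATOMIC_TESTS is a hand-copied subset of the YAML; EVENTS are made up.
ATOMIC_TESTS = [
    {"name": "Radmin Viewer Utility",
     "input_arguments": {"radmin_exe": {"default": "Radmin Viewer 3/Radmin.exe"}},
     "executor": {"command": '"%PROGRAMFILES(x86)%/#{radmin_exe}"'}},
    {"name": "PDQ Deploy RAT",
     "input_arguments": {"PDQ_Deploy_exe":
                         {"default": "Admin Arsenal/PDQ Deploy/PDQDeployConsole.exe"}},
     "executor": {"command": '"%PROGRAMFILES(x86)%/#{PDQ_Deploy_exe}"'}},
    {"name": "Deploy 7-Zip Using Chocolatey", "input_arguments": {},
     "executor": {"command": "# Deploy 7-Zip using Chocolatey\nchoco install -y 7zip"}},
]

def render_command(test):
    """Substitute every #{name} placeholder with that input argument's default."""
    cmd = test["executor"]["command"]
    for arg, spec in test["input_arguments"].items():
        cmd = cmd.replace("#{%s}" % arg, spec["default"])
    # Drop comment lines so only the command that actually runs remains.
    return "\n".join(l for l in cmd.splitlines() if not l.lstrip().startswith("#")).strip()

def basename(path):
    """Lower-case file name without .exe, from a / or \\ separated path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def command_program(command):
    """Program a rendered command runs: the quoted path, else the first token."""
    first = command.splitlines()[0].strip()
    prog = first[1:].split('"', 1)[0] if first.startswith('"') else first.split()[0]
    return basename(prog)

def match_events(events, tests=ATOMIC_TESTS):
    """(event index, test name) for events whose Image is a test's program."""
    watched = {command_program(render_command(t)): t["name"] for t in tests}
    return [(i, watched[basename(e["Image"])])
            for i, e in enumerate(events) if basename(e["Image"]) in watched]

# Constructed Sysmon-style process-creation events, not real telemetry.
EVENTS = [
    {"Image": r"C:\Program Files (x86)\Radmin Viewer 3\Radmin.exe", "CommandLine": "Radmin.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"Image": r"C:\ProgramData\chocolatey\bin\choco.exe", "CommandLine": "choco install -y 7zip"},
]

if __name__ == "__main__":
    for idx, test_name in match_events(EVENTS):
        print(f"event {idx}: {EVENTS[idx]['Image']} -> T1072 / {test_name}")
```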