Update T1036.yaml (#609)

* Adding T1086 Alternate Data Stream atomic

* Added newline T1086

* Syncing changes with upstream and origin.

* Added Cleanup to Logon Scripts Atomic T1037

* Added timeout to allow time for detection logic to register change.

* Fixed issue with upstream sync. Re-added timeout to allow time for detection logic.

* Fixed cleanup command. YAML tag not working to allow it to run.

* Update T1158 test 11.

Corrected ADS syntax. Added loop to run embedded ADS command from shell. Also added cleanup code.

* Update T1037.yaml

Moved Reg delete command under the cleanup_command tag for consistency.

* Update T1037.yaml

Moved reg removal command under cleanup_command tag for consistency.

* Update T1086.yaml

Bug Fix: Updated Base64 encoded command in T1086-12 with correct syntax and environment variables for PowerShell compatibility (was for cmd.exe only). Original decoded payload referenced %SystemRoot%, whereas PowerShell uses $env:SystemRoot. Also replaced single quotes with double quotes to prevent PowerShell from interpreting it as a literal string.

Enhancement: Added cleanup_commands for T1086-12. Added comments for what the Base64 encoded payload is.

* Update T1036.yaml

Added Cleanup commands for the windows tests
dwhite9
2019-11-05 13:07:15 -06:00
committed by Michael Haag
parent 6170883105
commit 0f77fd91fb
@@ -16,6 +16,8 @@ atomic_tests:
command: |
cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
cmd.exe /c %SystemRoot%\Temp\lsass.exe
cleanup_command: |
del /Q /F %SystemRoot%\Temp\lsass.exe
- name: Masquerading as Linux crond process.
description: |
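Review bot: the new `del /Q /F %SystemRoot%\Temp\lsass.exe` will fail with a sharing violation if the cmd.exe launched two lines earlier as `%SystemRoot%\Temp\lsass.exe` is still running when cleanup executes, and cleanup gives no indication of that. Do not "fix" this with `taskkill /IM lsass.exe`: the copied binary deliberately shares its image name with the real LSASS, so any kill by name targets the wrong process. Terminate by full path instead (for example a PowerShell `Get-Process | Where-Object { $_.Path -eq "$env:SystemRoot\Temp\lsass.exe" } | Stop-Process -Force`, or `wmic process where "ExecutablePath='...'" call terminate`) before the `del`, and note in the description that both the copy into %SystemRoot%\Temp and the cleanup require an elevated context.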
@@ -44,6 +46,8 @@ atomic_tests:
command: |
copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y
cmd.exe /c %APPDATA%\notepad.exe /B
cleanup_command: |
del /Q /F %APPDATA%\notepad.exe
- name: Masquerading - wscript.exe running as svchost.exe
description: |
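Review bot: cleanup here only removes `%APPDATA%\notepad.exe`, which is fine as long as the cleanup_command resolves `%APPDATA%` for the same user that ran the test; if the test is executed elevated under another account the copy and the delete resolve to different profile directories and the renamed cscript.exe is left behind. Worth a one-line note in the description, and for consistency with the first hunk either prefix the `copy` with `cmd.exe /c` or drop it there, since the two tests now launch the copy in two different ways.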
@@ -58,6 +62,8 @@ atomic_tests:
command: |
copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
cmd.exe /c %APPDATA%\svchost.exe /B
cleanup_command: |
del /Q /F %APPDATA%\svchost.exe
- name: Masquerading - powershell.exe running as taskhostw.exe
description: |
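Review bot: `del /Q /F %APPDATA%\svchost.exe` assumes the wscript.exe started as `%APPDATA%\svchost.exe /B` has already exited; wscript.exe invoked without a script file opens a dialog rather than returning, so the file may still be mapped when cleanup runs and the delete silently fails. Same caveat as the lsass.exe test: the name collides with the real svchost.exe instances, so terminate the process by its path under %APPDATA% (not by image name) before the `del`, or give the command a script argument so wscript exits on its own.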
@@ -72,3 +78,5 @@ atomic_tests:
command: |
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y
cmd.exe /K %APPDATA%\taskhostw.exe
cleanup_command: |
del /Q /F %APPDATA%\taskhostw.exe
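Review bot: the cleanup can never succeed as written because the command uses `cmd.exe /K %APPDATA%\taskhostw.exe`; `/K` keeps cmd.exe open after starting the renamed powershell.exe, so the test does not return to the executor and `taskhostw.exe` is still in use when `del /Q /F %APPDATA%\taskhostw.exe` runs. The other three tests in this file use `/c`; switch to `cmd.exe /c %APPDATA%\taskhostw.exe -Command exit` (or equivalent) so the process exits, then the delete works. If the interactive `/K` behaviour is intentional for detection purposes, say so in the description and add a path-based process termination before the `del`.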