T1036 file extension masquerading fix (#999)

* change executor to help with writing detection

* putting guid back in

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Andrew Beers
2020-05-20 08:43:35 -05:00
committed by GitHub
parent 455840f3bb
commit 1b2bf832c3
3 changed files with 30 additions and 31 deletions
+28 -28
@@ -205,35 +205,35 @@ atomic_tests:
default: PathToAtomicsFolder\T1036\src\T1036_masquerading.ps1
executor:
name: powershell
name: command_prompt
elevation_required: false
command: |
Copy-Item #{exe_path} -Destination $env:TEMP\T1036_masquerading.docx.exe -Force
Copy-Item #{exe_path} -Destination $env:TEMP\T1036_masquerading.pdf.exe -Force
Copy-Item #{exe_path} -Destination $env:TEMP\T1036_masquerading.ps1.exe -Force
Copy-Item #{vbs_path} -Destination $env:TEMP\T1036_masquerading.xls.vbs -Force
Copy-Item #{vbs_path} -Destination $env:TEMP\T1036_masquerading.xlsx.vbs -Force
Copy-Item #{vbs_path} -Destination $env:TEMP\T1036_masquerading.png.vbs -Force
Copy-Item #{ps1_path} -Destination $env:TEMP\T1036_masquerading.vbs.ps1 -Force
Copy-Item #{ps1_path} -Destination $env:TEMP\T1036_masquerading.exe.ps1 -Force
Copy-Item #{ps1_path} -Destination $env:TEMP\T1036_masquerading.js.ps1 -Force
Invoke-Expression $env:TEMP\T1036_masquerading.docx.exe
Invoke-Expression $env:TEMP\T1036_masquerading.pdf.exe
Invoke-Expression $env:TEMP\T1036_masquerading.ps1.exe
Invoke-Expression $env:TEMP\T1036_masquerading.xls.vbs
Invoke-Expression $env:TEMP\T1036_masquerading.xlsx.vbs
Invoke-Expression $env:TEMP\T1036_masquerading.png.vbs
Invoke-Expression $env:TEMP\T1036_masquerading.vbs.ps1
Invoke-Expression $env:TEMP\T1036_masquerading.exe.ps1
Invoke-Expression $env:TEMP\T1036_masquerading.js.ps1
copy #{exe_path} %temp%\T1036_masquerading.docx.exe /Y
copy #{exe_path} %temp%\T1036_masquerading.pdf.exe /Y
copy #{exe_path} %temp%\T1036_masquerading.ps1.exe /Y
copy #{vbs_path} %temp%\T1036_masquerading.xls.vbs /Y
copy #{vbs_path} %temp%\T1036_masquerading.xlsx.vbs /Y
copy #{vbs_path} %temp%\T1036_masquerading.png.vbs /Y
copy #{ps1_path} %temp%\T1036_masquerading.doc.ps1 /Y
copy #{ps1_path} %temp%\T1036_masquerading.pdf.ps1 /Y
copy #{ps1_path} %temp%\T1036_masquerading.rtf.ps1 /Y
%temp%\T1036_masquerading.docx.exe
%temp%\T1036_masquerading.pdf.exe
%temp%\T1036_masquerading.ps1.exe
%temp%\T1036_masquerading.xls.vbs
%temp%\T1036_masquerading.xlsx.vbs
%temp%\T1036_masquerading.png.vbs
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036_masquerading.doc.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036_masquerading.pdf.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036_masquerading.rtf.ps1
cleanup_command: |
Remove-Item $env:TEMP\T1036_masquerading.docx.exe -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.pdf.exe -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.ps1.exe -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.xls.vbs -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.xlsx.vbs -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.png.vbs -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.vbs.ps1 -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.exe.ps1 -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.js.ps1 -Force -ErrorAction Ignore | Out-Null
del /f %temp%\T1036_masquerading.docx.exe > nul 2>&1
del /f %temp%\T1036_masquerading.pdf.exe > nul 2>&1
del /f %temp%\T1036_masquerading.ps1.exe > nul 2>&1
del /f %temp%\T1036_masquerading.xls.vbs > nul 2>&1
del /f %temp%\T1036_masquerading.xlsx.vbs > nul 2>&1
del /f %temp%\T1036_masquerading.png.vbs > nul 2>&1
del /f %temp%\T1036_masquerading.doc.ps1 > nul 2>&1
del /f %temp%\T1036_masquerading.pdf.ps1 > nul 2>&1
del /f %temp%\T1036_masquerading.rtf.ps1 > nul 2>&1
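Review bot: The three `powershell.exe` lines at the end of the new command block hard-code `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` while every other path in the block resolves through `%temp%`, so on a host whose system drive is not C: the `.doc.ps1`, `.pdf.ps1` and `.rtf.ps1` runs fail and a detection author sees only the `.exe`/`.vbs` events. `%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -File "%temp%\T1036_masquerading.doc.ps1"` (and the same for the other two lines) keeps the location-independence the block already relies on for `%temp%`. The `copy`, run and `del` lines also leave `#{exe_path}`, `#{vbs_path}`, `#{ps1_path}` and `%temp%` unquoted, so a space in the atomics folder or in the user's TEMP path breaks the copy before anything executes; the cmd-safe form is to quote both operands, e.g. `copy "#{exe_path}" "%temp%\T1036_masquerading.docx.exe" /Y`. The atomic's name, description and input_arguments sit above this hunk, so check that they still describe a command_prompt run rather than the PowerShell one they were written for.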
+1 -1
@@ -1 +1 @@
exit
Exit-PSSession
+1 -2
@@ -1,2 +1 @@
Wscript.Echo "T1036_maquerading"
Wscript.Quit 1
Wscript.Quit