diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index c2ab1fc8..fe402e9b 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -116578,7 +116578,9 @@ impact:
 type: path
 default: "$env:temp\\test.txt"
 dependencies:
- - description: 'GPG must exist at (#{GPG_Exe_Location})
+ - description: 'GPG must exist at (#{GPG_Exe_Location}). If -GetPrereqs fails,
+ try to install GPG4WIN manually at ''https://www.gpg4win.org/download.html''.
+ Once done, run -CheckPrereqs to confirm that it works.

 '
 prereq_command: 'if (test-path ''#{GPG_Exe_Location}''){exit 0} else {exit
@@ -116586,19 +116588,19 @@ impact:

 '
 get_prereq_command: |
+ Set-Content -Path "#{File_to_Encrypt_Location}" -Value "populating this file with some text" # Create the test.txt file
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
 invoke-webrequest "https://files.gpg4win.org/gpg4win-4.1.0.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe"
 cmd /c "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" /S
 executor:
 name: powershell
 elevation_required: false
- command: 'cmd /c ''#{GPG_Exe_Location}'' -c ''#{File_to_Encrypt_Location}''
-
- '
- cleanup_command: 'remove-item ''#{File_to_Encrypt_Location}.gpg'' -force -erroraction
- silentlycontinue | out-null
-
- '
+ command: |
+ Set-Content -Path "#{File_to_Encrypt_Location}" -Value "populating this file with some text" # Create the test.txt file again in case prereqs failed
+ cmd /c "`"C:\Program Files (x86)\GnuPG\bin\gpg.exe`" --passphrase 'SomeParaphraseBlah' --batch --yes -c `"#{File_to_Encrypt_Location}`""
+ cleanup_command: |
+ Remove-Item -Path "#{File_to_Encrypt_Location}" -Force -ErrorAction SilentlyContinue
+ Remove-Item -Path "#{File_to_Encrypt_Location}.gpg" -Force -ErrorAction SilentlyContinue
 - name: Data Encrypt Using DiskCryptor
 auto_generated_guid: 44b68e11-9da2-4d45-a0d9-893dabd60f30
 description: 'DiskCryptor, an open source encryption utility, can be exploited
diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
index 5e626cb0..8c362c13 100644
--- a/atomics/Indexes/windows-index.yaml
+++ b/atomics/Indexes/windows-index.yaml
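Review bot: The new `command` hard-codes `C:\Program Files (x86)\GnuPG\bin\gpg.exe` while `prereq_command` (and the dependency description in the previous hunk) still check `#{GPG_Exe_Location}`, so a user who sets that input to a non-default install location passes the prereq check and then runs a different, possibly absent, binary. Since the executor is already powershell, the `cmd /c` wrapper and the backtick-escaped quotes are also unnecessary; the line can be `& "#{GPG_Exe_Location}" --passphrase 'SomeParaphraseBlah' --batch --yes -c "#{File_to_Encrypt_Location}"`. The same line appears in the windows-index.yaml hunk and in the T1486.md hunk of this commit. If these index and markdown files are generated from the test's own YAML, which is not in the part of the diff shown here, the fix belongs there too or the next regeneration will revert it.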
@@ -96439,7 +96439,9 @@ impact:
 type: path
 default: "$env:temp\\test.txt"
 dependencies:
- - description: 'GPG must exist at (#{GPG_Exe_Location})
+ - description: 'GPG must exist at (#{GPG_Exe_Location}). If -GetPrereqs fails,
+ try to install GPG4WIN manually at ''https://www.gpg4win.org/download.html''.
+ Once done, run -CheckPrereqs to confirm that it works.

 '
 prereq_command: 'if (test-path ''#{GPG_Exe_Location}''){exit 0} else {exit
@@ -96447,19 +96449,19 @@ impact:

 '
 get_prereq_command: |
+ Set-Content -Path "#{File_to_Encrypt_Location}" -Value "populating this file with some text" # Create the test.txt file
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
 invoke-webrequest "https://files.gpg4win.org/gpg4win-4.1.0.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe"
 cmd /c "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" /S
 executor:
 name: powershell
 elevation_required: false
- command: 'cmd /c ''#{GPG_Exe_Location}'' -c ''#{File_to_Encrypt_Location}''
-
- '
- cleanup_command: 'remove-item ''#{File_to_Encrypt_Location}.gpg'' -force -erroraction
- silentlycontinue | out-null
-
- '
+ command: |
+ Set-Content -Path "#{File_to_Encrypt_Location}" -Value "populating this file with some text" # Create the test.txt file again in case prereqs failed
+ cmd /c "`"C:\Program Files (x86)\GnuPG\bin\gpg.exe`" --passphrase 'SomeParaphraseBlah' --batch --yes -c `"#{File_to_Encrypt_Location}`""
+ cleanup_command: |
+ Remove-Item -Path "#{File_to_Encrypt_Location}" -Force -ErrorAction SilentlyContinue
+ Remove-Item -Path "#{File_to_Encrypt_Location}.gpg" -Force -ErrorAction SilentlyContinue
 - name: Data Encrypt Using DiskCryptor
 auto_generated_guid: 44b68e11-9da2-4d45-a0d9-893dabd60f30
 description: 'DiskCryptor, an open source encryption utility, can be exploited
diff --git a/atomics/T1486/T1486.md b/atomics/T1486/T1486.md
index 0a26b018..b3fbd9c8 100644
--- a/atomics/T1486/T1486.md
+++ b/atomics/T1486/T1486.md
@@ -396,24 +396,27 @@ Gpg4win is a Windows tool (also called Kleopatra which is the preferred certific
 ```powershell -cmd /c '#{GPG_Exe_Location}' -c '#{File_to_Encrypt_Location}' +Set-Content -Path "#{File_to_Encrypt_Location}" -Value "populating this file with some text" # Create the test.txt file again in case prereqs failed +cmd /c "`"C:\Program Files (x86)\GnuPG\bin\gpg.exe`" --passphrase 'SomeParaphraseBlah' --batch --yes -c `"#{File_to_Encrypt_Location}`"" ``` #### Cleanup Commands: ```powershell -remove-item '#{File_to_Encrypt_Location}.gpg' -force -erroraction silentlycontinue | out-null +Remove-Item -Path "#{File_to_Encrypt_Location}" -Force -ErrorAction SilentlyContinue +Remove-Item -Path "#{File_to_Encrypt_Location}.gpg" -Force -ErrorAction SilentlyContinue ``` #### Dependencies: Run with `powershell`! -##### Description: GPG must exist at (#{GPG_Exe_Location}) +##### Description: GPG must exist at (#{GPG_Exe_Location}). If -GetPrereqs fails, try to install GPG4WIN manually at 'https://www.gpg4win.org/download.html'. Once done, run -CheckPrereqs to confirm that it works. ##### Check Prereq Commands: ```powershell if (test-path '#{GPG_Exe_Location}'){exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell +Set-Content -Path "#{File_to_Encrypt_Location}" -Value "populating this file with some text" # Create the test.txt file New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null invoke-webrequest "https://files.gpg4win.org/gpg4win-4.1.0.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" cmd /c "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" /S