Create T1592.002.yaml (#2094)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Leo Verlod
@@ -0,0 +1,30 @@
|
||||
attack_technique: T1592.002
|
||||
display_name: 'Gather Victim Host Information: Software'
|
||||
atomic_tests:
|
||||
- name: Enumerate COM Objects with Powershell
|
||||
description: |-
|
||||
This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file.
|
||||
An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes.
|
||||
See: https://www.mandiant.com/resources/hunting-com-objects
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: File to output list of COM objects to
|
||||
type: String
|
||||
default: $env:temp\T1592.002Test1.txt
|
||||
executor:
|
||||
command: |
|
||||
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
|
||||
Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt
|
||||
ForEach($CLSID in Get-Content "$env:temp\clsids.txt")
|
||||
{try{write-output "$($Position)-$($CLSID)"
|
||||
write-output "------------"| out-file #{output_file} -append
|
||||
write-output $($CLSID)| out-file #{output_file} -append
|
||||
$handle=[activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID))
|
||||
$handle | get-member -erroraction silentlycontinue | out-file #{output_file} -append
|
||||
$position += 1} catch{}}
|
||||
cleanup_command: |
|
||||
remove-item #{output_file} -force -erroraction silentlycontinue
|
||||
remove-item $env:temp\clsids.txt -force -erroraction silentlycontinue
|
||||
name: powershell
|
||||
Reference in New Issue
Block a user