emulating this malware from blog

This commit is contained in:
Carrie Roberts
2023-06-16 19:09:27 -05:00
committed by GitHub
parent 0f229c0e42
commit 47babe02e4
+13 -1
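--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -871,4 +871,16 @@ atomic_tests:
 cleanup_command: |
 $typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; Remove-ItemProperty -Path $typicalPath -Name "AtomicSnake" -ErrorAction SilentlyContinue | Out-Null
 name: powershell
-elevation_required: true
+elevation_required: true
+- name: Malware we read about about on a blog
+description: |
+a desc of the attack commands
+supported_platforms:
+- windows
+executor:
+command: |
+$typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; $randomBytes = New-Object Byte[] 0x1000; (New-Object Random).NextBytes($randomBytes); New-ItemProperty -Path $typicalPath -Name "AtomicSnake" -Value $randomBytes -PropertyType Binary -Force | Out-Null
+cleanup_command: |
+$typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; Remove-ItemProperty -Path $typicalPath -Name "AtomicSnake" -ErrorAction SilentlyContinue | Out-Null
+name: powershell
+elevation_required: true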
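Review bot: The added test's `description` is a placeholder (`a desc of the attack commands`) and its `name` has a doubled word and does not say which blog post it emulates, so a reader cannot tell what behaviour is being exercised; suggest `name: Store random bytes in a registry value (blog-based emulation)` and a description that states what the command does — writes 0x1000 random bytes as a binary value under `HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds` — and links the source post. The `command` block is one long `;`-joined line inside a `|` literal scalar; one statement per line would read better and diff more cleanly. `New-ItemProperty -Force` creates the value but not its parent key, so on a host where `OpenWithProgIds` does not already exist the test errors before writing; the preceding test's cleanup at the top of the hunk suggests the key may be created elsewhere, but a `New-Item -Path $typicalPath -Force | Out-Null` ahead of it would make this test self-contained. If this is an Atomic Red Team test file, the per-test `auto_generated_guid` field appears to be missing from the new entry as well, though it may be added by tooling before merge.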