T1059.007 JScript Tests (#2281)

* JScript Tests

* correct outfile name

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Tony M Lambert
2023-01-14 16:55:16 -06:00
committed by GitHub
parent a8e3cf63e9
commit 4ae9580a1a
2 changed files with 56 additions and 0 deletions
+42
@@ -0,0 +1,42 @@
attack_technique: T1059.007
display_name: "Command and Scripting Interpreter: JavaScript"
atomic_tests:
- name: JScript execution to gather local computer information via cscript
description: JScript execution test, execute JScript via cscript command. When successful, system information will be written to $env:TEMP\T1059.007.out.txt
supported_platforms:
- windows
input_arguments:
jscript:
description: Path to sample script
type: string
default: PathToAtomicsFolder\T1059.007\src\sys_info.js
dependency_executor_name: powershell
dependencies:
- description: Sample script must exist on disk at specified location (#{jscript})
prereq_command: "if (Test-Path #{jscript}) {exit 0} else {exit 1} "
get_prereq_command: |-
New-Item -ItemType Directory (Split-Path #{jscript}) -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js" -OutFile "#{jscript}"
executor:
command: "cscript #{jscript} > $env:TEMP\\T1059.007.out.txt'"
cleanup_command: Remove-Item $env:TEMP\T1059.007.out.txt -ErrorAction Ignore
name: command_prompt
- name: JScript execution to gather local computer information via wscript
description: JScript execution test, execute JScript via wscript command. When successful, system information will be shown with four message boxes.
supported_platforms:
- windows
input_arguments:
jscript:
description: Path to sample script
type: string
default: PathToAtomicsFolder\T1059.007\src\sys_info.js
dependency_executor_name: powershell
dependencies:
- description: Sample script must exist on disk at specified location (#{jscript})
prereq_command: "if (Test-Path #{jscript}) {exit 0} else {exit 1} "
get_prereq_command: |-
New-Item -ItemType Directory (Split-Path #{jscript}) -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js" -OutFile "#{jscript}"
executor:
command: "wscript #{jscript}"
name: command_prompt
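Review bot: The cscript test's executor is `command_prompt`, but its `command` and `cleanup_command` use PowerShell syntax, so the output file named in the description is unlikely to be created or removed. cmd.exe does not expand `$env:TEMP`, the redirect target ends in a stray `'`, and `Remove-Item` is not a cmd command (assuming cleanup runs under the same executor as the test). Either change the executor `name` to `powershell`, or keep cmd and use `command: 'cscript "#{jscript}" > %TEMP%\T1059.007.out.txt'` with `cleanup_command: del %TEMP%\T1059.007.out.txt >nul 2>&1`. Quoting `#{jscript}` here and in `Test-Path "#{jscript}"` also keeps the test working when the atomics folder path contains spaces. Without this, anyone validating detections against the expected output artifact gets a misleading result.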
+14
@@ -0,0 +1,14 @@
var objWMIService = GetObject("winmgmts:\\\\.\\root\\cimv2");
var objList = objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem");
var objItem = new Enumerator(objList);
for (; !objItem.atEnd(); objItem.moveNext()) {
var strDomain = objItem.item().Domain;
var strName = objItem.item().Name;
var strManu = objItem.item().Manufacturer;
var strModel = objItem.item().Model;
WScript.Echo("Domain: " + strDomain);
WScript.Echo("Computer Name: " + strName);
WScript.Echo("Manufacturer: " + strManu);
WScript.Echo("Model: " + strModel);
}
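Review bot: The sample script (apparently `sys_info.js`, going by the YAML default path) has no header comment saying what it does, which matters for a file that defenders will find on disk and in script-block or AMSI telemetry after a test run. I would add something like `// Atomic Red Team T1059.007 sample: read-only WMI query of Win32_ComputerSystem; echoes Domain, Name, Manufacturer and Model (stdout under cscript, message boxes under wscript).` at the top. As a style point, the loop calls `objItem.item()` four times per iteration; `var sys = objItem.item();` read once and reused would be clearer.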