diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 3693b427..4cc5b20c 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -45094,27 +45094,30 @@ execution: radmin_installer: description: Radmin Viewer installer type: Path - default: "%TEMP%\\RadminViewer.msi" + default: RadminViewer.msi radmin_exe: description: The radmin.exe executable from RadminViewer.msi type: Path - default: "%PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe" + default: Radmin Viewer 3/Radmin.exe + dependency_executor_name: powershell dependencies: - description: 'Radmin Viewer Utility must be installed at specified location (#{radmin_exe}) ' - prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1) + prereq_command: 'if (Test-Path "${env:ProgramFiles(x86)}/#{radmin_exe}") {exit + 0} else {exit 1} ' get_prereq_command: | - echo Downloading radmin installer - bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer} - msiexec /i "#{radmin_installer}" /qn + Write-Host Downloading radmin installer + (New-Object Net.WebClient).DownloadFile("https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi","$ENV:Temp\#{radmin_installer}") + Write-Host Install Radmin + Start-Process msiexec -Wait -ArgumentList /i , $ENV:Temp\#{radmin_installer}, /qn executor: name: command_prompt elevation_required: true - command: '"#{radmin_exe}" + command: '"%PROGRAMFILES(x86)%/#{radmin_exe}" ' - name: PDQ Deploy RAT 
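Review bot: The msiexec call in the new get_prereq_command passes the installer path unquoted in -ArgumentList (`/i , $ENV:Temp\#{radmin_installer}, /qn`); Start-Process joins the list into one command line, so any space in %TEMP% (a profile directory containing a space, for instance) splits the path and the silent install fails, leaving the prerequisite check permanently red. The MSI is then run elevated straight from the download with no integrity check; since the URL pins one release (3.5.2.1), comparing a SHA-256 against a known-good value before Start-Process would make the prerequisite step tamper-evident. A documentation point as well: with `%PROGRAMFILES(x86)%` moved out of the defaults into the command and prereq_command, `radmin_exe` is now a path relative to Program Files (x86), yet its description still reads as an absolute executable path and the dependency description renders it as `Radmin Viewer 3/Radmin.exe`; suggest `description: The radmin.exe executable from RadminViewer.msi, relative to %PROGRAMFILES(x86)%`. The same three points apply to the PDQ Deploy hunk that follows and to the two lateral-movement copies of both entries. The enclosing input_arguments/dependencies mapping for this test starts above the hunk.
```yaml
get_prereq_command: |
  $installer = "$ENV:Temp\#{radmin_installer}"
  (New-Object Net.WebClient).DownloadFile("https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi", $installer)
  if ((Get-FileHash $installer -Algorithm SHA256).Hash -ne "<EXPECTED_SHA256_PLACEHOLDER>") { Write-Host "Installer hash mismatch"; exit 1 }
  # … unchanged: Write-Host progress lines …
  Start-Process msiexec -Wait -ArgumentList '/i', "`"$installer`"", '/qn'
```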
@@ -45129,26 +45132,29 @@ execution: PDQ_Deploy_installer: description: PDQ Deploy Install type: Path - default: "%TEMP%\\PDQDeploysetup.exe" + default: PDQDeploysetup.exe PDQ_Deploy_exe: description: The PDQDeployConsole.exe executable from PDQDeploysetup.exe type: Path - default: "%PROGRAMFILES(x86)%\\Admin Arsenal\\PDQ Deploy\\PDQDeployConsole.exe" + default: Admin Arsenal/PDQ Deploy/PDQDeployConsole.exe + dependency_executor_name: powershell dependencies: - description: 'PDQ Deploy will be installed at specified location (#{PDQ_Deploy_exe}) ' - prereq_command: 'if not exist "#{PDQ_Deploy_exe}" (exit /b 1) + prereq_command: 'if (Test-Path "${env:ProgramFiles(x86)}/#{PDQ_Deploy_exe}") + {exit 0} else {exit 1} ' get_prereq_command: | - echo Downloading PDQ Deploy installer - bitsadmin /transfer myDownloadJob /download /priority normal "https://download.pdq.com/release/19/Deploy_19.3.350.0.exe" #{PDQ_Deploy_installer} - msiexec /i "#{PDQ_Deploy_installer}" /qn + Write-Host Downloading PDQ Deploy installer + (New-Object Net.WebClient).DownloadFile("https://download.pdq.com/release/19/Deploy_19.3.350.0.exe","$ENV:Temp\#{PDQ_Deploy_installer}") + Write-Host Install PDQ Deploy + Start-Process $ENV:Temp\#{PDQ_Deploy_installer} -Wait -ArgumentList "/s" executor: name: command_prompt elevation_required: true - command: '"#{PDQ_Deploy_exe}" + command: '"%PROGRAMFILES(x86)%/#{PDQ_Deploy_exe}" ' T1059.001: 
@@ -70026,27 +70032,30 @@ lateral-movement: radmin_installer: description: Radmin Viewer installer type: Path - default: "%TEMP%\\RadminViewer.msi" + default: RadminViewer.msi radmin_exe: description: The radmin.exe executable from RadminViewer.msi type: Path - default: "%PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe" + default: Radmin Viewer 3/Radmin.exe + dependency_executor_name: powershell dependencies: - description: 'Radmin Viewer Utility must be installed at specified location (#{radmin_exe}) ' - prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1) + prereq_command: 'if (Test-Path "${env:ProgramFiles(x86)}/#{radmin_exe}") {exit + 0} else {exit 1} ' get_prereq_command: | - echo Downloading radmin installer - bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer} - msiexec /i "#{radmin_installer}" /qn + Write-Host Downloading radmin installer + (New-Object Net.WebClient).DownloadFile("https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi","$ENV:Temp\#{radmin_installer}") + Write-Host Install Radmin + Start-Process msiexec -Wait -ArgumentList /i , $ENV:Temp\#{radmin_installer}, /qn executor: name: command_prompt elevation_required: true - command: '"#{radmin_exe}" + command: '"%PROGRAMFILES(x86)%/#{radmin_exe}" ' - name: PDQ Deploy RAT 
@@ -70061,26 +70070,29 @@ lateral-movement: PDQ_Deploy_installer: description: PDQ Deploy Install type: Path - default: "%TEMP%\\PDQDeploysetup.exe" + default: PDQDeploysetup.exe PDQ_Deploy_exe: description: The PDQDeployConsole.exe executable from PDQDeploysetup.exe type: Path - default: "%PROGRAMFILES(x86)%\\Admin Arsenal\\PDQ Deploy\\PDQDeployConsole.exe" + default: Admin Arsenal/PDQ Deploy/PDQDeployConsole.exe + dependency_executor_name: powershell dependencies: - description: 'PDQ Deploy will be installed at specified location (#{PDQ_Deploy_exe}) ' - prereq_command: 'if not exist "#{PDQ_Deploy_exe}" (exit /b 1) + prereq_command: 'if (Test-Path "${env:ProgramFiles(x86)}/#{PDQ_Deploy_exe}") + {exit 0} else {exit 1} ' get_prereq_command: | - echo Downloading PDQ Deploy installer - bitsadmin /transfer myDownloadJob /download /priority normal "https://download.pdq.com/release/19/Deploy_19.3.350.0.exe" #{PDQ_Deploy_installer} - msiexec /i "#{PDQ_Deploy_installer}" /qn + Write-Host Downloading PDQ Deploy installer + (New-Object Net.WebClient).DownloadFile("https://download.pdq.com/release/19/Deploy_19.3.350.0.exe","$ENV:Temp\#{PDQ_Deploy_installer}") + Write-Host Install PDQ Deploy + Start-Process $ENV:Temp\#{PDQ_Deploy_installer} -Wait -ArgumentList "/s" executor: name: command_prompt elevation_required: true - command: '"#{PDQ_Deploy_exe}" + command: '"%PROGRAMFILES(x86)%/#{PDQ_Deploy_exe}" ' T1210:
diff --git a/atomics/T1072/T1072.md b/atomics/T1072/T1072.md
index e8adc45f..2690e1cc 100644
--- a/atomics/T1072/T1072.md
+++ b/atomics/T1072/T1072.md 
@@ -30,31 +30,32 @@ An adversary may use Radmin Viewer Utility to remotely control Windows device, t #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| radmin_installer | Radmin Viewer installer | Path | %TEMP%\RadminViewer.msi| -| radmin_exe | The radmin.exe executable from RadminViewer.msi | Path | %PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe| +| radmin_installer | Radmin Viewer installer | Path | RadminViewer.msi| +| radmin_exe | The radmin.exe executable from RadminViewer.msi | Path | Radmin Viewer 3/Radmin.exe| #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd -"#{radmin_exe}" +"%PROGRAMFILES(x86)%/#{radmin_exe}" ``` -#### Dependencies: Run with `command_prompt`! +#### Dependencies: Run with `powershell`! ##### Description: Radmin Viewer Utility must be installed at specified location (#{radmin_exe}) ##### Check Prereq Commands: -```cmd -if not exist "#{radmin_exe}" (exit /b 1) +```powershell +if (Test-Path "${env:ProgramFiles(x86)}/#{radmin_exe}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -```cmd -echo Downloading radmin installer -bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer} -msiexec /i "#{radmin_installer}" /qn +```powershell +Write-Host Downloading radmin installer +(New-Object Net.WebClient).DownloadFile("https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi","$ENV:Temp\#{radmin_installer}") +Write-Host Install Radmin +Start-Process msiexec -Wait -ArgumentList /i , $ENV:Temp\#{radmin_installer}, /qn ``` 
@@ -78,31 +79,32 @@ An adversary may use PDQ Deploy Software to deploy the Remote Adminstartion Tool #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| PDQ_Deploy_installer | PDQ Deploy Install | Path | %TEMP%\PDQDeploysetup.exe| -| PDQ_Deploy_exe | The PDQDeployConsole.exe executable from PDQDeploysetup.exe | Path | %PROGRAMFILES(x86)%\Admin Arsenal\PDQ Deploy\PDQDeployConsole.exe| +| PDQ_Deploy_installer | PDQ Deploy Install | Path | PDQDeploysetup.exe| +| PDQ_Deploy_exe | The PDQDeployConsole.exe executable from PDQDeploysetup.exe | Path | Admin Arsenal/PDQ Deploy/PDQDeployConsole.exe| #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd -"#{PDQ_Deploy_exe}" +"%PROGRAMFILES(x86)%/#{PDQ_Deploy_exe}" ``` -#### Dependencies: Run with `command_prompt`! +#### Dependencies: Run with `powershell`! ##### Description: PDQ Deploy will be installed at specified location (#{PDQ_Deploy_exe}) ##### Check Prereq Commands: -```cmd -if not exist "#{PDQ_Deploy_exe}" (exit /b 1) +```powershell +if (Test-Path "${env:ProgramFiles(x86)}/#{PDQ_Deploy_exe}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -```cmd -echo Downloading PDQ Deploy installer -bitsadmin /transfer myDownloadJob /download /priority normal "https://download.pdq.com/release/19/Deploy_19.3.350.0.exe" #{PDQ_Deploy_installer} -msiexec /i "#{PDQ_Deploy_installer}" /qn +```powershell +Write-Host Downloading PDQ Deploy installer +(New-Object Net.WebClient).DownloadFile("https://download.pdq.com/release/19/Deploy_19.3.350.0.exe","$ENV:Temp\#{PDQ_Deploy_installer}") +Write-Host Install PDQ Deploy +Start-Process $ENV:Temp\#{PDQ_Deploy_installer} -Wait -ArgumentList "/s" ```