T1036 Masquerading (#361)

* T1036 Masquerading * T1036, not T1306. Duh
2018-10-01 22:53:53 -05:00
parent 4c78e54768
commit 75f452195a
1 changed files with 30 additions and 0 deletions
@@ -0,0 +1,30 @@
+---
+attack_technique: T1036
+display_name: Masquerading
+
+atomic_tests:
+- name: Masquerading as Windows LSASS process
+  description: |
+    Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
+
+  supported_platforms:
+    - windows
+
+  executor:
+    name: command_prompt
+    command: |
+      cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
+      cmd.exe /c %SystemRoot%\Temp\lsass.exe
+
+- name: Masquerading as Linux crond process.
+  description: |
+    Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.
+
+  supported_platforms:
+    - linux
+
+  executor:
+    name: sh
+    command: |
+      cp /bin/sh /tmp/crond
+      /tmp/crond