security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update T1003 (#2225)

Browse Source 
* Added AppCmd list command

AppCmd list command can be used to retrieve IIS service account credentials.

* Update - Test name update and a new test

Updated the test name of 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
Added a new test to simulate /config command for AppCmd
This commit is contained in:
BlueTeamOps
2022-11-08 08:21:05 +11:00
committed by GitHub
parent 17b4c931b6
commit 83ca10639b
1 changed files with 19 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1003/T1003.yaml
+19 -1
View File
@@ -104,7 +104,7 @@ atomic_tests:
Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd
- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
auto_generated_guid: 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
description: |-
AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
@@ -124,3 +124,21 @@ atomic_tests:
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
name: powershell
elevation_required: true
- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
auto_generated_guid: 42510244-5019-48fa-a0e5-66c3b76e6049
description: |-
AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: IIS must be installed prior to running the test
prereq_command: if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
get_prereq_command: |-
Install-WindowsFeature -name Web-Server -IncludeManagementTools
executor:
command: |-
C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
name: powershell
elevation_required: true