From 83ca10639b4d83939c3dfcae04ed37d114afd3af Mon Sep 17 00:00:00 2001
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com>
Date: Tue, 8 Nov 2022 08:21:05 +1100
Subject: [PATCH] Update T1003 (#2225)

* Added AppCmd list command AppCmd list command can be used to retrieve IIS service account credentials.
* Update - Test name update and a new test Updated the test name of 6c7a4fd3-5b0b-4b30-a93e-39411b25d889 Added a new test to simulate /config command for AppCmd
---
 atomics/T1003/T1003.yaml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml
index 5ba57501..ffdc05d3 100644
--- a/atomics/T1003/T1003.yaml
+++ b/atomics/T1003/T1003.yaml
@@ -104,7 +104,7 @@ atomic_tests:
 Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
 name: powershell
 elevation_required: true
-- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd
+- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
 auto_generated_guid: 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
 description: |-
 AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
@@ -124,3 +124,21 @@ atomic_tests:
 C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
 name: powershell
 elevation_required: true
+- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
+ auto_generated_guid: 42510244-5019-48fa-a0e5-66c3b76e6049
+ description: |-
+ AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
+ [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
+ supported_platforms:
+ - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: IIS must be installed prior to running the test
+ prereq_command: if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
+ get_prereq_command: |-
+ Install-WindowsFeature -name Web-Server -IncludeManagementTools
+ executor:
+ command: |-
+ C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
+ name: powershell
+ elevation_required: true
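Review bot: The new test's `prereq_command` relies on `Get-WindowsFeature`, which comes from the ServerManager module and is only present on Windows Server, so on a client SKU that has IIS and appcmd.exe installed the check cannot run as written and `Install-WindowsFeature` in `get_prereq_command` fails the same way; consider a path check such as `prereq_command: if (Test-Path "$env:windir\System32\inetsrv\appcmd.exe") {exit 0} else {exit 1}` or state the Server-only assumption in the description. The `description` also says "The config command", but the executor runs `list apppool /config`, i.e. the `/config` switch of `list apppool`, which prints the pool's configuration section rather than the `/text:*` attribute listing used by the preceding test; wording it that way helps detection content cover both argument forms rather than only one. On a freshly installed IIS the pools most likely run as ApplicationPoolIdentity, so the output probably contains no stored password; saying so in the description tells a tester that the process-creation telemetry, not the printed output, is what the test validates. The `atomic_tests` sequence this entry extends begins outside the hunk.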