Create sys_info.vbs (#1182)

* Create sys_info.vbs

This file is to be used with a new atomic I am writing for T1059.005.

* Create sys_info.vbs

Moved vbscript to /src directory.

* Create T1059.005.yaml

Added yaml file for T1059.005

* Delete sys_info.vbs

* Update T1059.005.yaml

* Update T1059.005.yaml

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
harml3ss
2020-08-07 18:31:18 -05:00
committed by GitHub
parent bfa4d8bc54
commit 84416dfdb3
2 changed files with 43 additions and 0 deletions
+29
@@ -0,0 +1,29 @@
attack_technique: T1059.005
display_name: 'Command and Scripting Interpreter: Visual Basic'
atomic_tests:
- name: Visual Basic script execution to gather local computer information
description: |-
Visual Basic execution test, execute vbscript via PowerShell.
When successful, system information will be written to $env:TEMP\T1059.005.out.txt.
supported_platforms:
- windows
input_arguments:
vbscript:
description: Path to sample script
type: String
default: PathToAtomicsFolder\T1059.005\src\sys_info.vbs
dependency_executor_name: powershell
dependencies:
- description: Sample script must exist on disk at specified location (#{vbscript})
prereq_command: 'if (Test-Path #{vbscript}) {exit 0} else {exit 1} '
get_prereq_command: |-
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "$env:TEMP\sys_info.vbs"
New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null
Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
executor:
command: 'cscript #{vbscript} > $env:TEMP\out.txt'
cleanup_command: |-
Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore
Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
name: powershell
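Review bot: The executor command redirects output to `$env:TEMP\out.txt`, but the description promises `$env:TEMP\T1059.005.out.txt` and the cleanup_command removes that same name, so the file actually written is never cleaned up and the documented path is wrong. Change the executor line to `command: 'cscript #{vbscript} > $env:TEMP\T1059.005.out.txt'` so description, executor and cleanup agree. The prereq_command also passes `#{vbscript}` to Test-Path unquoted, which presumably breaks if PathToAtomicsFolder resolves to a path containing spaces; quoting it as `if (Test-Path "#{vbscript}") {exit 0} else {exit 1}` (dropping the stray trailing space inside the quotes) is safer. The hunk header declares 29 added lines while 28 are visible here, so at least one line, likely blank, was lost in rendering.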
+14
@@ -0,0 +1,14 @@
Set objWMIService = GetObject( "winmgmts:\\.\root\cimv2" )
Set objList = objWMIService.ExecQuery( "Select * from Win32_ComputerSystem" )
For Each objItem in objList
strDomain = objItem.Domain
strName = objItem.Name
strManu = objItem.Manufacturer
strModel = objItem.Model
WScript.Echo "Domain: " & strDomain
WScript.Echo "Computer Name: " & strName
WScript.Echo "Manufacturer: " & strManu
WScript.Echo "Model: " & strModel
Next
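Review bot: The new script has no header comment and no `Option Explicit`, so a reader has to infer from the WMI query what the sample is for and a misspelled variable in the loop would silently create a new one. I would open the file with `Option Explicit` plus a comment along the lines of `' Sample for T1059.005: queries Win32_ComputerSystem via WMI and echoes domain, computer name, manufacturer and model to stdout (run with cscript so the output can be redirected)`, and declare the four `str*` variables and the two objects with `Dim`. The header declares 14 added lines while 12 are visible, so some lines, probably blank, appear to have been dropped in rendering.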