security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add test for T1006 Direct Volume Access (#1254)

Browse Source
This commit is contained in:
gregclermont
2020-10-15 18:36:07 +02:00
committed by GitHub
parent c783bcc9db
commit 8e322ecb76
1 changed files with 30 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1006/T1006.yaml
+30
View File
@@ -0,0 +1,30 @@
attack_technique: T1006
display_name: Direct Volume Access
atomic_tests:
- name: Read volume boot sector via DOS device path (PowerShell)
description: |-
This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume.
On success, a hex dump of the first 11 bytes of the volume is displayed.
For a NTFS volume, it should correspond to the following sequence ([NTFS partition boot sector](https://en.wikipedia.org/wiki/NTFS#Partition_Boot_Sector_(VBR))):
```
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 EB 52 90 4E 54 46 53 20 20 20 20 ëR?NTFS
```
supported_platforms:
- windows
input_arguments:
volume:
description: Drive letter of the volume to access
type: string
default: 'C:'
executor:
command: |
$buffer = New-Object byte[] 11
$handle = New-Object IO.FileStream "\\.\#{volume}", 'Open', 'Read', 'ReadWrite'
$handle.Read($buffer, 0, $buffer.Length)
$handle.Close()
Format-Hex -InputObject $buffer
name: powershell
elevation_required: true