security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

T1023 LNK file to launch CMD placed in startup folders (#674)

Browse Source 
* put lnk files in startup folder

* fix typo
This commit is contained in:
Andrew Beers
2019-11-19 14:13:45 -08:00
committed by Carrie Roberts
parent b5db6b26fb
commit 934aaa1435
1 changed files with 29 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1023/T1023.yaml
+29 -2
View File
@@ -5,8 +5,8 @@ display_name: Shortcut Modification
atomic_tests:
- name: Shortcut Modification
description: |
This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell;
gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL
This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell;
gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL
supported_platforms:
- windows
@@ -23,3 +23,30 @@ atomic_tests:
command: |
echo [InternetShortcut] > test.url && echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} && #{shortcut_file_path}
- name: Create shortcut to cmd in startup folders
description: |
LNK file to launch CMD placed in startup folder
supported_platforms:
- windows
executor:
name: powershell
elevation_required: true
command: |
$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk")
$ShortCut.TargetPath="cmd.exe"
$ShortCut.WorkingDirectory = "C:\Windows\System32";
$ShortCut.WindowStyle = 1;
$ShortCut.Description = "T1023.";
$ShortCut.Save()
$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk")
$ShortCut.TargetPath="cmd.exe"
$ShortCut.WorkingDirectory = "C:\Windows\System32";
$ShortCut.WindowStyle = 1;
$ShortCut.Description = "T1023.";
$ShortCut.Save()
cleanup_command: |
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk"
Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk"