Added two more generic tests to T1036: test 6 and test 7. Test 6 meant to masquerade non-windows exes as real windows exes. Test 7 meant to masquerade windows exes as other windows exes. Added cleanup and input arguments logic to test 6 and 7. Added a generic executable for testing masquerading a non-windows exe as a windows exe. Added source files used for creating the executable in the T1036\bin folder. (#617)
This commit is contained in:
committed by
Carrie Roberts
parent
7f62513b8e
commit
940b93af67
@@ -80,3 +80,57 @@ atomic_tests:
|
||||
cmd.exe /K %APPDATA%\taskhostw.exe
|
||||
cleanup_command: |
|
||||
del /Q /F %APPDATA%\taskhostw.exe
|
||||
|
||||
- name: Masquerading - non-windows exe running as windows exe
|
||||
description: |
|
||||
Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe
|
||||
|
||||
supported_platforms:
|
||||
- windows
|
||||
|
||||
input_arguments:
|
||||
inputfile:
|
||||
description: path of file to copy
|
||||
type: path
|
||||
default: $PathToAtomicsFolder\T1036\bin\t1036.exe
|
||||
outputfile:
|
||||
description: path of file to execute
|
||||
type: path
|
||||
default: ($env:SystemRoot + "\Temp\scvhost.exe")
|
||||
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
command: |
|
||||
copy #{inputfile} #{outputfile}
|
||||
$myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id
|
||||
Stop-Process -ID $myT1036
|
||||
cleanup_command: |
|
||||
del #{outputfile}
|
||||
|
||||
- name: Masquerading - windows exe running as different windows exe
|
||||
description: |
|
||||
Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe
|
||||
|
||||
supported_platforms:
|
||||
- windows
|
||||
|
||||
input_arguments:
|
||||
inputfile:
|
||||
description: path of file to copy
|
||||
type: path
|
||||
default: $env:ComSpec
|
||||
outputfile:
|
||||
description: path of file to execute
|
||||
type: path
|
||||
default: ($env:SystemRoot + "\Temp\scvhost.exe")
|
||||
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
command: |
|
||||
copy #{inputfile} #{outputfile}
|
||||
$myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id
|
||||
Stop-Process -ID $myT1036
|
||||
cleanup_command: |
|
||||
del #{outputfile}
|
||||
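Review bot: The cleanup_command of both new tests (`del #{outputfile}`) assumes the masqueraded process is already gone, but if the run is interrupted between `Start-Process` and `Stop-Process`, or Start-Process itself fails, the copied file is still mapped by a running process and `del` fails, leaving scvhost.exe under %SystemRoot%\Temp. Because the default for outputfile is a PowerShell expression rather than a quoted path, bind it once and stop by image path before deleting: `$target = #{outputfile}`, `Get-Process | Where-Object { $_.Path -eq $target } | Stop-Process -Force -ErrorAction Ignore`, `Remove-Item $target -Force -ErrorAction Ignore`. For test 6 the launched t1036.exe is, per the SED added in this commit, an IExpress wrapper that runs `cmd /c t1036_test.bat`, so stopping the wrapper's PID presumably leaves that child cmd.exe (and the IExpress extraction folder under %TEMP%) behind, which should be stated in the description or handled in cleanup. The descriptions could also name the artefact a defender is expected to catch — the copied file keeps its original PE version resource, so an Image vs. OriginalFileName mismatch in process-creation telemetry (e.g. Sysmon Event ID 1) is the signal these tests exercise. The atomic_tests list these two entries extend begins outside the hunk.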
Binary file not shown.
@@ -0,0 +1,37 @@
|
||||
[Version]
|
||||
Class=IEXPRESS
|
||||
SEDVersion=3
|
||||
[Options]
|
||||
PackagePurpose=InstallApp
|
||||
ShowInstallProgramWindow=0
|
||||
HideExtractAnimation=0
|
||||
UseLongFileName=0
|
||||
InsideCompressed=0
|
||||
CAB_FixedSize=0
|
||||
CAB_ResvCodeSigning=0
|
||||
RebootMode=N
|
||||
InstallPrompt=%InstallPrompt%
|
||||
DisplayLicense=%DisplayLicense%
|
||||
FinishMessage=%FinishMessage%
|
||||
TargetName=%TargetName%
|
||||
FriendlyName=%FriendlyName%
|
||||
AppLaunched=%AppLaunched%
|
||||
PostInstallCmd=%PostInstallCmd%
|
||||
AdminQuietInstCmd=%AdminQuietInstCmd%
|
||||
UserQuietInstCmd=%UserQuietInstCmd%
|
||||
SourceFiles=SourceFiles
|
||||
[Strings]
|
||||
InstallPrompt=
|
||||
DisplayLicense=
|
||||
FinishMessage=
|
||||
TargetName=C:\AtomicRedTeam\atomic-red-team\atomics\T1036\bin\t1036.EXE
|
||||
FriendlyName=Test_T1036
|
||||
AppLaunched=cmd /c t1036_test.bat
|
||||
PostInstallCmd=<None>
|
||||
AdminQuietInstCmd=
|
||||
UserQuietInstCmd=
|
||||
FILE0="t1036_test.bat"
|
||||
[SourceFiles]
|
||||
SourceFiles0=C:\AtomicRedTeam\atomic-red-team\atomics\T1036\src\
|
||||
[SourceFiles0]
|
||||
%FILE0%=
|
||||
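Review bot: `TargetName` and `SourceFiles0` carry absolute paths under `C:\AtomicRedTeam\atomic-red-team\atomics\T1036\`, so this SED only rebuilds on a checkout at exactly that location and anyone else must edit it before running IExpress. The commit also ships the resulting binary (shown only as "Binary file not shown"), which means a reviewer cannot confirm that the committed t1036.exe was produced from this SED and t1036_test.bat; recording the build command (`iexpress /N t1036.sed`) and the SHA-256 of the committed exe next to the sources would make the binary reproducible and auditable. Whether IExpress accepts relative paths in these two fields is not something this file shows, so if it does not, document the expected checkout path instead of leaving it implicit.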
@@ -0,0 +1,3 @@
|
||||
@echo off
|
||||
echo Hi
|
||||
pause
|
||||
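Review bot: `pause` on the last line blocks until a key is pressed, so when the packaged exe is launched non-interactively (the T1036 tests in this commit start it with Start-Process and then Stop-Process only the wrapper PID) the spawned cmd.exe window presumably stays open until a console user closes it, which is a problem for unattended or remote test runs. If the intent is only to keep the process alive long enough to be observed, a bounded wait such as `timeout /t 10 /nobreak >nul` gives the same effect without needing a console user. If the keypress is deliberate, a comment `rem keep the window open so the masqueraded process can be inspected` would make that clear.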