diff --git a/atomics/T1036/T1036.yaml b/atomics/T1036/T1036.yaml
index ce95e83e..ac6cd2f3 100644
--- a/atomics/T1036/T1036.yaml
+++ b/atomics/T1036/T1036.yaml
@@ -80,3 +80,57 @@ atomic_tests:
       cmd.exe /K %APPDATA%\taskhostw.exe
     cleanup_command: |
       del /Q /F %APPDATA%\taskhostw.exe
+
+- name: Masquerading - non-windows exe running as windows exe
+  description: |
+    Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe
+
+  supported_platforms:
+  - windows
+
+  input_arguments:
+    inputfile:
+      description: path of file to copy
+      type: path
+      default: $PathToAtomicsFolder\T1036\bin\t1036.exe
+    outputfile:
+      description: path of file to execute
+      type: path
+      default: ($env:SystemRoot + "\Temp\scvhost.exe")
+
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      copy #{inputfile} #{outputfile}
+      $myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id
+      Stop-Process -ID $myT1036
+    cleanup_command: |
+      del #{outputfile}
+
+- name: Masquerading - windows exe running as different windows exe
+  description: |
+    Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe
+
+  supported_platforms:
+  - windows
+
+  input_arguments:
+    inputfile:
+      description: path of file to copy
+      type: path
+      default: $env:ComSpec
+    outputfile:
+      description: path of file to execute
+      type: path
+      default: ($env:SystemRoot + "\Temp\scvhost.exe")
+
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      copy #{inputfile} #{outputfile}
+      $myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id
+      Stop-Process -ID $myT1036
+    cleanup_command: |
+      del #{outputfile}
\ No newline at end of file
diff --git a/atomics/T1036/bin/t1036.EXE b/atomics/T1036/bin/t1036.EXE
new file mode 100644
index 00000000..eb67343c
Binary files /dev/null and b/atomics/T1036/bin/t1036.EXE differ
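Review bot: `Stop-Process -ID $myT1036` in both new executors terminates only the process handle that Start-Process returned, not anything it spawns; for the first test the SED committed alongside shows the package runs `cmd /c t1036_test.bat`, and that batch file ends in `pause`, so a child cmd.exe blocked on a keypress outlives the test and the cleanup's `del #{outputfile}` does nothing about it. Replacing the stop with a process-tree kill, `taskkill /PID $myT1036 /T /F`, or dropping `pause` from the batch file, would leave the host clean after the atomic runs. `$myT1036` is also empty if Start-Process throws (for example because the preceding `copy` failed), so the run then fails on Stop-Process with an unrelated error; `Start-Process -PassThru -ErrorAction Stop -FilePath #{outputfile}` would surface the real cause. Both tests default `outputfile` to `$env:SystemRoot\Temp`, which is writable by standard users on a default Windows ACL as far as can be told from here, so `elevation_required: false` looks right but is worth confirming on the target image.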
diff --git a/atomics/T1036/src/t1036.SED b/atomics/T1036/src/t1036.SED
new file mode 100644
index 00000000..5cfdb625
--- /dev/null
+++ b/atomics/T1036/src/t1036.SED
@@ -0,0 +1,37 @@
+[Version]
+Class=IEXPRESS
+SEDVersion=3
+[Options]
+PackagePurpose=InstallApp
+ShowInstallProgramWindow=0
+HideExtractAnimation=0
+UseLongFileName=0
+InsideCompressed=0
+CAB_FixedSize=0
+CAB_ResvCodeSigning=0
+RebootMode=N
+InstallPrompt=%InstallPrompt%
+DisplayLicense=%DisplayLicense%
+FinishMessage=%FinishMessage%
+TargetName=%TargetName%
+FriendlyName=%FriendlyName%
+AppLaunched=%AppLaunched%
+PostInstallCmd=%PostInstallCmd%
+AdminQuietInstCmd=%AdminQuietInstCmd%
+UserQuietInstCmd=%UserQuietInstCmd%
+SourceFiles=SourceFiles
+[Strings]
+InstallPrompt=
+DisplayLicense=
+FinishMessage=
+TargetName=C:\AtomicRedTeam\atomic-red-team\atomics\T1036\bin\t1036.EXE
+FriendlyName=Test_T1036
+AppLaunched=cmd /c t1036_test.bat
+PostInstallCmd=
+AdminQuietInstCmd=
+UserQuietInstCmd=
+FILE0="t1036_test.bat"
+[SourceFiles]
+SourceFiles0=C:\AtomicRedTeam\atomic-red-team\atomics\T1036\src\
+[SourceFiles0]
+%FILE0%=
diff --git a/atomics/T1036/src/t1036_test.bat b/atomics/T1036/src/t1036_test.bat
new file mode 100644
index 00000000..a195d13b
--- /dev/null
+++ b/atomics/T1036/src/t1036_test.bat
@@ -0,0 +1,3 @@
+@echo off
+echo Hi
+pause
\ No newline at end of file
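Review bot: `TargetName` and `SourceFiles0` hard-code `C:\AtomicRedTeam\atomic-red-team\atomics\T1036\...`, so this SED only rebuilds `bin/t1036.EXE` from a checkout at exactly that path, and nothing in the commit ties the shipped binary back to the recipe. Since a prebuilt executable is being checked in, a short note kept with the SED (a `;` comment line at the top if the IEXPRESS parser tolerates one, otherwise a README beside it) stating that the two paths must be edited to the local checkout before running `iexpress /N t1036.SED`, and recording the SHA-256 of the exe that recipe produces, would let a reviewer verify that the committed binary matches this source. The `t1036_test.bat` payload is fine as a harmless marker, though its trailing `pause` keeps the launched cmd.exe alive until a key is pressed, which matters to anything that runs the package unattended.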