security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add test "Remove the Zone.Identifier alternate data stream" (#1612)

Browse Source 
Add test "Remove the Zone.Identifier alternate data stream". Test command removes the zone.identifier. The cleanup command adds the zone.identifier with the id for "internet". Check prereq checks that the test file exists. Get prereq gets the file from the internet and adds the zone.identifier with the id for "internet". 
More info:
https://www.howtogeek.com/70012/what-causes-the-file-downloaded-from-the-internet-warning-and-how-can-i-easily-remove-it/
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7
https://www.reddit.com/r/PowerShell/comments/6yyf07/remove_alternate_data_streams/dmrb6zl/

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Brian Thacker
2021-08-30 14:52:02 -05:00
committed by GitHub
parent e95076c17d
commit aca73307fa
1 changed files with 31 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1553.005/T1553.005.yaml
+31 -1
View File
@@ -58,4 +58,34 @@ atomic_tests:
cleanup_command: |
Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
Stop-process -name "hello" -Force -ErrorAction ignore
name: powershell
name: powershell
- name: Remove the Zone.Identifier alternate data stream
description: |
Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.
Removing this allows more freedom in executing scripts in PowerShell and avoids opening files in protected view.
supported_platforms:
- windows
input_arguments:
file_to_download:
description: File that will be downloaded to test against.
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/README.md
file_path:
description: File to have the Zone.Identifier removed.
type: String
default: '$env:tmp\ReadMe.md'
dependency_executor_name: powershell
dependencies:
- description: A test file with the Zone.Identifier attribute must be present.
prereq_command: |
if (Test-Path #{file_path}) { EXIT 0 } else { EXIT 1 }
get_prereq_command: |
Invoke-WebRequest #{file_to_download} -OutFile #{file_path}
Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
executor:
command: |
Unblock-File -Path #{file_path}
cleanup_command: |
Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
name: powershell