Reach out to C2 Pointer URLs via command line (#644)

* add urls and create test folder

* make test more realistic, cleanup command still broken

* use C drive instead of Temp because of permissions

* update paths

* update descriptions
Andrew Beers
2019-11-18 07:50:36 -08:00
committed by Tony M Lambert
parent 08fddb3940
commit aeeba08bbc
@@ -0,0 +1,34 @@
---
attack_technique: T1102
display_name: Web Service
atomic_tests:
- name: Reach out to C2 Pointer URLs via command_prompt
description: |
Download data from a public website using command line
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
bitsadmin.exe /transfer "DonwloadFile" http://www.stealmylogin.com/ %TEMP%\bitsadmindownload.html
cleanup_command: |
del %TEMP%\bitsadmindownload.html
- name: Reach out to C2 Pointer URLs via powershell
description: |
Multiple download methods for files using powershell
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
Invoke-WebRequest -Uri www.twitter.com
$T1102 = (New-Object System.Net.WebClient).DownloadData("https://www.reddit.com/")
$wc = New-Object System.Net.WebClient
$T1102 = $wc.DownloadString("https://www.aol.com/")
cleanup_command: |
Clear-Variable T1102
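Review bot: The first test's `command` and `cleanup_command` both use `%TEMP%\bitsadmindownload.html` unquoted, so the transfer and the `del` break when the profile path contains a space; quote the path in both lines. The commit message also says the test moved to the C drive "because of permissions", while the hunk still writes to %TEMP%, so the message and the final path should be made to agree. In the same command the BITS job name is misspelled ("DonwloadFile"); fix it now, since detections and validation notes tend to key on the job name. In the PowerShell test, `Invoke-WebRequest -Uri www.twitter.com` has no scheme and no `-UseBasicParsing`, unlike the two WebClient calls; on Windows PowerShell 5.1 the cmdlet can fail on hosts where Internet Explorer first-run setup has not completed, so give it an explicit `https://` URL and add `-UseBasicParsing`. The PowerShell cleanup only clears T1102: `$wc` stays in the session, and `Clear-Variable` raises an error if the command step failed before the assignment; `Remove-Variable T1102, wc -ErrorAction Ignore` covers both. The description "Multiple download methods for files using powershell" does not match the commands, which keep the responses in memory and write no file; say that, and say what telemetry each test is meant to produce. The URLs are hard-coded third-party sites; moving them to `input_arguments` with these values as defaults would let operators point the test at a host they control and keep the traffic predictable for detection tuning.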