Update T1491.001.yaml (#3184)
@@ -153,3 +153,81 @@ atomic_tests:
|
||||
name: command_prompt
|
||||
elevation_required: false
|
||||
|
||||
- name: Windows - Display a simulated ransom note via Notepad (non-destructive)
|
||||
description: |
|
||||
Creates a temporary ransom-note text file and opens it in Notepad to
|
||||
simulate ransomware "note display" behavior without making destructive
|
||||
changes. SAFE and non-destructive.
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
note_filename:
|
||||
description: File name for the simulated ransom note
|
||||
type: string
|
||||
default: "ART-T1491-ransom-note.txt"
|
||||
pid_filename:
|
||||
description: File name for storing Notepad PID
|
||||
type: string
|
||||
default: "ART-T1491-notepad.pid"
|
||||
note_title:
|
||||
description: Title at the top of the ransom note
|
||||
type: string
|
||||
default: "!!! READ_ME_NOW !!!"
|
||||
note_body:
|
||||
description: The body of the ransom note (plain text)
|
||||
type: string
|
||||
default: |
|
||||
Your files are SAFE. This is a TEST note for detection validation
|
||||
by bak3n3k0. No data has been encrypted. This simulation exercises
|
||||
detections for:
|
||||
- notepad.exe launched with a ransom-themed text file
|
||||
- creation of a ransom-themed text file in %TEMP%
|
||||
NON-DESTRUCTIVE Atomic Red Team test.
|
||||
dependencies:
|
||||
- description: Notepad must be present on the system
|
||||
dependency_executor_name: command_prompt
|
||||
prereq_command: "where notepad"
|
||||
get_prereq_command: ""
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
command: |
|
||||
$notePath = Join-Path $env:TEMP "#{note_filename}"
|
||||
$pidPath = Join-Path $env:TEMP "#{pid_filename}"
|
||||
|
||||
$Title = "#{note_title}"
|
||||
$Body = "#{note_body}"
|
||||
|
||||
$header = $Title + "`r`n" + ('=' * $Title.Length) + "`r`n`r`n"
|
||||
$content = $header + $Body
|
||||
|
||||
[System.IO.File]::WriteAllText($notePath, $content, [System.Text.Encoding]::UTF8)
|
||||
|
||||
$p = Start-Process notepad.exe -ArgumentList "`"$notePath`"" -PassThru
|
||||
$p.Id | Out-File -FilePath $pidPath -Encoding ascii -Force
|
||||
cleanup_command: |
|
||||
try {
|
||||
# 1. Kill all Notepad processes
|
||||
Get-Process notepad -ErrorAction SilentlyContinue |
|
||||
ForEach-Object {
|
||||
Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
|
||||
}
|
||||
|
||||
# 2. Wait briefly for Windows to release file handles
|
||||
Start-Sleep -Seconds 1
|
||||
|
||||
# 3. Force delete ransom note + PID file
|
||||
$notePath = Join-Path $env:TEMP "ART-T1491-ransom-note.txt"
|
||||
$pidPath = Join-Path $env:TEMP "ART-T1491-notepad.pid"
|
||||
|
||||
if (Test-Path $notePath) {
|
||||
Remove-Item $notePath -Force -ErrorAction Stop
|
||||
}
|
||||
if (Test-Path $pidPath) {
|
||||
Remove-Item $pidPath -Force -ErrorAction Stop
|
||||
}
|
||||
}
|
||||
catch {
|
||||
Write-Warning "Cleanup failed with error: $_"
|
||||
}
|
||||
|
||||
|
||||
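Review bot: The cleanup_command stops every notepad.exe on the host (`Get-Process notepad | ForEach-Object { Stop-Process -Id $_.Id -Force }`) even though the executor records the launched instance's PID in the pid file, so any unrelated Notepad window the user has open is killed and unsaved work lost; it also hardcodes `ART-T1491-ransom-note.txt` and `ART-T1491-notepad.pid` instead of `#{note_filename}` / `#{pid_filename}`, so overriding either input argument leaves the files behind. Cleanup should read the PID back from `#{pid_filename}`, confirm the process is still notepad before stopping it (guards against PID reuse), and build both paths from the same input arguments the executor used; the rewritten try block is below, the catch block is unchanged. Separately, `$Body = "#{note_body}"` interpolates the argument into a double-quoted PowerShell string, so an override containing `"` or `$` would be expanded or break the script — a single-quoted here-string or a comment noting the constraint would help. The YAML indentation is not visible in this rendering; the fence uses the file's conventional two-space layout.
```yaml
cleanup_command: |
  try {
    $notePath = Join-Path $env:TEMP "#{note_filename}"
    $pidPath = Join-Path $env:TEMP "#{pid_filename}"

    # 1. Stop only the Notepad instance this test launched, using the PID it recorded
    if (Test-Path $pidPath) {
      $notepadPid = [int](Get-Content $pidPath -ErrorAction Stop | Select-Object -First 1)
      $proc = Get-Process -Id $notepadPid -ErrorAction SilentlyContinue
      if ($proc -and $proc.ProcessName -eq 'notepad') {
        Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
      }
    }

    # 2. Wait briefly for Windows to release file handles
    Start-Sleep -Seconds 1

    # 3. Remove the ransom note + PID file built from the same input arguments as the executor
    if (Test-Path $notePath) {
      Remove-Item $notePath -Force -ErrorAction Stop
    }
    if (Test-Path $pidPath) {
      Remove-Item $pidPath -Force -ErrorAction Stop
    }
  }
  # … unchanged: catch block …
```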