diff --git a/atomics/T1059.010/T1059.010.yaml b/atomics/T1059.010/T1059.010.yaml new file mode 100644 index 00000000..5e2dd109 --- /dev/null +++ b/atomics/T1059.010/T1059.010.yaml @@ -0,0 +1,38 @@ +attack_technique: T1059.010 +display_name: 'Command and Scripting Interpreter: AutoHotKey & AutoIT' +atomic_tests: +- name: AutoHotKey script execution + auto_generated_guid: + description: | + An adversary may attempt to execute malicious script using AutoHotKey software instead of regular terminal like powershell or cmd. A messagebox will be displayed and calculator will popup when the script is executed successfully + supported_platforms: + - windows + dependency_executor_name: powershell + dependencies: + - description: | + AutoHotKey executable file must exist on disk at the specified location (#{autohotkey_path}) + prereq_command: | + if(Test-Path "#{autohotkey_path}") { + exit 0 + } else { + exit 1 + } + get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + $AutoHotKeyURL = "https://www.autohotkey.com/download/ahk.zip" + $InstallerPath = "$PathToAtomicsFolder\..\ExternalPayloads" + Invoke-WebRequest -Uri $AutoHotKeyURL -OutFile $InstallerPath\ahk.zip + Expand-Archive -Path $InstallerPath -Force; + input_arguments: + script_path: + description: AutoHotKey Script Path + type: path + default: PathToAtomicsFolder\T1059.010\src\calc.ahk + autohotkey_path: + description: AutoHotKey Executable File Path + type: path + default: $PathToAtomicsFolder\..\ExternalPayloads\ahk\AutoHotKeyU64.exe + executor: + command: | + Start-Process -FilePath "#{autohotkey_path}" -ArgumentList "#{script_path}" + name: powershell diff --git a/atomics/T1059.010/src/calc.ahk b/atomics/T1059.010/src/calc.ahk new file mode 100644 index 00000000..5571541e --- /dev/null +++ b/atomics/T1059.010/src/calc.ahk @@ -0,0 +1,2 @@ +MsgBox, This is a test AutoHotKey script. +Run, calc.exe