T1049 update (#1347)

* T1049-Update * T1049-Update * T1049-Update Co-authored-by: Toua Lor <tlor@nti.local>
2021-01-01 17:43:33 -06:00
parent aa9f47cdae
commit bb9c4b1f6f
1 changed files with 37 additions and 0 deletions
@@ -50,3 +50,40 @@ atomic_tests:
      who -a
    name: sh

+- name: System Discovery using SharpView
+  description: |
+    Get a listing of network connections, domains, domain users, and etc.  
+    sharpview.exe located in the bin folder, an opensource red-team tool.
+    Upon successful execution, cmd.exe will execute sharpview.exe <method>. Results will output via stdout.
+  supported_platforms:
+    - windows
+  input_arguments:
+    SharpView_url:
+      description: sharpview download URL
+      type: url
+      default: https://github.com/tevora-threat/SharpView/blob/b60456286b41bb055ee7bc2a14d645410cca9b74/Compiled/SharpView.exe?raw=true
+    SharpView:
+      description: Path of the executable opensource redteam tool used for the performing this atomic.
+      type: path
+      default: PathToAtomicsFolder\T1049\bin\SharpView.exe
+    syntax:
+      description: Arguements method used along with SharpView to get listing of network connections, domains, domain users, and etc.  
+      type: String
+      default: | 
+        "Invoke-ACLScanner", "Invoke-Kerberoast", "Find-DomainShare" 
+  dependency_executor_name: powershell
+  dependencies:
+    - description: |
+        Sharpview.exe must exist on disk at specified location (#{SharpView})
+      prereq_command: |
+        if (Test-Path #{SharpView}) {exit 0} else {exit 1}
+      get_prereq_command: |
+        New-Item -Type Directory (split-path #{SharpView}) -ErrorAction ignore | Out-Null
+        Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}"
+  executor:
+    name: powershell
+    elevation_required: true
+    command: | 
+      $syntaxList = #{syntax}
+      foreach ($syntax in $syntaxList) {
+      #{SharpView} $syntax -}