From bbb1d1d7ea32db0ba0b888af7653b7800c969db4 Mon Sep 17 00:00:00 2001
From: msdlearn <48013681+msdlearn@users.noreply.github.com>
Date: Wed, 21 Sep 2022 07:15:21 +0530
Subject: [PATCH] New atomic Test-1072.001 (#2141)

* New atomic Test-1072.001
The Software deployment tool-PDQ Deploy used to deploy remote access tool in the device. Adding as T1072.001 for PDQ Deploy tool.
* Update T1072.yaml
Co-authored-by: Carrie Roberts
---
 atomics/T1072/T1072.yaml | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/atomics/T1072/T1072.yaml b/atomics/T1072/T1072.yaml
index cecdcede..70f97986 100644
--- a/atomics/T1072/T1072.yaml
+++ b/atomics/T1072/T1072.yaml
@@ -31,4 +31,35 @@ atomic_tests:
 name: command_prompt
 elevation_required: true
 command: |
- "#{radmin_exe}"
\ No newline at end of file
+ "#{radmin_exe}"
+
+- name: PDQ Deploy RAT
+ description: |
+ An adversary may use PDQ Deploy Software to deploy the Remote Adminstartion Tool, this will start the PDQ console.
+ supported_platforms:
+ - windows
+ input_arguments:
+ PDQ_Deploy_installer:
+ description: PDQ Deploy Install
+ type: Path
+ default: '%TEMP%\PDQDeploysetup.exe'
+ PDQ_Deploy_exe:
+ description: The PDQDeployConsole.exe executable from PDQDeploysetup.exe
+ type: Path
+ default: '%PROGRAMFILES(x86)%\Admin Arsenal\PDQ Deploy\PDQDeployConsole.exe'
+
+ dependencies:
+ - description: |
+ Radmin Viewer Utility must be installed at specified location (#{PDQ_Deploy_exe})
+ prereq_command: |
+ if not exist "#{PDQ_Deploy_exe}" (exit /b 1)
+ get_prereq_command: |
+ echo Downloading PDQ Deploy installer
+ bitsadmin /transfer myDownloadJob /download /priority normal "https://download.pdq.com/release/19/Deploy_19.3.350.0.exe" #{PDQ_Deploy_installer}
+ msiexec /i "#{PDQ_Deploy_installer}" /qn
+
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: |
+ "#{PDQ_Deploy_exe}"
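Review bot: The new `get_prereq_command` downloads `Deploy_19.3.350.0.exe` and then runs `msiexec /i "#{PDQ_Deploy_installer}" /qn`, but msiexec installs .msi packages, not .exe installers, so the silent install very likely fails and `prereq_command` keeps reporting the dependency as missing — confirm with a run and, if so, invoke the downloaded executable with its vendor-documented silent-install switch instead. In the `bitsadmin` line the destination `#{PDQ_Deploy_installer}` is unquoted while the msiexec argument is quoted; a `%TEMP%` path containing spaces would be split, so write `"#{PDQ_Deploy_installer}"` there too. The dependency description was carried over from the Radmin test: `Radmin Viewer Utility must be installed at specified location (#{PDQ_Deploy_exe})` should read `PDQ Deploy must be installed at specified location (#{PDQ_Deploy_exe})`, and "Adminstartion" in the test description is a typo. The executor installs and launches software but defines no `cleanup_command`; consider adding one that terminates the console process so repeated runs start from a known state, and note in the description that the installer is fetched over the network without integrity verification so operators can decide whether to pre-stage a verified copy.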