+15
-15
@@ -6269,19 +6269,19 @@ privilege-escalation:
|
||||
powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and
|
||||
copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
|
||||
|
||||
Upon execution, open the weak permission file at %temp%\ T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
|
||||
the weak file permissions, open File Explorer to%temp%\ T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
|
||||
Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read "T1574.010 Malicious file". To verify
|
||||
the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
malicious_file:
|
||||
description: File to replace weak permission file with
|
||||
type: path
|
||||
default: "$env:TEMP\\ T1574.010\\ T1574.010_malicious_file.txt"
|
||||
default: "$env:TEMP\\T1574.010\\T1574.010_malicious_file.txt"
|
||||
weak_permission_file:
|
||||
description: check weak files permission
|
||||
type: path
|
||||
default: "$env:TEMP\\ T1574.010_weak_permission_file.txt"
|
||||
default: "$env:TEMP\\T1574.010_weak_permission_file.txt"
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: A file must exist on disk at specified location (#{weak_permission_file})
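Review bot: The rewritten "Upon execution" description in this hunk now says the file's contents read "T1574.010 Malicious file", but the Set-Content line in the following hunk (@@ -6294) is unchanged and still writes `" T1574.010 Malicious file"` with a leading space, so anyone verifying the test against the description will see a mismatch. Either drop the space there, `Set-Content -Path #{malicious_file} -Value "T1574.010 Malicious file"`, or keep the quoted value in the description in step with what is written. The same description line also points File Explorer at `%temp%\T1574.010_weak_permission_file.exe` while the weak_permission_file default in this hunk is a `.txt`, "to%temp%" is missing a space, and "it's contents" should read "its contents". The identical text recurs in the persistence (@@ -14327), defense-evasion (@@ -30271), markdown (@@ -16) and atomic test (@@ -8) hunks, so the fix should be applied in all of them.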
|
||||
@@ -6294,7 +6294,7 @@ privilege-escalation:
|
||||
this would be the malicious file gaining extra privileges
|
||||
prereq_command: 'if (Test-Path #{malicious_file}) {exit 0} else {exit 1}'
|
||||
get_prereq_command: |-
|
||||
New-Item -Type Directory -Path $env:TEMP\ T1574.010\ -Force | Out-Null
|
||||
New-Item -Type Directory -Path $env:TEMP\T1574.010\ -Force | Out-Null
|
||||
New-Item #{malicious_file} -Force | Out-Null
|
||||
Set-Content -Path #{malicious_file} -Value " T1574.010 Malicious file"
|
||||
executor:
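Review bot: The prereq_command and get_prereq_command in this hunk pass `#{malicious_file}` to Test-Path, New-Item and Set-Content unquoted, so removing the space from the default only hides the problem — a user-supplied path containing a space will still be split into separate arguments and the prerequisite check will misreport. Quote the substituted path, e.g. `prereq_command: 'if (Test-Path "#{malicious_file}") {exit 0} else {exit 1}'`, `New-Item "#{malicious_file}" -Force | Out-Null` and `Set-Content -Path "#{malicious_file}" -Value ...`. The `New-Item -Type Directory` line also hard-codes `$env:TEMP\T1574.010\` instead of deriving the directory from the argument, so overriding malicious_file to another location leaves the prereq creating a folder the test never uses; `New-Item -Type Directory -Path (Split-Path "#{malicious_file}") -Force | Out-Null` keeps the two in step. The same commands appear in the hunks at @@ -14352, @@ -30296, the markdown @@ -65 and the atomic test @@ -35.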
|
||||
@@ -14327,19 +14327,19 @@ persistence:
|
||||
powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and
|
||||
copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
|
||||
|
||||
Upon execution, open the weak permission file at %temp%\ T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
|
||||
the weak file permissions, open File Explorer to%temp%\ T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
|
||||
Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read "T1574.010 Malicious file". To verify
|
||||
the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
malicious_file:
|
||||
description: File to replace weak permission file with
|
||||
type: path
|
||||
default: "$env:TEMP\\ T1574.010\\ T1574.010_malicious_file.txt"
|
||||
default: "$env:TEMP\\T1574.010\\T1574.010_malicious_file.txt"
|
||||
weak_permission_file:
|
||||
description: check weak files permission
|
||||
type: path
|
||||
default: "$env:TEMP\\ T1574.010_weak_permission_file.txt"
|
||||
default: "$env:TEMP\\T1574.010_weak_permission_file.txt"
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: A file must exist on disk at specified location (#{weak_permission_file})
|
||||
@@ -14352,7 +14352,7 @@ persistence:
|
||||
this would be the malicious file gaining extra privileges
|
||||
prereq_command: 'if (Test-Path #{malicious_file}) {exit 0} else {exit 1}'
|
||||
get_prereq_command: |-
|
||||
New-Item -Type Directory -Path $env:TEMP\ T1574.010\ -Force | Out-Null
|
||||
New-Item -Type Directory -Path $env:TEMP\T1574.010\ -Force | Out-Null
|
||||
New-Item #{malicious_file} -Force | Out-Null
|
||||
Set-Content -Path #{malicious_file} -Value " T1574.010 Malicious file"
|
||||
executor:
|
||||
@@ -30271,19 +30271,19 @@ defense-evasion:
|
||||
powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and
|
||||
copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
|
||||
|
||||
Upon execution, open the weak permission file at %temp%\ T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
|
||||
the weak file permissions, open File Explorer to%temp%\ T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
|
||||
Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read "T1574.010 Malicious file". To verify
|
||||
the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
malicious_file:
|
||||
description: File to replace weak permission file with
|
||||
type: path
|
||||
default: "$env:TEMP\\ T1574.010\\ T1574.010_malicious_file.txt"
|
||||
default: "$env:TEMP\\T1574.010\\T1574.010_malicious_file.txt"
|
||||
weak_permission_file:
|
||||
description: check weak files permission
|
||||
type: path
|
||||
default: "$env:TEMP\\ T1574.010_weak_permission_file.txt"
|
||||
default: "$env:TEMP\\T1574.010_weak_permission_file.txt"
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: A file must exist on disk at specified location (#{weak_permission_file})
|
||||
@@ -30296,7 +30296,7 @@ defense-evasion:
|
||||
this would be the malicious file gaining extra privileges
|
||||
prereq_command: 'if (Test-Path #{malicious_file}) {exit 0} else {exit 1}'
|
||||
get_prereq_command: |-
|
||||
New-Item -Type Directory -Path $env:TEMP\ T1574.010\ -Force | Out-Null
|
||||
New-Item -Type Directory -Path $env:TEMP\T1574.010\ -Force | Out-Null
|
||||
New-Item #{malicious_file} -Force | Out-Null
|
||||
Set-Content -Path #{malicious_file} -Value " T1574.010 Malicious file"
|
||||
executor:
|
||||
|
||||
@@ -16,8 +16,8 @@ This test to show checking file system permissions weakness and which can lead t
|
||||
powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and
|
||||
copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
|
||||
|
||||
Upon execution, open the weak permission file at %temp%\ T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
|
||||
the weak file permissions, open File Explorer to%temp%\ T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
|
||||
Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read "T1574.010 Malicious file". To verify
|
||||
the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
@@ -27,8 +27,8 @@ the weak file permissions, open File Explorer to%temp%\ T1574.010_weak_permissio
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| malicious_file | File to replace weak permission file with | path | $env:TEMP\ T1574.010\ T1574.010_malicious_file.txt|
|
||||
| weak_permission_file | check weak files permission | path | $env:TEMP\ T1574.010_weak_permission_file.txt|
|
||||
| malicious_file | File to replace weak permission file with | path | $env:TEMP\T1574.010\T1574.010_malicious_file.txt|
|
||||
| weak_permission_file | check weak files permission | path | $env:TEMP\T1574.010_weak_permission_file.txt|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`!
|
||||
@@ -65,7 +65,7 @@ if (Test-Path #{malicious_file}) {exit 0} else {exit 1}
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```powershell
|
||||
New-Item -Type Directory -Path $env:TEMP\ T1574.010\ -Force | Out-Null
|
||||
New-Item -Type Directory -Path $env:TEMP\T1574.010\ -Force | Out-Null
|
||||
New-Item #{malicious_file} -Force | Out-Null
|
||||
Set-Content -Path #{malicious_file} -Value " T1574.010 Malicious file"
|
||||
```
|
||||
|
||||
@@ -8,19 +8,19 @@ atomic_tests:
|
||||
powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and
|
||||
copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
|
||||
|
||||
Upon execution, open the weak permission file at %temp%\ T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
|
||||
the weak file permissions, open File Explorer to%temp%\ T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
|
||||
Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read "T1574.010 Malicious file". To verify
|
||||
the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
malicious_file:
|
||||
description: File to replace weak permission file with
|
||||
type: path
|
||||
default: $env:TEMP\ T1574.010\ T1574.010_malicious_file.txt
|
||||
default: $env:TEMP\T1574.010\T1574.010_malicious_file.txt
|
||||
weak_permission_file:
|
||||
description: check weak files permission
|
||||
type: path
|
||||
default: $env:TEMP\ T1574.010_weak_permission_file.txt
|
||||
default: $env:TEMP\T1574.010_weak_permission_file.txt
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
@@ -35,7 +35,7 @@ atomic_tests:
|
||||
prereq_command: |
|
||||
if (Test-Path #{malicious_file}) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory -Path $env:TEMP\ T1574.010\ -Force | Out-Null
|
||||
New-Item -Type Directory -Path $env:TEMP\T1574.010\ -Force | Out-Null
|
||||
New-Item #{malicious_file} -Force | Out-Null
|
||||
Set-Content -Path #{malicious_file} -Value " T1574.010 Malicious file"
|
||||
executor:
|
||||
@@ -45,4 +45,4 @@ atomic_tests:
|
||||
cleanup_command: |
|
||||
Remove-Item #{weak_permission_file} -Force -ErrorAction Ignore
|
||||
Remove-Item -Recurse (Split-Path #{malicious_file}) -Force -ErrorAction Ignore
|
||||
name: powershell
|
||||
name: powershell
|
||||
|
||||