fixes

2022-09-22 21:58:16 +01:00
parent c57a3be79f
commit cb98e12fa0
3 changed files with 51 additions and 28 deletions
@@ -10,6 +10,8 @@ Malware or scripts may be used to interact with the devices through an available

 - [Atomic Test #2 - Registry artefact when application use microphone](#atomic-test-2---registry-artefact-when-application-use-microphone)

+- [Atomic Test #3 - using Quicktime Player](#atomic-test-3---using-quicktime-player)
+

 <br/>

@@ -22,22 +24,12 @@ Malware or scripts may be used to interact with the devices through an available
 **auto_generated_guid:** 9c3ad250-b185-4444-b5a9-d69218a10c95


-
-
-
-
 #### Attack Commands: Run with `powershell`! 


 ```powershell
 powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
 ```
-
-
-
-
-
-
 <br/>
 <br/>

@@ -50,10 +42,6 @@ powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
 **auto_generated_guid:** 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a


-
-
-
-
 #### Attack Commands: Run with `command_prompt`! 


@@ -67,8 +55,31 @@ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\C
 reg DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#Temp#atomic.exe /f
 ```

-
-
-
-
 <br/>
+
+## Atomic Test #3 - Using Quicktime Player
+
+
+**Supported Platforms:** macOS
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| filename | Location of the script | Path | PathToAtomicsFolder/T1123/src/T1123.sh|
+| audiofile | Location of the recorded audio file | Path | /tmp/T1123.m4a|
+| duration | Length of recording to make in seconds | Integer | 5|
+
+#### Attack Commands: Run with `sh`! 
+
+```sh
+#{filename} #{audiofile} #{duration}
+```
+
+#### Cleanup Commands:
+```sh
+if test -w #{audiofile}; then
+rm #{audiofile}
+fi
+```
+
+<br/>
@@ -11,6 +11,7 @@ atomic_tests:
    command: |
      powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
    name: powershell
+
 - name: Registry artefact when application use microphone
  auto_generated_guid: 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a
  description: |
@@ -24,13 +25,15 @@ atomic_tests:
    cleanup_command: |
      reg DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#Temp#atomic.exe /f
    name: command_prompt
- name: using Quicktime
+
+- name: using Quicktime Player
  description: |
   Use AppleScript to get Quicktime Player to record an audio file from the default microphone.

   Should create a non-empty m4a file with sound from the microphone.

-   - requires Automation permissions but no additional microphone permissions.
+   - requires Automation permissions but no additional microphone permissions
+   - saves file in /tmp by default. Other locations likely to require more permissions.
  supported_platforms:
  - macos
  input_arguments:
@@ -41,14 +44,14 @@ atomic_tests:
    audiofile:
      description: Location of the recorded audio file
      type: Path
-      default: ./T1123.m4a
+      default: /tmp/T1123.m4a
    duration:
      description: Length of recording to make in seconds
      type: Integer
      default: 5
  executor:
    command: |
-      sh #{filename} #{duration}
+      sh #{filename} #{audiofile} #{duration}
    cleanup_command: |
      if test -w #{audiofile}; then
        rm #{audiofile}
@@ -1,18 +1,27 @@
-echo "Starting recording, make some noise for #{duration} seconds!"
+echo "Starting recording, make some noise for $2 seconds!"
 osascript -e '
    on run argv
        set theFilePath to POSIX path of item 1 of argv
-        set duration to item 2 of argv
+        set durn to item 2 of argv
        tell application "Quicktime Player"
            start (new audio recording)
-            delay duration
+            repeat durn times
+                log (durn)
+                delay 1
+                set durn to (durn - 1)
+            end repeat
            tell document "Audio Recording"
-                pause #do not stop else it becomes a different document
+                pause
                save it in POSIX file theFilePath
                stop
                close
            end tell
+            close
        end tell
    end run
-'
-echo "Recording complete"
+' "$1" $2
+RECSIZE=`cat $1 | wc -c`
+if [ $RECSIZE -gt 100000 ]; then
+    echo "Recording complete"
+else echo "Failed" && exit 1
+fi