security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

clarify test and add prereqs (#931)

Browse Source 
* clarify test and add prereqs

* typo fixes

* path fix
This commit is contained in:
Carrie Roberts
2020-04-07 14:28:54 -06:00
committed by GitHub
parent f8e02588c8
commit d95cc985d9
6 changed files with 15 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1138/T1138.yaml
+15 -5
View File
@@ -5,16 +5,19 @@ display_name: Application Shimming
atomic_tests:
- name: Application Shim Installation
description: |
Install a shim database. This technique is used for privelage escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete."
will be displayed.
Install a shim database. This technique is used for privilege escalation and bypassing user access control.
Upon execution, "Installation of AtomicShim complete." will be displayed. To verify the shim behavior, run
the AtomicTest.exe from the <PathToAtomicsFolder>\T1138\bin directory. You should see a message box appear
with "Atomic Shim DLL Test!" as defined in the AtomicTest.dll. To better understand what is happening, review
the source code files is the <PathToAtomicsFolder>\T1138\src directory.
supported_platforms:
- windows
input_arguments:
file_path:
description: Path to the shim databaase file
description: Path to the shim database file
type: String
default: PathToAtomicsFolder\T1138\src\AtomicShimx86.sdb
default: PathToAtomicsFolder\T1138\bin\AtomicShimx86.sdb
dependency_executor_name: powershell
dependencies:
@@ -24,7 +27,14 @@ atomic_tests:
if (Test-Path #{file_path}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1138/src/AtomicShimx86.sdb" -OutFile "#{file_path}"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1138/bin/AtomicShimx86.sdb" -OutFile "#{file_path}"
- description: |
AtomicTest.dll must exist at c:\Tools\AtomicTest.dll
prereq_command: |
if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1138/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll
executor:
name: command_prompt
atomics/T1138/src/AtomicShimx86.sdb → atomics/T1138/bin/AtomicShimx86.sdb
Executable → Regular
View File
atomics/T1138/src/AtomicTest.dll → atomics/T1138/bin/AtomicTest.dll
Executable → Regular
View File
atomics/T1138/bin/AtomicTest.exe
BIN
View File
Binary file not shown.
atomics/T1138/src/AtomicShim.zip
BIN
View File
Binary file not shown.
atomics/T1138/src/README.md
-4
View File
@@ -1,9 +1,5 @@
## Application Compatibility Shims
[Reference](https://blogs.technet.microsoft.com/askperf/2011/06/17/demystifying-shims-or-using-the-app-compat-toolkit-to-make-your-old-stuff-work-with-your-new-stuff/)
[Additional References:](https://sdb.tools/resources.html)
All Files Contained in .Zip.
Otherwise you can roll your own.