diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index c101fe36..75f2ffb2 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -27500,11 +27500,27 @@ privilege-escalation: ' supported_platforms: - windows + input_arguments: + xml_path: + description: path of vbs to use when creating masquerading files + type: Path + default: PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml + dependency_executor_name: powershell + dependencies: + - description: 'File to copy must exist on disk at specified location (#{xml_path}) + + ' + prereq_command: 'if (Test-Path #{xml_path}) {exit 0} else {exit 1} + + ' + get_prereq_command: | + New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}" executor: name: powershell elevation_required: true command: | - $xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml") + $xml = [System.IO.File]::ReadAllText("#{xml_path}") Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; } cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1 
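Review bot: The new `xml_path` argument's description, `path of vbs to use when creating masquerading files`, does not describe this test — the value is the scheduled-task XML definition read by ReadAllText and handed to RegisterByXml, and the dependency text `File to copy must exist on disk` is equally off since nothing is copied; suggest `description: path of the scheduled task XML definition to register` and `description: 'Scheduled task XML must exist on disk at specified location (#{xml_path})`. The prereq lines also leave the path unquoted (`Test-Path #{xml_path}`, `split-path #{xml_path}`) while the download line quotes it; `if (Test-Path "#{xml_path}") {exit 0} else {exit 1}` keeps a PathToAtomicsFolder containing spaces working. get_prereq_command fetches the XML from the unpinned `master` branch and the executor then registers it with elevation, so a defender reproducing the test may want to compare the downloaded file's hash against the committed src copy (`<expected-sha256-placeholder>`) before running it. The same text is repeated in the hunks at -27540, -41567, -41607, -48052 and -48092 and in the T1053.005.md sections, and since index.yaml and the .md appear to be generated, the fix presumably belongs in the technique's source YAML.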
@@ -27540,11 +27556,27 @@ privilege-escalation: the industroyer2.\n" supported_platforms: - windows + input_arguments: + xml_path: + description: path of vbs to use when creating masquerading files + type: Path + default: PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml + dependency_executor_name: powershell + dependencies: + - description: 'File to copy must exist on disk at specified location (#{xml_path}) + + ' + prereq_command: 'if (Test-Path #{xml_path}) {exit 0} else {exit 1} + + ' + get_prereq_command: | + New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}" executor: name: powershell elevation_required: true command: | - $xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml") + $xml = [System.IO.File]::ReadAllText("#{xml_path}") Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; } cleanup_command: 'Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false >$null 2>&1 
@@ -41567,11 +41599,27 @@ execution: ' supported_platforms: - windows + input_arguments: + xml_path: + description: path of vbs to use when creating masquerading files + type: Path + default: PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml + dependency_executor_name: powershell + dependencies: + - description: 'File to copy must exist on disk at specified location (#{xml_path}) + + ' + prereq_command: 'if (Test-Path #{xml_path}) {exit 0} else {exit 1} + + ' + get_prereq_command: | + New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}" executor: name: powershell elevation_required: true command: | - $xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml") + $xml = [System.IO.File]::ReadAllText("#{xml_path}") Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; } cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1 
@@ -41607,11 +41655,27 @@ execution: the industroyer2.\n" supported_platforms: - windows + input_arguments: + xml_path: + description: path of vbs to use when creating masquerading files + type: Path + default: PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml + dependency_executor_name: powershell + dependencies: + - description: 'File to copy must exist on disk at specified location (#{xml_path}) + + ' + prereq_command: 'if (Test-Path #{xml_path}) {exit 0} else {exit 1} + + ' + get_prereq_command: | + New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}" executor: name: powershell elevation_required: true command: | - $xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml") + $xml = [System.IO.File]::ReadAllText("#{xml_path}") Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; } cleanup_command: 'Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false >$null 2>&1 
@@ -48052,11 +48116,27 @@ persistence: ' supported_platforms: - windows + input_arguments: + xml_path: + description: path of vbs to use when creating masquerading files + type: Path + default: PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml + dependency_executor_name: powershell + dependencies: + - description: 'File to copy must exist on disk at specified location (#{xml_path}) + + ' + prereq_command: 'if (Test-Path #{xml_path}) {exit 0} else {exit 1} + + ' + get_prereq_command: | + New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}" executor: name: powershell elevation_required: true command: | - $xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml") + $xml = [System.IO.File]::ReadAllText("#{xml_path}") Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; } cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1 
@@ -48092,11 +48172,27 @@ persistence: the industroyer2.\n" supported_platforms: - windows + input_arguments: + xml_path: + description: path of vbs to use when creating masquerading files + type: Path + default: PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml + dependency_executor_name: powershell + dependencies: + - description: 'File to copy must exist on disk at specified location (#{xml_path}) + + ' + prereq_command: 'if (Test-Path #{xml_path}) {exit 0} else {exit 1} + + ' + get_prereq_command: | + New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}" executor: name: powershell elevation_required: true command: | - $xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml") + $xml = [System.IO.File]::ReadAllText("#{xml_path}") Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; } cleanup_command: 'Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false >$null 2>&1 diff --git a/atomics/T1053.005/T1053.005.md b/atomics/T1053.005/T1053.005.md index 7e7c17de..1b7f2627 100644 --- a/atomics/T1053.005/T1053.005.md +++ b/atomics/T1053.005/T1053.005.md 
@@ -249,12 +249,17 @@ Create an scheduled task that executes notepad.exe after user login from XML by +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| xml_path | path of vbs to use when creating masquerading files | Path | PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml| + #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell -$xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml") +$xml = [System.IO.File]::ReadAllText("#{xml_path}") Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; } ``` @@ -265,6 +270,19 @@ Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1 +#### Dependencies: Run with `powershell`! +##### Description: File to copy must exist on disk at specified location (#{xml_path}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{xml_path}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}" +``` + +
@@ -326,12 +344,17 @@ This technique was seen several times in tricbot malware and also with the targe +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| xml_path | path of vbs to use when creating masquerading files | Path | PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml| + #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell -$xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml") +$xml = [System.IO.File]::ReadAllText("#{xml_path}") Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; } ``` @@ -342,6 +365,19 @@ Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false >$null 2>&1 +#### Dependencies: Run with `powershell`! +##### Description: File to copy must exist on disk at specified location (#{xml_path}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{xml_path}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}" +``` + +