Updated executor to powershell and updated command syntax. (#635)

This commit is contained in:
dwhite9
2019-11-12 01:08:58 -06:00
committed by Carrie Roberts
parent c6ea937fb4
commit df73365c8a
+5 -5
@@ -219,15 +219,15 @@ atomic_tests:
- windows
executor:
name: command_prompt
name: powershell
elevation_required: false
command: |
REM Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
cleanup_command: |
del /Q /F %SystemRoot%\Temp\art-marker.txt
REG DELETE "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /f
cmd /c del /Q /F %SystemRoot%\Temp\art-marker.txt
cmd /c REG DELETE "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /f
- name: PowerShell Downgrade Attack
description: |