Fix Name and format (#2151)

* Fix Format

* Fix Format T1592.001

* keep guid

Must keep the same GUID for the test. Display name comes from MITRE ATT&CK.

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Zeta
2022-09-24 00:43:51 +07:00
committed by GitHub
parent dac55eca04
commit e18e6da264
2 changed files with 15 additions and 9 deletions
+11 -4
@@ -2,17 +2,16 @@
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1592/001/)
<blockquote>Adversaries may use powershell script to gather information about the system, configuration, and even mounted hardware on the target host.
Dark Crystal Rat use several technique to gather hardware information of the compromised host like gathering the microphone, CPU, GPU, camera and many as part of its data collection and backdoor capabilities.
</blockquote>
Dark Crystal Rat use several technique to gather hardware information of the compromised host like gathering the microphone, CPU, GPU, camera and many as part of its data collection and backdoor capabilities.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Query Registry](#atomic-test-1---Enumerate PlugNPlay Camera)
- [Atomic Test #1 - Enumerate PlugNPlay Camera](#atomic-test-1---enumerate-plugnplay-camera)
<br/>
## Atomic Test #1 - Query Registry
## Atomic Test #1 - Enumerate PlugNPlay Camera
Enumerate PlugNPlay Camera.
Upon successful execution, powershell.exe will perform queries to plugnplay camera device mounted on the host.
References:
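Review bot: the text under the `## [Description from ATT&CK]` heading still reads like a project-written summary ("Adversaries may use powershell script ...", "Dark Crystal Rat use several technique ...") rather than a quotation of the technique description on the linked ATT&CK page; since the commit message says the display name is taken from MITRE ATT&CK, confirm that the blockquote is also verbatim from https://attack.mitre.org/techniques/T1592/001/, and if it is not, move the Dark Crystal Rat sentence out of the blockquote into the test description. The removal of the duplicated `Dark Crystal Rat ... </blockquote>` line and the new table-of-contents anchor `#atomic-test-1---enumerate-plugnplay-camera` are correct: the anchor now matches the lowercased, hyphenated heading, which the old `#atomic-test-1---Enumerate PlugNPlay Camera` link (with spaces and mixed case) did not.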
@@ -24,3 +23,11 @@ https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
**Supported Platforms:** Windows
**auto_generated_guid:** 08a04133-3f2a-4eb0-bdd8-2aa513d2fb60
#### Attack Commands: Run with `powershell`!
```powershell
Get-CimInstance -Query "SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')"
```
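Review bot: the `auto_generated_guid` shown here, `08a04133-3f2a-4eb0-bdd8-2aa513d2fb60`, does not match the `d430bf85-b656-40e7-b238-42db01df0183` in the YAML hunk of this same commit, although the commit message says the GUID must be kept the same for the test; the Markdown and the YAML describe the same test and must carry one GUID, so reconcile them before merge. Separately, the YAML sets `elevation_required: true` for this executor while the Markdown header says only "Run with `powershell`!" with no elevation note; either the generated header should reflect the flag or the flag should be dropped (a `Win32_PnPEntity` query via `Get-CimInstance` does not need administrative rights).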
+4 -5
@@ -4,12 +4,11 @@ atomic_tests:
- name: Enumerate PlugNPlay Camera
auto_generated_guid: d430bf85-b656-40e7-b238-42db01df0183
description: |
Enumerate PlugNPlay Camera using powershell commandlet. this technique was seen in dcrat malware backdoor capabilities where it enumerate the camera info mounted on the compromised host.
reference: https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor
Enumerate PlugNPlay Camera using powershell commandlet. this technique was seen in dcrat malware backdoor capabilities where it enumerate the camera info mounted on the compromised host. reference: https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor
supported_platforms:
- windows
- windows
executor:
name: powershell
elevation_required: true
command: |
Get-CimInstance -Query "SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')"
name: powershell
elevation_required: true
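Review bot: `elevation_required: true` is unnecessary for this test: `Get-CimInstance -Query "SELECT * FROM Win32_PnPEntity ..."` reads device inventory that any interactive user can query, so the flag only makes the runner demand admin rights for no reason; suggest `elevation_required: false`. Moving `command:` ahead of `name:` and `elevation_required:` inside `executor:` changes nothing semantically, but the collapsed single-line description still has grammar slips ("using powershell commandlet. this technique was seen in dcrat malware ... where it enumerate"); suggested wording: `Enumerate Plug and Play cameras using a PowerShell cmdlet. This technique was seen in the DCRat backdoor, which enumerates camera devices on the compromised host. Reference: https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor`. Also double-check that `supported_platforms` ends up with a single `- windows` entry, since the entry appears twice in this rendering.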